Re: question about filters

2009-10-16 Thread Cottalorda Sébastien
On Fri, 16 Oct 2009 00:33:19 +0200, mouss  wrote:
> Cottalorda Sébastien a écrit :
>> Hi all,
>> 
>> I need to add a vacation function into an existing postfix server which
>> is already protected by an Antispam/Antivirus software that uses
>> advanced filter.
>> 
>> I've that configuration:
>> 
>> port 25 > 10025 [Antivirus/Antispam] > 10026 [smtpd] ->
>> delivery
>> 
>> my master.cf looks like this:
>> 
>> smtp  inet  n   -   n   -   -   smtpd
>> [snip]
>> localhost:10026 inet n  -   n   -   10  smtpd
>>   -o content_filter=
>>   -o local_recipient_maps=
>>   -o relay_recipient_maps=
>>   -o myhostname=localhost
>>   -o smtpd_helo_restrictions=
>>   -o smtpd_client_restrictions=
>>   -o smtpd_sender_restrictions=
>>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>>   -o mynetworks=127.0.0.0/8
>> 
>> into my main.cf, I've that:
>> 
>> content_filter=pmx:127.0.0.1:10025
>> 
>>  
>> 
>> If I want to add vacation filter _before_ content filtering, is that
>> configuration correct ?
> 
> don't. if you use a vacation, make sure mail is filtered before.
> auto-responding to spam is bad.

Yes, you're right.
In fact I'm thinking of using the qpsmtpd program as the entry point of my
mailserver, having it reject as much spam as it can, do the vacation processing,
and finally deliver mail to the existing postfix server without making any
configuration modifications.

> also, there are way too many borked vacation scripts/programs. if you use
> one, make sure it follows the "best practices". some of these are
> described in RFC 3834.

I think I will use the "vacation.pl" program given with the postfixadmin
suite, maybe it follows what you said.


> if you use dovecot as your imap server, consider using its vacation
> module.
> 

Sorry, I've courier-imap, and I use roundcubemail as webmail.
I also added to roundcube the vacation plugin that allows my users to schedule
their vacations themselves.
Everything is good, the link between the mysql database and the plugin, but
now I want to connect the vacation program to my existing
antivirus/antispam postfix server explained above.

If I'm wrong to do what I want, please tell me.

Cheers.

Sébastien



Re: question about filters

2009-10-16 Thread Charles Marcus

On 10/16/2009 Cottalorda Sébastien wrote:
> I think I will use the "vacation.pl" program given with the
> postfixadmin suite, maybe it follows what you said


As long as you're running the latest version (not latest stable, but 
latest from svn)...


Re: question about filters

2009-10-16 Thread Mikael Bak
Cottalorda Sébastien wrote:
> Sorry, I've courier-imap, and I use roundcubemail as webmail.
> I also added to roundcube the vacation plugin that allows my users to schedule
> their vacations themselves.
> Everything is good, the link between the mysql database and the plugin, but
> now I want to connect the vacation program to my existing
> antivirus/antispam postfix server explained above.
> 
> If I'm wrong to do what I want, please tell me.
> 

If your mailbox server != antivirus/antispam server, then I think it's a
wrong approach.

A vacation script should be implemented after any filtering is done IMO,
as "close" to the mailboxes as possible.

HTH,
Mikael
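The thread's advice (reply only after filtering, and follow the practices in RFC 3834) can be sketched as the decision a vacation responder makes per message. This is an added example, not code from vacation.pl or from any poster; the function names, sample messages and the 7-day interval are assumptions.

```python
from datetime import datetime, timedelta
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

REPLY_INTERVAL = timedelta(days=7)  # assumed: at most one reply per sender per week


def should_autorespond(raw, envelope_sender, my_addresses, last_reply, now):
    """Return (send, reason) for one incoming, already-filtered message."""
    msg = message_from_string(raw)
    sender = envelope_sender.strip().strip("<>").lower()
    if not sender:
        return False, "null envelope sender"
    local = sender.split("@", 1)[0]
    if local == "mailer-daemon" or local.startswith("owner-") or local.endswith("-request"):
        return False, "daemon or list-management sender"
    # Any Auto-Submitted value other than "no" marks automatic mail.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return False, "Auto-Submitted: " + auto
    if any(name.lower().startswith("list-") for name in msg.keys()):
        return False, "mailing list header present"
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "list", "junk"):
        return False, "Precedence marks bulk or list mail"
    # Only answer mail that names the user explicitly in To or Cc.
    named = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if not named & {a.lower() for a in my_addresses}:
        return False, "recipient not named in To or Cc"
    seen = last_reply.get(sender)
    if seen is not None and now - seen < REPLY_INTERVAL:
        return False, "already replied recently"
    return True, "ok"


def build_reply(raw, envelope_sender, my_address, text):
    """Build the response: sent to the envelope sender and marked as automatic."""
    original = message_from_string(raw)
    reply = EmailMessage()
    reply["From"] = my_address
    reply["To"] = envelope_sender.strip().strip("<>")
    reply["Subject"] = "Auto: " + " ".join((original.get("Subject") or "").split())
    reply["Auto-Submitted"] = "auto-replied"
    if original.get("Message-ID"):
        reply["In-Reply-To"] = original["Message-ID"].strip()
        reply["References"] = original["Message-ID"].strip()
    reply.set_content(text)
    return reply


def sample(*headers):
    """Assemble a constructed test message from header lines."""
    return "\n".join(headers) + "\n\nbody text\n"


# Constructed sample messages (all addresses are made up).
ME = ["alice@example.com"]
PERSONAL = sample("From: bob@example.net", "To: alice@example.com",
                  "Subject: lunch", "Message-ID: <1@example.net>")
LIST_MAIL = sample("From: carol@example.org", "To: users@lists.example.org",
                   "Cc: alice@example.com", "List-Id: <users.lists.example.org>")
AUTO_MAIL = sample("From: dave@example.net", "To: alice@example.com",
                   "Auto-Submitted: auto-replied", "Subject: Out of office")
BLIND = sample("From: promo@example.biz", "To: offers@example.biz", "Subject: offer")

if __name__ == "__main__":
    now = datetime(2009, 10, 16, 12, 0)
    for name, raw, sender in [("personal", PERSONAL, "bob@example.net"),
                              ("bounce", PERSONAL, "<>"),
                              ("list", LIST_MAIL, "carol@example.org"),
                              ("auto", AUTO_MAIL, "dave@example.net"),
                              ("blind", BLIND, "promo@example.biz")]:
        print(name, should_autorespond(raw, sender, ME, {}, now))
```

The envelope sender has to come from the delivery agent (for example the Return-Path it records), not from the From: header.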


Re: address lookup/verify question

2009-10-16 Thread Wietse Venema
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains

Wietse


Re: postscreen lookalike, but in FreeBSD kernel (presentation)

2009-10-16 Thread Victor Duchovni
On Thu, Oct 15, 2009 at 09:05:17PM -0400, Wietse Venema wrote:

> Postscreen's greetpause is only the first step in a sequence of
> barriers that I expect will be needed. Adding greylisting support
> would be a next step. Adding greylist support to a kernel-based
> implementation looks unattractive.

The kernel can be a good place to implement TCP connection concurrency,
rate-limit and bandwidth cap controls. The "sensor" logic to determine
which IPs are subject to which controls should be in "user-land".

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


can't stop anvil

2009-10-16 Thread Len Conrad
postconf mail_version
mail_version = 2.3-20060126

postconf | egrep smtpd_client_connection_rate_limit
smtpd_client_connection_rate_limit = 0

but after a few minutes of running, maillog is flooded with 1000s of

Oct 16 12:11:45 postfix/smtpd[82433]: warning: connect to private/anvil: 
Connection refused

Oct 16 12:11:45 postfix/smtpd[82433]: warning: problem talking to server 
private/anvil: Connection refused

how do we kill anvil?

Len



Re: can't stop anvil

2009-10-16 Thread Wietse Venema
Len Conrad:
> postconf mail_version
> mail_version = 2.3-20060126
> 
> postconf | egrep smtpd_client_connection_rate_limit
> smtpd_client_connection_rate_limit = 0
> 
> but after a few minutes of running, maillog is flooded with 1000s of
> 
> Oct 16 12:11:45 postfix/smtpd[82433]: warning: connect to private/anvil: 
> Connection refused
> 
> Oct 16 12:11:45 postfix/smtpd[82433]: warning: problem talking to server 
> private/anvil: Connection refused
> 
> how do we kill anvil?

What has changed?

Wietse


Re: can't stop anvil

2009-10-16 Thread Victor Duchovni
On Fri, Oct 16, 2009 at 06:11:19PM +0200, Len Conrad wrote:

> postconf mail_version
> mail_version = 2.3-20060126
> 
> postconf | egrep smtpd_client_connection_rate_limit
> smtpd_client_connection_rate_limit = 0

This is the default value. To disable anvil in an otherwise default
configuration:

smtpd_client_connection_rate_limit = 0
smtpd_client_connection_count_limit = 50
smtpd_client_message_rate_limit = 0
smtpd_client_recipient_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0

change the *count* limit from 50 to zero.

-- 
Viktor.



S/Mime with Postfix?

2009-10-16 Thread Paul Hutchings
After a little guidance on what those of you using Postfix as a gateway are 
using for doing s/mime email encryption?

I did some digging and it seems you can get certificates that authenticate a 
company for s/mime rather than needing to authenticate each individual using a 
cert on their MUA.

Of course Postfix can't do this, but I'm hoping I can get some suggestions on 
what can, and (importantly) what integrates easily with Postfix?

Thanks,
Paul

-- 
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration  GB 114 5409 96





Re: can't stop anvil

2009-10-16 Thread Len Conrad
-- Original Message --
From: wie...@porcupine.org (Wietse Venema)
Date:  Fri, 16 Oct 2009 12:38:22 -0400 (EDT)

>Len Conrad:
>> postconf mail_version
>> mail_version = 2.3-20060126
>> 
>> postconf | egrep smtpd_client_connection_rate_limit
>> smtpd_client_connection_rate_limit = 0
>> 
>> but after a few minutes of running, maillog is flooded with 1000s of
>> 
>> Oct 16 12:11:45 postfix/smtpd[82433]: warning: connect to private/anvil: 
>> Connection refused
>> 
>> Oct 16 12:11:45 postfix/smtpd[82433]: warning: problem talking to server 
>> private/anvil: Connection refused
>> 
>> how do we kill anvil?
>
>What has changed?

nothing, we just reviewed the server, one of 5 MXs, and saw it was struggling 
with bad overload. the load balancer sucks.   

disk, os, and postfix all to be upgraded soon.

Len



Postfix, fetchmail, and forwarding loop

2009-10-16 Thread John te Bokkel / Tempus
I am not sure why this is happening now, I haven't made any changes to
configurations in the last while.

It seems that fetchmail is catching mail that it shouldn't.

Here is an example of an email that got bounced. It was sent locally
in a backup script.



>From MAILER-DAEMON  Fri Oct 16 12:31:13 2009
Return-Path: <>
X-Original-To: j...@localhost.powercoreeng.com
Delivered-To: j...@localhost.powercoreeng.com
Received: by server (Postfix, from userid 1013)
id 56D23272C9A; Fri, 16 Oct 2009 12:31:13 -0400 (EDT)
X-Spam-Checker-Version: SpamAssassin 3.2.1-gr1 (2007-05-02) on server
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,NO_RELAYS
autolearn=ham version=3.2.1-gr1
Received: from localhost (localhost [127.0.0.1])
by server (Postfix) with ESMTP id ECB5B272C95
for ; Fri, 16 Oct 2009 12:31:12 -0400 (EDT)
X-Original-To: r...@powercoreeng.com
Delivered-To: r...@powercoreeng.com
Received: from localhost [127.0.0.1]
by localhost with IMAP (fetchmail-6.3.11)
for  (single-drop); Fri, 16 Oct 2009 12:31:12 -0400 
(EDT)
Received: by server (Postfix)
id D761F272C97; Fri, 16 Oct 2009 12:26:12 -0400 (EDT)
Date: Fri, 16 Oct 2009 12:26:12 -0400 (EDT)
From: mailer-dae...@powercoreeng.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: r...@powercoreeng.com
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="C9994272C9A.1255710372/server"
Message-Id: <20091016162612.d761f272...@server>

This is a MIME-encapsulated message.

--C9994272C9A.1255710372/server
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host server.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

: mail forwarding loop for
j...@localhost.powercoreeng.com

--C9994272C9A.1255710372/server
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; server
X-Postfix-Queue-ID: C9994272C9A
X-Postfix-Sender: rfc822; r...@powercoreeng.com
Arrival-Date: Fri, 16 Oct 2009 12:26:12 -0400 (EDT)

Final-Recipient: rfc822; j...@localhost.powercoreeng.com
Action: failed
Status: 5.4.6
Diagnostic-Code: X-Postfix; mail forwarding loop for
j...@localhost.powercoreeng.com

--C9994272C9A.1255710372/server
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: by server (Postfix, from userid 1013)
id C9994272C9A; Fri, 16 Oct 2009 12:26:12 -0400 (EDT)
X-Spam-Checker-Version: SpamAssassin 3.2.1-gr1 (2007-05-02) on server
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00,NO_RELAYS
autolearn=unavailable version=3.2.1-gr1
Received: from localhost (localhost [127.0.0.1])
by server (Postfix) with ESMTP id A1EC1272C95
for ; Fri, 16 Oct 2009 12:26:12 -0400 (EDT)
X-Original-To: j...@localhost.powercoreeng.com
Delivered-To: j...@localhost.powercoreeng.com
Received: from localhost [127.0.0.1]
by localhost with IMAP (fetchmail-6.3.11)
for  (single-drop); Fri, 16 Oct 2009 12:26:12 -0400 
(EDT)
Received: by server (Postfix, from userid 1013)
id 0B09D272C9C; Fri, 16 Oct 2009 12:21:13 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
by server (Postfix) with ESMTP id 4A7E8272C97
for ; Fri, 16 Oct 2009 12:21:12 -0400 (EDT)
X-Original-To: r...@localhost
Delivered-To: r...@localhost.powercoreeng.com
Received: from localhost [127.0.0.1]
by localhost with IMAP


Re: S/Mime with Postfix?

2009-10-16 Thread Victor Duchovni
On Fri, Oct 16, 2009 at 06:36:59PM +0100, Paul Hutchings wrote:

> After a little guidance on what those of you using Postfix as a gateway
> are using for doing s/mime email encryption?

S/MIME is in theory an MUA issue, MTAs just move the mail. This said, if
an end-to-end approach is not for you (as it is for most users), and you
want gateway to gateway security, by far the most widely adopted is TLS,
but this naturally protects only the first hop, and works one direction
at a time, so it is difficult for a recipient to audit sender policy.

A number of vendors offer gateway-to-gateway S/MIME support in the form
of border email security "appliances". I am not in a position to endorse
or specifically recommend any of these, but a *partial* list (sorted from
shortest to longest URL) should help you to search in the right direction:

- http://www.pgp.com/products/universal_server/index.html
- http://www.entrust.com/email-security/messaging-server/index.htm
- http://www.tumbleweed.com/products/mailgate/secure_messenger.html
- http://www.ironport.com/resources/datasheet_ironport_encryption.html
- http://www.mcafee.com/us/enterprise/products/email_and_web_security/email/email_gateway.html

> I did some digging and it seems you can get certificates that
> authenticate a company for s/mime rather than needing to authenticate
> each individual using a cert on their MUA.

The type of certificates required or supported by the various gateways
is product dependent. Note that for S/MIME it is not enough to be able
to authenticate a certificate when it is presented, one actually needs
to have the relevant public keys on hand to initiate encryption, and
given lack of the mythical global X.500 directory in which such certs are
published securely, keys are deployed manually, at which point signatures
by a trusted third party are less important (but some products will still
want these).

Some of the certificates will be "proxy certificates", and various other
product-specific characteristics will arise, but there is little that
one can generally say beyond "follow the vendor's" directions.

I am not aware of any open-source S/MIME gateway, if someone has a pointer
to something reasonably well-designed/robust, perhaps they will step
forward with a suitable pointer.

-- 
Viktor.



Re: Postfix, fetchmail, and forwarding loop

2009-10-16 Thread Wietse Venema
John te Bokkel / Tempus:
> I am not sure why this is happening now, I haven't made any changes to
> configurations in the last while.

The Postfix local delivery agent will report a loop when it tries
to deliver mail to u...@example.com, and that message already has
a "Delivered-To: u...@example.com" message header.

You can disable ADDING the Delivered-To header, but you cannot
disable TESTING for the header's presence.


Wietse

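The loop test Wietse describes can be reproduced on a saved message when reading a bounce like the one in this thread. This is an added example, not Postfix code and not part of the original posts; the sample message, its addresses and queue IDs are constructed, and the case-insensitive address comparison is an assumption of the sketch.

```python
from email import message_from_string

# Constructed message: delivered once, fetched by fetchmail, then handed back
# to Postfix for the same address. Headers are prepended, so the newest is on top.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
\tby server (Postfix) with ESMTP id EXAMPLE0002
\tfor <jdoe@localhost.example.com>; Fri, 16 Oct 2009 12:26:12 -0400 (EDT)
Received: from localhost [127.0.0.1]
\tby localhost with IMAP (fetchmail-6.3.11)
\tfor <jdoe@localhost> (single-drop); Fri, 16 Oct 2009 12:26:12 -0400 (EDT)
X-Original-To: jdoe@localhost.example.com
Delivered-To: jdoe@localhost.example.com
Received: by server (Postfix, from userid 1013)
\tid EXAMPLE0001; Fri, 16 Oct 2009 12:21:13 -0400 (EDT)
From: backup@example.com
To: jdoe@localhost.example.com
Subject: nightly backup report

Backup finished.
"""


def _unfold(value):
    """Collapse header folding (newline + whitespace) into single spaces."""
    return " ".join(value.split())


def header_trace(raw):
    """List Received and Delivered-To headers in file order (newest first)."""
    trace = []
    for name, value in message_from_string(raw).items():
        key = name.lower()
        if key == "delivered-to":
            trace.append(("delivered-to", _unfold(value).lower()))
        elif key == "received":
            # Keep the hop description, drop the timestamp after ';'.
            trace.append(("received", _unfold(value).split(";")[0]))
    return trace


def would_loop(raw, recipient):
    """True if the message already carries Delivered-To for this recipient."""
    rcpt = recipient.strip().lower()
    return any(kind == "delivered-to" and value == rcpt
               for kind, value in header_trace(raw))


def hops_after_delivery(raw, recipient):
    """Received hops recorded after the most recent delivery to recipient.

    These are the hops that picked the delivered message up again; an empty
    list means the message was never delivered to that address.
    """
    rcpt = recipient.strip().lower()
    hops = []
    for kind, value in header_trace(raw):
        if kind == "delivered-to" and value == rcpt:
            return hops
        if kind == "received":
            hops.append(value)
    return []


if __name__ == "__main__":
    rcpt = "jdoe@localhost.example.com"
    print("loop:", would_loop(SAMPLE, rcpt))
    for hop in hops_after_delivery(SAMPLE, rcpt):
        print("after delivery:", hop)
```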


Re: Postfix, fetchmail, and forwarding loop

2009-10-16 Thread John te Bokkel / Tempus
So which one is the guilty party in adding the Delivered-To header? I
didn't think that fetchmail touched the headers. I don't think that
fetchmail should have even been involved in this transaction, but it
looks like it did.

Received: from localhost [127.0.0.1]
   by localhost with IMAP (fetchmail-6.3.11)
   for  (single-drop); Fri, 16 Oct 2009 12:31:12 -0400 (EDT)

fetchmail is only configured to pop in some other accounts and send
them through port 25.

On Fri, Oct 16, 2009 at 3:05 PM, Wietse Venema  wrote:
> John te Bokkel / Tempus:
>> I am not sure why this is happening now, I haven't made any changes to
>> configurations in the last while.
>
> The Postfix local delivery agent will report a loop when it tries
> to deliver mail to u...@example.com, and that message already has
> a "Delivered-To: u...@example.com" message header.
>
> You can disable ADDING the Delivered-To header, but you cannot
> disable TESTING for the header's presence.
>
>
>        Wietse


Is TLS strictly required?

2009-10-16 Thread Matt Friedman
Hi,

For an internet facing postfix server, is TLS strictly required? Do I
need to obtain an SSL certificate for this?

What would happen if I didn't use TLS? Would I be inviting spammers
and hackers to take over my postfix installation? Are there
alternative security measures that are as secure or better?

Another question. If I have example.com setup to point to the IP
address 70.222.222.23 can I have u...@example.com go to another IP?

I'm a pretty good Linux admin but I haven't done much work with MTAs
or DNS so please bear with me as I ask these questions.

Thanks,
Matt.


Re: Is TLS strictly required?

2009-10-16 Thread Brian Evans - Postfix List
Matt Friedman wrote:
> Hi,
>
> For an internet facing postfix server, is TLS strictly required? Do I
> need to obtain an SSL certificate for this?
>   

No and No.

> What would happen if I didn't use TLS? Would I be inviting spammers
> and hackers to take over my postfix installation? Are there
> alternative security measures that are as secure or better?
>   

TLS is to email as HTTPS is to web browsing.
They provide no protection for programs themselves.
Security of your system is only as tight as your firewall.
> Another question. If I have example.com setup to point to the IP
> address 70.222.222.23 can I have u...@example.com go to another IP?
>   

Do you mean message routing?
If so, use transport_maps.


Re: Is TLS strictly required?

2009-10-16 Thread Matt Friedman
Thanks Brian,

Sorry if my questions are a bit inane. Feel free to point me at
reading material if I'm being too much of a noob.

Ok, so based on what you are saying postfix can be made sufficiently
secure without TLS or an SSL certificate.

I'm thinking about when users login to fetch their email. How is that
auth procedure made secure?

In terms of the IP addresses, I wasn't all that clear. I meant what
happens when your webserver is at one IP but your email server is at a
different IP. Can you set it up this way so that DNS points to the
right place based on whether the user is trying to go to the website
or trying to send email.

Thanks,
matt





2009/10/16 Brian Evans - Postfix List :
> Matt Friedman wrote:
>> Hi,
>>
>> For an internet facing postfix server, is TLS strictly required? Do I
>> need to obtain an SSL certificate for this?
>>
>
> No and No.
>
>> What would happen if I didn't use TLS? Would I be inviting spammers
>> and hackers to take over my postfix installation? Are there
>> alternative security measures that are as secure or better?
>>
>
> TLS is to email as HTTPS is to web browsing.
> They provide no protection for programs themselves.
> Security of your system is only as tight as your firewall.
>> Another question. If I have example.com setup to point to the IP
>> address 70.222.222.23 can I have u...@example.com go to another IP?
>>
>
> Do you mean message routing?
> If so, use transport_maps.
>


Re: Is TLS strictly required?

2009-10-16 Thread Victor Duchovni
On Fri, Oct 16, 2009 at 03:38:26PM -0400, Brian Evans - Postfix List wrote:

> > What would happen if I didn't use TLS? Would I be inviting spammers
> > and hackers to take over my postfix installation? Are there
> > alternative security measures that are as secure or better?
> >   
> 
> TLS is to email as HTTPS is to web browsing.
> They provide no protection for programs themselves.

It protects traffic, and in most cases (for better or mostly worse),
just authentication traffic. So you need TLS with email when:

- You allow plaintext authentication for mobile users using
  a submission (typically port 587) service where your host is
  the outbound SMTP server for the roaming users.

- You receive sensitive data via email, and would like to keep
  it safe(r). This is mostly a business-to-business feature.

> Security of your system is only as tight as your firewall.

No, it is only as good as the software running on the host behind the
firewall.

> > Another question. If I have example.com setup to point to the IP
> > address 70.222.222.23 can I have u...@example.com go to another IP?
> 
> Do you mean message routing?
> If so, use transport_maps.

I think the question is about incoming email from outside, i.e. the OP
is not familiar with MX records, (but is familiar with "example.com",
which is promising). Any decent book on DNS and email should cover
setting up MX records for the "example.com" domain.

-- 
Viktor.



Re: Is TLS strictly required?

2009-10-16 Thread Victor Duchovni
On Fri, Oct 16, 2009 at 03:50:30PM -0400, Matt Friedman wrote:

> Thanks Brian,
> 
> Sorry if my questions are a bit inane. Feel free to point me at
> reading material if I'm being too much of a noob.
> 
> Ok, so based on what you are saying postfix can be made sufficiently
> secure without TLS or an SSL certificate.
> 
> I'm thinking about when users login to fetch their email. How is that
> auth procedure made secure?

Users don't fetch their mail from Postfix, they do so from an IMAP
server. For an IMAP server, with more than just a handful of users (who
know how to configure trust in self-signed cert) you typically do need
an SSL/TLS cert. Once you have one, you can re-use for the submission
service too, if the same "hostname" is used for both.

-- 
Viktor.



How can I has postfix reporting errors with an email address

2009-10-16 Thread Mark Johnson
Is there any way to config postfix reporting errors with an invalid email 
address?

Thanks.
MJ


  


Re: How can I has postfix reporting errors with an email address

2009-10-16 Thread Wietse Venema
Mark Johnson:
> Is there any way to config postfix reporting errors with an invalid email 
> address?

Choose one of the following:

1) A client sends a non-existent address to the Postfix SMTP server.

2) A client sends a malformed address to the Postfix SMTP server.

3) A local program passes a non-existent address to the Postfix sendmail 
command.

4) A local program passes a malformed address to the Postfix sendmail command.

5) ...

Wietse


Re: How can I has postfix reporting errors with an email address

2009-10-16 Thread Victor Duchovni
On Fri, Oct 16, 2009 at 01:32:11PM -0700, Mark Johnson wrote:

> Is there any way to config postfix reporting errors with an invalid
> email address?

Unfortunately, given the very brief description of the problem, no
answer is possible. You need to describe your problem in more detail,
giving examples, as necessary, to explain what you want to happen,
and what happens now.

If English is not your native language, you sadly need to add more detail,
not less, because your meaning will be easier to mis-understand.

-- 
Viktor.



Re: Is TLS strictly required?

2009-10-16 Thread LuKreme

On 16-Oct-2009, at 13:31, Matt Friedman wrote:

> For an internet facing postfix server, is TLS strictly required?


Of course not.


> Do I need to obtain an SSL certificate for this?


You can, but you can also use a self-signed cert.


> What would happen if I didn't use TLS? Would I be inviting spammers
> and hackers to take over my postfix installation? Are there
> alternative security measures that are as secure or better?


The advantages of TLS don't have all that much to do with spam per se.

--
We all need help with our feelings. Otherwise, we bottle them up,
and before you know it powerful laxatives are involved.