Re: Sender Authentication
> I'm pretty sure I already know the answer, just need confirmation.
>
> Is this statement true or false? You cannot restrict sending mail to
> authenticated sessions without also restricting incoming mail as well.

False
Re: Sender Authentication
On Jun 12, 2010, at 3:20 AM, Thomas Polliard wrote:

>> I'm pretty sure I already know the answer, just need confirmation.
>>
>> Is this statement true or false? You cannot restrict sending mail to
>> authenticated sessions without also restricting incoming mail as well.
>
> False

False unless you don't want mail for your domain(s) at all.

When a user wants to send mail to a domain NOT hosted by your mail server then you want them to authenticate to ensure that you are not an open relay, but incoming mail need not be restricted except to make sure that you are the MX for the domains.

Make sense?

Thomas
Re: how to stop backscatter without check headers
On 11.06.2010 19:31, Jeroen Geilman wrote:
> On 06/11/2010 04:40 PM, motty.cruz wrote:
>>
>> *From:* owner-postfix-us...@postfix.org
>> [mailto:owner-postfix-us...@postfix.org] *On Behalf Of *Jeroen Geilman
>> *Sent:* Thursday, June 10, 2010 4:02 PM
>> *To:* postfix-users@postfix.org
>> *Subject:* Re: how to stop backscatter without check headers
>>
>> On 06/11/2010 12:44 AM, motty.cruz wrote:
>>
>> Is there a best way to stop backscatter spam without using check
>> headers? Traffic is too heavy to use check headers + we received
>> email for three different domains.
>>
>> Using postfix 2.6.
>>
>> Thanks,
>>
>> motty
>>
>> To stop backscatter spam, don't accept mail you cannot deliver.
>>
>> That is a very smart answer, please pardon my stupidity.
>>
>> Header_checks are trivially spoofed.
>>
>> J.
>>
>> Spammers spoof the “from” and gets redirected to “user” in my domain?
>> How do you fight that?
>
> I don't understand what you mean.
> If spammers spoof the envelope sender, header_checks will not help you.
> If spammers spoof the sender header, well, postfix doesn't look at From:
> headers.
>
> J.
>
>> From: Mail Delivery Subsystem [mailto:mailer-dae...@smtp.newsguy.com]
>> Sent: Thursday, June 10, 2010 1:28 AM
>> To: u...@obscure.com
>> Subject: Returned mail: see transcript for details
>>
>> The original message was received at Thu, 10 Jun 2010 01:28:19 -0700
>> (PDT) from [124.217.198.141]
>>
>> - The following addresses had permanent fatal errors -
>>
>> (reason: Can't create output)
>>
>> - Transcript of session follows - 550 5.0.0
>> ... Can't create output

hi, you can do it like this, but think and analyse your logs and setup before, don't simply copy paste

i.e

smtpd_sender_restrictions =
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_backscatter_access,

---
/etc/postfix/sender_backscatter_access

Symantec_Mail_Security_for_SMTP@          backscatter
Gateway_SMTP@                             backscatter
Notify_nav_gateways@                      backscatter
<>                                        backscatter
postmaster@                               backscatter
MAILER-DAEMON@                            backscatter
devnull@                                  backscatter
MDaemon@                                  backscatter
imsspostmaster@                           backscatter
Administrator@                            backscatter
imss@                                     backscatter
majordomo@                                backscatter
symantec_antivirus_for_smtp_gateways@     backscatter
Mail_Security_for_SMTP@                   backscatter
FETCHMAIL-DAEMON@                         backscatter
NULL@                                     backscatter
--

smtpd_restriction_classes = , backscatter,
-

from here you may use rbls and/or a list of your well known backscattered recipients or match it only to your daily backscatter ips etc, many combinations are possible, keep care that they make sense

rejecting valid bounce mails i.e from <> may lose you urgent debug info

backscatter = permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org,
    check_recipient_access hash:/etc/postfix/backscatter_recipient_access

Again attention, you should analyse your logs and setup to match setup like this to your needs

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: Sender Authentication
On 06/12/2010 07:06 AM, Walter Pinto wrote:

> Recipient map is also SQL based, here's the config.
>
> [r...@mx sql]# cat relay_recipient_map.conf
> user = xxx
> password = xxx
> dbname = xxx
> query =
>     SELECT y
>     FROM relay_recipient_map
>     WHERE x='%s'
>
> I'm pretty sure I already know the answer, just need confirmation.
>
> Is this statement true or false? You cannot restrict sending mail to
> authenticated sessions without also restricting incoming mail as well.

I quote myself:

Unless you want to leave your mail server unable to receive mail, you normally allow mail to be sent TO your own domains FROM anywhere.

Think about it.

J.
Re: Sender Authentication
There's no need to be rude sir. I'm just trying to become more familiar with the Postfix system as an alternative to Qmail which I've had more real world experience dealing with,

You have my problem reversed. I'm troubleshooting what seems to be mail being sent FROM our own domains TO anywhere

On Sat, Jun 12, 2010 at 9:40 AM, Jeroen Geilman wrote:

> On 06/12/2010 07:06 AM, Walter Pinto wrote:
>
> Recipient map is also SQL based, here's the config.
>
> [r...@mx sql]# cat relay_recipient_map.conf
> user = xxx
> password = xxx
> dbname = xxx
> query =
> SELECT y
> FROM relay_recipient_map
> WHERE x='%s'
>
> I'm pretty sure I already know the answer, just need confirmation.
>
> Is this statement true or false? You cannot restrict sending mail to
> authenticated sessions without also restricting incoming mail as well.
>
> I quote myself:
>
> Unless you want to leave your mail server unable to receive mail, you
> normally allow mail to be sent TO your own domains FROM anywhere.
>
> Think about it.
>
> J.

--
Walter Pinto
System Support / Administrator
supp...@amhosting.com
www.amhosting.com
4690 Longley Lane, Suite 34
Reno, NV 89502
775.331.3319 866.425.2035
Re: Sender Authentication
Clarification,

Troubleshooting what seems to be mail being sent FROM our own domains *without authentication* TO anywhere.

On Sat, Jun 12, 2010 at 2:03 PM, Walter Pinto wrote:

> There's no need to be rude sir. I'm just trying to become more familiar
> with the Postfix system as an alternative to Qmail which I've had more real
> world experience dealing with,
>
> You have my problem reversed. I'm troubleshooting what seems to be mail
> being sent FROM our own domains TO anywhere
>
> On Sat, Jun 12, 2010 at 9:40 AM, Jeroen Geilman wrote:
>
>> On 06/12/2010 07:06 AM, Walter Pinto wrote:
>>
>> Recipient map is also SQL based, here's the config.
>>
>> [r...@mx sql]# cat relay_recipient_map.conf
>> user = xxx
>> password = xxx
>> dbname = xxx
>> query =
>> SELECT y
>> FROM relay_recipient_map
>> WHERE x='%s'
>>
>> I'm pretty sure I already know the answer, just need confirmation.
>>
>> Is this statement true or false? You cannot restrict sending mail to
>> authenticated sessions without also restricting incoming mail as well.
>>
>> I quote myself:
>>
>> Unless you want to leave your mail server unable to receive mail, you
>> normally allow mail to be sent TO your own domains FROM anywhere.
>>
>> Think about it.
>>
>> J.
>
> --
> Walter Pinto
> System Support / Administrator
> supp...@amhosting.com
> www.amhosting.com
> 4690 Longley Lane, Suite 34
> Reno, NV 89502
> 775.331.3319 866.425.2035

--
Walter Pinto
System Support / Administrator
supp...@amhosting.com
www.amhosting.com
4690 Longley Lane, Suite 34
Reno, NV 89502
775.331.3319 866.425.2035
Re: Sender Authentication
Thomas,

That makes sense thanks. What you described is the goal I'm trying to achieve.

On Sat, Jun 12, 2010 at 12:22 AM, Thomas Polliard wrote:

> On Jun 12, 2010, at 3:20 AM, Thomas Polliard wrote:
>
> I'm pretty sure I already know the answer, just need confirmation.
>
> Is this statement true or false? You cannot restrict sending mail to
> authenticated sessions without also restricting incoming mail as well.
>
> False
>
> False unless you don't want mail for your domain(s) at all.
>
> When a user wants to send mail to a domain NOT hosted by your mail server
> then you want them to authenticate to ensure that you are not an open relay,
> but incoming mail need not be restricted except to make sure that you are
> the MX for the domains.
>
> Make sense?
>
> Thomas

--
Walter Pinto
System Support / Administrator
supp...@amhosting.com
www.amhosting.com
4690 Longley Lane, Suite 34
Reno, NV 89502
775.331.3319 866.425.2035
Re: Sender Authentication
On Sat, 12 Jun 2010, Walter Pinto wrote:

> Troubleshooting what seems to be mail being sent FROM our own domains
> *without authentication* TO anywhere.

One option:

http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch

--
Sahil Tandon
Re: Sender Authentication
On 6/12/2010 4:04 PM, Walter Pinto wrote:

> Clarification,
>
> Troubleshooting what seems to be mail being sent FROM our own domains
> _without authentication_ TO anywhere.

Apparently we're having a hard time understanding exactly what you are asking for. Showing your "postconf -n" and logging of the unwanted behavior might help us understand.

If you want all local users to authenticate before sending mail, the solution is to remove the local LAN from the mynetworks setting, ie.

mynetworks = 127.0.0.1

--
Noel Jones
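
An added illustration of the point settled in this thread (not code from any poster and not Postfix's own code): a simplified Python model of first-match evaluation of the restriction list permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination. It shows that unauthenticated inbound mail for hosted domains is still accepted while relaying requires authentication, and that a LAN range in mynetworks bypasses authentication. The domains, addresses and user name are constructed.

```python
import ipaddress

# Constructed sample values, not taken from the thread.
HOSTED_DOMAINS = {"example.com"}          # domains this server is the MX for
RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                "reject_unauth_destination"]


def evaluate(client_ip, sasl_user, rcpt, mynetworks, restrictions=RESTRICTIONS):
    """Return (decision, deciding_restriction) for one RCPT TO command.

    Simplified model: restrictions are tried left to right, the first one
    that returns a verdict wins, and the implicit result at the end of the
    list is permit.
    """
    ip = ipaddress.ip_address(client_ip)
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in mynetworks):
                return "permit", name
        elif name == "permit_sasl_authenticated":
            if sasl_user:
                return "permit", name
        elif name == "reject_unauth_destination":
            if rcpt_domain not in HOSTED_DOMAINS:
                return "reject", name
        else:
            raise ValueError(f"restriction not modelled: {name}")
    return "permit", "end of list"


def scenarios(mynetworks):
    """Run the four cases discussed in the thread against one mynetworks value."""
    return {
        "inbound, unauthenticated stranger":
            evaluate("203.0.113.9", None, "user@example.com", mynetworks),
        "relay, unauthenticated stranger":
            evaluate("203.0.113.9", None, "someone@example.net", mynetworks),
        "relay, authenticated user":
            evaluate("203.0.113.9", "walter", "someone@example.net", mynetworks),
        "relay, unauthenticated LAN host":
            evaluate("192.168.1.50", None, "someone@example.net", mynetworks),
    }


if __name__ == "__main__":
    for label, nets in (("LAN in mynetworks", ["127.0.0.0/8", "192.168.1.0/24"]),
                        ("loopback only", ["127.0.0.1/32"])):
        print(label)
        for case, (decision, why) in scenarios(nets).items():
            print(f"  {case:36} {decision:7} ({why})")
```

With the LAN range listed, the unauthenticated LAN host is permitted by permit_mynetworks; with loopback only, the same host is rejected by reject_unauth_destination unless it authenticates.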
Strange problem : email refused during the night ???
Dear all,

a) I have a very strange problem with postfix, it worked for more than one year without problem, and now, for about one month some incoming emails started to fail in the night (approx. between 4AM and 5AM) but not every day, with errors like :

* Out: 451 4.3.0 : Temporary lookup failure
* Out: 451 4.3.0 Error: queue file write error

It's very strange for me, therefore any help on that subject would be greatly appreciated !

b) I found this interesting link, but it doesn't contain a solution, it just says "sending server will anyway retry later" :
http://flakshack.com/anti-spam/wiki/index.php?page=Queue+File+Write+Errors

c) More info :
That's what I see in the logs approximately at the same time these errors are seen :

Jun 11 04:45:21 cirrus postfix/trivial-rewrite[3636]: warning: dict_ldap_connect: Unable to bind to server ldap://localhost:389 as cn=, ou= , dc=hsolutions, dc=ch: -5 (Timed out)
Jun 11 04:45:25 cirrus postfix/trivial-rewrite[3648]: warning: dict_ldap_connect: Unable to bind to server ldap://localhost:389 as cn=, ou=, dc=hsolutions, dc=ch: -5 (Timed out)
Jun 11 04:45:26 cirrus postfix/smtpd[3411]: warning: dict_ldap_lookup: Search error -5: Timed out

or :

Jun 11 04:46:14 cirrus postfix/trivial-rewrite[3636]: fatal: ldap:/etc/postfix/ldap-aliases.cf(0,lock|fold_fix): table lookup problem
Jun 11 04:46:20 cirrus postfix/trivial-rewrite[3648]: fatal: ldap:/etc/postfix/ldap-aliases.cf(0,lock|fold_fix): table lookup problem

or:

Jun 11 04:46:30 cirrus postfix/master[17478]: warning: process /usr/libexec/postfix/trivial-rewrite pid 3636 exit status 1
Jun 11 04:46:31 cirrus postfix/master[17478]: warning: /usr/libexec/postfix/trivial-rewrite: bad command startup -- throttling
Jun 11 04:46:32 cirrus postfix/master[17478]: warning: process /usr/libexec/postfix/trivial-rewrite pid 3648 exit status 1

or even :

Jun 11 04:47:08 cirrus postfix/smtpd[3639]: warning: dict_ldap_lookup: Search error -5: Timed out
Jun 11 04:47:09 cirrus postfix/trivial-rewrite[3481]: warning: dict_ldap_lookup: Search error -5: Timed out
Jun 11 04:47:11 cirrus postfix/cleanup[3447]: warning: dict_ldap_lookup: Search error -5: Timed out
Jun 11 04:47:12 cirrus postfix/smtpd[3639]: NOQUEUE: reject: RCPT from host[IP]: 451 4.3.0 : Temporary lookup failure; from= to= proto=SMTP helo=
Jun 11 04:47:13 cirrus postfix/trivial-rewrite[3481]: fatal: ldap:/etc/postfix/ldap-domains.cf(0,lock|fold_fix): table lookup problem
Jun 11 04:47:14 cirrus postfix/cleanup[3447]: warning: 8E616B80020: virtual_alias_maps map lookup problem for r...@host
Jun 11 04:47:15 cirrus postfix/pickup[3593]: 8C561B80020: uid=0 from=
Jun 11 04:47:16 cirrus postfix/cleanup[3447]: 8C561B80020: message-id=<20100611024715.8c561b80...@host>
Jun 11 04:47:16 cirrus postfix/cleanup[3750]: warning: problem talking to service rewrite: Connection reset by peer
Jun 11 04:47:16 cirrus postfix/master[17478]: warning: process /usr/libexec/postfix/trivial-rewrite pid 3481 exit status 1
Jun 11 04:47:34 cirrus postfix/qmgr[17481]: 2916A7C0006: from=, size=13273, nrcpt=1 (queue active)
Jun 11 04:47:40 cirrus postfix/cleanup[3761]: A0A18B8002E: message-id=<20100611024714.a0a18b80...@host>
Jun 11 04:47:41 cirrus postfix/smtpd[3639]: disconnect from mail184.messagelabs.com[193.109.254.3]
Jun 11 04:47:49 cirrus postfix/cleanup[3750]: warning: dict_ldap_lookup: Search error -5: Timed out
Jun 11 04:47:49 cirrus postfix/cleanup[3750]: warning: A16B9B8000B: virtual_alias_maps map lookup problem for em...@domain.ch
Jun 11 04:47:49 cirrus postfix/qmgr[17481]: A0A18B8002E: from=, size=778, nrcpt=1 (queue active)
Jun 11 04:47:59 cirrus postfix/trivial-rewrite[3764]: warning: dict_ldap_lookup: Search error -5: Timed out
Jun 11 04:48:00 cirrus postfix/trivial-rewrite[3764]: fatal: ldap:/etc/postfix/ldap-aliases.cf(0,lock|fold_fix): table lookup problem
Jun 11 04:48:01 cirrus postfix/trivial-rewrite[3768]: warning: dict_ldap_connect: Unable to bind to server ldap://localhost:389 as cn=mailadmin, ou=***, dc=***, dc=ch: -5 (Timed out)
Jun 11 04:48:01 cirrus postfix/trivial-rewrite[3768]: fatal: ldap:/etc/postfix/ldap-aliases.cf(0,lock|fold_fix): table lookup problem
Jun 11 04:48:01 cirrus postfix/cleanup[3762]: warning: problem talking to service rewrite: Connection reset by peer
Jun 11 04:48:01 cirrus postfix/master[17478]: warning: process /usr/libexec/postfix/trivial-rewrite pid 3764 exit status 1
Jun 11 04:48:04 cirrus postfix/master[17478]: warning: process /usr/libexec/postfix/trivial-rewrite pid 3768 exit status 1

Thanks a lot in advance for any help !

Denis
Re: Strange problem : email refused during the night ???
On 6/12/2010 16:03, Denis BUCHER wrote:
>
> c) More info :
> That's what I see in the logs approximately at the same time these
> errors are seen :
>
> Jun 11 04:45:21 cirrus postfix/trivial-rewrite[3636]: warning:
> dict_ldap_connect: Unable to bind to server ldap://localhost:389 as
> cn=, ou=
> , dc=hsolutions, dc=ch: -5 (Timed out)
> Jun 11 04:45:25 cirrus postfix/trivial-rewrite[3648]: warning:
> dict_ldap_connect: Unable to bind to server ldap://localhost:389 as
> cn=, ou=, dc=hsolutions, dc=ch: -5 (Timed out)
> Jun 11 04:45:26 cirrus postfix/smtpd[3411]: warning: dict_ldap_lookup:
> Search error -5: Timed out
>

Well, according to this your LDAP server isn't working.

~Seth
Re: Strange problem : email refused during the night ???
On Sun, 13 Jun 2010, Denis BUCHER wrote:

> a) I have a very strange problem with postfix, it worked for more
> than one year without problem, and now, for about one month some
> incoming emails started to fail in the night (approx. between 4AM
> and 5AM) but not every day, with errors like :
>
> * Out: 451 4.3.0 : Temporary lookup failure
> * Out: 451 4.3.0 Error: queue file write error

[ .. ]

> Jun 11 04:45:21 cirrus postfix/trivial-rewrite[3636]: warning:
> dict_ldap_connect: Unable to bind to server ldap://localhost:389 as
> cn=, ou=

Your LDAP server stops responding; fix that.

--
Sahil Tandon
Re: Strange problem : email refused during the night ???
On 6/12/2010 7:48 PM, Sahil Tandon wrote:

> On Sun, 13 Jun 2010, Denis BUCHER wrote:
>
>> a) I have a very strange problem with postfix, it worked for more
>> than one year without problem, and now, for about one month some
>> incoming emails started to fail in the night (approx. between 4AM
>> and 5AM) but not every day, with errors like :
>>
>> * Out: 451 4.3.0: Temporary lookup failure
>> * Out: 451 4.3.0 Error: queue file write error
>
> [ .. ]
>
>> Jun 11 04:45:21 cirrus postfix/trivial-rewrite[3636]: warning:
>> dict_ldap_connect: Unable to bind to server ldap://localhost:389 as
>> cn=, ou=
>
> Your LDAP server stops responding; fix that.

The default config for Logrotate starts at, guess when, 4 AM.

During this time, LDAP's logs get rotated and then LDAP is supposed to be stopped and started at the END. Your logrotate COULD, however, be stopping LDAP service for the entire duration of logrotate and THEN started at the end of Logrotate. I think this is your problem!

Jerrale
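
An added example for this thread (not code from any poster): a Python triage script that pulls the LDAP lookup failures and the resulting 451 deferrals out of a Postfix syslog excerpt and reports when the burst happened, which daemons were hit, and how many events fall inside a daily job window. The sample lines are constructed in the format of the excerpts above, and the default 04:00 to 05:00 window is an assumption standing in for the logrotate run suggested in the thread.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, in the format of the log excerpts quoted in this thread.
SAMPLE = """\
Jun 11 03:12:40 cirrus postfix/smtpd[3301]: connect from host[IP]
Jun 11 04:45:21 cirrus postfix/trivial-rewrite[3636]: warning: dict_ldap_connect: Unable to bind to server ldap://localhost:389 as cn=mailadmin, ou=***, dc=***, dc=ch: -5 (Timed out)
Jun 11 04:45:26 cirrus postfix/smtpd[3411]: warning: dict_ldap_lookup: Search error -5: Timed out
Jun 11 04:46:14 cirrus postfix/trivial-rewrite[3636]: fatal: ldap:/etc/postfix/ldap-aliases.cf(0,lock|fold_fix): table lookup problem
Jun 11 04:47:12 cirrus postfix/smtpd[3639]: NOQUEUE: reject: RCPT from host[IP]: 451 4.3.0 : Temporary lookup failure; from= to= proto=SMTP helo=
Jun 11 04:48:04 cirrus postfix/master[17478]: warning: process /usr/libexec/postfix/trivial-rewrite pid 3768 exit status 1
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/([\w-]+)\[\d+\]: (.*)$")
KINDS = [  # (label, pattern); the first pattern that matches names the event
    ("ldap_bind_timeout", re.compile(r"dict_ldap_connect: Unable to bind")),
    ("ldap_search_timeout", re.compile(r"dict_ldap_lookup: Search error")),
    ("table_lookup_fatal", re.compile(r"fatal: ldap:\S+ table lookup problem")),
    ("smtp_451_deferral", re.compile(r"reject: .* 451 4\.3\.0 ")),
]


def ldap_failures(text, year=2010):
    """Return sorted (timestamp, daemon, kind) tuples for lookup-failure lines."""
    events = []
    for stamp, daemon, msg in (m.groups() for m in map(LINE.match, text.splitlines()) if m):
        kind = next((k for k, rx in KINDS if rx.search(msg)), None)
        if kind:
            # syslog timestamps carry no year, so the caller supplies one
            when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((when, daemon, kind))
    return sorted(events)


def summarize(text, window=("04:00", "05:00")):
    """Compare the failure burst with a daily job window given as HH:MM strings."""
    # The default window is an assumption; take the real one from your cron setup.
    events = ldap_failures(text)
    if not events:
        return None
    in_window = sum(window[0] <= t.strftime("%H:%M") < window[1] for t, _, _ in events)
    return {
        "first": events[0][0].strftime("%H:%M:%S"),
        "last": events[-1][0].strftime("%H:%M:%S"),
        "by_kind": dict(Counter(k for _, _, k in events)),
        "by_daemon": dict(Counter(d for _, d, _ in events)),
        "in_window": in_window, "total": len(events),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

If every failure falls inside the window on the nights mail is deferred and none outside it, the scheduled job is the first thing to inspect.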
Re: Spoofed freemail domains protection not working for postmaster
Покотиленко Костик put forth on 6/11/2010 2:24 PM:

> This client name unmungled:
>
> smtp.harddriveme.com [111.67.206.181]

This should have been caught by one of the two SORBS lists you said you added per my advice. SORBS has been listing the parent /20 since Nov 2009.

Netblock: 111.67.192.0/20 (111.67.192.0-111.67.207.255)
Record Created: Thu Nov 12 03:59:27 2009 GMT
Record Updated: Thu Nov 12 03:59:27 2009 GMT
Additional Information: Viagra / Medz Mass spammers spam support

http://www.au.sorbs.net/using.shtml

Did you reload Postfix after editing main.cf? If so, you need to make sure your white listing and other checks that precede and follow your dnsbl checks aren't causing these spam connections to be accepted. I had similar problems quite some time ago until folks here convinced me to go with the "everything under smtpd_recipient_restrictions" method. This allows you to more easily dictate and verify the exact processing order of your restrictions.

> I only changed my domain name to example.com. This mail server
> smtp/pop/imap box which is MX for my domain. Mail server is in DMZ,
> darkstar is its local name. Router is doing DNAT for connects on 25
> port on external domain and mx ip.

Ok, got it.

> If I made log unreadable I can repost it unchanged, just let me know.

No, I just needed to see that client unmunged for reasons stated above. That particular IP address is listed by SORBS. Your MX should be rejecting it based on that. Like I said, if it's not, something else is wrong that needs to be looked into.

--
Stan