Re: Postfix and Portimail Issues
The Stovebolt Geek:
> --On October 11, 2012 4:38:12 PM -0500 Noel Jones wrote:
>
> > On 10/11/2012 4:05 PM, Paul Schmehl wrote:
> >> mynetworks = 127.0.0.0/8,IP.Of.Fortimail.Firewall
> >
> > While that may mask the problem, it is almost certainly the wrong
> > solution.
>
> Please explain why.
>
> I'll grant you I left off the CIDR mask. My example should have been:
> mynetworks = 127.0.0.0/8,IP.Of.Fortimail.Firewall/32

Are you now an open mail relay?

	Wietse
Re: Postfix and Portimail Issues
On 10/11/2012 11:34 PM, The Stovebolt Geek wrote:
> --On October 11, 2012 4:38:12 PM -0500 Noel Jones wrote:
>
>> On 10/11/2012 4:05 PM, Paul Schmehl wrote:
>>> mynetworks = 127.0.0.0/8,IP.Of.Fortimail.Firewall
>>
>> While that may mask the problem, it is almost certainly the wrong
>> solution.
>>
>
> Please explain why.

If outside mail arrives from that IP, adding it to mynetworks could make you an open relay.

-- Noel Jones
Re: Postfix and Portimail Issues
On 12.10.2012 12:56, Noel Jones wrote:
> On 10/11/2012 11:34 PM, The Stovebolt Geek wrote:
>> --On October 11, 2012 4:38:12 PM -0500 Noel Jones wrote:
>>
>>> On 10/11/2012 4:05 PM, Paul Schmehl wrote:
>>>> mynetworks = 127.0.0.0/8,IP.Of.Fortimail.Firewall
>>>
>>> While that may mask the problem, it is almost certainly the wrong
>>> solution.
>>>
>>
>> Please explain why.
>
> If outside mail arrives from that IP, adding it to mynetworks could
> make you an open relay.

Explain how outside mail arrives through a spam firewall to become an open relay?

mynetworks = client IPs you trust completely; usually you trust your own filter gateway.
Re: Postfix and Portimail Issues
On Thu, Oct 11, 2012 at 04:05:14PM -0500, Paul Schmehl wrote:
> mynetworks = 127.0.0.0/8,IP.Of.Fortimail.Firewall

(BTW the /32 is implied, you do not need to specify it.)

This in reply to:

> --On October 11, 2012 1:44:04 PM -0700 BeauSanders wrote:
>
> >I am attempting to configure a Postfix MTA in CentOS 6.3 for our
> >school. The Postfix server has to send and receive email through
> >a Fortimail firewall. Outgoing email is working fine. Email sent
> >locally using the mail command to a local user on the
> >CentOS/Postfix server works fine. However, all email coming in to
> >the Fortimail firewall addressed to users on the Postfix server
> >is NOT being accepted by Postfix. Inbound mail from Fortimail is
> >being deferred and ultimately rejected by Postfix. It appears the
> >email is being forwarded/relayed from the Fortimail firewall to
> >the Postfix server. There are no errors on the Fortimail firewall.

And subsequently Paul wondered why this was considered the wrong solution to the problem.

One potential problem I see is that of mail loops. Fortimail is allowing Postfix to relay, and is our relayhost. If Fortimail believes Postfix should handle a certain address, but Postfix does not agree, it will loop.

With Fortimail in $mynetworks, Postfix allows it to relay. And from the problem description above, it does not sound like relaying is needed. Fortimail wants Postfix to take this mail for final delivery, and $mynetworks won't help with that.

I don't think open relay is likely to be the result, but again, there's no reason why a relayhost should EVER be in $mynetworks.

The ball is in the OP's court, so to speak, to better define the problem and to share the logs which show it.

> >Here is the main.cf file as it is currently configured:

snip

-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: Postfix and Portimail Issues
On 12.10.2012 13:55, /dev/rob0 wrote:
> I don't think open relay is likely to be the result, but again,
> there's no reason why a relayhost should EVER be in $mynetworks

Surely it is:

* barracuda as MX
* postfix as mail-server
* check_recipient_access proxy:mysql:/etc/postfix/mysql-spamfilter.cf

EVERY message without SASL or from mynetworks goes directly to the barracuda spamfilter, and if it is OK it comes back.

This prevents spammers from ignoring the MX and trying to spit their crap directly at "mail.thelounge.net". Not many, but hey - there has to be no single message which did not go through the spam/virus filter.
Re: Postfix and Portimail Issues
On 12.10.2012 13:05, Reindl Harald wrote:
>
> On 12.10.2012 12:56, Noel Jones wrote:
>> On 10/11/2012 11:34 PM, The Stovebolt Geek wrote:
>>> --On October 11, 2012 4:38:12 PM -0500 Noel Jones wrote:
>>>> On 10/11/2012 4:05 PM, Paul Schmehl wrote:
>>>>> mynetworks = 127.0.0.0/8,IP.Of.Fortimail.Firewall
>>>>
>>>> While that may mask the problem, it is almost certainly the wrong
>>>> solution.
>>>
>>> Please explain why.
>>
>> If outside mail arrives from that IP, adding it to mynetworks could
>> make you an open relay.
>
> explain how outside mail arrives through a spamfirewall
> to become an open relay?
>
> mynetworks = client-ips you trust completely
> usually you trust your own filter-gateway

Needless to speculate until there is an exact, detailed description of how the spam firewall, in this case Portimail, works. This is the postfix mailing list; recommendations on how Portimail should be connected to, i.e., postfix should be provided by Portimail, not vice versa.

After all, I couldn't find something useful about Portimail by web search. I found fortimail:
http://www.fortinet.com/products/fortimail/

As it looks like a commercial product, ask their support. For fortigate (the firewall solution) there is nat mode and transparent mode; antispam/antivirus is optional. Speculation: you need to know what mode you're running to get the best postfix config, at minimum. There is also a product itself called fortimail (which seems to be a full working mail solution, no need then for postfix).

-- 
Best Regards
MfG Robert Schetterer
clamsmtp or clamav-milter for antivirus with postfix 2.9?
Hello,

This might be off topic, but I was wondering: I am using Postfix 2.9.x and am wanting to integrate antivirus capabilities. What are the differences between clamsmtp and clamav-milter? I'm wondering which one would be better for an antivirus setup?

Thanks.
Dave.
Re: clamsmtp or clamav-milter for antivirus with postfix 2.9?
On Friday, October 12, 2012 12:38:28 PM David Mehler wrote:
> Hello,
>
> This might be off topic, but I was wondering I am using Postfix 2.9.x
> and am wanting to integrate antivirus capabilities. What are the
> differences between clamsmtp and clamav-milter? I'm wondering which
> one would be better for an antivirus setup?

In situations where I was only doing anti-virus and not anti-spam, I've used clamsmtp for years with no issues. It hasn't had a release in a while, but only because it does what it was designed to do and the author decided not to try to make it into a swiss army knife. I know in Debian/Ubuntu clamav-milter doesn't have a lot of users and does not get heavily tested. I don't know generally though and have never used it.

In situations where you are doing both A/V and A/S, then I would integrate clamav with postfix using amavisd-new.

Scott K
Re: clamsmtp or clamav-milter for antivirus with postfix 2.9?
On 10/12/2012 11:47 AM, Scott Kitterman wrote:
> On Friday, October 12, 2012 12:38:28 PM David Mehler wrote:
>> Hello,
>>
>> This might be off topic, but I was wondering I am using Postfix 2.9.x
>> and am wanting to integrate antivirus capabilities. What are the
>> differences between clamsmtp and clamav-milter? I'm wondering which
>> one would be better for an antivirus setup?
>
> In situations where I was only doing anti-virus and not anti-spam, I've used
> clamsmtp for years with no issues. It hasn't had a release in awhile, but
> only because it does what it was designed to do and the author decided not to
> try to make it into a swiss army knife. I know in Debian/Ubuntu clamav-milter
> doesn't have a lot of users and does not get heavily tested. I don't know
> generally though and have never used it.
>
> In situation where you are doing both A/V and A/S, then I would integrate
> clamav with postfix using amavisd-new.
>
> Scott K
>

+1 for clamav + amavisd-new (which uses clamdscan internally). You can also use amavisd-new as a smtpd_proxy_filter with postfix if you want before-queue scanning.

If you don't want or need amavisd-new, clamav-milter works well with postfix; I've used it for a couple years.

-- Noel Jones
Re: clamsmtp or clamav-milter for antivirus with postfix 2.9?
On 12.10.2012 18:47, Scott Kitterman wrote:
> On Friday, October 12, 2012 12:38:28 PM David Mehler wrote:
>> Hello,
>>
>> This might be off topic, but I was wondering I am using Postfix 2.9.x
>> and am wanting to integrate antivirus capabilities. What are the
>> differences between clamsmtp and clamav-milter? I'm wondering which
>> one would be better for an antivirus setup?
>
> In situations where I was only doing anti-virus and not anti-spam, I've used
> clamsmtp for years with no issues. It hasn't had a release in awhile, but
> only because it does what it was designed to do and the author decided not to
> try to make it into a swiss army knife. I know in Debian/Ubuntu clamav-milter
> doesn't have a lot of users and does not get heavily tested. I don't know
> generally though and have never used it.

I have used clamav-milter with 5000 users for years, no problems. Before that I used clamsmtp, no problems.

A milter is before-queue, so you're able to reject infected mails in the SMTP income stage (very cool):
http://www.postfix.org/MILTER_README.html

clamsmtp is after-queue, like the typical amavis filter, so you already have the infected mail in the queue and have to do something with it (quarantine etc.). In Germany it's not allowed to, i.e., delete infected mails which are already queued, so at minimum you have to inform the recipient that he got an infected mail; bouncing to the sender is no good option after queue because it may be faked.

So for low traffic sites clamav-milter is an easy and good option. You can also add the sanesecurity antispam signatures additionally, so you have basic antispam and antivirus. clamav-milter is also fast enough for scanning sasl_authed outgoing mail by your users. I also have combined it with spamass-milter (but only for unauthenticated incoming mail).

For more complex wishes use amavis.

>
> In situation where you are doing both A/V and A/S, then I would integrate
> clamav with postfix using amavisd-new.
>
> Scott K
>

-- 
Best Regards
MfG Robert Schetterer
Postfix and LDAP connection management
Dear all,

I am trying to resolve some LDAP issues, and I've been asked about Postfix's connection management behavior. How many concurrent connections to a given LDAP server will proxymap(8) open? When does it close a connection, and when does it open a new one? I checked the man page, but it didn't go into this kind of detail.

Thanks,

-- 
Ben Rosengart                  "Like all those possessing a library,
Sendmail, Inc.                  Aurelian was aware that he was guilty of
+1 718 431 3822                 not knowing his in its entirety [...]"
                                                    -- Jorge Luis Borges
Re: Postfix and Portimail Issues
--On October 12, 2012 6:49:06 AM -0400 Wietse Venema wrote:

> The Stovebolt Geek:
>> --On October 11, 2012 4:38:12 PM -0500 Noel Jones wrote:
>>> On 10/11/2012 4:05 PM, Paul Schmehl wrote:
>>>> mynetworks = 127.0.0.0/8,IP.Of.Fortimail.Firewall
>>>
>>> While that may mask the problem, it is almost certainly the wrong
>>> solution.
>>
>> Please explain why.
>>
>> I'll grant you I left off the CIDR mask. My example should have been:
>> mynetworks = 127.0.0.0/8,IP.Of.Fortimail.Firewall/32
>
> Are you now an open mail relay?

That depends on how both hosts are configured. In my case the relaying host only listens on 127.0.0.1, so any mail relayed through the MX originates on that box.

In the case of the OP, the MX should be configured to only accept mail from the firewall when the final recipient is internal.

Is there an alternative way to get the MX to accept mail from the firewall?

Paul Schmehl (g...@stovebolt.com)
The Stovebolt Geek
The Net's Oldest and Most Complete Resource for Antique Chevy and GM Trucks
http://www.stovebolt.com
Re: Postfix and LDAP connection management
Ben Rosengart:
> Dear all,
> I am trying to resolve some LDAP issues, and I've been asked about
> Postfix's connection management behavior. How many concurrent
> connections to a given LDAP server will proxymap(8) open?

One proxymap process should make zero or one LDAP connection per LDAP configuration file. By design it uses the same LDAP handle for all queries that resolve to the same LDAP configuration file.

There are as many proxymap processes as needed to handle the query load. A new proxymap process is created when a client process wants to look up something, and all proxymap servers are busy (this is an over-simplification, as a client will reuse its proxymap handle for a limited time).

> When does
> it close a connection, and when does it open a new one? I checked the
> man page, but it didn't go into this kind of detail.

I don't know when (if ever) an LDAP or *SQL connection is closed other than by process termination.

As for connections between proxymap clients and servers, that has changed over time. Many connections between Postfix daemons are controlled by ipc_idle, ipc_timeout, and ipc_ttl, but some daemons have their own because their requirements differ. For example the queue manager can't afford to wait 3600 seconds.

	Wietse
Re: Postfix and Fortimail Issues
First, I would like to thank those of you that have replied to this thread. I appreciate the feedback so far. I need to apologize for my typo... the email gateway/firewall is Fortimail, as you figured out.

I have implemented the suggestions that you have suggested so far:

1. Changed mynetworks to include fortimail.firewall.ip.address/32
2. Determined the Fortimail firewall is running in gateway mode
3. Researched the Fortimail knowledge base for help with postfix setup; nothing found
4. Examined /var/log/maillog and found no bounced or received messages from non-local addresses

To better explain what we are doing, our postfix server is running CentOS 6.3. We are setting it up to run the phplist mailing list manager. phplist has a bounce management feature that requires a pop3 account and a local user inbox to collect bounced messages. Herein lies the problem... since no messages are being received by postfix, the bounce management feature of phplist does not work. We are trying to manage a mailing list of around 12,000 students, so bounce management is important.

Our postfix server is the final destination for inbound mail. All inbound mail has to be relayed from the Fortimail firewall. Outbound from the postfix server is working fine. Inbound mail is being blocked, apparently by our postfix server. Here is a sample of the warning message being sent by postmaster at our postfix server:

    Warning: could not send message for past 1 hour
    postmaster

      **      THIS IS A WARNING MESSAGE ONLY      **
      **  YOU DO NOT NEED TO RESEND YOUR MESSAGE  **

    The original message was received at Fri, 12 Oct 2012 08:57:28 -0400
    from:

      ----- Transcript of session follows -----
    ... Deferred: Connection timed out with bps.gvltec.edu.
    Warning: message still undelivered after 1 hour
    Will keep trying until message is 2 days old

I have researched the string "Deferred: Connection timed out" to see if I can figure out what is not working, but have not yet located a solution.

Our Fortimail administrator has been helpful but tells me that he is NOT receiving any errors and he is forwarding/relaying all inbound email to our postfix server.

I hope this better explains where we are at finding a solution. Once again, thank you so much for sharing your experience and expertise with us.

-Beau
Re: Postfix and Portimail Issues
The Stovebolt Geek:
> In the case of the OP, the MX should be configured to only accept mail from
> the firewall when the final recipient is internal.
>
> Is there an alternative way to get the MX to accept mail from the firewall?

The proper way is one of the following:

- If the MX host is final destination, list the domain in mydestination, virtual_alias_domains or virtual_mailbox_domains (and list the valid recipients in local_recipient_maps, virtual_alias_maps, or virtual_mailbox_maps).

- If the MX host is not the final destination, list the domain in relay_domains, and list the recipients in relay_recipient_maps.

http://www.postfix.org/ADDRESS_CLASS_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

	Wietse
Re: Postfix and Fortimail Issues
BeauSanders:
> Inbound mail is being blocked apparently by our postfix server.

Can you see "connect from" logging in the Postfix logfile?

Can you see the network packets when something tries to connect to your Postfix machine?

Does your Postfix machine have iptables etc. that block port 25?

Is Postfix configured to listen on port 25?

Is Postfix configured to listen on 70.150.177.95?

	Wietse
Re: Postfix and Fortimail Issues
beau.sand...@gvltec.edu:
> tcp        0      0 0.0.0.0:25    0.0.0.0:*    LISTEN

What about iptables, do you have a rule that permits port 25 traffic into the machine?

Now, there may *also* be mistakes in Postfix configuration, but those mistakes don't matter while the machine can't receive port 25 connections.

	Wietse
Re: Postfix and LDAP connection management
On Fri, Oct 12, 2012 at 03:13:20PM -0400, Wietse Venema wrote:
> > I am trying to resolve some LDAP issues, and I've been asked about
> > Postfix's connection management behavior. How many concurrent
> > connections to a given LDAP server will proxymap(8) open?
>
> One proxymap process should make zero or one LDAP connection per LDAP
> configuration file. By design it uses the same LDAP handle for all
> queries that resolve to the same LDAP configuration file.

There is often fewer than one connection per table, because LDAP tables share connections that have the same connection properties. (I contributed code to make this work in both Sendmail and Postfix, so they behave similarly in this regard).

The set of properties which are connection properties is easiest to describe by quoting the source (which has a very improbable collision issue when using consecutive integers, as they don't get a delimiter between their digits :-( ).

    #ifdef LDAP_API_FEATURE_X_OPENLDAP
        int     sslon = dict_ldap->start_tls || dict_ldap->ldap_ssl;
    #endif
        LDAP_CONN *conn;

    #define ADDSTR(vp, s) vstring_memcat((vp), (s), strlen((s))+1)
    #define ADDINT(vp, i) vstring_sprintf_append((vp), "%lu", (unsigned long)(i))

        ADDSTR(keybuf, dict_ldap->server_host);
        ADDINT(keybuf, dict_ldap->server_port);
        ADDINT(keybuf, dict_ldap->bind);
        ADDSTR(keybuf, DICT_LDAP_DO_BIND(dict_ldap) ? dict_ldap->bind_dn : "");
        ADDSTR(keybuf, DICT_LDAP_DO_BIND(dict_ldap) ? dict_ldap->bind_pw : "");
        ADDINT(keybuf, dict_ldap->dereference);
        ADDINT(keybuf, dict_ldap->chase_referrals);
        ADDINT(keybuf, dict_ldap->debuglevel);
        ADDINT(keybuf, dict_ldap->version);
    #ifdef LDAP_API_FEATURE_X_OPENLDAP
    #if defined(USE_LDAP_SASL)
        ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_mechs : "");
        ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_realm : "");
        ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_authz : "");
        ADDINT(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_minssf : 0);
    #endif
        ADDINT(keybuf, dict_ldap->ldap_ssl);
        ADDINT(keybuf, dict_ldap->start_tls);
        ADDINT(keybuf, sslon ? dict_ldap->tls_require_cert : 0);
        ADDSTR(keybuf, sslon ? dict_ldap->tls_ca_cert_file : "");
        ADDSTR(keybuf, sslon ? dict_ldap->tls_ca_cert_dir : "");
        ADDSTR(keybuf, sslon ? dict_ldap->tls_cert : "");
        ADDSTR(keybuf, sslon ? dict_ldap->tls_key : "");
        ADDSTR(keybuf, sslon ? dict_ldap->tls_random_file : "");
        ADDSTR(keybuf, sslon ? dict_ldap->tls_cipher_suite : "");
    #endif

So the ADDINT macro should use " %lu" rather than "%lu".

-- 
	Viktor.
Re: Postfix and LDAP connection management
Viktor Dukhovni:
> So the ADDINT macro should use " %lu" rather than "%lu".

Just to be safe, should not there be a delimiter between string fields, too? That would be the equivalent of " %s".

	Wietse
Re: clamsmtp or clamav-milter for antivirus with postfix 2.9?
On Oct 12, 2012, at 19:04, Noel Jones wrote:
> On 10/12/2012 11:47 AM, Scott Kitterman wrote:
>> On Friday, October 12, 2012 12:38:28 PM David Mehler wrote:
>>> Hello,
>>>
>>> This might be off topic, but I was wondering I am using Postfix 2.9.x
>>> and am wanting to integrate antivirus capabilities. What are the
>>> differences between clamsmtp and clamav-milter? I'm wondering which
>>> one would be better for an antivirus setup?
>>
>> In situations where I was only doing anti-virus and not anti-spam, I've used
>> clamsmtp for years with no issues. It hasn't had a release in awhile, but
>> only because it does what it was designed to do and the author decided not to
>> try to make it into a swiss army knife. I know in Debian/Ubuntu clamav-milter
>> doesn't have a lot of users and does not get heavily tested. I don't know
>> generally though and have never used it.
>>
>> In situation where you are doing both A/V and A/S, then I would integrate
>> clamav with postfix using amavisd-new.
>>
>> Scott K
>>
>
> +1 for clamav + amavisd-new (which uses clamdscan internally). You
> can also use amavisd-new as a smtpd_proxy_filter with postfix if you
> want before-queue scanning.
>
> If you don't want or need amavisd-new, clamav-milter works well with
> postfix; I've used it for a couple years.

We use clamav-milter on our relay servers (which run Debian) without any issues. There was some bug last year, IIRC, where clamd would bug out and needed a restart, but that would be detected by the milter, and it'd switch to passthru. Has since been resolved, it seems.

Cya,
Jona
Re: Postfix and LDAP connection management
On Fri, Oct 12, 2012 at 07:13:43PM -0400, Wietse Venema wrote:
> > So the ADDINT macro should use " %lu" rather than "%lu".
>
> Just to be safe, should not there be a delimiter between
> string fields, too? That would be the equivalent of " %s".

Those are already NUL delimited. The vstring_memcat includes the terminating NUL byte. The hash table key is binary, not ASCII.

We could for consistency NUL terminate the ints also:

    "%lu%c", (unsigned long) i, '\0'

That way ints don't merge with the start of strings that follow them either, otherwise we technically need " %lu " to guard on both ends.

In practice such collisions are exceedingly unlikely (I don't think they've ever happened and likely never will for a real configuration), but I am not a fan of keeping it wrong, no matter how improbable.

-- 
	Viktor.
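The connection-key construction Viktor quoted and the delimiter fixes discussed in this thread, as an added C example that is not Postfix's own code: a minimal stand-in for the VSTRING key buffer with the three ADDINT variants (bare "%lu", " %lu", and "%lu" plus a NUL byte), driven with constructed host/port/bind/bind_dn values chosen so the digits run together.

```c
/* Added example, not Postfix code: KEYBUF stands in for VSTRING, and the
 * field values below are constructed to provoke the collisions discussed. */
#include <stdio.h>
#include <string.h>

typedef struct {
    char   buf[256];
    size_t len;
} KEYBUF;                       /* stand-in for Postfix's VSTRING */

typedef void (*addint_fn)(KEYBUF *, unsigned long);

/* ADDSTR: copy the string including its NUL, like vstring_memcat(). */
static void addstr(KEYBUF *k, const char *s)
{
    size_t n = strlen(s) + 1;
    memcpy(k->buf + k->len, s, n);
    k->len += n;
}

/* ADDINT as quoted in the thread: bare "%lu", no delimiter at all. */
void addint_plain(KEYBUF *k, unsigned long i)
{
    k->len += (size_t) snprintf(k->buf + k->len, sizeof k->buf - k->len, "%lu", i);
}

/* First suggestion: " %lu" guards the left side of the number only. */
void addint_space(KEYBUF *k, unsigned long i)
{
    k->len += (size_t) snprintf(k->buf + k->len, sizeof k->buf - k->len, " %lu", i);
}

/* Final suggestion: "%lu%c" with '\0', framed the same way as the strings. */
void addint_nul(KEYBUF *k, unsigned long i)
{
    k->len += (size_t) snprintf(k->buf + k->len, sizeof k->buf - k->len, "%lu", i);
    k->buf[k->len++] = '\0';
}

/* Keys are binary: equal bytes means the two tables would share one connection. */
static int same_key(const KEYBUF *a, const KEYBUF *b)
{
    return a->len == b->len && memcmp(a->buf, b->buf, a->len) == 0;
}

/* host, port, bind: port 12 + bind 3 versus port 1 + bind 23 ("123" either way). */
int ints_merge(addint_fn addint)
{
    KEYBUF a = {{0}, 0}, b = {{0}, 0};
    addstr(&a, "ldap.example"); addint(&a, 12); addint(&a, 3);
    addstr(&b, "ldap.example"); addint(&b, 1);  addint(&b, 23);
    return same_key(&a, &b);
}

/* bind, bind_dn: an integer immediately followed by a string
 * (bind 1 + dn "2cn=x" versus bind 12 + dn "cn=x"). */
int int_string_merge(addint_fn addint)
{
    KEYBUF a = {{0}, 0}, b = {{0}, 0};
    addstr(&a, "ldap.example"); addint(&a, 1);  addstr(&a, "2cn=x");
    addstr(&b, "ldap.example"); addint(&b, 12); addstr(&b, "cn=x");
    return same_key(&a, &b);
}
```

With addint_plain both pairs collide, addint_space still merges an integer into a following string, and only addint_nul keeps every field separate.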