Re: C/C++ based Content filter API
On Nov 23, 2012, at 08:58, Sharma, Ashish wrote:

> Jona,
>
> The suggested solution is too specific to postfix, in my solution I might use
> SMTP aware content filter like amavisd-new prior to feeding mail to my own
> custom content filter, so pipe is not suitable in my case.
>
> I am looking for a SMTP aware content filter api in C/C++ just like
> 'subethasmtp' (http://code.google.com/p/subethasmtp/) for Java.

I think you either did not read/understand the documentation, are asking on the wrong list, or both. Postfix supports several ways to chain together components, and build custom mail workflows. Passing mail to amavisd-new before redirecting it to a pipe is not a problem, for example, and that's just one of the options available.

If your Google search for C/C++ libraries did not yield any usable results, and the use of Python, Perl, Java or what have you is not an option, then you'll either have to write something from scratch, or redefine your problem.

Cya,
Jona

--

> -Original Message-
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of DTNX Postmaster
> Sent: Wednesday, November 21, 2012 9:50 PM
> To: Postfix users
> Subject: Re: C/C++ based Content filter API
>
> On Nov 21, 2012, at 15:10, Sharma, Ashish wrote:
>
>> Any comments on the following posted queries.
>
> I suggest you read the documentation available, such as;
>
> http://www.postfix.org/documentation.html
> http://www.postfix.org/CONTENT_INSPECTION_README.html
> http://www.postfix.org/FILTER_README.html
> http://www.postfix.org/pipe.8.html
>
> Cya,
> Jona
>
> --
>
>> -Original Message-
>> From: owner-postfix-us...@postfix.org
>> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Sharma, Ashish
>> Sent: Monday, November 19, 2012 8:35 PM
>> To: postfix-users@postfix.org
>> Subject: C/C++ based Content filter API
>>
>> Hi,
>>
>> I am implementing a customized enterprise solution where I need to receive
>> an email , pull out the contents from the email and initiate some enterprise
>> operations based on the received content of the email.
>>
>> I am using Postfix as mail receiving server and, for mail parsing I am
>> planning to use Gmime (http://spruce.sourceforge.net/gmime/),
>>
>> The real problem here I am facing is that I am unable to find a good C/C++
>> based Content filter api, as one is provided in java like 'subethasmtp'
>> (http://code.google.com/p/subethasmtp/).
>>
>> Can someone suggest one please?
>>
>> Thanks in advance!!!
>>
>> Ashish
>
Re: C/C++ based Content filter API
Sharma, Ashish:
> Jona,
>
> The suggested solution is too specific to postfix, in my solution
> I might use SMTP aware content filter like amavisd-new prior to
> feeding mail to my own custom content filter, so pipe is not
> suitable in my case.

CONTENT_INSPECTION_README introduces two SMTP-based filter solutions.

> I am looking for a SMTP aware content filter api in C/C++ just
> like 'subethasmtp' (http://code.google.com/p/subethasmtp/) for
> Java.

Amavisd-new is widely used with Postfix and already does all the MIME parsing that you need.

Wietse
Re: OpenSSL: TXT_DB error number 2
>> > $ openssl s_client -starttls smtp -connect mail.example.com:25
>>
>> The above command returned
>>
>> SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol
>
> Check the server logs.

/var/log/mail.info:

warning: cannot get RSA private key from file /etc/postfix/smtpd.pem: disabling TLS support
warning: TLS library problem ... Expecting: ANY PRIVATE KEY

I used these commands [0] to create smtpd.pem:

# cd /etc/postfix
# tmp=$(mktemp smtpd.pem.XX)
# openssl req -x509 -new -newkey rsa:1280 -nodes -keyout /dev/stdout \
    -days $((365 * 10)) -subj "/CN=mail.example.com" > $tmp
# chmod 0600 $tmp
# mv $tmp smtpd.pem

Why Postfix fail to get a key from smtpd.pem?

main.cf:

smtpd_tls_cert_file = /etc/postfix/smtpd.pem
smtpd_tls_key_file = /etc/postfix/smtpd.pem

Thanks

[0] http://article.gmane.org/gmane.mail.postfix.user/233328
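An added example, not part of the original post: a shell check for a combined certificate-and-key file such as the smtpd.pem above. OpenSSL reports "Expecting: ANY PRIVATE KEY" when it finds no private-key block in the file it was given, so the script lists the PEM blocks present, confirms the file is owner-only, and compares key and certificate with the openssl CLI. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity checks for a combined certificate + key PEM file.
# Function names are hypothetical; the path in the usage line is the one
# from the message above.

# Print the label of every PEM BEGIN line ("PRIVATE KEY", "CERTIFICATE", ...).
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Structural check. Returns 0 only if the file has a private key block and a
# certificate block, balanced BEGIN/END lines, and no group/other access.
check_combined_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "$pem: cannot read"; return 2; }
    rc=0
    labels=$(pem_labels "$pem")
    printf '%s\n' "$labels" | grep -q 'PRIVATE KEY$' ||
        { echo "$pem: no PRIVATE KEY block"; rc=1; }
    printf '%s\n' "$labels" | grep -qx 'CERTIFICATE' ||
        { echo "$pem: no CERTIFICATE block"; rc=1; }
    begins=$(grep -c '^-----BEGIN ' "$pem" || true)
    ends=$(grep -c '^-----END ' "$pem" || true)
    [ "$begins" -eq "$ends" ] ||
        { echo "$pem: $begins BEGIN lines, $ends END lines"; rc=1; }
    mode=$(ls -ld "$pem" | cut -c5-10)
    [ "$mode" = "------" ] ||
        { echo "$pem: group/other permissions set ($mode)"; rc=1; }
    return "$rc"
}

# Cryptographic check (needs the openssl CLI and an unencrypted key): the
# public key derived from the private key must equal the certificate's.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    from_crt=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    [ "$from_key" = "$from_crt" ]
}

# Usage: sh check-pem.sh /etc/postfix/smtpd.pem
if [ $# -gt 0 ]; then
    check_combined_pem "$1" && key_matches_cert "$1" && echo "$1: ok"
fi
```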
SSL Certificates
I was wondering who is the best CA Cert for Postfix?

--
Member - Liberal International This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k
Merry Christmas 2012 and Happy New Year 2013
Re: Initial 220 greeting timeout
On 11/22/2012 12:39 PM, Alex wrote:
> Hi,
>
>>> I'm sure by now it's in the PBL or SBL.
>>
>> This is a bad assumption. The PBL lists dynamics/etc, not snowshoe IPs.
>
> Right, that makes sense. A spammer wouldn't have access to a
> consecutive block of dynamic IPs, like from a cable company or
> Verizon. It still could mean that it's listed in the PBL by now,
> though.

Again, the IP in question will never be listed in the PBL. SBL maybe, PBL no. Might be time to brush up on Spamhaus various lists and their criteria.

>>> They were later all tagged as spam, but it would definitely be nice to
>>> be blocking these outright with postscreen. I've now added an iptables
>>> rule manually, but I wish there was a way to build in some
>>> intelligence to automate it, such as with fail2ban.
>>
>> Unfortunately fail2ban doesn't work for snowshoe. The rate is
>> intentionally low, which is why snowshoe avoids most trap driven DNSBLs
>> as well.
>
> I have fail2ban working with dnsblog. It may not necessarily work for
> snowshoe, but it works well for repeated attempts.

Fail2ban doesn't stop spam. It merely shifts the burden of rejection from Postfix to the IP stack. And it won't work for snowshoe because you're never going to detect snowshoe with Postscreen, or any Postfix controls.

> Just to confirm my
> understanding, dnsblog does the lookup and logging, then rejects based
> on the policy, correct? So it wouldn't be necessary filter on
> postscreen entries because it's the same IP log info as with dnsblog?

Someone else will need to answer this.

>>> Are you suggesting I increase the weight of the BRBL with postscreen?
>>
>> I don't use postscreen. I block outright in SMTPD on any DNSBL hit.
>> I.e. I don't use weighting. With any of the reputable DNSBLs you should
>> probably outright block, not score. So set postscreen weighting so any
>
> Okay, I've set the postscreen threshold to 1, so any hit is a reject.
> It's already dramatically increased the number of rejects.

And decreased the load on your content filters as well, I presume, and likely decreased or eliminated your 220 delay issue.

> I've also added the reject_rhsbl_reverse_client and other rhsbl
> statements you've recommended. I decided not to bother with
> warn_if_reject and trust the DNSBLs. I realize it's doing twice as
> many DNS lookups for now.

You're using SA which makes all of these same DNSBL lookups. So you're not doing any extra lookups, just doing them sooner in the cycle. If mail reaches SA its lookups are now local to your resolver, which speeds up SA as it doesn't have to wait for remote DNS server responses.

> I'll also have to whitelist any false
> positive IPs in multiple places for now too.

RHSBL restrictions trigger on domains, not IPs. Domains that end up on domain based block lists or URI block lists rarely, if ever, send legit mail.

> When I was working on this in 2010 (how the hell did you remember
> that?), my system was so old that it not only didn't support
> warn_if_reject, it didn't support any of the rhsbl statements in
> smtpd_recipient_restrictions. It was certainly pre-2.0 release I was
> using, so I wasn't able to implement any of the suggestions.

It's obviously always best to stay close to current.

>> smtpd_recipient_restrictions =
>> ...
>> reject_rhsbl_reverse_client dbl.spamhaus.org
>> reject_rhsbl_sender dbl.spamhaus.org
>> reject_rhsbl_helo dbl.spamhaus.org
>> ...
>>
>> And in fact you asked about DNSBLS in April 2010
>> http://comments.gmane.org/gmane.mail.postfix.user/208344
>>
>> and were given all of this information then, by Ralf and myself. You
>> can also use multi.uribl.com and multi.surbl.org here, requiring a total
>> of 9 parameter entries.
>
> For now I've just added the spamhaus.org entries. I've added them
> after reject_unknown_recipient_domain and before check_helo_access. Is
> that correct?

I always put my least expensive restrictions first and most expensive last. So inbuilt Postfix checks go first, then local table checks, then DNSBL lookups, then content filters.

> How about barracuda? I'm currently using it with postscreen.

Set it to reject outright (which I believe you already have) and you're done.

> I think I like postscreen better than the rhsbl statements because of
> the additional features of postscreen.

Fuzzy dice hang'n on your mirror don't make the car go faster. If you find that you *need* weighting of RHS domain rejection decisions due to high FPs (which I doubt), then you can use postfwd or policyd for weighting. Keep in mind policy servers are much slower than Postfix smtpd restrictions, but faster than content filters. Thus it's always best to reject with inbuilt Postfix restrictions if you can, on a busy server.

>> I just noticed you don't require HELO. So you need this as well:
>>
>> smtpd_helo_required = yes
>>
>> And in fact, your current HELO based restrictions are having no effect
>> if clie
[OT] Non-interactive Debian (aptitude) install
Hello,

When I install Postfix using aptitude on a fresh Debian system, an interactive GUI comes up asking me how it wants me to configure postfix. I'd like to suppress this interface and make it default to "No configuration" (I am automating the installation and have my own configuration files, thank you). However I can find nothing documented that allows me to do this. Can anyone help?

Thank you
Re: SSL Certificates
On Nov 23, 2012 9:48 PM, "The Doctor" wrote:
>
> I was wondering who is the best CA Cert for Postfix?

The one YOU trust the most - even if that's someone no one else has heard of.

Simon
Re: SSL Certificates
I use StartCOM (http://www.startcom.org/) for all my SSL certificate needs. I've had no problem with the certificates generated and signed through them working with Postfix installations.

On 23.11.2012 20:46, The Doctor wrote:

I was wondering who is the best CA Cert for Postfix?

--
Member - Liberal International This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k
Merry Christmas 2012 and Happy New Year 2013
Re: [OT] Non-interactive Debian (aptitude) install
On Friday, November 23, 2012 07:55:57 PM Glenn Park wrote:
> Hello,
>
> When I install Postfix using aptitude on a fresh Debian system, an
> interactive GUI comes up asking me how it wants me to configure
> postfix. I'd like to suppress this interface and make it default to
> "No configuration" (I am automating the installation and have my own
> configuration files, thank you). However I can find nothing
> documented that allows me to do this. Can anyone help?

There are some assumptions built into the way the postfix packaging interact with debconf that make this a risky thing to do. See (Debian and Ubuntu are the same in this regard):

https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1027061

Scott K
Re: [OT] Non-interactive Debian (aptitude) install
On Fri, Nov 23, 2012 at 8:43 PM, Scott Kitterman wrote:
> On Friday, November 23, 2012 07:55:57 PM Glenn Park wrote:
>> Hello,
>>
>> When I install Postfix using aptitude on a fresh Debian system, an
>> interactive GUI comes up asking me how it wants me to configure
>> postfix. I'd like to suppress this interface and make it default to
>> "No configuration" (I am automating the installation and have my own
>> configuration files, thank you). However I can find nothing
>> documented that allows me to do this. Can anyone help?
>
> There are some assumptions built into the way the postfix packaging interact
> with debconf that make this a risky thing to do. See (Debian and Ubuntu are
> the same in this regard):
>
> https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1027061

Pardon my lack of understanding here (I did read that whole conversation), but I'm a little hazy on what the problem is. What's the difference between giving a "No Configuration" answer ahead of time/by default and doing it with the GUI that is presented? But are you saying that it's impossible to suppress anyway?

Rather, you seem to be suggesting that upon update, we may see our configuration changed out from under us? We are not using puppet or anything like that. Config is by hand.
Re: [OT] Non-interactive Debian (aptitude) install
On Friday, November 23, 2012 09:29:08 PM Glenn Park wrote:
> On Fri, Nov 23, 2012 at 8:43 PM, Scott Kitterman wrote:
> > On Friday, November 23, 2012 07:55:57 PM Glenn Park wrote:
> >> Hello,
> >>
> >> When I install Postfix using aptitude on a fresh Debian system, an
> >> interactive GUI comes up asking me how it wants me to configure
> >> postfix. I'd like to suppress this interface and make it default to
> >> "No configuration" (I am automating the installation and have my own
> >> configuration files, thank you). However I can find nothing
> >> documented that allows me to do this. Can anyone help?
> >
> > There are some assumptions built into the way the postfix packaging
> > interact with debconf that make this a risky thing to do. See (Debian
> > and Ubuntu are the same in this regard):
> >
> > https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1027061
>
> Pardon my lack of understanding here (I did read that whole
> conversation), but I'm a little hazy on what the problem is. What's
> the difference between giving a "No Configuration" answer ahead of
> time/by default and doing it with the GUI that is presented? But are
> you saying that it's impossible to suppress anyway?
>
> Rather, you seem to be suggesting that upon update, we may see our
> configuration changed out from under us? We are not using puppet or
> anything like that. Config is by hand.

Yes. The postfix package is designed to be configured by the debconf (Debian Configuration) system. If, in the internal status of the debconf system, postfix is marked as "No configuration" via there being no status entry, so there's currently no way to distinguish between "desired configuration is 'No configuration'" and "Don't do anything, something else will handle it."

I have not had time to research this issue. I expect it's reasonably tractable to fix, but I don't know when I'll be able to get to it.

What I usually do is pick "Internet site" and then modify things from there. If you do that once, even if you copy your config files over the provided ones, you won't have to worry about your changes getting reverted.

Scott K
Re: SSL Certificates
On 11/23/2012 8:46 PM, The Doctor wrote:
> I was wondering who is the best CA Cert for Postfix?
>

Probably the same as the best CA for dovecot, and it depends on your needs.

Any certificate will give good security, the difference is how many end-user software applications will automatically trust the certificate.

For a personal or small group server, a self-signed certificate is great. Just tell the small group to add your self-signed snakeoil certificate to their "trusted" list.

For a business where you want the certificate to work automatically with most client software, most of the low-cost CAs will be fine (not the free ones). I've used rapidsslonline, godaddy, and some other one I can't think of right now.

If this is a commercial site, you may need an expensive certificate from the big guys -- not because it provides better security, but because it may be useful for your marketing.

So in the end, there is no single best.

-- Noel Jones
Re: [OT] Non-interactive Debian (aptitude) install
On Fri, Nov 23, 2012 at 10:02 PM, Scott Kitterman wrote:
> On Friday, November 23, 2012 09:29:08 PM Glenn Park wrote:
>> On Fri, Nov 23, 2012 at 8:43 PM, Scott Kitterman wrote:
>> > On Friday, November 23, 2012 07:55:57 PM Glenn Park wrote:
>> >> Hello,
>> >>
>> >> When I install Postfix using aptitude on a fresh Debian system, an
>> >> interactive GUI comes up asking me how it wants me to configure
>> >> postfix. I'd like to suppress this interface and make it default to
>> >> "No configuration" (I am automating the installation and have my own
>> >> configuration files, thank you). However I can find nothing
>> >> documented that allows me to do this. Can anyone help?
>> >
>> > There are some assumptions built into the way the postfix packaging
>> > interact with debconf that make this a risky thing to do. See (Debian
>> > and Ubuntu are the same in this regard):
>> >
>> > https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1027061
>>
>> Pardon my lack of understanding here (I did read that whole
>> conversation), but I'm a little hazy on what the problem is. What's
>> the difference between giving a "No Configuration" answer ahead of
>> time/by default and doing it with the GUI that is presented? But are
>> you saying that it's impossible to suppress anyway?
>>
>> Rather, you seem to be suggesting that upon update, we may see our
>> configuration changed out from under us? We are not using puppet or
>> anything like that. Config is by hand.
>
> Yes. The postfix package is designed to be configured by the debconf (Debian
> Configuration) system. If, in the internal status of the debconf system,
> postfix is marked as "No configuration" via there being no status entry, so
> there's currently no way to distinguish between "desired configuration is 'No
> configuration'" and "Don't do anything, something else will handle it."
>
> I have not had time to research this issue. I expect it's reasonably
> tractable to fix, but I don't know when I'll be able to get to it.
>
> What I usually do is pick "Internet site" and then modify things from there.
> If you do that once, even if you copy your config files over the provided
> ones,
> you won't have to worry about your changes getting reverted.

Woa, wait, so even if I choose "No configuration" in the GUI, my config may be overwritten?

If I have to choose "Internet site" in order to be able to put my own config files in place (and not have them overwritten), that's fine. But my question is how I can do that unattended?

Thanks, Scott
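The unattended form of what Scott describes (answering "Internet Site" once), as an added example that is not part of the thread: it preseeds the Debian postfix package's debconf questions postfix/main_mailer_type and postfix/mailname, then installs with the noninteractive frontend. mail.example.com and the function names are placeholders, and apt-get stands in for aptitude.

```shell
#!/bin/sh
# Added example: unattended Debian install of postfix with the debconf answer
# "Internet Site" supplied in advance. Function names are hypothetical and
# mail.example.com is a placeholder.

# Emit the debconf preseed lines for the postfix package. The mail name is
# validated so a crafted value cannot smuggle in extra debconf lines.
postfix_preseed() {
    mailname=$1
    case $mailname in
        ''|*[!A-Za-z0-9.-]*)
            echo "invalid mail name" >&2
            return 1 ;;
    esac
    printf 'postfix postfix/main_mailer_type select Internet Site\n'
    printf 'postfix postfix/mailname string %s\n' "$mailname"
}

# Load the answers into debconf, then install without any prompt.
# Requires root on a Debian or Ubuntu system.
install_postfix_unattended() {
    preseed=$(postfix_preseed "$1") || return 1
    printf '%s\n' "$preseed" | debconf-set-selections || return 1
    DEBIAN_FRONTEND=noninteractive apt-get install -y postfix
}

# Runs only when asked to:
#   sh install-postfix.sh --install mail.example.com
if [ "${1:-}" = "--install" ]; then
    install_postfix_unattended "${2:-}"
fi
```

After the package is installed this way, the site's own main.cf and master.cf can be copied over the generated ones, as the reply above describes.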