milter and restriciton classes
Hi smtpd_milters = unix:/run/clamav-milter/clamav-milter.socket unix:/run/spamass-milter/spamass-milter.sock so far works fine on a testing environment but is there a way to combine it with restriction classes and other rules while running as milter just because before-queue to avoid become a backscatter? ___ below an theoretical example how i would like to have it work * postscreen in front for blacklists * basic checks * PTR checks * virus scan unconditional * whitelists to disable content filters * spamassasin smtpd_recipient_restrictions = permit_mynetworks reject_non_fqdn_recipient reject_non_fqdn_sender reject_unlisted_sender check_client_access proxy:regexp:/etc/postfix/spam-ptr.cf unix:/run/clamav-milter/clamav-milter.socket permit_dnswl_client list.dnswl.org unix:/run/spamass-milter/spamass-milter.sock
Combining sender_dependent_relayhost_maps and smtp_sasl_password_maps
Hi, I am trying to use the functionality of sender_dependent_relayhost_maps and smtp_sasl_password_maps, but I run into an issue. With sender_dependent_relayhost_maps I can configure postfix to use the right relayhosts for different senders. I use this because I have many email accounts, but I want to use only my own email server to send mail from all my different desktop and mobile MUA's. Several of these email accounts have features like domain keys, so my mailserver needs to distribute those mails to the right relayhost for them to get signed. Now of course these relayhosts also require authenticated smtp. So I use smtp_sasl_password_maps to configure the credentials used for the several authenticated smtp accounts that need to be relayed. However, smtp_sasl_password_maps aren't sender dependent, but relayhost dependent. And that's where I run into problems. As long as I only have one sender that needs a certain relayhost, there are no problems. I configure sender_dependent_relayhost_maps for accountA to use relayhostA, and I configure smtp_sasl_password_maps for relayhostA to use credentialsA, easy enough. However, as soon as I have a second account that uses the same relayhost, I run into trouble. I can configure accountB to use relayhostA no problem. But now I can't configure relayhostA to use credentialsB... This relayhost is smart enough to only allow credentialsA for accountA and credentialsB for accountB, so I can't just use credentialsA only. What is the best way to handle this? Thanks, Erik.
Re: Postfix removes content from a file
First let me clear, am not accusing postfix server. today i found message sending as attachment,file having 1583 lines, so may be sending as attachment, am not sure. am working on this to figure-out.i sent with 10 lines in a file, receiving as expected. Thanks for replies. On Thursday, 7 August 2014 11:36 PM, "li...@rhsoft.net" wrote: first: * don't post in HTML * don't reply-all on lists * don't top-post * provide useful informations - "don't work" is not useful http://www.catb.org/esr/faqs/smart-questions.html#beprecise Am 07.08.2014 um 19:23 schrieb Ramesh: > It is not a problem with quotes what you posted has *surely* a problem with quotes that can't work and if it worked before than something else *before* postfix fixed the mistake > all these days it was working fine, since yesterday receiving > messages without content. i doubt > I don't know where went wrong in the server how should we? * you provide no logs * you don't provide a "cat /path/file-what-does-something.sh" you need to prove a postfix problem by un-stripped input and logs otherwise it's likely a mistake somewehere else > On Thursday, 7 August 2014 5:06 PM, "li...@rhsoft.net" > wrote: > > Am 07.08.2014 um 13:22 schrieb Ramesh: >> postfix removes status message information from a file > > no it don't > > and even if without logs nobody could help > >> mail -s 'stat" m...@example.com < stat.txt >> sends blank message, verified stat.txt file has log information. > > well try that command in a shell > what you will see is the following wating for input > > [harry@rh:~]$ mail -s 'stat" rhs...@test.rh < /etc/php.ini > > after fixing the quotes it just works > > [harry@rh:~]$ mail -s 'stat' rhs...@test.rh < /etc/php.ini > [harry@rh:~]$ > >> this is happening since yesterday, i just reinstalled php, >> i didn’t make any changes to postfix configuration. >> >> Please let me know how to fix this > > by just try script command in a shell and fix them instead > pretend an MTA removes anything out of a message
Re: milter and restriciton classes
Am 08.08.2014 um 10:32 schrieb li...@rhsoft.net: > Hi > > smtpd_milters = unix:/run/clamav-milter/clamav-milter.socket > unix:/run/spamass-milter/spamass-milter.sock > > so far works fine on a testing environment > > but is there a way to combine it with restriction classes and > other rules while running as milter just because before-queue > to avoid become a backscatter? > ___ > > below an theoretical example how i would like to have it work > > * postscreen in front for blacklists > * basic checks > * PTR checks > * virus scan unconditional > * whitelists to disable content filters > * spamassasin > > smtpd_recipient_restrictions = permit_mynetworks > reject_non_fqdn_recipient > reject_non_fqdn_sender > reject_unlisted_sender > check_client_access proxy:regexp:/etc/postfix/spam-ptr.cf > unix:/run/clamav-milter/clamav-milter.socket > permit_dnswl_client list.dnswl.org > unix:/run/spamass-milter/spamass-milter.sock > that sounds you want something like http://milter-manager.sourceforge.net/reference/introduction.html milter manager milter manager is a milter that manages multiple milters. We can register multiple milters to milter managers and a milter session for milter manager is transferred to registered milters. Registered milter is called "child milter". milter manager works as a proxy. milter manager looks like a milter from MTA side. milter manager looks like an MTA from child milter. \n MTA, milter manager and child milter\n milters can be managed by milter manager layer not MTA layer by the structure. milter manager has the following features that improve milter management: milter detection feature flexible milter apply feature The former is for "reduce milter administration cost" advantage, the the latter is for "combine milters flexibly" advantage. We can use milters effectively by milter manager's those features. ... Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Re: milter and restriction classes
Am 08.08.2014 um 11:11 schrieb Robert Schetterer: > Am 08.08.2014 um 10:32 schrieb li...@rhsoft.net: >> smtpd_milters = unix:/run/clamav-milter/clamav-milter.socket >> unix:/run/spamass-milter/spamass-milter.sock >> >> so far works fine on a testing environment >> >> but is there a way to combine it with restriction classes and >> other rules while running as milter just because before-queue >> to avoid become a backscatter? >> ___ >> >> below an theoretical example how i would like to have it work >> >> * postscreen in front for blacklists >> * basic checks >> * PTR checks >> * virus scan unconditional >> * whitelists to disable content filters >> * spamassasin >> >> smtpd_recipient_restrictions = permit_mynetworks >> reject_non_fqdn_recipient >> reject_non_fqdn_sender >> reject_unlisted_sender >> check_client_access proxy:regexp:/etc/postfix/spam-ptr.cf >> unix:/run/clamav-milter/clamav-milter.socket >> permit_dnswl_client list.dnswl.org >> unix:/run/spamass-milter/spamass-milter.sock > > that sounds you want something like > http://milter-manager.sourceforge.net/reference/introduction.html thanks, bookmarked looks like build a rock-solid and manageable spamfirewall VM to replace a commercial blackbox becomes a "funny" project and having time until summer 2016 helps to plan features careful luckily "smtpd_relay_restrictions = reject" exists for that project to only accept listed rcpt and deliver via transtport-tables to the right backend server what makes it easy to add "OK" actions without become an open relay - split MX and submission on different machines __ dreamed about like below but dreams don't always become true :-) smtpd_milters = unix:/run/clamav-milter/clamav-milter.socket permit_dnswl_client list.dnswl.org check_sender_access proxy:hash:/etc/postfix/disable-sender-contentfilter.cf check_recipient_access proxy:hash:/etc/postfix/disable-rcpt-contentfilter.cf unix:/run/spamass-milter/spamass-milter.sock
Re: Postfix removes content from a file
Showing message in body with max 1000 lines in a file, more than 1000 lines attaching as bin file. any suggestions to resolve this? -Thanks On Friday, 8 August 2014 12:41 PM, Ramesh wrote: First let me clear, am not accusing postfix server. today i found message sending as attachment,file having 1583 lines, so may be sending as attachment, am not sure. am working on this to figure-out.i sent with 10 lines in a file, receiving as expected. Thanks for replies. On Thursday, 7 August 2014 11:36 PM, "li...@rhsoft.net" wrote: first: * don't post in HTML * don't reply-all on lists * don't top-post * provide useful informations - "don't work" is not useful http://www.catb.org/esr/faqs/smart-questions.html#beprecise Am 07.08.2014 um 19:23 schrieb Ramesh: > It is not a problem with quotes what you posted has *surely* a problem with quotes that can't work and if it worked before than something else *before* postfix fixed the mistake > all these days it was working fine, since yesterday receiving > messages without content. i doubt > I don't know where went wrong in the server how should we? * you provide no logs * you don't provide a "cat /path/file-what-does-something.sh" you need to prove a postfix problem by un-stripped input and logs otherwise it's likely a mistake somewehere else > On Thursday, 7 August 2014 5:06 PM, "li...@rhsoft.net" > wrote: > > Am 07.08.2014 um 13:22 schrieb Ramesh: >> postfix removes status message information from a file > > no it don't > > and even if without logs nobody could help > >> mail -s 'stat" m...@example.com < stat.txt >> sends blank message, verified stat.txt file has log information. > > well try that command in a shell > what you will see is the following wating for input > > [harry@rh:~]$ mail -s 'stat" rhs...@test.rh < /etc/php.ini > > after fixing the quotes it just works > > [harry@rh:~]$ mail -s 'stat' rhs...@test.rh < /etc/php.ini > [harry@rh:~]$ > >> this is happening since yesterday, i just reinstalled php, >> i didn’t make any changes to postfix configuration. >> >> Please let me know how to fix this > > by just try script command in a shell and fix them instead > pretend an MTA removes anything out of a message
Re: milter and restriction classes
On 8/8/2014 4:58 AM, li...@rhsoft.net wrote: > dreamed about like below but dreams don't always become true :-) > > smtpd_milters = unix:/run/clamav-milter/clamav-milter.socket > permit_dnswl_client list.dnswl.org > check_sender_access proxy:hash:/etc/postfix/disable-sender-contentfilter.cf > check_recipient_access proxy:hash:/etc/postfix/disable-rcpt-contentfilter.cf > unix:/run/spamass-milter/spamass-milter.sock > It is not possible for postfix to do conditional milters because postfix must connect to the milter at the beginning of the SMTP session, before any client/sender/recipient information is known. But some milters have their own settings per client/sender/recipient. -- Noel Jones
verify database
Hello list, Is it possible to manage the verify database manually? E.g. remove a negative address entry? I forward mail to backend servers and when a backend server gives a "5xx no such user", the negative entry is stored 3 hours (default). I'd like to be able to remove such an entry manually. R. -- ___ It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt. +--+ | Richard Lucassen, Utrecht| +--+
Re: verify database
Do you mean remove the email? On Aug 8, 2014 7:38 AM, "richard lucassen" wrote: > > Hello list, > > Is it possible to manage the verify database manually? E.g. remove a > negative address entry? > > I forward mail to backend servers and when a backend server gives a > "5xx no such user", the negative entry is stored 3 hours (default). I'd > like to be able to remove such an entry manually. > > R. > > -- > ___ > It is better to remain silent and be thought a fool, than to speak > aloud and remove all doubt. > > +--+ > | Richard Lucassen, Utrecht| > +--+ Do you mean remove the email?
Re: verify database
On Fri, 8 Aug 2014 07:56:24 -0400 Rich wrote: > Do you mean remove the email? No, the entry of the recipient in the btree db. -- ___ It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt. +--+ | Richard Lucassen, Utrecht| +--+
More about "Allow only mu servers to send mail from my domain"
Hi Everybody, I was trying to use check_sender_access as sugested here in the forum to avoid this type of SPAMs. But it is not working. check_sender_access works more like a blacklist and the spammers are ready for that. Check this message bellow: First the maillog: Aug 7 17:40:19 hubble cbpolicyd[20640]: module=Greylisting, action=pass, host=81.45.22.109, helo=109.Red-81-45-22.staticIP.rima-tde.net, from=www-d...@109.red-81-45-22.staticip.rima-tde.net, to=webmas...@iqm.unicamp.br, reason=authenticated Aug 7 17:40:19 hubble postfix/smtpd[21446]: 7319F143C27: client=109.Red-81-45-22.staticIP.rima-tde.net[81.45.22.109] Aug 7 17:40:19 hubble postfix/cleanup[21233]: 7319F143C27: message-id=<20140807202603.b31032...@109.red-81-45-22.staticip.rima-tde.net> Aug 7 17:40:19 hubble postfix/qmgr[21657]: 7319F143C27: from=, size=2838, nrcpt=1 (queue active) Aug 7 17:40:19 hubble postfix/smtpd[21446]: disconnect from 109.Red-81-45-22.staticIP.rima-tde.net[81.45.22.109] Aug 7 17:40:19 hubble postfix/smtpd[20751]: connect from localhost[127.0.0.1] Aug 7 17:40:19 hubble postfix/smtpd[20751]: EB443143C3C: client=localhost[127.0.0.1] Aug 7 17:40:20 hubble postfix/cleanup[21534]: EB443143C3C: message-id=<20140807202603.b31032...@109.red-81-45-22.staticip.rima-tde.net> Aug 7 17:40:20 hubble postfix/qmgr[21657]: EB443143C3C: from=, size=3315, nrcpt=1 (queue active) Aug 7 17:40:20 hubble amavis[21479]: (21479-01) loaded policy bank "MYNETS" Aug 7 17:40:20 hubble amavis[21479]: (21479-01) ESMTP::10024 /var/spool/amavisd/tmp/amavis-20140807T174020-21479-yVTh_Crs: -> SIZE=3315 Received: from mail.iqm.unicamp.br ([127.0.0.1]) by localhost (hubble.iqm.unicamp.br [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Thu, 7 Aug 2014 17:40:20 -0300 (BRT) Aug 7 17:40:20 hubble postfix/smtpd[20751]: disconnect from localhost[127.0.0.1] Aug 7 17:40:20 hubble postfix/lmtp[20103]: 7319F143C27: to=, relay=mail.iqm.unicamp.br[/var/run/dspam/dspam.sock], delay=1.3, delays=0.97/0/0/0.31, dsn=2.6.0, status=sent (250 2.6.0 Message accepted for delivery) Aug 7 17:40:20 hubble postfix/qmgr[21657]: 7319F143C27: removed Notice that the message was sent from from=www-d...@109.red-81-45-22.staticip.rima-tde.net to=webmas...@iqm.unicamp.br When I received the message the header inside the e-mail message contains: Return-Path: Delivered-To: Received: from mail.iqm.unicamp.br ([143.106.51.19]) by kepler.iqm.unicamp.br (Dovecot) with LMTP id QB7kFa6P41PyTwAAV0VrhQ for ; Thu, 07 Aug 2014 17:40:24 -0300 Received: from localhost (localhost [127.0.0.1]) by mail.iqm.unicamp.br (Postfix) with ESMTP id 501F51449AD for ; Thu, 7 Aug 2014 17:40:24 -0300 (BRT) Received: from mail.iqm.unicamp.br ([127.0.0.1]) by localhost (hubble.iqm.unicamp.br [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fmX2GScyk8hw for ; Thu, 7 Aug 2014 17:40:20 -0300 (BRT) Received: from localhost (localhost [127.0.0.1]) by mail.iqm.unicamp.br (Postfix) with SMTP id EB443143C3C for ; Thu, 7 Aug 2014 17:40:19 -0300 (BRT) Received: from 109.Red-81-45-22.staticIP.rima-tde.net (109.Red-81-45-22.staticIP.rima-tde.net [81.45.22.109]) by mail.iqm.unicamp.br (Postfix) with ESMTP id 7319F143C27 for ; Thu, 7 Aug 2014 17:40:18 -0300 (BRT) Received: by 109.Red-81-45-22.staticIP.rima-tde.net (Postfix, from userid 33) id B31032836; Thu, 7 Aug 2014 20:26:03 + (UTC) To: webmas...@iqm.unicamp.br Subject: CRUZ ALTA LTDA X-PHP-Originating-Script: 0:mag.php MIME-Version: 1.0 Content-type: text/html; charset=iso-8859-1 X-Mailer: Microsoft Office Outlook, Build 17.551210 From: webmas...@iqm.unicamp.br Message-Id: <20140807202603.b31032...@109.red-81-45-22.staticip.rima-tde.net> Date: Thu, 7 Aug 2014 20:26:03 + (UTC) Inside the message, the FROM contains webmaster@mydomain... Is there a way to create rules like check_sender_access but based on the header inside the mail message instead of the server connection? I cannot block messages with SPF, because here we have a lot of false positives. Thanks
Re: verify database
On 8/8/2014 6:36 AM, richard lucassen wrote: > Hello list, > > Is it possible to manage the verify database manually? E.g. remove a > negative address entry? > > I forward mail to backend servers and when a backend server gives a > "5xx no such user", the negative entry is stored 3 hours (default). I'd > like to be able to remove such an entry manually. > > R. > The default negative expire is 3 days, with a refresh time of 3 hours. This might be too long for some folks. If you often have problems with bad addresses turning into good addresses, better to reduce the negative cache time to a few minutes. This should still be sufficient to keep the backend from being hammered with repeated bad addresses. address_verify_negative_refresh_time = 10m address_verify_negative_expire_time = 15m It is possible to remove entries from the verify database manually, but it's disruptive because you **must** stop postfix before maintenance. - postfix stop - postmap -d u...@example.com btree:/path/to/verify_cache - postfix start -- Noel Jones
Re: milter and restriction classes
Am 08.08.2014 um 13:18 schrieb Noel Jones: > On 8/8/2014 4:58 AM, li...@rhsoft.net wrote: >> dreamed about like below but dreams don't always become true :-) >> >> smtpd_milters = unix:/run/clamav-milter/clamav-milter.socket >> permit_dnswl_client list.dnswl.org >> check_sender_access proxy:hash:/etc/postfix/disable-sender-contentfilter.cf >> check_recipient_access proxy:hash:/etc/postfix/disable-rcpt-contentfilter.cf >> unix:/run/spamass-milter/spamass-milter.sock > > It is not possible for postfix to do conditional milters because > postfix must connect to the milter at the beginning of the SMTP > session, before any client/sender/recipient information is known. > But some milters have their own settings per client/sender/recipient hmm - that would mean that even the cheap restrictions below would not make a reject decision *before* the expensive contentfilter and clamav are called? reject_non_fqdn_recipient reject_non_fqdn_sender reject_unknown_sender_domain reject_unknown_recipient_domain reject_unauth_destination reject_invalid_hostname
Re: milter and restriction classes
On 8/8/2014 8:56 AM, li...@rhsoft.net wrote: > Am 08.08.2014 um 13:18 schrieb Noel Jones: >> On 8/8/2014 4:58 AM, li...@rhsoft.net wrote: >>> dreamed about like below but dreams don't always become true :-) >>> >>> smtpd_milters = unix:/run/clamav-milter/clamav-milter.socket >>> permit_dnswl_client list.dnswl.org >>> check_sender_access proxy:hash:/etc/postfix/disable-sender-contentfilter.cf >>> check_recipient_access >>> proxy:hash:/etc/postfix/disable-rcpt-contentfilter.cf >>> unix:/run/spamass-milter/spamass-milter.sock >> >> It is not possible for postfix to do conditional milters because >> postfix must connect to the milter at the beginning of the SMTP >> session, before any client/sender/recipient information is known. >> But some milters have their own settings per client/sender/recipient > > hmm - that would mean that even the cheap restrictions below > would not make a reject decision *before* the expensive > contentfilter and clamav are called? > > reject_non_fqdn_recipient > reject_non_fqdn_sender > reject_unknown_sender_domain > reject_unknown_recipient_domain > reject_unauth_destination > reject_invalid_hostname > Of course not. Envelope restrictions will drop the connection before DATA. -- Noel Jones
Re: More about "Allow only mu servers to send mail from my domain"
On 08 Aug 2014, at 14:53, Andre Luiz Paiz wrote: > I was trying to use check_sender_access as sugested here in the forum to > avoid this type of SPAMs. But it is not working. > check_sender_access works more like a blacklist and the spammers are ready > for that. It is not working because you are confusing the envelope from with the 'From:' header. The 'check_sender_access' restriction works for the envelope only, not on the headers, and the headers are basically untrustworthy and easily forged. > Notice that the message was sent from > from=www-d...@109.red-81-45-22.staticip.rima-tde.net > to=webmas...@iqm.unicamp.br [snip] > Inside the message, the FROM contains webmaster@mydomain... > Is there a way to create rules like check_sender_access but based on the > header inside the mail message instead of the server connection? > I cannot block messages with SPF, because here we have a lot of false > positives. SPF does not work because, like 'check_sender_access', it does only work on the envelope, not the headers. For basic header checks, you can use 'header_checks'; http://www.postfix.org/header_checks.5.html I suspect that what you really need is better blacklisting, though. There's generally no need to accept anything from generic hostnames such as '109.red-81-45-22.staticip.rima-tde.net', for example. Are you running postscreen? Using blacklists? Mvg, Joni
Re: verify database
Its says to rename or delete it and restart the postfix. It will rebuild. On Aug 8, 2014 8:03 AM, "richard lucassen" wrote: > > On Fri, 8 Aug 2014 07:56:24 -0400 > Rich wrote: > > > Do you mean remove the email? > > No, the entry of the recipient in the btree db. > > -- > ___ > It is better to remain silent and be thought a fool, than to speak > aloud and remove all doubt. > > +--+ > | Richard Lucassen, Utrecht| > +--+
Re: verify database
On Fri, 8 Aug 2014 10:32:18 -0400 Rich wrote: > Its says to rename or delete it and restart the postfix. It will > rebuild. He doesn't want to delete all the entries, only one of them. -- D'Arcy J.M. Cain System Administrator, Vex.Net http://www.Vex.Net/ IM:da...@vex.net VoIP: sip:da...@vex.net
Re: verify database
On Fri, 08 Aug 2014 08:43:23 -0500 Noel Jones wrote: > On 8/8/2014 6:36 AM, richard lucassen wrote: > > Is it possible to manage the verify database manually? E.g. remove a > > negative address entry? > > > > I forward mail to backend servers and when a backend server gives a > > "5xx no such user", the negative entry is stored 3 hours (default). > > I'd like to be able to remove such an entry manually. > > The default negative expire is 3 days, with a refresh time of 3 > hours. This might be too long for some folks. Normally it's not IMHO, but sometimes it's rather annoying. > If you often have problems with bad addresses turning into good > addresses, better to reduce the negative cache time to a few > minutes. This should still be sufficient to keep the backend from > being hammered with repeated bad addresses. > address_verify_negative_refresh_time = 10m > address_verify_negative_expire_time = 15m I already found that in the docs :) > It is possible to remove entries from the verify database manually, > but it's disruptive because you **must** stop postfix before > maintenance. > > - postfix stop > > - postmap -d u...@example.com btree:/path/to/verify_cache > > - postfix start Ok, that's what I was looking for. Thnx! R. -- ___ It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt. +--+ | Richard Lucassen, Utrecht| +--+
Re: More about "Allow only mu servers to send mail from my domain"
Quoting DTNX Postmaster : On 08 Aug 2014, at 14:53, Andre Luiz Paiz wrote: I was trying to use check_sender_access as sugested here in the forum to avoid this type of SPAMs. But it is not working. check_sender_access works more like a blacklist and the spammers are ready for that. It is not working because you are confusing the envelope from with the 'From:' header. The 'check_sender_access' restriction works for the envelope only, not on the headers, and the headers are basically untrustworthy and easily forged. On my check_sender_access I registered webmas...@iqm.unicamp.br as REJECT. So in my case this from it is the envelop, correct? You are saying that I should register the www-d...@109.red-81-45-22.staticip.rima-tde.net on check_sender_access? Notice that the message was sent from from=www-d...@109.red-81-45-22.staticip.rima-tde.net to=webmas...@iqm.unicamp.br [snip] Inside the message, the FROM contains webmaster@mydomain... Is there a way to create rules like check_sender_access but based on the header inside the mail message instead of the server connection? I cannot block messages with SPF, because here we have a lot of false positives. SPF does not work because, like 'check_sender_access', it does only work on the envelope, not the headers. For basic header checks, you can use 'header_checks'; http://www.postfix.org/header_checks.5.html I suspect that what you really need is better blacklisting, though. There's generally no need to accept anything from generic hostnames such as '109.red-81-45-22.staticip.rima-tde.net', for example. Are you running postscreen? Using blacklists? I use Spamassassin and PolicyD (Cluebringer). The access control in PolicyD checks the header or envelope? Don´t know about postscreen, Can you please give an example of how it should work? Mvg, Joni Scanned and tagged with DSPAM 3.10.2 by Instituto de Quimica - Unicamp !DSPAM:9303,53e4dca823581248319621! Thanks Andre
Re: Postfix removes content from a file
On Fri, Aug 8, 2014 at 12:51 PM, Ramesh wrote: Hi > Showing message in body with max 1000 lines in a file, more than 1000 lines > attaching as bin file. Not here (gmail web), not with thunderbird. Just tested with a 1 lines text file and /usr/bin/mail (freebsd). -- Cris, member of G.U.F.I Italian FreeBSD User Group http://www.gufi.org/
Re: More about "Allow only mu servers to send mail from my domain"
On 08 Aug 2014, at 16:45, Andre Luiz Paiz wrote: > Quoting DTNX Postmaster : > >> On 08 Aug 2014, at 14:53, Andre Luiz Paiz wrote: >> >>> I was trying to use check_sender_access as sugested here in the forum to >>> avoid this type of SPAMs. But it is not working. >>> check_sender_access works more like a blacklist and the spammers are ready >>> for that. >> >> It is not working because you are confusing the envelope from with the >> 'From:' header. The 'check_sender_access' restriction works for the envelope >> only, not on the headers, and the headers are basically untrustworthy and >> easily forged. > > On my check_sender_access I registered webmas...@iqm.unicamp.br as REJECT. So > in my case this from it is the envelop, correct? You are saying that I should > register the www-d...@109.red-81-45-22.staticip.rima-tde.net on > check_sender_access? That would work, but only for that specific sender. So it's generally not a very effective way to block spam, as it only covers one address on a single host. It can be decent as a temporary measure, though. >> SPF does not work because, like 'check_sender_access', it does only work on >> the envelope, not the headers. For basic header checks, you can use >> 'header_checks'; >> >> http://www.postfix.org/header_checks.5.html >> >> I suspect that what you really need is better blacklisting, though. There's >> generally no need to accept anything from generic hostnames such as >> '109.red-81-45-22.staticip.rima-tde.net', for example. >> >> Are you running postscreen? Using blacklists? > > I use Spamassassin and PolicyD (Cluebringer). The access control in PolicyD > checks the header or envelope? > Don´t know about postscreen, Can you please give an example of how it should > work? Did you read the 'header_checks' documentation? Have you used the Postfix documentation in general? Like, for example, if you search for 'postscreen' here; http://www.postfix.org/documentation.html It will lead you to; http://www.postfix.org/POSTSCREEN_README.html As for SpamAssassin and PolicyD, they are not part of Postfix; refer to their respective documentation for their specific features. Mvg, Joni
Re: milter and restriction classes
Am 08.08.2014 um 16:19 schrieb Noel Jones: > On 8/8/2014 8:56 AM, li...@rhsoft.net wrote: >> Am 08.08.2014 um 13:18 schrieb Noel Jones: >>> On 8/8/2014 4:58 AM, li...@rhsoft.net wrote: dreamed about like below but dreams don't always become true :-) smtpd_milters = unix:/run/clamav-milter/clamav-milter.socket permit_dnswl_client list.dnswl.org check_sender_access proxy:hash:/etc/postfix/disable-sender-contentfilter.cf check_recipient_access proxy:hash:/etc/postfix/disable-rcpt-contentfilter.cf unix:/run/spamass-milter/spamass-milter.sock >>> >>> It is not possible for postfix to do conditional milters because >>> postfix must connect to the milter at the beginning of the SMTP >>> session, before any client/sender/recipient information is known. >>> But some milters have their own settings per client/sender/recipient >> >> hmm - that would mean that even the cheap restrictions below >> would not make a reject decision *before* the expensive >> contentfilter and clamav are called? >> >> reject_non_fqdn_recipient >> reject_non_fqdn_sender >> reject_unknown_sender_domain >> reject_unknown_recipient_domain >> reject_unauth_destination >> reject_invalid_hostname >> > Of course not. Envelope restrictions will drop the connection > before DATA well, but the same way "permit_dnswl_client list.dnswl.org" could happen before the milter/session and skip it for that smtp session so one could setup "dnswl-milter1.domain.tld", "dnswl-milter2.domain.tld" and feed the inhouse whitlist servers with specific data smtpd_milters = permit_dnswl_client dnswl-milter-av.domain.tld unix:/run/clamav-milter/clamav-milter.socket permit_dnswl_client dnswl-milter-contentfilter.domain.tld unix:/run/spamass-milter/spamass-milter.sock
Re: milter and restriction classes
On 8/8/2014 11:06 AM, li...@rhsoft.net wrote: > Am 08.08.2014 um 16:19 schrieb Noel Jones: >> On 8/8/2014 8:56 AM, li...@rhsoft.net wrote: >>> Am 08.08.2014 um 13:18 schrieb Noel Jones: On 8/8/2014 4:58 AM, li...@rhsoft.net wrote: > dreamed about like below but dreams don't always become true :-) > > smtpd_milters = unix:/run/clamav-milter/clamav-milter.socket > permit_dnswl_client list.dnswl.org > check_sender_access > proxy:hash:/etc/postfix/disable-sender-contentfilter.cf > check_recipient_access > proxy:hash:/etc/postfix/disable-rcpt-contentfilter.cf > unix:/run/spamass-milter/spamass-milter.sock It is not possible for postfix to do conditional milters because postfix must connect to the milter at the beginning of the SMTP session, before any client/sender/recipient information is known. But some milters have their own settings per client/sender/recipient >>> >>> hmm - that would mean that even the cheap restrictions below >>> would not make a reject decision *before* the expensive >>> contentfilter and clamav are called? >>> >>> reject_non_fqdn_recipient >>> reject_non_fqdn_sender >>> reject_unknown_sender_domain >>> reject_unknown_recipient_domain >>> reject_unauth_destination >>> reject_invalid_hostname >>> >> Of course not. Envelope restrictions will drop the connection >> before DATA > > well, but the same way "permit_dnswl_client list.dnswl.org" could > happen before the milter/session and skip it for that smtp session > Sorry, that's not possible. -- Noel Jones
Re: access maps for smtpd_client_event_limit_exceptions
On Fri, Jul 25, 2014 at 05:22:58PM -0400, Wietse Venema wrote: > Will Yardley: > > Ah, but in my case, I am using '.domain.tld' vs. 'domain.tld', so I > > guess my original question really was, does .domain.tld match subdomains > > for $mynetworks / $smtpd_client_event_limit_exceptions when specified in > > that way? > > In the case of mynetworks, it depends on the presence or absence of > "mynetworks" in the parent_domain_matches_subdomains parameter value. > > In the case of smtpd_client_event_limit_exceptions, it depends on > the presence or absence of "smtpd_client_event_limit_exceptions" > in the parent_domain_matches_subdomains parameter value (Postfix > 2.12 as of today). Earlier Postfix versions behave as if > "smtpd_client_event_limit_exceptions" is not present. Sorry for the late response, and sorry to be obtuse. But doesn't parent_domain_matches_subdomains (whether or not it applies to smtpd_client_event_limit_exceptions) only refer to whether 'example.com' is treated as if you had '.example.com'? In this case, I have '.example.com' (with leading dot), so wouldn't it be treated as matching subdomains regardless of $parent_domain_matches_subdomains, or am I misunderstanding the docs about $parent_domain_matches_subdomains? To put it differently, *with* an explicit leading dot, does $mynetworks match all subdomains? w
Re: Postfix removes content from a file
On 8 Aug 2014, at 6:51, Ramesh wrote: Showing message in body with max 1000 lines in a file, more than 1000 lines attaching as bin file. any suggestions to resolve this? Fix whatever program you are running as "mail" that is not the one you were running in the past. That program is definitely not any part of Postfix. On *BSD systems and MacOS, /usr/bin/mail is a descendant of the ancient BSD mail program and behaves as that always has and as the AT&T Unix mail did before it. On Linux it can be a wide variety of programs, some of them horrid messes, some of them acting very much like BSD mail. If you have a PATH environment variable which does not get you to /usr/bin/mail when you run 'mail' then you might be running something that is perfectly justified in behaving strangely. As you have failed to offer the most basic information about your system and have given an imprecise assertion of the command you are running, it is unlikely that anyone on this list will put in the effort to guess at the myriad combinations of possible omissions and errors in what you have said about your problem and search through them all to find what 'mail' program might be mangling your mail. Postfix simply does not EVER do what you've described, so even with a complete and accurate description of your problem you would stand only a slight chance of getting a useful solution from this list.
