AW: header_checks not working

2015-03-13 Thread Krinninger, Reinhold
Hello,

thanks for all the fast(!) and interesting responses.
I'm trying to use this proposal, which looks to me like the best solution:


> Simplify...
>/^From: .*root@itu-smtp2\.br\.de/  WARN
>/^From: .*@itu-smtp2\.br\.de/  REJECT invalid hostname in From: header

>>
>> /^From: .*\@.*/ WARN

>/^From: / WARN

Now waiting for the next spam campaign... :-)

Best Regards
Reinhold Krinninger
--
Bayerischer Rundfunk; Rundfunkplatz 1; 80335 München
Telefon: +49 89 590001; E-Mail: i...@br.de; Website: http://www.BR.de
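To show how the quoted rules behave in practice, here is an added Python model (written for this page, not code from the thread or from Postfix) of how cleanup(8) evaluates a regexp-format header_checks table: a minimal parser for lines of the form shown above, and a matcher that applies first-match-wins per header line, case-insensitively as regexp_table(5) defaults. The header lines it checks are constructed; the hostname is the one from the thread.

```python
import re

# Constructed header_checks table in regexp format, reproducing the three rules
# quoted above. Postfix tries the rules in order and the first match wins;
# matching is case-insensitive by default (regexp_table(5)).
HEADER_CHECKS = r"""
/^From: .*root@itu-smtp2\.br\.de/  WARN
/^From: .*@itu-smtp2\.br\.de/  REJECT invalid hostname in From: header
/^From: / WARN
"""

# Hypothetical minimal line parser: "/pattern/ ACTION [text]" only. Pattern
# flags, "!/pattern/" negation and if/endif blocks are not handled.
RULE_RE = re.compile(r"^/((?:\\.|[^/])*)/\s+(\S+)(?:\s+(.*))?$")

def parse_table(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable header_checks line: {line!r}")
        pattern, action, extra = m.groups()
        rules.append((re.compile(pattern, re.IGNORECASE), action.upper(), extra or ""))
    return rules

def check_message(headers, rules):
    """Apply the table to each header line the way cleanup(8) does.

    For every header the first matching rule decides. WARN only logs, so the
    remaining headers are still examined; REJECT refuses the whole message.
    Returns what would be logged and whether the message is refused.
    """
    result = {"rejected": False, "reject_text": "", "warnings": []}
    for header in headers:
        for pattern, action, extra in rules:
            if not pattern.search(header):
                continue
            if action == "WARN":
                result["warnings"].append(header)
            elif action == "REJECT":
                result["rejected"] = True
                result["reject_text"] = extra or "<no reject text given>"
                return result
            break  # first matching rule wins for this header
    return result

if __name__ == "__main__":
    rules = parse_table(HEADER_CHECKS)
    # Constructed sample headers; the hostname is the one from the thread.
    for hdrs in (["From: root@itu-smtp2.br.de", "Subject: cron output"],
                 ["From: Spammer <bogus@itu-smtp2.br.de>"],
                 ["FROM: Root@ITU-SMTP2.BR.DE"]):
        print(hdrs[0], "->", check_message(hdrs, rules))
    # Order matters: with the REJECT rule first, root's own mail is refused too.
    swapped = [rules[1], rules[0], rules[2]]
    print("swapped:", check_message(["From: root@itu-smtp2.br.de"], swapped))
```

The swapped run is the point of the ordering in the quoted table: the narrower WARN for root@ must precede the broader REJECT, or cron and system mail from that host is refused along with the forgeries.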


Different smtp_helo_name depending on IP version

2015-03-13 Thread Mike Cardwell
I'd like to send a different "smtp_helo_name" depending on if the outgoing
connection is IPv6 or IPv4. Is this possible in Postfix?

I just want my forward dns/reverse dns/helo to all match, but I have
less control over my RDNS than I need in order to do this and so I'm
wondering if I can get a quick fix from Postfix.

FWIW, in Exim I would do this by adding something like this to my
smtp transport:

helo_data = ${if isip4{$sending_ip_address}{my.ipv4.helo}{my.ipv6.helo}}

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4




Bandwidth choke issue between remote offices and SMTP server.

2015-03-13 Thread jayesh shinde

Re: Tracking down www-data email sender

2015-03-13 Thread Javier Alonso
Hi,

The best you can do is use a sendmail wrapper like this
https://github.com/onlime/sendmail-wrapper

But if you want to track it down, check the webserver log for this subdomain.
It will help you.

In addition you should check if the website is infected.

Malware detect: https://www.rfxn.com/projects/linux-malware-detect/

Javier Alonso

2015-03-12 11:01 GMT+01:00 Benny Pedersen :

> On March 12, 2015 5:14:12 AM Robin Rowe  wrote:
>
>> Suggestions? How do I track it down?
>
> remove this email in wordpress, solved
>


Re: Bandwidth choke issue between remote offices and SMTP server.

2015-03-13 Thread Noel Jones
On 3/13/2015 5:18 AM, jayesh shinde wrote:
> Hi,
>
> I am facing a bandwidth choke problem between remote locations
> and the SMTP server.
> Please guide me on the below. I want to know how other busy servers
> handle such issues.
>
> Scenario:
> ---------
> 1) I have a centralized high-traffic SMTP server with
> postfix-2.10.0-1.el6.x86_64 and offices in different locations.
> 2) Branch users send emails from different email clients like MS
> Outlook or Thunderbird etc.
> 3) Currently we have set a global 5 MB message size restriction in
> Postfix's main.cf.
>    If anyone sends an email larger than 5 MB it gets rejected and
> the end user gets a notification pop-up in the email client.
>
> Problem:
> --------
> 1) Sometimes a few end users send emails larger than 5 MB, which
> travel from the branch office to the server and use a lot of
> bandwidth.
> 2) The server rejects the email only after the complete email has been
> transferred from the email client to the server, not before the actual
> mail transfer.
> 3) When many users at different locations send such large emails,
> the internet bandwidth either gets choked or is very highly utilized.
> 4) Sometimes such large emails get stuck in the outbox of the email
> clients, and after the configured "send/receive" interval the
> email client sends that email to the server again.
>
> Expected solution:
> ------------------
> 1) If anyone sends an email larger than 5 MB, the server must detect
> the mail size before the actual mail transfer from the desktop or
> server.
>    Based on that, the server must either accept or reject the
> email according to a defined rule set. The rule set could be per
> email id, domain or IP.
>
> 2) I came to know that not every email client sends the "email
> size" information in the first phase of the SMTP transaction (I am not
> sure about this).
>    But if this is the case, then which standard email
> clients send the "email size" information in the first phase of the
> SMTP transaction?
> So that with some customized milter or 3rd-party script the size-based
> restriction policy can be applied and the issue controlled.
>
> Is there any method / parameter in the Postfix config by which I can
> control this situation?
>
> Regards
> Jayesh Shinde
>
> 


You'll need to use the traffic shaping features of your firewall.
Postfix does not do this by itself.


  -- Noel Jones



Re: Bandwidth choke issue between remote offices and SMTP server.

2015-03-13 Thread lst_hoe02


Quoting jayesh shinde:

> Hi,
>
> I am facing a bandwidth choke problem between remote locations and the
> SMTP server.
> Please guide me on the below. I want to know how other busy servers
> handle such issues.
>
> Scenario:
> ---------
> 1) I have a centralized high-traffic SMTP server with
> postfix-2.10.0-1.el6.x86_64 and offices in different locations.
> 2) Branch users send emails from different email clients like MS
> Outlook or Thunderbird etc.
> 3) Currently we have set a global 5 MB message size restriction in
> Postfix's main.cf.
>    If anyone sends an email larger than 5 MB it gets rejected
> and the end user gets a notification pop-up in the email client.
>
> Problem:
> --------
> 1) Sometimes a few end users send emails larger than 5 MB, which
> travel from the branch office to the server and use a lot of
> bandwidth.
> 2) The server rejects the email only after the complete email has been
> transferred from the email client to the server, not before the actual
> mail transfer.
> 3) When many users at different locations send such large emails,
> the internet bandwidth either gets choked or is very highly utilized.
> 4) Sometimes such large emails get stuck in the outbox of the email
> clients, and after the configured "send/receive" interval the
> email client sends that email to the server again.
>
> Expected solution:
> ------------------
> 1) If anyone sends an email larger than 5 MB, the server must detect
> the mail size before the actual mail transfer from the desktop or
> server.
>    Based on that, the server must either accept or reject the
> email according to a defined rule set. The rule set could be per
> email id, domain or IP.
>
> 2) I came to know that not every email client sends the "email
> size" information in the first phase of the SMTP transaction (I am not
> sure about this).
>    But if this is the case, then which standard email
> clients send the "email size" information in the first phase of the
> SMTP transaction?
>    So that with some customized milter or 3rd-party script the
> size-based restriction policy can be applied and the issue controlled.




The server has no way of detecting the size of a mail it has not yet
received. The server announces the size it is willing to accept and
the client has to detect that it won't fit. That's the way SMTP works.
Unfortunately there are clients around (Outlook!!) which don't check
for size and don't respect a "no" (permanent failure) as a "no" and
simply retransmit the same message over and over again.



> Is there any method / parameter in the Postfix config by which I can
> control this situation?



No, you can only scan the log and block offending/stupid clients by  
firewall or access list from using SMTP to your server at all.


Regards

Andreas






Re: Different smtp_helo_name depending on IP version

2015-03-13 Thread Viktor Dukhovni
On Fri, Mar 13, 2015 at 09:51:59AM +, Mike Cardwell wrote:

> I'd like to send a different "smtp_helo_name" depending on if the outgoing
> connection is IPv6 or IPv4. Is this possible in Postfix?

Not at present.

> FWIW, in Exim I would do this by adding something like this to my
> smtp transport:
> 
> helo_data = ${if isip4{$sending_ip_address}{my.ipv4.helo}{my.ipv6.helo}}

The smtp_helo_name in Postfix is evaluated long before the connection
to any particular MX host is made.

We'd have to introduce an smtp_helo_name6 parameter that defaults
to smtp_helo_name and use that when connecting to IPv6 hosts.

That hypothetical parameter and associated code do not currently
exist.

-- 
Viktor.


RE: Bandwidth choke issue between remote offices and SMTP server.

2015-03-13 Thread Michael Fox
 



> I am facing a bandwidth choke problem between remote locations and the
> SMTP server.
> Please guide me on the below. I want to know how other busy servers are
> handling such issues.

Jayesh, this is what QoS/prioritization are for on your routers.  The
specifics will depend on what type of router/firewall you have (and beyond
the scope of this list).  But generally, set your email traffic to a lower
priority.  Your interactive traffic will be much more consistent and your
email traffic will never know the difference.

 

Michael



Re: SMTP AUTH issue

2015-03-13 Thread Emmanuel Fusté

On 11/03/2015 16:54, Emmanuel Fusté wrote:

On 11/03/2015 16:39, Viktor Dukhovni wrote:

On Wed, Mar 11, 2015 at 01:41:00PM +0100, Emmanuel Fusté wrote:


Hello,

On a heavy I/O-loaded Postfix (2.11.0) server, I've got this behavior:

535 5.7.8 Error: authentication failed: Connection lost to authentication server
Mar 10 16:37:08 x postfix/smtpd[20613]: warning: x.x.x[x.x.x.x]: SASL 
CRAM-MD5 authentication failed: Connection lost to authentication server

Ok, I have an i/o load problem with this server, but a 535 error code is too 
much, I was expecting a 454 error code as stated in RFC2554.

A complete solution would require handling similar problems for
Cyrus SASL, but I never got a meaningful response to:

  http://archives.neohapsis.com/archives/postfix/2008-12/0405.html
  https://www.mail-archive.com/postfix-users@postfix.org/msg56129.html

You could try the patch below and report your results (presumably
for Dovecot).  It would be nice to have confirmation for Cyrus
also.


Thank you !

Will test and report the result asap.

Regards,
Emmanuel.

Ok, works as expected! Thank you.
But to be complete, we should change XSASL_AUTH_FAIL -> XSASL_AUTH_TEMP
in xsasl_dovecot_server_first (last and perhaps first occurrence too), and
in xsasl_dovecot_server_next (last occurrence).

Isn't it?

Emmanuel.


master.cf service documentation

2015-03-13 Thread Kurt Roeckx
Hi,

I've been looking for documentation about what the various
services in master.cf do.  I can't seem to find any documentation
for that.  I can guess what a few of those do because the command
they run is documented.  But it's not always clear what it means
exactly.

From examples I've seen, it seems you can create your own
services, but it's unclear to me how those get "created", and when
they get used.


Kurt



Re: SMTP AUTH issue

2015-03-13 Thread Viktor Dukhovni
On Fri, Mar 13, 2015 at 05:14:24PM +0100, Emmanuel Fusté wrote:

> >>You could try the patch below and report your results (presumably
> >>for Dovecot).  It would be nice to have confirmation for Cyrus
> >>also.
> >
> >Will test and report the result asap.
>
> Ok, works as expected! Thank you.
>
> But to be complete, we should change XSASL_AUTH_FAIL -> XSASL_AUTH_TEMP in
> xsasl_dovecot_server_first (last and perhaps first occurrence too), in
> xsasl_dovecot_server_next (last occurrence) .

Yeah, just the additional I/O failures:

diff --git a/src/xsasl/xsasl_dovecot_server.c b/src/xsasl/xsasl_dovecot_server.c
index 95dd923..fe2c42b 100644
--- a/src/xsasl/xsasl_dovecot_server.c
+++ b/src/xsasl/xsasl_dovecot_server.c
@@ -686,7 +686,7 @@ int xsasl_dovecot_server_first(XSASL_SERVER *xp, const 
char *sasl_method,
 
if (i == 1) {
vstring_strcpy(reply, "Can't connect to authentication server");
-   return XSASL_AUTH_FAIL;
+   return XSASL_AUTH_TEMP;
}
 
/*
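Review bot: the hunk will not apply as mailed; the header has been wrapped across two lines (`@@ -686,7 +686,7 @@ int xsasl_dovecot_server_first(XSASL_SERVER *xp, const` / `char *sasl_method,`) and the indentation of the context lines has been collapsed (the `if (i == 1) {` body sits at the same column as the `if`), so the header must be rejoined and the context re-indented before `patch -p1` will take it. On the change itself, returning XSASL_AUTH_TEMP when the second connect attempt also fails is the right class of result, since the auth backend, not the credentials, failed; it only has a visible effect once the smtpd caller maps XSASL_AUTH_TEMP to a 4xx reply instead of the 535 it sends today, and that side is not part of this patch.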
@@ -714,7 +714,7 @@ static int xsasl_dovecot_server_next(XSASL_SERVER *xp, 
const char *request,
"CONT\t%u\t%s\n", server->last_request_id, request);
 if (vstream_fflush(server->impl->sasl_stream) == VSTREAM_EOF) {
vstring_strcpy(reply, "Connection lost to authentication server");
-   return XSASL_AUTH_FAIL;
+   return XSASL_AUTH_TEMP;
 }
 return xsasl_dovecot_handle_reply(server, reply);
 }
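Review bot: after `vstream_fflush()` returns VSTREAM_EOF the function now reports XSASL_AUTH_TEMP, but the hunk does not show the dead `server->impl->sasl_stream` being closed and reset, and `xsasl_dovecot_server_first` only reconnects when that pointer is NULL. Worth confirming in the surrounding code (not visible here) that the stream is torn down on this path, otherwise the next AUTH in the same smtpd process writes to the broken stream and fails the same way.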

-- 
Viktor.


Re: SMTP AUTH issue

2015-03-13 Thread Emmanuel Fusté

On 13/03/2015 17:14, Emmanuel Fusté wrote:

On 11/03/2015 16:54, Emmanuel Fusté wrote:

On 11/03/2015 16:39, Viktor Dukhovni wrote:

On Wed, Mar 11, 2015 at 01:41:00PM +0100, Emmanuel Fusté wrote:


Hello,

On a heavy I/O-loaded Postfix (2.11.0) server, I've got this behavior:

535 5.7.8 Error: authentication failed: Connection lost to authentication server
Mar 10 16:37:08 x postfix/smtpd[20613]: warning: x.x.x[x.x.x.x]: SASL 
CRAM-MD5 authentication failed: Connection lost to authentication server

Ok, I have an i/o load problem with this server, but a 535 error code is too 
much, I was expecting a 454 error code as stated in RFC2554.

A complete solution would require handling similar problems for
Cyrus SASL, but I never got a meaningful response to:

   http://archives.neohapsis.com/archives/postfix/2008-12/0405.html
   https://www.mail-archive.com/postfix-users@postfix.org/msg56129.html

You could try the patch below and report your results (presumably
for Dovecot).  It would be nice to have confirmation for Cyrus
also.


Thank you !

Will test and report the result asap.

Regards,
Emmanuel.

Ok, works as expected! Thank you.
But to be complete, we should change XSASL_AUTH_FAIL -> XSASL_AUTH_TEMP
in xsasl_dovecot_server_first (last and perhaps first occurrence too), and
in xsasl_dovecot_server_next (last occurrence).
Isn't it?

Emmanuel.

Ok, what do you think about this one?
I added XSASL_AUTH_TEMP in case of crashed / stopped dovecot auth server 
too.


Emmanuel.

diff -r -u postfix-2.11.0.orig/src/smtpd/smtpd_sasl_glue.c 
postfix-2.11.0/src/smtpd/smtpd_sasl_glue.c
--- postfix-2.11.0.orig/src/smtpd/smtpd_sasl_glue.c 2013-12-24 
21:55:03.0 +0100
+++ postfix-2.11.0/src/smtpd/smtpd_sasl_glue.c  2015-03-13 14:19:54.0 
+0100
@@ -316,8 +316,12 @@
 state->namaddr, sasl_method,
 STR(state->sasl_reply));
/* RFC 4954 Section 6. */
-   smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s",
-STR(state->sasl_reply));
+   if (status == XSASL_AUTH_TEMP)
+   smtpd_chat_reply(state, "454 4.7.0 Temporary authentication 
failure: %s",
+STR(state->sasl_reply));
+   else
+   smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: 
%s",
+STR(state->sasl_reply));
return (-1);
 }
 /* RFC 4954 Section 6. */
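Review bot: the new 454 branch will not compile as posted: the mailer has wrapped both string literals (`"454 4.7.0 Temporary authentication` / `failure: %s",` and `"535 5.7.8 Error: authentication failed:` / `%s",`), so they must be rejoined before applying. Two further points once that is done: `status` is not declared in the visible context, so confirm it is the variable holding the xsasl `first`/`next` return value in this function, and an unbraced `if`/`else` whose bodies are two-line `smtpd_chat_reply()` calls is easy to break on the next edit; braces on both branches would be safer. The reply itself matches RFC 4954 section 6 (454 4.7.0 for a temporary authentication failure), which is what the original report asked for.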
diff -r -u postfix-2.11.0.orig/src/xsasl/xsasl_cyrus_server.c 
postfix-2.11.0/src/xsasl/xsasl_cyrus_server.c
--- postfix-2.11.0.orig/src/xsasl/xsasl_cyrus_server.c  2015-03-13 
18:01:50.0 +0100
+++ postfix-2.11.0/src/xsasl/xsasl_cyrus_server.c   2015-03-13 
14:19:54.0 +0100
@@ -477,7 +477,13 @@
if (sasl_status == SASL_NOUSER) /* privacy */
sasl_status = SASL_BADAUTH;
vstring_strcpy(reply, xsasl_cyrus_strerror(sasl_status));
-   return (XSASL_AUTH_FAIL);
+   switch (sasl_status) {
+   case SASL_TRYAGAIN:
+   case SASL_UNAVAIL:
+   return XSASL_AUTH_TEMP;
+   default:
+   return (XSASL_AUTH_FAIL);
+   }
 }
 }
 
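Review bot: the `switch` mixes `return XSASL_AUTH_TEMP;` with `return (XSASL_AUTH_FAIL);`; the surrounding code uses the parenthesised form, so keep the new return consistent. Mapping SASL_TRYAGAIN and SASL_UNAVAIL to XSASL_AUTH_TEMP matches the Dovecot side of the patch, and placing the switch after the `SASL_NOUSER` to `SASL_BADAUTH` rewrite is correct, since that rewrite is a privacy measure for a permanent failure and must stay a 535.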
diff -r -u postfix-2.11.0.orig/src/xsasl/xsasl_dovecot_server.c 
postfix-2.11.0/src/xsasl/xsasl_dovecot_server.c
--- postfix-2.11.0.orig/src/xsasl/xsasl_dovecot_server.c2011-11-17 
22:53:25.0 +0100
+++ postfix-2.11.0/src/xsasl/xsasl_dovecot_server.c 2015-03-13 
17:43:34.0 +0100
@@ -580,7 +580,7 @@
 }
 
 vstring_strcpy(reply, "Connection lost to authentication server");
-return XSASL_AUTH_FAIL;
+return XSASL_AUTH_TEMP;
 }
 
 /* is_valid_base64 - input sanitized */
@@ -637,7 +637,7 @@
 for (i = 0; i < 2; i++) {
if (!server->impl->sasl_stream) {
if (xsasl_dovecot_server_connect(server->impl) < 0)
-   return (0);
+   return XSASL_AUTH_TEMP;
}
/* send the request */
server->last_request_id = ++server->impl->request_id_counter;
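Review bot: replacing `return (0);` with `return XSASL_AUTH_TEMP;` fixes a real defect (0 does not match the XSASL_AUTH_* numbering visible in the xsasl.h hunk, so callers could not have handled it), but this path returns without putting anything into `reply`, unlike every other XSASL_AUTH_TEMP return in this patch, which calls `vstring_strcpy()` first. With the smtpd_sasl_glue.c change, the 454 reply would then print `%s` from whatever `reply` last held. Add `vstring_strcpy(reply, "Can't connect to authentication server");` before the return, or drop this early return and let the existing `i == 1` check below produce the same result with its message.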
@@ -668,7 +668,7 @@
 
if (i == 1) {
vstring_strcpy(reply, "Can't connect to authentication server");
-   return XSASL_AUTH_FAIL;
+   return XSASL_AUTH_TEMP;
}
 
/*
@@ -696,7 +696,7 @@
"CONT\t%u\t%s\n", server->last_request_id, request);
 if (vstream_fflush(server->impl->sasl_stream) == VSTREAM_EOF) {
vstring_strcpy(reply, "Connection lost to authentication server");
-   return XSASL_AUTH_FAIL;
+   return XSASL_AUTH_TEMP;
 }
 return xsasl_dovecot_handle_reply(server, reply);
 }
diff -r -u postfix-2.11.0.orig/src/xsasl/xsasl.h 
postfix-2.11.0/src/xsasl/xsasl.h
--- postfix-2.11.0.orig/src/xsasl/xsasl.h   2009-04-19 01:39:16.0 
+0200
+++ postfix-2.11.0/src/xsasl/xsasl.h2015-03-13 14:19:54.0 +0100
@@ -121,6 +121,7 @@
 #define XSASL_AUTH_DONE3   /* Authentication completed */
 #define XSASL_AUTH_FORM4   /
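Review bot: this hunk is cut off in the archive after `#define XSASL_AUTH_FORM4   /`; the header (`-121,6 +121,7`) says one line is added, presumably the XSASL_AUTH_TEMP definition every other file in the patch depends on, but it is not visible, so the patch as it appears here cannot be applied or reviewed end to end. Whatever value it gets must not collide with the existing codes (DONE is 3 and FORM is 4 in the visible context).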

Asymmetric mail limits?

2015-03-13 Thread Brainslug
Hi,

my mail server is configured to accept incoming email for local users and to
relay outbound email to an off-site mail server.

Is it possible to configure postfix to accept all incoming email regardless
of size but decline all outgoing email exceeding a predefined size limit? If
I set message_size_limit in main.cf, it is applied to both, incoming and
outgoing email, which is not what I need.


Thanks for your help!






Re: Asymmetric mail limits?

2015-03-13 Thread Viktor Dukhovni
On Fri, Mar 13, 2015 at 01:46:07PM -0700, Brainslug wrote:

> Is it possible to configure postfix to accept all incoming email regardless
> of size but decline all outgoing email exceeding a predefined size limit?

You'll need to use a separate smtpd(8) listener for the outbound mail
and an associated cleanup service for that smtpd(8), both with
appropriate message_size_limit values.  Minimally separate master.cf
entries, better a separate Postfix instance (MULTI_INSTANCE_README),
or even a separate machine.

The separate smtpd can set "message_size_limit" to the desired limit,
while the main.cf limit is set much higher.  That way clients that
understand ESMTP "SIZE" won't waste time sending large mails only
to see them rejected.

> If I set message_size_limit in main.cf, it is applied to both, incoming and
> outgoing email, which is not what I need.

Add a master.cf override for just the smtpd(8) with the lower than
global limit, and its associated cleanup service.  However, a
separate Postfix instance for outbound mail is better in the long-run.

-- 
Viktor.
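As an added illustration of two points made in this digest (lst_hoe02's "the server announces the size it is willing to accept and the client has to detect that it won't fit", and Viktor's separate smtpd with a lower limit so SIZE-aware clients give up early), here is a Python model written for this page, not Postfix code: two simulated smtpd(8) listeners with different message_size_limit values, the EHLO/MAIL FROM replies each produces, and the client-side check a SIZE-aware client makes. The 5 MB and 50 MB limits, hostnames and addresses are constructed; the 552 reply text follows Postfix's own wording.

```python
import re

# Accepts "MAIL FROM:<addr>" with optional ESMTP parameters such as SIZE=n.
MAIL_FROM_RE = re.compile(
    r"^MAIL FROM:<[^>]*>(?P<params>(?:\s+[A-Za-z0-9][A-Za-z0-9-]*(?:=[^\s=]+)?)*)\s*$",
    re.IGNORECASE)
SIZE_REPLY = "552 5.3.4 Message size exceeds fixed limit"   # Postfix's reply text

class SmtpdListener:
    """Size handling of one smtpd(8) listener (a model written for this page).

    message_size_limit is what the listener announces in its EHLO SIZE keyword;
    0 means unlimited, which Postfix announces as a bare "SIZE".
    """
    def __init__(self, name, message_size_limit):
        self.name = name
        self.limit = message_size_limit

    def ehlo_reply(self, hostname="mail.example.com"):
        size = "250-SIZE" if self.limit == 0 else f"250-SIZE {self.limit}"
        return [f"250-{hostname}", "250-PIPELINING", size, "250 8BITMIME"]

    def mail_from(self, command):
        """Only a SIZE= parameter lets the server refuse before any body is sent."""
        m = MAIL_FROM_RE.match(command)
        if m is None:
            return "501 5.5.4 Syntax: MAIL FROM:<address>"
        for param in m["params"].split():
            key, _, value = param.partition("=")
            if key.upper() == "SIZE" and value.isdigit() and self.limit:
                if int(value) > self.limit:
                    return SIZE_REPLY
        return "250 2.1.0 Ok"

    def end_of_data(self, received_bytes):
        """Without SIZE=, the first chance to check is after the whole body arrived."""
        if self.limit and received_bytes > self.limit:
            return SIZE_REPLY
        return "250 2.0.0 Ok: queued"

def client_will_fit(ehlo_lines, message_bytes):
    """What a SIZE-aware client does: read the limit from EHLO and give up early.
    Returns None when the server announced no SIZE limit (unknown, so just try)."""
    for line in ehlo_lines:
        m = re.match(r"^250[- ]SIZE(?:\s+(\d+))?\s*$", line, re.IGNORECASE)
        if m:
            return None if m.group(1) in (None, "0") else message_bytes <= int(m.group(1))
    return None

if __name__ == "__main__":
    # Constructed limits: a submission listener for the branch offices at 5 MB
    # (the thread's figure, as a master.cf "-o message_size_limit=5000000"
    # override) and the inbound listener at 50 MB.
    outbound = SmtpdListener("submission", 5_000_000)
    inbound = SmtpdListener("smtp", 50_000_000)
    msg = 8_000_000                                           # an 8 MB message
    print(client_will_fit(outbound.ehlo_reply(), msg))        # False: do not even try
    print(outbound.mail_from(f"MAIL FROM:<u@example.com> SIZE={msg}"))  # 552 before DATA
    print(outbound.mail_from("MAIL FROM:<u@example.com>"),
          outbound.end_of_data(msg))                          # 250 ..., then 552 after transfer
    print(inbound.mail_from(f"MAIL FROM:<p@example.net> SIZE={msg}"))   # 250: inbound unaffected
```

The third print is the bandwidth problem from the other thread in one line: a client that omits SIZE= gets the same 552, but only after the full 8 MB has crossed the link.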


Re: postscreen vs. fail2ban

2015-03-13 Thread Istvan Prosinger

Hi Wietse,

One benefit of using fail2ban (for me) is a definitely cleaner mail log 
for these cases.


Regards,
Istvan


On 12.3.2015 2:30, Wietse Venema wrote:

Michael Fox:

I haven't implemented postscreen yet, but plan to.  So this question is for
the postscreen experts here.

As I understand it from the documentation, postscreen protects postfix from
having to deal with most attack vectors, including higher volume attacks.
So, does it make sense to also use something like fail2ban to block IPs that
postscreen (or postfix) logs repeatedly as offenders?  Or is postscreen
sufficient to protect postfix?


I would not bother, except in extreme cases where the same IP address
makes thousands and thousands of connections.

Wietse