ETSI Registered Email implementations?

2016-04-06 Thread Ori Bani
Greetings,

Does anyone know of any open source implementations of ETSI's
"Registered Email" standard (ETSI TS 102 640)? I think this is
different than Italy's "Certified Email" (RFC 6109).

I had a quick search of the archives, but nothing came up at all, and
Google searches don't turn up anything either for me. Is there
somewhere better to look?

Thanks


Need help with relay setup

2016-04-06 Thread John Stoffel

Hi Guys,

I'm trying to replace an old Sun 5.8 box running Sendmail 8.12.x with
a newer RHEL 6 box running Postfix 2.6.6, which I know is unsupported
and I should upgrade.  But it's what comes from RedHat and it's what
I'm working with right now.

Anyway, I'm going nuts trying to make my crazy environment work
properly due to (possibly) conflicting requirements.

1. It's the outgoing mail server for the domain foo.bar.com (and
   legacy foo.com).  So it needs to masquerade @host.foo.bar.com into
   @foo.bar.com like usual.

1a. We also want to have it handle outgoing email for first.l...@other.com and
do lookups on how to rewrite envelope and message addresses into
first.l...@foo.bar.com.

2. It also handles incoming mail from our external spam filter:

   - looks at NIS aliases for where to forward email:
     - exchange (exmail1.foo.bar.com)
     - mailman  (mailman.foo.bar.com)
     - un-recognized email gets forwarded to lotus notes server
       (hdqmta.foo.bar.com).

There's no local delivery wanted or needed, it should all be looked up
in aliases and forwarded to the correct internal host.  

I've asked before for help on how I can do lookups using ldap against
Lotus Notes, because they have a million aliases on there, but no
complete standard.  Since the existing sendmail setup works just fine,
they don't want to make changes on their end.

So right now I have most of it working, but it's re-writing too
aggressively on the headers.  So when it does the fallback_transport to
hdqmta, it (seems!) to be not updating the address... now that I think
of it, maybe that's the problem!!

Question:

Can I force the fallback_transport to re-write, before using the
fallback, john.t...@foo.bar.com into john.t...@hdqmta.foo.bar.com?
Since I think that's the problem?

All I have in my legacy, ancient, crappy sendmail.cf is:

   DLhdqmta.foo.bar.com

Here's my postconf -n output, semi-sanitized.  Can someone tell me
what I'm doing wrong and how I can achieve my aims?  Do I need to have
two separate postfix instances set up, one to handle the rewriting from
option 1a, with the other to do the rest?



alias_database = hash:/etc/aliases
alias_maps = nis:mail.aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
fallback_transport = smtp:[hdqmta.foo.bar.com]
html_directory = no
inet_interfaces = all
inet_protocols = all
local_header_rewrite_clients = static:all
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = !exmail1.foo.bar.com !hdqmta.foo.bar.com
    $myorigin
mydestination = $myhostname, localhost.$mydomain, localhost,
    $mydomain, foo.com
mydomain = foo.bar.com
myhostname = mailhost.foo.bar.com
mynetworks = 127.0.0.0/8, 209.243.0.0/16, 10.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
transport_maps = hash:/etc/postfix/transport_maps
unknown_local_recipient_reject_code = 450


I'm about to throw in the towel here and try to move to sendmail using
a completely new and updated setup, but that's a horror show in many
ways.

Thanks,
John


Re: How to log output from whatever pipe runs ?

2016-04-06 Thread chaouche yacine
On Thursday, March 31, 2016 5:11 PM, Wietse Venema  wrote:

> Have to tried to run it by hand as user
> VMAIL, just like you configured in master.cf?
>
>Wietse


Yes, in fact, I have run it in 4 different ways. When I run maildropwrapper 
from the command line mail is delivered to the right Maildir, both as root and 
as vmail. When maildropwrapper is called by postfix it doesn't deliver mail to 
the right Maildir. 

1. calling maildropwrapper from the command line, as root

cat /var/vmail/maildropwrapper

#!/bin/bash
echo $(date) > /tmp/maildrop
echo running maildrop as "$(whoami)" with arguments "$@"  >> /tmp/maildrop 2>&1
args="$@"
echo "je suis toujours là" >> /tmp/maildrop
maildrop $args >> /tmp/maildrop 2>&1
echo " suis-je toujours là ?" >> /tmp/maildrop

root@messagerie[10.10.10.20] /var/vmail/algerian-radio.dz/a.chaouche/new # 
/var/vmail/maildropwrapper -V 9 -d a.chaou...@algerian-radio.dz -w 80 
test mail
root@messagerie[10.10.10.20] /var/vmail/algerian-radio.dz/a.chaouche/new #

maildrop trace

root@messagerie[10.10.10.20] /var/vmail/algerian-radio.dz/a.chaouche/new # cat 
/tmp/maildrop 
Wed Apr 6 14:15:20 CET 2016
running maildrop as root with arguments -V 9 -d a.chaou...@algerian-radio.dz -w 
80
je suis toujours là
maildrop: authlib: groupid=1002
maildrop: authlib: userid=113
maildrop: authlib: logname=a.chaou...@algerian-radio.dz, home=/var/vmail/, 
mail=algerian-radio.dz/a.chaouche/
maildrop: Changing to /var/vmail/
Message envelope sender=MAILER-DAEMON
Tokenized ;
Tokenized ;
Tokenized ;
Tokenized ;
Tokenized ;
Tokenized eof
maildrop: Attempting .mailfilter
maildrop: Delivery complete.
suis-je toujours là ?
root@messagerie[10.10.10.20] /var/vmail/algerian-radio.dz/a.chaouche/new # 

Mail delivered (file was created at 14:18)

root@messagerie[10.10.10.20] /var/vmail/algerian-radio.dz/a.chaouche/new # ls 
-rt | head -n 2
total 104K
-rw--- 1 vmail vmail  1 Mar 31 14:18 
1459430303.M654267P3399V0811I004402EC_0.messagerie,S=1
root@messagerie[10.10.10.20] /var/vmail/algerian-radio.dz/a.chaouche/new # 



2. calling maildropwrapper from the command line, as root, but changing to vmail
inside the script (su)

cat /var/vmail/maildropwrapper

#!/bin/bash
echo $(date) > /tmp/maildrop
echo running maildrop as "$(whoami)" with arguments "$@"  >> /tmp/maildrop 2>&1
args="$@"
echo "je suis toujours là" >> /tmp/maildrop
su vmail -c "maildrop $args >> /tmp/maildrop 2>&1"
echo " suis-je toujours là ?" >> /tmp/maildrop

root@messagerie[10.10.10.20] /var/vmail/algerian-radio.dz/a.chaouche/new # 
/var/vmail/maildropwrapper -V 9 -d a.chaou...@algerian-radio.dz -w 80
test mail
root@messagerie[10.10.10.20] /var/vmail/algerian-radio.dz/a.chaouche/new # 

Mail was delivered :


root@messagerie[10.10.10.20] /var/vmail/algerian-radio.dz/a.chaouche/new # ls 
-t | head -2
total 108K
-rw--- 1 vmail vmail 10 Apr  6 14:19 
1459948794.M288704P8101V0811I00441E4D_0.messagerie,S=10
root@messagerie[10.10.10.20] /var/vmail/algerian-radio.dz/a.chaouche/new # 

maildrop trace file :

vmail@messagerie:/root$ cat /tmp/maildrop
Wed Apr 6 14:19:49 CET 2016
running maildrop as root with arguments -V 9 -d a.chaou...@algerian-radio.dz -w 
80
je suis toujours là
maildrop: authlib: groupid=1002
maildrop: authlib: userid=113
maildrop: authlib: logname=a.chaou...@algerian-radio.dz, home=/var/vmail/, 
mail=algerian-radio.dz/a.chaouche/
maildrop: Changing to /var/vmail/
Message envelope sender=MAILER-DAEMON
Tokenized ;
Tokenized ;
Tokenized ;
Tokenized ;
Tokenized ;
Tokenized eof
maildrop: Attempting .mailfilter
maildrop: Delivery complete.
suis-je toujours là ?
vmail@messagerie:/root$ 


3. calling maildropwrapper from the command line as user vmail 

vmail@messagerie:/var/vmail$ /var/vmail/maildropwrapper -V 9 -d 
a.chaou...@algerian-radio.dz 
test 
vmail@messagerie:/var/vmail$ 

Mail was delivered : 

root@messagerie[10.10.10.20] /var/vmail/algerian-radio.dz/a.chaouche/new # ls 
-t | head -2
total 112K
-rw--- 1 vmail vmail  6 Apr  6 14:22 
1459948965.M511937P8110V0811I00441E4E_0.messagerie,S=6
root@messagerie[10.10.10.20] /var/vmail/algerian-radio.dz/a.chaouche/new # 

maildrop trace 

vmail@messagerie:/var/vmail$ cat /tmp/maildrop 
Wed Apr 6 14:22:42 CET 2016
running maildrop as vmail with arguments -V 9 -d a.chaou...@algerian-radio.dz
je suis toujours là
maildrop: authlib: groupid=1002
maildrop: authlib: userid=113
maildrop: authlib: logname=a.chaou...@algerian-radio.dz, home=/var/vmail/, 
mail=algerian-radio.dz/a.chaouche/
maildrop: Changing to /var/vmail/
Message envelope sender=MAILER-DAEMON
Tokenized ;
Tokenized ;
Tokenized ;
Tokenized ;
Tokenized ;
Tokenized eof
maildrop: Attempting .mailfilter
maildrop: Delivery complete.
suis-je toujours là ?
vmail@messagerie:/var/vmail$ 


4. calling maildropwrapper through postfix

Here's master.cf : 

maildrop  unix  -   n   n   -   -   pipe
flags=DRhu user=vmail argv=/var/vmail/maildropwrapper -V9 -d $

Re: Need help with relay setup

2016-04-06 Thread Noel Jones
On 4/6/2016 8:06 AM, John Stoffel wrote:
> Can I force the fallback_transport to re-write, before using the
> fallback, john.t...@foo.bar.com into john.t...@hdqmta.foo.bar.com?
> Since I think that's the problem?


Perhaps this is what you're missing:
http://www.postfix.org/ADDRESS_REWRITING_README.html#generic
http://www.postfix.org/postconf.5.html#smtp_generic_maps

smtp_generic_maps can be used on a specific master.cf transport to
control rewriting to a specific destination.

# transport_maps
hdqmta.example.com  hdqmta

# generic_htqmta
@example.com  @hdqmta.example.com

# master.cf
# copy of standard smtp transport
hdqmta  unix  -   -   n   -   -   smtp
  -o smtp_generic_maps=hash:/etc/postfix/generic_htqmta




  -- Noel Jones


Re: How to log output from whatever pipe runs ?

2016-04-06 Thread Wietse Venema
chaouche yacine:
> vmail@messagerie:/var/vmail$ cat /tmp/maildrop 
> Wed Apr 6 14:26:45 CET 2016
> running maildrop as vmail with arguments -V9 -d a.chaou...@algerian-radio.dz
> je suis toujours là
> ERR: authdaemon: s_connect() failed: Permission denied
> Invalid user specified.
> suis-je toujours là ?
> vmail@messagerie:/var/vmail$ 

Well that is your problem.

Try disabling SeLinux/AppArmor/etc. security.

Wietse


cyrus saslauthd error handling

2016-04-06 Thread Benning, Markus

Hi,

When I use cyrus saslauthd:

pwcheck_method: saslauthd
mech_list: plain login
saslauthd_path: /var/run/kokolores/mux

and saslauthd is not running, then the socket /var/run/kokolores/mux
does not exist and postfix returns


535 5.7.8 Error: authentication failed: generic failure

Shouldn't postfix return a temporary error in this case?

In xsasl_cyrus_server.c:

switch (sasl_status) {
case SASL_TRYAGAIN:
case SASL_UNAVAIL:
    return XSASL_AUTH_TEMP;
default:
    return (XSASL_AUTH_FAIL);
}

In sasl.h:

#define SASL_FAIL   -1   /* generic failure */

Could this one be added to the AUTH_TEMP case?

Maybe there are a few more errors in sasl.h which indicate
service-side problems and should be handled with a temporary error.

#define SASL_NOMEM      -2   /* memory shortage failure */
#define SASL_BUFOVER    -3   /* overflowed buffer */


 Markus

--
https://markusbenning.de/


Re: cyrus saslauthd error handling

2016-04-06 Thread Benning, Markus

On 2016-04-06 16:19, Benning, Markus wrote:

In sasl.h:

#define SASL_FAIL   -1   /* generic failure */

Could this one be added to the AUTH_TEMP case?


Could it be that libsasl uses SASL_FAIL also in case of a wrong
password?

In this case I think it would be an error in libsasl.
It instead should return

#define SASL_UNAVAIL    -24  /* remote authentication server unavailable */


 Markus
--
https://markusbenning.de/


bad.psky.me RBL?

2016-04-06 Thread Quanah Gibson-Mount
Is anyone familiar with this RBL and its quality?  Not a whole lot of info 
at .  Terms seem probably ok 
.


Thanks,
Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration
A division of Synacor, Inc


Re: Need help with relay setup

2016-04-06 Thread John Stoffel
> "Noel" == Noel Jones  writes:

Noel> On 4/6/2016 8:06 AM, John Stoffel wrote:
>> Can I force the fallback_transport to re-write, before using the
>> fallback, john.t...@foo.bar.com into john.t...@hdqmta.foo.bar.com?
>> Since I think that's the problem?


Noel> Perhaps this is what you're missing:
Noel> http://www.postfix.org/ADDRESS_REWRITING_README.html#generic
Noel> http://www.postfix.org/postconf.5.html#smtp_generic_maps

Noel> smtp_generic_maps can be used on a specific master.cf transport to
Noel> control rewriting to a specific destination.

Noel> # transport_maps
Noel> hdqmta.example.com  hdqmta

Noel> # generic_htqmta
Noel> @example.com  @hdqmta.example.com

Noel> # master.cf
Noel> # copy of standard smtp transport
Noel> hdqmta  unix  -   -   n   -   -   smtp
Noel>   -o smtp_generic_maps=hash:/etc/postfix/generic_htqmta


Thanks for the hints!  So I'm wondering if I need to do this for all
of my hosts?  But let me go back and expand on how things work, just
so we're on the same page and because I want to make sure I'm thinking
this through properly as well.

1. mail arrives, from anywhere basically.
2. alias lookups happen, for example:  john.t...@foo.bar.com
   - no alias match, punt to hdqmta

   - alias match, say it goes to john.t...@exmail1.foo.bar.com
     - would I then have a generic_exmail1 file with just:

       @foo.bar.com @exmail1.foo.bar.com

     as well?

3. mail gets delivered properly...

Is this because I'm not using the local delivery agent, which knows
about NIS aliases, and also to then forward emails on to the new
envelope address?   And since I'm not using local delivery, I need to
be more explicit in my setup and handling?

Thanks,
John


Re: How to log output from whatever pipe runs ?

2016-04-06 Thread chaouche yacine
On Wednesday, April 6, 2016 3:24 PM, Wietse Venema  wrote:


>Try disabling SeLinux/AppArmor/etc. security.
>
>

>   Wietse

Thanks Wietse. They don't seem to be installed though. sestatus is not available


root@messagerie[10.10.10.20] /etc/apparmor.d # sestatus
-bash: sestatus: command not found
root@messagerie[10.10.10.20] /etc/apparmor.d # 

policycoreutils isn't installed : 


root@messagerie-secours[10.10.10.19] ~ # dpkg -s policycoreutils
Package `policycoreutils' is not installed and no info is available.
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.
root@messagerie-secours[10.10.10.19] ~ #

apparmor also not installed :

root@messagerie-secours[10.10.10.19] ~ # dpkg -s apparmor
Package `apparmor' is not installed and no info is available.
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.
root@messagerie-secours[10.10.10.19] ~ # 


Re: Need help with relay setup

2016-04-06 Thread Noel Jones
On 4/6/2016 10:11 AM, John Stoffel wrote:
>> "Noel" == Noel Jones  writes:
> 
> Noel> On 4/6/2016 8:06 AM, John Stoffel wrote:
>>> Can I force the fallback_transport to re-write, before using the
>>> fallback, john.t...@foo.bar.com into john.t...@hdqmta.foo.bar.com?
>>> Since I think that's the problem?
> 
> 
> Noel> Perhaps this is what you're missing:
> Noel> http://www.postfix.org/ADDRESS_REWRITING_README.html#generic
> Noel> http://www.postfix.org/postconf.5.html#smtp_generic_maps
> 
> Noel> smtp_generic_maps can be used on a specific master.cf transport to
> Noel> control rewriting to a specific destination.
> 
> Noel> # transport_maps
> Noel> hdqmta.example.com  hdqmta
> 
> Noel> # generic_htqmta
> Noel> @example.com  @hdqmta.example.com
> 
> Noel> # master.cf
> Noel> # copy of standard smtp transport
> Noel> hdqmta  unix  -   -   n   -   -   smtp
> Noel>   -o smtp_generic_maps=hash:/etc/postfix/generic_htqmta
> 
> 
> Thanks for the hints!  So I'm wondering if I need to do this for all
> of my hosts?  But let me go back and expand on how things work, just
> so we're on the same page and because I want to make sure I'm thinking
> this through properly as well.
> 
> 1. mail arrives, from anyway basically.
> 2. alias lookups happen, for example:  john.t...@foo.bar.com
>- no alias match, punt to hdqmta
> 
>- alias match, say it goes to john.t...@exmail1.foo.bar.com
>  - would I then have a generic_exmail1 file with just:
> 
>@foo.bar.com @exmail1.foo.bar.com
> 
>as well?

Yes, if this is a different server that expects the address to be
@exmail1...


> 
> 3. mail gets delivered properly...
> 
> Is this because I'm not using the local delivery agent, which knows
> about NIS aliases, and also to then forward emails on to the new
> envelope address?   And since I'm not using local delivery, I need to
> be more explicit in my setup and handling?

This is just to rewrite an address from one form to another during
smtp delivery.


  -- Noel Jones


> 
> Thanks,
> John
> 



Re: bad.psky.me RBL?

2016-04-06 Thread lst_hoe02


Quoting Quanah Gibson-Mount:

> Is anyone familiar with this RBL and its quality?  Not a whole lot
> of info at .  Terms seem probably ok
> .


If there isn't a lot of info, expect the worst. You should always be  
aware that you "outsource" at least parts of the ham/spam decision and  
you really should be careful about that.


Regards

Andreas






postscreen cache size & db type?

2016-04-06 Thread jasonsu
In my logs I see postscreen cache cleanups

postfix/postscreen[18826]: cache 
btree:/var/lib/postfix/postscreen_cache full cleanup: retained=224 dropped=12 
entries

It looks like it's happening because they're 'full' at the time.

Under "CACHE CONTROLS" & "RESOURCE CONTROLS" @ 
http://www.postfix.org/postscreen.8.html, I don't see a param to increase the 
cache size.

Does the cache need to be increased, so performance doesn't suffer?
What's the parameter to control that?

Also in the docs I see

postscreen_cache_map (default: btree:$data_directory/postscreen_cache)

Is there any advantage/harm in using lmdb here, instead of btree?  I'm already 
using lmdb as default DB type for most other !pcre tables.

Jason



Re: How to log output from whatever pipe runs ?

2016-04-06 Thread Viktor Dukhovni
On Wed, Apr 06, 2016 at 01:38:46PM +, chaouche yacine wrote:

> maildrop  unix  -   n   n   -   -   pipe
> flags=DRhu user=vmail argv=/var/vmail/maildropwrapper -V9 -d ${recipient}

http://www.postfix.org/pipe.8.html

   user=username:groupname
  Execute the external command with the user ID and  group  ID  of
  the  specified  username.   The software refuses to execute com-
  mands with root privileges, or with the privileges of  the  mail
  system owner. If groupname is specified, the corresponding group
  ID is used instead of the group ID of username.

Note, that pipe(8) is not the "login" program and does not execute
programs with all the group memberships of the specified user.
Only the primary group, or the explicitly selected "groupname" is
available.

-- 
Viktor.


Re: bad.psky.me RBL?

2016-04-06 Thread Quanah Gibson-Mount

--On Wednesday, April 06, 2016 6:36 PM +0200 lst_ho...@kwsoft.de wrote:

> Quoting Quanah Gibson-Mount:
>
>> Is anyone familiar with this RBL and its quality?  Not a whole lot
>> of info at .  Terms seem probably ok
>> .
>
> If there isn't a lot of info, expect the worst. You should always be
> aware that you "outsource" at least parts of the ham/spam decision and
> you really should be careful about that.


Right, thus me asking if anyone has any info/experience with it. ;)  A 
customer enabled it in their environment and is happy with the results so 
far, but I'd want more information before doing so myself or making any 
type of general recommendation about it.


--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration
A division of Synacor, Inc


Re: postscreen cache size & db type?

2016-04-06 Thread Noel Jones
On 4/6/2016 10:38 AM, jaso...@mail-central.com wrote:
> In my logs I see postscreen cache cleanups
> 
>   postfix/postscreen[18826]: cache 
> btree:/var/lib/postfix/postscreen_cache full cleanup: retained=224 dropped=12 
> entries
> 
> It looks like it's happening because they're 'full' at the time.

They are removed because they are expired.

> 
> Under "CACHE CONTROLS" & "RESOURCE CONTROLS" @ 
> http://www.postfix.org/postscreen.8.html, I don't see a param to increase the 
> cache size.
> 

There is no limit on the cache size, and the default
postscreen_*_ttl values should be reasonable for the vast majority
of sites.

> Does the cache need to b increased, so performance doesn't suffer?
> What's the parameter to control that?

No.

> 
> Also in the docs I see
> 
>   postscreen_cache_map (default: btree:$data_directory/postscreen_cache)
> 
> Is there any advantage/harm in using lmdb here, instead of btree?  I'm 
> already using lmdb as default DB type for most other !pcre tables.

Access latency is the important part.  Slow access to the cache will
limit the number of connections postfix can service.
btree is suggested because it's fast and supports the features needed.
I don't use lmdb, so I can't really answer if it's suitable for the
postscreen cache.



  -- Noel Jones


Re: postscreen cache size & db type?

2016-04-06 Thread jasonsu
On Wed, Apr 6, 2016, at 09:12 AM, Noel Jones wrote:
> > postfix/postscreen[18826]: cache 
> > btree:/var/lib/postfix/postscreen_cache full cleanup: retained=224 
> > dropped=12 entries
> > 
> > It looks like it's happening because they're 'full' at the time.
> They are removed because they are expired.

Ok, so it's "full cleanup" of postscreen_cache, NOT a cleanup of
"postscreen_cache full"

> There is no limit on the cache size, and the default
> postscreen_*_ttl values should be reasonable for the vast majority
> of sites.

Makes sense now.

> > Is there any advantage/harm in using lmdb here, instead of btree?  I'm 
> > already using lmdb as default DB type for most other !pcre tables.
> 
> Access latency is the important part.  Slow access to the cache will
> limit the number of connections postfix can service.
> btree is suggested because it's fast and supports the features needed.
> I don't use lmdb, so I can't really answer if it's suitable for the
> postscreen cache.

IIUC, lmdb is based on / derived from btree.

The in-memory (http://symas.com/mdb/inmem/) & on-disk benchmarks
(http://symas.com/mdb/ondisk/) suggest LMDB's performance, and latency
(https://symas.com/getting-down-and-dirty-with-lmdb-qa-with-symas-corporations-howard-chu-about-symass-lightning-memory-mapped-database/)
are significantly better than most.

Boils down to whether lmdb: can/should be used in this parameter instance. I'll 
wait to hear from others on it.

Thanks

Jason


Re: How to log output from whatever pipe runs ?

2016-04-06 Thread chaouche yacine
 
 
On Wednesday, April 6, 2016 4:42 PM, Viktor Dukhovni wrote:
>On Wed, Apr 06, 2016 at 01:38:46PM +, chaouche yacine wrote:

>
>> maildrop  unix  -  n  n  -  -  pipe
>> flags=DRhu user=vmail argv=/var/vmail/maildropwrapper -V9 -d ${recipient}
> 
> 
>    http://www.postfix.org/pipe.8.html
> 
>  user=username:groupname
>  Execute the external command with the user ID and  group  ID  of
>  the  specified  username.  The software refuses to execute com-
>  mands with root privileges, or with the privileges of  the  mail
>  system owner. If groupname is specified, the corresponding group
>  ID is used instead of the group ID of username.
> 
>Note, that pipe(8) is not the "login" program and does not execute
>programs with all the group memberships of the specified user.
>Only the primary group, or the explicitly selected "groupname" is
>available.
> 
>-- 
>    Viktor.
Thanks Viktor. I tried running it as vmail:daemon and honestly I had no idea 
what would that do. The program could finally connect to the socket, as the 
strace shows : 

connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/courier/authdaemon/socket"}, 
110) = 0
but it still failed to deliver the email, this time for another error : 

connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/courier/authdaemon/socket"}, 
110) \
= 0
fcntl(3, F_SETFL, O_RDONLY) = 0
select(4, NULL, [3], NULL, {10, 0}) = 1 (out [3], left {9, 98})
write(3, "PRE . login a.chaouche@algerian-"..., 41) = 41
select(4, [3], NULL, NULL, {30, 0}) = 1 (in [3], left {29, 999402})
read(3, "UID=113\nGID=1002\nHOME=/var/vmail"..., 8191) = 157
write(2, "maildrop: authlib: groupid=", 27maildrop: authlib: groupid=) = 27
write(2, "1002\0", 51002^@)   = 5
write(2, "\n", 1)   = 1
setgroups(1, [1002])    = -1 EPERM (Operation not permitted)
setgid(1002)    = -1 EPERM (Operation not permitted)
dup(2)  = 4
fcntl(4, F_GETFL)   = 0x8401 (flags 
O_WRONLY|O_APPEND|O_LARGEFILE)
close(4)    = 0
write(2, "setgid: Operation not permitted\n", 32setgid: Operation not 
permitted) = 32
close(2)    = 0
close(1)    = 0
exit_group(1)

I thought that since vmail is part of the daemon group the linux file 
permission checking subsystem (or whatever that is) would allow the vmail user 
to access that directory because he is a member of the daemon group. I still 
don't understand why the groupid is important to set and I understand this is a 
topic that is outside of postfix.

I ended up changing master.cf back as it was before (just user=vmail) and 
changing the file permissions of the directory /var/run/courier/authdaemon like 
this :
root@messagerie[10.10.10.20] /var/run/courier # chmod o+xr authdaemon/

So now I have 

root@messagerie[10.10.10.20] /var/run/courier # ls
total 16K
drwxr-xr-x 2 daemon daemon 100 Apr  5 14:22 authdaemon
-rw-r--r-- 1 root   root 5 Apr  5 14:22 imapd.pid
-rw--- 1 root   root 0 Mar  7 16:39 imapd.pid.lock
-rw-r--r-- 1 root   root 5 Apr  5 14:22 imapd-ssl.pid
-rw--- 1 root   root 0 Mar  7 16:39 imapd-ssl.pid.lock
-rw-r--r-- 1 root   root 5 Apr  5 14:22 pop3d.pid
-rw--- 1 root   root 0 Mar  7 16:39 pop3d.pid.lock
-rw-r--r-- 1 root   root 5 Apr  5 14:22 pop3d-ssl.pid
-rw--- 1 root   root 0 Mar  7 16:39 pop3d-ssl.pid.lock
root@messagerie[10.10.10.20] /var/run/courier # 


(authdaemon is world readable and executable)

Now maildrop finally works but at the cost of exposing this directory to the 
world. I will be sending an e-mail to the cyrus mailing list and probably cc to 
courier-imap for maildrop support to request comments about this.
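Viktor's point about pipe(8) setting only the primary (or explicit) group and the strace above describe one access-control model, and the following added example (not from the thread, Postfix or maildrop) replays each credential set discussed here against the authdaemon socket path. The uid/gid of vmail (113/1002) come from the maildrop trace; the daemon uid/gid of 1, the socket mode 0777 and the directory mode 0750 before `chmod o+xr` are constructed assumptions.

```python
"""Unix access-check model for /var/run/courier/authdaemon/socket.

Constructed example. vmail uid 113 / gid 1002 come from the maildrop trace
in this thread; daemon uid/gid 1, socket mode 0777 and the authdaemon
directory mode 0750 (before `chmod o+xr`) are assumptions."""
from dataclasses import dataclass

R, W, X = 4, 2, 1          # permission bits of one rwx triplet


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int              # permission bits only, e.g. 0o750


@dataclass(frozen=True)
class Creds:
    euid: int
    egid: int
    groups: frozenset = frozenset()   # supplementary groups


def pipe8_creds(uid, gid, groupname_gid=None):
    """Credentials as pipe(8) sets them: the uid, and either the user's
    primary group or the explicit `user=name:groupname` group. No
    supplementary groups: pipe(8) is not login(1) and never runs initgroups()."""
    return Creds(uid, groupname_gid if groupname_gid is not None else gid)


def login_creds(uid, gid, supplementary):
    """Credentials of an interactive session (su/login): primary group plus
    every group that lists the user in /etc/group."""
    return Creds(uid, gid, frozenset(supplementary))


def permitted(inode, creds, want):
    """Classic DAC check: choose the owner, group or other triplet, then test
    the wanted bits. The group triplet applies if EITHER the effective gid OR
    any supplementary group matches. euid 0 is modelled as always permitted
    (CAP_DAC_OVERRIDE), which is what a setuid-root maildrop gets."""
    if creds.euid == 0:
        return True
    if creds.euid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif creds.egid == inode.gid or inode.gid in creds.groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bits & want == want


def can_connect(dirs, sock, creds):
    """connect(2) on a Unix-domain socket needs search (x) on every directory
    component and write (w) on the socket inode itself."""
    return all(permitted(d, creds, X) for d in dirs) and permitted(sock, creds, W)


def setgid_allowed(creds, target_gid):
    """Linux setgid(2) from an unprivileged process succeeds only when the
    target is already its real/effective/saved gid, otherwise EPERM.
    (setgroups(2) always needs CAP_SETGID, so it fails for any non-root.)"""
    return creds.euid == 0 or target_gid == creds.egid


# Constructed layout: /var, /var/run, /var/run/courier are root:root 0755.
VMAIL_UID, VMAIL_GID, DAEMON_UID, DAEMON_GID = 113, 1002, 1, 1
PARENT_DIRS = [Inode(0, 0, 0o755)] * 3
AUTHDAEMON_BEFORE = Inode(DAEMON_UID, DAEMON_GID, 0o750)  # drwxr-x--- (assumed)
AUTHDAEMON_AFTER = Inode(DAEMON_UID, DAEMON_GID, 0o755)   # drwxr-xr-x (from ls)
SOCKET = Inode(DAEMON_UID, DAEMON_GID, 0o777)             # srwxrwxrwx (assumed)


def scenarios():
    """Every credential set from the thread, tried against the socket path."""
    vmail_pipe = pipe8_creds(VMAIL_UID, VMAIL_GID)              # user=vmail
    vmail_daemon_pipe = pipe8_creds(VMAIL_UID, VMAIL_GID, DAEMON_GID)  # user=vmail:daemon
    vmail_shell = login_creds(VMAIL_UID, VMAIL_GID, {DAEMON_GID})      # su vmail
    root = Creds(0, 0)                                          # setuid-root maildrop
    before = PARENT_DIRS + [AUTHDAEMON_BEFORE]
    after = PARENT_DIRS + [AUTHDAEMON_AFTER]
    return {
        "pipe user=vmail": can_connect(before, SOCKET, vmail_pipe),
        "pipe user=vmail:daemon": can_connect(before, SOCKET, vmail_daemon_pipe),
        "su vmail shell": can_connect(before, SOCKET, vmail_shell),
        "pipe user=vmail, after chmod o+xr": can_connect(after, SOCKET, vmail_pipe),
        "setuid-root maildrop": can_connect(before, SOCKET, root),
        # second failure in the strace: setgid(1002) from egid 1 is EPERM
        "vmail:daemon may setgid(1002)": setgid_allowed(vmail_daemon_pipe, VMAIL_GID),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:36s} {'OK' if ok else 'EACCES/EPERM'}")
```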





 

postfix docs re "SPF Support"?

2016-04-06 Thread jasonsu
Since pypolicyd-spf has been causing me lots of problems (upstream is helping 
on it at launchpad), I decided to look for a more reliable alternative just in 
case.

The Postfix Add-Ons page (http://www.postfix.org/addon.html) says

Note: Postfix already ships with SPF support, in the form of a plug-in 
policy daemon. This is the preferred integration model, at least until SPF is 
mandated by standards.

Looking for that at

Postfix feature overview
http://www.postfix.org/features.html

Main features
Junk mail control
...
Postfix 2.1 SPF plug-in

Which takes you to

http://www.postfix.org/SMTPD_POLICY_README.html

where the only mention of SPF is

Another example of policy delegation is the SPF policy server at 
http://www.openspf.org/Software.

Visiting

http://www.openspf.org/Software

re-points to

This package has moved to https://launchpad.net/pypolicyd-spf/

which is obviously ADD-ON software.

Unless I missed it, neither openspf nor pypolicyd is even mentioned at 
http://www.postfix.org/addon.html.

This is a pretty confusing runaround through the docs :-(

IS pypolicyd-spf the SPF support that Postfix supposedly already ships with?

Or is it something else?


Jason






Re: How to log output from whatever pipe runs ?

2016-04-06 Thread chaouche yacine
Ok so after reading the previous answer from courier-imap I ended up setting a 
setuid bit on the maildrop binary so that it is executed with root privileges. 
The authdaemon directory was stripped of its world readable and executable 
permissions.

Thank you all !
 


Re: postfix docs re "SPF Support"?

2016-04-06 Thread Noel Jones
On 4/6/2016 11:31 AM, jaso...@mail-central.com wrote:
> Since pypolicyd-spf has been causing me lots of problems (upstream is helping 
> on it at launchpad), I decided to look for a more reliable alternative just 
> in case.
> 
> The Postfix Add-Ons page (http://www.postfix.org/addon.html) says
> 
>   Note: Postfix already ships with SPF support, in the form of a plug-in 
> policy daemon. This is the preferred integration model, at least until SPF is 
> mandated by standards.
...
> IS pypolicyd-spf the SPF support that Postfix supposedly already ships with?
> 
> Or is it something else?



A third-party policy daemon or milter is required for SPF.  Postfix
ships with support for these external third-party programs.

Postfix does not include nor officially recommend any particular
add-on SPF policy or milter.



  -- Noel Jones


Re: bad.psky.me RBL?

2016-04-06 Thread Noel Jones
On 4/6/2016 10:52 AM, Quanah Gibson-Mount wrote:
> --On Wednesday, April 06, 2016 6:36 PM +0200 lst_ho...@kwsoft.de wrote:
> 
>>
>> Zitat von Quanah Gibson-Mount :
>>
>>> Is anyone familiar with this RBL and its quality?  Not a whole lot
>>> of info at .  Terms seem probably ok
>>> .
>>
>> If there isn't a lot of info, expect the worst. You should always be
>> aware that you "outsource" at least parts of the ham/spam decision
>> and
>> you really should be careful about that.
> 
> Right, thus me asking if anyone has any info/experience with it. ;) 
> A customer enabled it in their environment and is happy with the
> results so far, but I'd want more information before doing so myself
> or making any type of general recommendation about it.
> 
> --Quanah
> 


You can test this RBL in smtpd_*_restrictions by using warn_if_reject.

You can test this RBL in postscreen by using a weight of *0.

Test rejections will be logged, but will not reject mail.



  -- Noel Jones


Re: postfix docs re "SPF Support"?

2016-04-06 Thread jasonsu


On Wed, Apr 6, 2016, at 10:20 AM, Noel Jones wrote:
> A third-party policy daemon or milter is required for SPF.  Postfix
> ships with support for these external third-party programs.
> 
> Postfix does not include nor officially recommend any particular
> add-on SPF policy or milter.

If that's true, that language should be included in the docs.  Would make life 
easier. Thanks.

Also, at least making mention of the openspf & policyd-spf on the ADD-ONS page 
would be good.


Re: bad.psky.me RBL?

2016-04-06 Thread Quanah Gibson-Mount
--On Wednesday, April 06, 2016 1:23 PM -0500 Noel Jones wrote:

> On 4/6/2016 10:52 AM, Quanah Gibson-Mount wrote:
>> --On Wednesday, April 06, 2016 6:36 PM +0200 lst_ho...@kwsoft.de wrote:
>>> Zitat von Quanah Gibson-Mount :
>>>> Is anyone familiar with this RBL and its quality?  Not a whole lot
>>>> of info at .  Terms seem probably ok
>>>> .
>>>
>>> If there isn't a lot of info, expect the worst. You should always be
>>> aware that you "outsource" at least parts of the ham/spam decision
>>> and
>>> you really should be careful about that.
>>
>> Right, thus me asking if anyone has any info/experience with it. ;)
>> A customer enabled it in their environment and is happy with the
>> results so far, but I'd want more information before doing so myself
>> or making any type of general recommendation about it.
>>
>> --Quanah
>
> You can test this RBL in smtpd_*_restrictions by using warn_if_reject.
>
> You can test this RBL in postscreen by using a weight of *0.
>
> Test rejections will be logged, but will not reject mail.


Thanks Noel!  Postscreen it is. :)

--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration
A division of Synacor, Inc


what error is being reported back to sender, and how to avoid reporting back internal server ports?

2016-04-06 Thread jasonsu
I added SPF and header_checks to my Postfix setup.

I'm following the message path, and have a couple questions about what error 
gets reported back to the sender.

After postscreen PASS, I check for SPF, then hand off to Amavis preque for DKIM

psint pass - - n - - smtpd
  -o receive_override_options=no_address_mappings
  -o syslog_name=postfix/psint
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_proxy_filter=127.0.0.1:13001
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination,check_policy_service,unix:private/policyd-spf

Amavis returns, submits to DMARC, then passes to Amavis postqueue for A/V

[127.0.0.1]:13002 inet n - n - - smtpd
  -o content_filter=amavis:[127.0.0.1]:13003
  -o syslog_name=postfix/prequeue
  -o mynetworks=127.0.0.0/8
  -o non_smtpd_milters=inet:127.0.0.1:8893
  -o receive_override_options=no_unknown_recipient_checks
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o smtpd_end_of_data_restrictions=
  -o smtpd_etrn_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_milters=inet:127.0.0.1:8893
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_relay_restrictions=permit_mynetworks,reject
  -o smtpd_sender_restrictions=

I turned on header checks

main.cf
header_checks = pcre:${config_directory}/header_checks.pcre

header_checks.pcre
/^(To|From|Cc|Reply-To):.*carmen_garcia/i   REJECT

So, I expect that mail with any sender/recipient that includes "carmen_garcia" 
will get REJECTed

My logs show it does

Apr  5 04:29:11 mail01 postfix/psint/smtpd[9355]: NOQUEUE: 
client=vps.capacit.cl[45.79.11.29]
Apr  5 04:29:11 mail01 postfix/prequeue/smtpd[9362]: connect from 
localhost[127.0.0.1]
Apr  5 04:29:11 mail01 postfix/prequeue/smtpd[9362]: 3qgDTM6nLdz31QN: 
client=localhost[127.0.0.1], orig_client=vps.capacit.cl[45.79.11.29]
Apr  5 04:29:11 mail01 postfix/cleanup[9364]: 3qgDTM6nLdz31QN: reject: 
header To: ja...@hotmail.com, christophe.eb...@freesbee.fr, 
goldent...@imageshack.us,?  linda...@hotmail.com, gabrumun...@gmail.com, 
carmen_garcia1...@yahoo.com,? andre...@gmail.com, smwilliams...@breathe.co from 
vps.capacit.cl[45.79.11.29]; from= 
to= proto=ESMTP helo=: 5.7.1
Apr  5 04:29:11 mail01 postfix/prequeue/smtpd[9362]: disconnect from 
localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=0/1 quit=1 
commands=5/6
Apr  5 04:29:11 mail01 postfix/psint/smtpd[9355]: proxy-reject: 
END-OF-MESSAGE: 550 5.7.1 id=02796-15 - Rejected by next-hop MTA on relaying, 
from MTA(smtp:[127.0.0.1]:13002): 550 5.7.1; from= 
to= proto=ESMTP helo=
Apr  5 04:29:12 mail01 postfix/psint/smtpd[9355]: disconnect from 
vps.capacit.cl[45.79.11.29] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 
commands=6/7

What's the sending server getting back here? Is the 550 REJECT message being 
delivered to the sending server? Or only to my internal server doing the 
handoff?

If it's seeing the 550, how can I stop exposing/reporting back "from 
MTA(smtp:[127.0.0.1]:13002):" ?  If it's just internal to my setup, then I 
don't care.

Jason


Re: How to log output from whatever pipe runs ?

2016-04-06 Thread Wietse Venema
[Same program, same UID, different results depending on whether
the program runs under postfix pipe(8) or as "su user -c command"]

Wietse:
>Try disabling SeLinux/AppArmor/etc. security.

chaouche yacine:
> Thanks Wietse. They don't seem to be installed though. 

Next, have a look at the permissions of the saslauthd socket AND
of its parent directories. Are the directories mode 755, is the
socket mode 644? If it is group-restricted then that may not work.

One difference between running things as "su user -c command" and
running under Postfix pipe(8) is that Postfix does not set the
secondary groups.

Wietse


Re: ETSI Registered Email implementations?

2016-04-06 Thread Ori Bani
> Does anyone know of any open source implementations of ETSI's
> "Registered Email" standard (ETSI TS 102 640)? I think this is
> different than Italy's "Certified Email" (RFC 6109).

Is this on anyone's radar? Is there a better place to discuss?


Re: Need help with relay setup

2016-04-06 Thread John Stoffel
> "Noel" == Noel Jones  writes:

Noel> On 4/6/2016 10:11 AM, John Stoffel wrote:
>>> "Noel" == Noel Jones  writes:
>> 
Noel> On 4/6/2016 8:06 AM, John Stoffel wrote:
 Can I force the fallback_transport to re-write, before using the
 fallback, john.t...@foo.bar.com into john.t...@hdqmta.foo.bar.com?
 Since I think that's the problem?
>> 
>> 
Noel> Perhaps this is what you're missing:
Noel> http://www.postfix.org/ADDRESS_REWRITING_README.html#generic
Noel> http://www.postfix.org/postconf.5.html#smtp_generic_maps
>> 
Noel> smtp_generic_maps can be used on a specific master.cf transport to
Noel> control rewriting to a specific destination.
>> 
Noel> # transport_maps
Noel> hdqmta.example.com  hdqmta
>> 
Noel> # generic_htqmta
Noel> @example.com  @hdqmta.example.com
>> 
Noel> # master.cf
Noel> # copy of standard smtp transport
Noel> hdqmta  unix  -   -   n   -   -   smtp
Noel> -o smtp_generic_maps=hash:/etc/postfix/generic_htqmta
>> 
>> 
>> Thanks for the hints!  So I'm wondering if I need to do this for all
>> of my hosts?  But let me go back and expand on how things work, just
>> so we're on the same page and because I want to make sure I'm thinking
>> this through properly as well.
>> 
>> 1. mail arrives, from anywhere basically.
>> 2. alias lookups happen, for example:  john.t...@foo.bar.com
>> - no alias match, punt to hdqmta
>> 
>> - alias match, say it goes to john.t...@exmail1.foo.bar.com
>> - would I then have a generic_exmail1 file with just:
>> 
>> @foo.bar.com @exmail1.foo.bar.com
>> 
>> as well?

Noel> Yes, if this is a different server that expects the address to be
Noel> @exmail1...


>> 
>> 3. mail gets delivered properly...
>> 
>> Is this because I'm not using the local delivery agent, which knows
>> about NIS aliases, and also to then forward emails on to the new
>> envelope address?   And since I'm not using local delivery, I need to
>> be more explicit in my setup and handling?

Noel> This is just to rewrite an address from one form to another during
Noel> smtp delivery.


Ok, so I think I did what you said I should but it's not working.
Probably because I did NOT setup:

   smtp_generic_maps = hash:/etc/postfix/generic

because it's not really clear what I need there, since I do my lookups
via NIS aliases, and then forward to the location specified.

So right now what happens is:

   mail -> mailhost-new (postfix) -> hdqmta -> mailhost (orig) -> hdqmta
-> back to me via Lotus notes forward.

See how it's going a double loop, where the old mailhost is re-writing
the envelope properly.  According to the headers, postfix is doing the
masquerading.  I've setup my /etc/postfix transport_maps like this:

#
# Added to make lotus notes and exchange happy
#
hdqmta.foo.bar.com  hdqmta
exmail1.foo.bar.com exmail1


But it's not working.  I've setup stuff like you suggested in master.cf:

#
# TAEC
#
hdqmta    unix  -   -   n   -   -   smtp
-o smtp_generic_maps=hash:/etc/postfix/generic_hdqmta
exmail1   unix  -   -   n   -   -   smtp
-o smtp_generic_maps=hash:/etc/postfix/generic_exmail1

But I do NOT have the smtp_generic_maps setup at all, because I need
to re-write @foo.bar.com to @hdqmta.foo.bar.com or
@exmail1.foo.bar.com depending on transport.  Gah!!!

Sorry if I'm being dense here, I know I'm trying to do something
that's not quite the normal thing here.

Would it be smarter for me to split up things into multiple relay
servers instead?  Dunno...

John





Re: Need help with relay setup

2016-04-06 Thread Noel Jones
On 4/6/2016 3:34 PM, John Stoffel wrote:
>> "Noel" == Noel Jones  writes:

> masquerading.  I've setup my /etc/postfix transport_maps like this:
> 
> #
> # Added to make lotus notes and exchange happy
> #
> hdqmta.foo.bar.com  hdqmta
> exmail1.foo.bar.com exmail1
> 
> 
> But it's not working.  I've setup stuff like you suggested in master.cf:
> 
> #
> # TAEC
> #
> hdqmta    unix  -   -   n   -   -   smtp
>   -o smtp_generic_maps=hash:/etc/postfix/generic_hdqmta
> exmail1   unix  -   -   n   -   -   smtp
>   -o smtp_generic_maps=hash:/etc/postfix/generic_exmail1
> 
> But I do NOT have the smtp_generic_maps setup at all, because I need
> to re-write @foo.bar.com to @hdqmta.foo.bar.com or
> @exmail1.foo.bar.com depending on transport.  Gah!!!


I'm going to step out on a limb here and guess it's not working
because you didn't set up the rewriting.

That's why you use different maps, attached to the specific
transport. Each map does the rewriting needed for that destination.

> 
> Sorry if I'm being dense here, I know I'm trying to do something
> that's not quite the normal thing here.
> 
> Would it be smarter for me to split up things into multiple relay
> servers instead?  Dunno...

That would work too, but you would have the same problem if you
didn't rewrite.



  -- Noel Jones


Plus addressing on Sentora using Postfix

2016-04-06 Thread Philip McGaw
I am running Ubuntu 14.04.4 LTS “Trusty” and "postconf -d | grep 
mail_version” gives me “mail_version = 2.11.0”.

I have installed Sentora (http://sentora.org), which sets up most of the 
Postfix configuration. I have made some changes to allow me to use 
certificates for IMAP and SMTP SSL 
(https://skippy.org.uk/lets-encrypt-postfix-and-dovecot/).

My postfix config file is http://pastebin.com/vqBWhNM9, and Postfix master 
process configuration file is http://pastebin.com/1AUPiLSd.

I am trying to send an email to s...@skippy.org.uk and site+t...@skippy.org.uk 
(sending from an iCloud account). It works to s...@skippy.org.uk; the lines 
from mail.log are as follows:

> Mar 11 17:48:07 njoror postfix/smtpd[32706]: connect from 
> mr11p26im-asmtp004.me.com[17.110.86.109]
> Mar 11 17:48:07 njoror postfix/smtpd[32706]: Anonymous TLS connection 
> established from mr11p26im-asmtp004.me.com[17.110.86.109]: TLSv1.2 with 
> cipher DHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> Mar 11 17:48:08 njoror postfix/smtpd[32706]: 1BAF055AB6: 
> client=mr11p26im-asmtp004.me.com[17.110.86.109]
> Mar 11 17:48:08 njoror postfix/cleanup[32710]: 1BAF055AB6: 
> message-id=<90594925-c294-4a38-8275-c23da55a9...@icloud.com>
> Mar 11 17:48:08 njoror postfix/qmgr[32599]: 1BAF055AB6: 
> from=, size=1513, nrcpt=1 (queue active)
> Mar 11 17:48:08 njoror postfix/pipe[32605]: 1BAF055AB6: 
> to=, relay=dovecot, delay=0.43, 
> delays=0.34/0.01/0/0.09, dsn=4.1.1, status=SOFTBOUNCE (user unknown)
> Mar 11 17:48:08 njoror postfix/smtpd[32706]: disconnect from 
> mr11p26im-asmtp004.me.com[17.110.86.109]

vs

> Mar 11 17:49:23 njoror postfix/smtpd[32706]: connect from 
> mr11p26im-asmtp004.me.com[17.110.86.109]
> Mar 11 17:49:23 njoror postfix/smtpd[32706]: Anonymous TLS connection 
> established from mr11p26im-asmtp004.me.com[17.110.86.109]: TLSv1.2 with 
> cipher DHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> Mar 11 17:49:24 njoror postfix/smtpd[32706]: 33D2355AB9: 
> client=mr11p26im-asmtp004.me.com[17.110.86.109]
> Mar 11 17:49:24 njoror postfix/cleanup[32710]: 33D2355AB9: 
> message-id=<2456dc97-4e3a-4a91-b3a0-cafe056f1...@icloud.com>
> Mar 11 17:49:24 njoror postfix/qmgr[32599]: 33D2355AB9: 
> from=, size=1249, nrcpt=1 (queue active)
> Mar 11 17:49:25 njoror postfix/smtpd[32706]: disconnect from 
> mr11p26im-asmtp004.me.com[17.110.86.109]
> Mar 11 17:49:26 njoror postfix/pipe[32605]: 33D2355AB9: 
> to=, relay=dovecot, delay=1.8, delays=0.63/0/0/1.2, 
> dsn=2.0.0, status=sent (delivered via dovecot service)
> Mar 11 17:49:26 njoror postfix/qmgr[32599]: 33D2355AB9: removed


Looking at the lines from mail.log it looks like it thinks there should be a 
user called site+t...@skippy.org.uk. This has been puzzling me for a while; I 
was wondering if anyone on here could see what was wrong and what I needed to 
change. Looking at a few examples and online guides I thought I had covered all 
the bases.




False positives from header_checks

2016-04-06 Thread Cedric Knight
The documentation for header_checks includes an example to "block
attachments with bad file name extensions", and I expect many
installations have a similar rule to cut down on malware.  This reads:

  /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
   ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
   hlp|ht[at]|
   inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
   \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
   ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
   vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
 REJECT Attachment name "$2" may not end with ".$4"

Unfortunately, this can now block valid email from iPhone/iOS/ithing
users.  The second ".*" can span multiple parameters.  This shows up in
logs when searching for "x-apple-part-url" as follows:

postfix/cleanup[1234]: 123412341234: reject: header Content-Type:
application/vnd.ms-publisher;??name="redacted
redacted.pub";??x-apple-part-url="abcd1234-1234-5678--123412341...@yahoo.com"

What Apple has done seems legal under RFC 2045 but may make some of
their users' email undeliverable.

Rules can be amended to limit to "token" or "quoted-string" versions of
the filename like this:

  /^Content-(Disposition|Type).*name\s*=\s*
   ("(?:[^"]|\\")*|[^();:,\/<>\@\"?=<>\[\]\ ]*)
   ((?:\.|=2E)(
   ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
   hlp|ht[at]|
   inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
   \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
   ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
   vb[esx]?|vxd|ws[cfh])(\?=)?"?)\s*(;|$)/x
 REJECT Attachment name $2$3 may not end with ".$4"

A separate security point is that this doesn't actually block "bad"
extensions if the Content-Type name is base64 encoded and the filename
parameter in the Content-Disposition is percent-encoded.

Hope this is useful to some.

CK




Re: False positives from header_checks

2016-04-06 Thread Laz C. Peterson
This is great information.

It's very odd ... Apple has been responsible for the foundation of quite a few 
RFCs but in our experience has actually made it difficult for our software to 
both comply with the RFC as well as Apple's client software.

Thank you Cedric.

~ Laz Peterson
Paravis, LLC

> On Apr 6, 2016, at 3:28 PM, Cedric Knight  wrote:
> 
> The documentation for header_checks includes an example to "block
> attachments with bad file name extensions", and I expect many
> installations have a similar rule to cut down on malware.  This reads:
> 
>  /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
>   ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
>   hlp|ht[at]|
>   inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
>   \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
>   ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
>   vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
> REJECT Attachment name "$2" may not end with ".$4"
> 
> Unfortunately, this can now block valid email from iPhone/iOS/ithing
> users.  The second ".*" can span multiple parameters.  This shows up in
> logs when searching for "x-apple-part-url" as follows:
> 
> postfix/cleanup[1234]: 123412341234: reject: header Content-Type:
> application/vnd.ms-publisher;??name="redacted
> redacted.pub";??x-apple-part-url="abcd1234-1234-5678--123412341...@yahoo.com"
> 
> What Apple has done seems legal under RFC 2045 but may make some of
> their users' email undeliverable.
> 
> Rules can be amended to limit to "token" or "quoted-string" versions of
> the filename like this:
> 
>  /^Content-(Disposition|Type).*name\s*=\s*
>   ("(?:[^"]|\\")*|[^();:,\/<>\@\"?=<>\[\]\ ]*)
>   ((?:\.|=2E)(
>   ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
>   hlp|ht[at]|
>   inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
>   \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
>   ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
>   vb[esx]?|vxd|ws[cfh])(\?=)?"?)\s*(;|$)/x
> REJECT Attachment name $2$3 may not end with ".$4"
> 
> A separate security point is that this doesn't actually block "bad"
> extensions if the Content-Type name is base64 encoded and the filename
> parameter in the Content-Disposition is percent-encoded.
> 
> Hope this is useful to some.
> 
> CK
> 
> 



Re: False positives from header_checks

2016-04-06 Thread Curtis Villamizar

Since pcre evaluates in order you could add

/^Content-(Disposition|Type).*;??x-apple-part-url="[^"]+"$/x  DUNNO


before the pcre that does the rejection.

Since "." is commonly "%2E" you could also change the "\." in the RE to 
"(\.|%2E)".

That doesn't solve base64 encoding.

Disclaimer: I haven't tried this.

Curtis

On 04/06/16 22:02, Laz C. Peterson wrote:
> This is great information.
>
> It's very odd ... Apple has been responsible for the foundation of quite a few 
> RFCs but in our experience has actually made it difficult for our software to 
> both comply with the RFC as well as Apple's client software.
>
> Thank you Cedric.
>
> ~ Laz Peterson
> Paravis, LLC
>
>> On Apr 6, 2016, at 3:28 PM, Cedric Knight  wrote:
>>
>> The documentation for header_checks includes an example to "block
>> attachments with bad file name extensions", and I expect many
>> installations have a similar rule to cut down on malware.  This reads:
>>
>>   /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
>>    ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
>>    hlp|ht[at]|
>>    inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
>>    \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
>>    ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
>>    vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
>>  REJECT Attachment name "$2" may not end with ".$4"
>>
>> Unfortunately, this can now block valid email from iPhone/iOS/ithing
>> users.  The second ".*" can span multiple parameters.  This shows up in
>> logs when searching for "x-apple-part-url" as follows:
>>
>> postfix/cleanup[1234]: 123412341234: reject: header Content-Type:
>> application/vnd.ms-publisher;??name="redacted
>> redacted.pub";??x-apple-part-url="abcd1234-1234-5678--123412341...@yahoo.com"
>>
>> What Apple has done seems legal under RFC 2045 but may make some of
>> their users' email undeliverable.
>>
>> Rules can be amended to limit to "token" or "quoted-string" versions of
>> the filename like this:
>>
>>   /^Content-(Disposition|Type).*name\s*=\s*
>>    ("(?:[^"]|\\")*|[^();:,\/<>\@\"?=<>\[\]\ ]*)
>>    ((?:\.|=2E)(
>>    ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
>>    hlp|ht[at]|
>>    inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
>>    \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
>>    ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
>>    vb[esx]?|vxd|ws[cfh])(\?=)?"?)\s*(;|$)/x
>>  REJECT Attachment name $2$3 may not end with ".$4"
>>
>> A separate security point is that this doesn't actually block "bad"
>> extensions if the Content-Type name is base64 encoded and the filename
>> parameter in the Content-Disposition is percent-encoded.
>>
>> Hope this is useful to some.
>>
>> CK
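Cedric's false positive and Curtis's DUNNO-first ordering, replayed against constructed headers in Python; this is an added example, not code from the thread or from Postfix. It assumes a first-match-wins evaluation in the style of cleanup(8) header_checks, writes the POSIX [[:xdigit:]] class as [0-9A-Fa-f] because Python's re lacks POSIX classes, and uses re.I and re.S to stand in for the Postfix pcre table defaults.

```python
"""Replay the thread's header_checks rules over constructed headers.

Added example (not from the thread or from Postfix): a first-match-wins
evaluator in the style of cleanup(8) header_checks, used to show why the
documented attachment rule trips on Apple's x-apple-part-url parameter and
how Cedric's amended pattern and Curtis's DUNNO-first ordering behave.
Assumptions: [[:xdigit:]] is written as [0-9A-Fa-f] (Python re has no
POSIX classes); re.I and re.S stand in for the Postfix pcre table defaults
(case-insensitive, dot matches newline); re.X is the rules' own /x flag.
"""
import re

FLAGS = re.I | re.S | re.X

# Extension alternation shared by both reject rules (copied from the thread).
EXTENSIONS = r"""
    ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
    hlp|ht[at]|
    inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
    \{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}|
    ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
    vb[esx]?|vxd|ws[cfh]
"""

# Documented rule: the second ".*" may run across later parameters, so the
# "extension" can be taken from a value that is not the filename at all.
DOCUMENTED = re.compile(
    r'^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)('
    + EXTENSIONS + r'))(\?=)?"?\s*(;|$)', FLAGS)

# Amended rule: the filename must be a single quoted-string or token.
AMENDED = re.compile(
    r'^Content-(Disposition|Type).*name\s*=\s*'
    r'("(?:[^"]|\\")*|[^();:,\/<>\@\"?=<>\[\]\ ]*)'
    r'((?:\.|=2E)(' + EXTENSIONS + r')(\?=)?"?)\s*(;|$)', FLAGS)

# DUNNO rule placed ahead of the reject rule, as suggested in the thread.
# Caveat: it accepts the whole header as soon as that parameter is present,
# so ordering it first changes what the reject rule can ever see.
APPLE_DUNNO = re.compile(
    r'^Content-(Disposition|Type).*;??x-apple-part-url="[^"]+"$', FLAGS)

RULESETS = {
    "documented": [(DOCUMENTED, "REJECT")],
    "amended": [(AMENDED, "REJECT")],
    "dunno_first": [(APPLE_DUNNO, "DUNNO"), (DOCUMENTED, "REJECT")],
}

# Constructed headers, folded with newline + tab as cleanup(8) sees them
# (the non-printable fold is what the thread's log renders as "??").
APPLE_HEADER = ('Content-Type: application/vnd.ms-publisher;\n\t'
                'name="quarterly report.pub";\n\t'
                'x-apple-part-url="abcd1234-1234-5678-9abc-123412341234'
                '@example.com"')
EXE_HEADER = 'Content-Disposition: attachment; filename="invoice.exe"'
PDF_HEADER = 'Content-Disposition: attachment; filename="invoice.pdf"'


def check_header(rules, header):
    """Return (action, extension) from the first matching rule.

    Mirrors header_checks: rules are tried in order, the first match
    decides, DUNNO stops the search, and no match means the header passes.
    The extension is the rule's $4 group, as used in the REJECT text.
    """
    for pattern, action in rules:
        match = pattern.search(header)
        if match is None:
            continue
        if action == "DUNNO":
            return "DUNNO", None
        return action, match.group(4)
    return "DUNNO", None


def evaluate(ruleset, header):
    return check_header(RULESETS[ruleset], header)


if __name__ == "__main__":
    samples = [("apple", APPLE_HEADER), ("exe", EXE_HEADER), ("pdf", PDF_HEADER)]
    for name in RULESETS:
        for label, header in samples:
            print(f"{name:12} {label:6} -> {evaluate(name, header)}")
```

The documented rule rejects the Apple header with extension "com" taken from the x-apple-part-url value, while both fixes let it through and still reject the .exe attachment.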






Re: postfix docs re "SPF Support"?

2016-04-06 Thread Scott Kitterman
On Wednesday, April 06, 2016 09:31:24 AM jaso...@mail-central.com wrote:
> Since pypolicyd-spf has been causing me lots of problems (upstream is
> helping on it at launchpad), I decided to look for a more reliable
> alternative just in case.
> 
> The Postfix Add-Ons page (http://www.postfix.org/addon.html) says
> 
>   Note: Postfix already ships with SPF support, in the form of a plug-in
> policy daemon. This is the preferred integration model, at least until SPF
> is mandated by standards.
> 
> Looking for that at
> 
>   Postfix feature overview
>   http://www.postfix.org/features.html
> 
>   Main features
>   Junk mail control
>   ...
>   Postfix 2.1 SPF plug-in
> 
> Which takes you to
> 
>   http://www.postfix.org/SMTPD_POLICY_README.html
> 
> where the only mention of SPF is
> 
>   Another example of policy delegation is the SPF policy server at
> http://www.openspf.org/Software.
> 
> Visiting
> 
>   http://www.openspf.org/Software
> 
> re-points to
> 
>   This package has moved to https://launchpad.net/pypolicyd-spf/
> 
> which is obviously ADD-ON software.
> 
> Unless I missed it, neither openspf nor pypolicyd is even mentioned at
> http://www.postfix.org/addon.html.
> 
> This is a pretty confusing runaround through the docs :-(
> 
> IS pypolicyd-spf the SPF support that Postfix supposedly already ships with?
> 
> Or is it something else?

It's complicated.

Back in 2004/5 when SPF was first being developed, there were third party 
patches to postfix developed for SPF.  The policy interface was introduced in 
postfix 2.1 to allow, among other things, SPF checks to be done without patching 
postfix.  At that time, the postfix source included a sample policy server 
(written in perl) to do that along with some others to do other things like 
greylisting.

Somewhat later, I improved the sample and rather than periodically updating 
the version postfix was shipping, the pointer to 
http://www.openspf.org/Software was added in its place and for many years the 
source was hosted there.  Later I wanted things like a bug tracker and a 
modern version control system so I moved it to 
https://launchpad.net/postfix-policyd-spf-perl (the python implementation was 
never shipped with postfix - I started it because what I wanted to do with an 
SPF policy server far outstripped my limited Perl skills).

Postfix, today, ships an interface that allows SPF checking.  You can also, as 
someone else mentioned, use milters (the milter interface wasn't introduced 
until postfix 2.3).  It doesn't directly ship the plug in needed to do the 
check.  pypolicyd-spf is a more advanced descendant of the one that postfix 
used to ship.  There are many others.

The most important thing is that people shouldn't be trying to use direct 
patches to postfix that are over a decade old, designed for postfix about a 
dozen releases ago, and don't even support the experimental RFC (RFC 4408) 
version of SPF, let alone the standards track RFC (RFC 7208).  People still do 
though and they should stop.

Scott K