Postfix instance not listening
Hi,

I need a second pair of eyes on this.

My postmulti instance as configured below is not listening and I can't figure out why!

As you can see below, "postfix-authrelay" is active:

$ sudo postmulti -l
-                 -   y /etc/postfix
postfix-authrelay mta y /etc/postfix-authrelay

I've uploaded main.cf to pastebin: http://pastebin.com/iVJCbU6T

Same with my master.cf: http://pastebin.com/5NkTiRV8

You can see open ports here: http://pastebin.com/RXyhBzz1

Ideas most welcome!

Thanks!
Prevent Backscatter
Hello,

I am trying to reject instead of sending bounce message back when email arrives to non existing account at domains hosted by my server.

This is my main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/domain.com.crt
smtpd_tls_CAfile=/etc/ssl/certs/domain.com.chain.crt
smtpd_tls_key_file=/etc/ssl/private/domain.com.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#recipient_bcc_maps = mysql:/etc/postfix/sqlconf/recipient_bcc_maps.cf
virtual_alias_maps = mysql:/etc/postfix/sqlconf/virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/sqlconf/mydestination.cf
virtual_transport = dovecot
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access $virtual_alias_maps,
    reject_unauth_destination
myhostname = domain.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
resolve_numeric_domain = yes
message_size_limit = 10240
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

/etc/postfix/sqlconf/virtual_mailbox_maps.cf

user= vmail
password= 123
dbname = mails
query = SELECT concat(u.username,'@',u.domain) FROM users u WHERE u.username='%u' AND u.domain='%d' AND u.active='1' and u.type=0 UNION SELECT n.address FROM users u LEFT JOIN next n ON n.id = u.id WHERE u.username='%u' AND u.domain='%d' AND u.active='1';
hosts = 127.0.0.1

I tried adding reject_unverified_recipient under smtpd_recipient_restrictions, but after entering non existing username at existing domain, there was 1 second delay, and I still get "250 2.1.5 Ok" message.

Regards,
Robin

--
View this message in context: http://postfix.1071664.n5.nabble.com/Prevent-Backscatter-tp88359.html
Sent from the Postfix Users mailing list archive at Nabble.com.
Re: Prevent Backscatter
Is your server MX host for domains that are delivered to a different mail server?

If not: Set relay_domains to empty.

If yes:

DO Specify ONLY THOSE DOMAINS in relay_domains
DO specify ONLY THOSE recipients in relay_recipient_maps
DO NOT specify virtual (alias or mailbox) stuff in relay_domains
DO NOT specify virtual (alias or mailbox) stuff in relay_recipient_maps
DO specify virtual alias DOMAINS in virtual_alias_DOMAINS.

Wietse
Re: Getting smtpd restrictions right....
On 1/19/2017 11:49 PM, SH Development wrote:
> I have a server running Xeams for spam filtering, and another server running
> Postfix 2.6.6. Both servers are on the same network behind a firewall.
> Haven’t had any problems until recently when Xeams tech support pointed out
> that my Xeams server is showing as an open relay, but my Postfix server is
> not. They are telling me it’s because my Postfix server config is broken by
> not rejecting invalid user addresses passed through from Xeams.
>
> Sure enough, if I telnet from any machine on the same network as the Postfix
> server, it accepts email to any user, real or not. However, from any other
> machine outside that network, it rejects invalid addresses it as it should.
> I have tried some variations with the mynetworks but that seems to break
> other things.
>
> I need to close this hole up. I don’t think it’s been abused as of yet, but
> it’s only a matter of time.
>

You'll need to describe your mail flow and the problem in more detail, including logs of the unwanted behavior.

Does postfix have a list of valid users?

I don't see where you've defined mynetworks.

Does all internet mail flow through your Xeams server? Does postfix see that mail as coming from the local network (rather than from the original IP)?

>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
>> reject_unauth_destination reject

The final "reject" here and repeated in the other smtpd_*_restrictions prevents postfix from accepting *any* mail not authenticated or not from mynetworks.

-- Noel Jones

> Attached is the postconf -n output.
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> html_directory = no
> inet_interfaces = all
> inet_protocols = ipv4
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 3072
> mydestination = $myhostname, localhost, localhost.localdomain
> mydomain = starionhost.net
> myhostname = mail.starionhost.net
> newaliases_path = /usr/bin/newaliases.postfix
> proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
>     $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
>     $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
>     $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
>     $virtual_mailbox_limit_maps
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
> sample_directory = /usr/share/doc/postfix-2.6.6/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
>     reject_unauth_destination reject
> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
>     reject_unauth_destination reject
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> smtpd_tls_CAfile = /etc/pki/tls/cert.pem
> smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
> smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
> smtpd_use_tls = yes
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
>     mysql:/etc/postfix/mysql-virtual_email2email.cf
> virtual_gid_maps = static:5000
> virtual_mailbox_base = /home/vmail
> virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
> virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
> virtual_transport = dovecot
> virtual_uid_maps = static:5000
>
> Jeff
Re: Postfix instance not listening
> On Jan 20, 2017, at 6:29 AM, Tim Smith wrote:
>
> Hi,
>
> I need a second pair of eyes on this.
>
> My postmulti instance as configured below is not listening and I can't
> figure out why!
>
> I've uploaded main.cf to pastebin:
> http://pastebin.com/iVJCbU6T

Even a cursory look at that output shows:

##
## INSTANCE CONFIG ###
##
myhostname = my.example.com
mydomain = example.com
myorigin = $mydomain
# No inet services
master_service_disable = inet

Is "No inet services" really so unclear?

-- Viktor.
Re: Getting smtpd restrictions right....
Postfix I assumed got it’s valid users from the same place Dovecot is getting it, the mySQL database.

In the postconf -n I posted, it may not have shown the mynetworks as I have gone from trying different things to leaving it at default. It was probably at default when I generated it. I have tried making mynetworks local host only which results in client unauthorized errors when receiving mail. Any change I’ve made to mynetworks has resulted in incoming mail being rejected. I’m sure I’m missing something here.

All incoming mail from the outside world flows through Xeams. All outgoing mail from our users goes through Dovecot and Postfix.

On the repeated “reject”, are you saying that this is unnecessary? My understanding was in setting it that way was that directives are matched from the beginning of the line and by having a final “reject” it would catch any anomalies that might make it through the first tests.

Not an expert by any means just following some advice I probably received at one time.

Jeff
Re: Getting smtpd restrictions right....
You didn't answer the all-important question about what IP postfix sees for mail arriving from the Xeams server, nor did you provide the requested logging.

I'll assume postfix sees the Xeams IP. That's bad; it prevents postfix from making any decisions about the source of the mail.

The solution is to remove the Xeams IP from mynetworks, and get rid of the silly 'reject' at the end of your restrictions.

Something like:

mynetworks = !ip.of.xe.ams lo.ca.ln.et/mask 127.0.0.1

and your restrictions should look like (remove your smtpd_client_restrictions entry)

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

-- Noel Jones
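
The following sketch is an added example, not part of any message in the thread and not Postfix code. It models only the left-to-right, first-match-wins evaluation of mynetworks and of one restriction list, to compare the posted settings with the ones suggested in the reply above. The addresses, the domain example.com and the posted mynetworks value are constructed assumptions, since the thread does not show them.

```python
"""Simplified model of one Postfix smtpd restriction list (illustration only)."""
import ipaddress


def in_mynetworks(client_ip, mynetworks):
    """mynetworks is matched left to right; "!pattern" excludes a match."""
    ip = ipaddress.ip_address(client_ip)
    for pattern in mynetworks.replace(",", " ").split():
        excluded = pattern.startswith("!")
        network = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
        if ip in network:
            return not excluded  # search stops on the first matching pattern
    return False


def evaluate(restrictions, mynetworks, local_domains, client_ip, rcpt,
             sasl_authenticated=False):
    """Return (verdict, deciding_restriction) for one RCPT TO."""
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    for name in restrictions.replace(",", " ").split():
        if name == "permit_mynetworks":
            if in_mynetworks(client_ip, mynetworks):
                return ("PERMIT", name)
        elif name == "permit_sasl_authenticated":
            if sasl_authenticated:
                return ("PERMIT", name)
        elif name == "reject_unauth_destination":
            if rcpt_domain not in local_domains:
                return ("REJECT", name)
        elif name == "reject":
            return ("REJECT", name)  # unconditional
        else:
            raise ValueError("restriction not modelled: " + name)
    # Nothing matched: this list makes no decision and later checks apply.
    return ("DUNNO", None)


# Constructed values (assumptions, not taken from the thread).
LOCAL_DOMAINS = {"example.com"}   # stands in for the hosted virtual domains
XEAMS = "192.0.2.10"              # filter host on the LAN
LAN_CLIENT = "192.0.2.50"
INTERNET = "203.0.113.5"

POSTED = {
    "restrictions": "permit_mynetworks permit_sasl_authenticated "
                    "reject_unauth_destination reject",
    "mynetworks": "192.0.2.0/24 127.0.0.0/8",  # assumed to cover the LAN
}
SUGGESTED = {
    "restrictions": "permit_mynetworks permit_sasl_authenticated "
                    "reject_unauth_destination",
    "mynetworks": "!192.0.2.10 192.0.2.0/24 127.0.0.1",
}


def check(config, client_ip, rcpt, sasl_authenticated=False):
    return evaluate(config["restrictions"], config["mynetworks"],
                    LOCAL_DOMAINS, client_ip, rcpt, sasl_authenticated)


if __name__ == "__main__":
    cases = [
        ("posted", POSTED, XEAMS, "nosuchuser@example.com"),
        ("posted", POSTED, INTERNET, "user@example.com"),
        ("suggested", SUGGESTED, XEAMS, "nosuchuser@example.com"),
        ("suggested", SUGGESTED, XEAMS, "user@elsewhere.example"),
        ("suggested", SUGGESTED, LAN_CLIENT, "user@elsewhere.example"),
    ]
    for label, config, ip, rcpt in cases:
        print(label, ip, rcpt, check(config, ip, rcpt))
```

With the posted settings the filter host is permitted by client address before anything else is looked at, and every other unauthenticated client hits the trailing reject; with the suggested settings the filter host falls through the list instead.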
Re: Postfix instance not listening
Viktor,

I'm sorry I'm obviously not as perfect as you.

Obviously, given your level of godly perfection, you've never suffered from "config file blindness" you know after starting a whole bunch of them for a while suddenly the obvious gets hidden.

Thanks a bunch
Re: Postfix instance not listening
Tim Smith:
> Viktor,
>
> I'm sorry I'm obviously not as perfect as you.

Sorry, I appreciate that tone matters, but we're not really hostile here.

> Obviously, given your level of godly perfection, you've never suffered
> from "config file blindness" you know after starting a whole bunch of
> them for a while suddenly the obvious gets hidden.

I can't speak for Viktor, but I surely have gotten lost with alien systems. I always recommend to start simple, and add things once one is more familiar with the workings of the system.

Wietse
Re: Postfix instance not listening
> On Jan 20, 2017, at 3:18 PM, Wietse Venema wrote:
>
>> Obviously, given your level of godly perfection, you've never suffered
>> from "config file blindness" you know after starting a whole bunch of
>> them for a while suddenly the obvious gets hidden.
>
> I can't speak for Viktor, but I surely have gotten lost with alien
> systems. I always recommend to start simple, and add things once one
> is more familiar with the workings of the system.

In my view creating a description of a problem for someone else's eyes is a golden opportunity to solve it for yourself. Specifically, as one gathers up the requisite details for the problem description, one should take the time to carefully read and think about the data one is posting.

The shift of mindset from tinkering to describing to someone else can be illuminating, and compiling all the evidence in a single place can pull one out of a rut.

In this case, with the problem setting clearly highlighted and commented in the first half-dozen lines of the posted configuration, the OP had clearly forsaken all hope and effort to make further progress.

So my critique of giving up is not solely addressed to the OP. Learn to do a close reading of the information you post. Include as much as possible in the message body, fold long lines from main/master.cf or logs with leading whitespace on continuation lines, ... doing this not only makes the problem description more readable, it slows you down and helps you read what you're posting.

There's method to my madness. Since nobody else had answered the OP's message which was a few hours old by the time I got to it, even though I happened to cause offense, I did provide a solution, and the correct response is either a (secretly grudging) thanks or just silence.

-- Viktor.
Re: Postfix instance not listening
Mostly directed at the OP:

I'm mostly a lurker here but I've learned a lot here. The tone of this list is mostly "teach a man to fish", not "give a man a fish" (from the old saying "give a man a fish and you feed him for a day; teach a man to fish and you feed him for life").

To that end, answers tend to point out and explain how to solve the problem so that the questioner learns. Just providing the answer does not promote learning. Or to build on the adage above, giving the solution merely solves today's problem; teaching how Postfix works solves the future problems as well.

--
Larry Stone
lston...@stonejongleux.com
Re: Prevent Backscatter
Thanks for the reply,

Just made the changes you suggested. I set relay_domains to empty, because all domains are served by the same server. Again I sent a message to non existing account, and I am still getting "250 2.1.5 Ok" instead of a reject message.

This is my current main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/mailingdesk.com.crt
smtpd_tls_CAfile=/etc/ssl/certs/mailingdesk.com.chain.crt
smtpd_tls_key_file=/etc/ssl/private/mailingdesk.com.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
virtual_alias_maps = mysql:/etc/postfix/sqlconf/virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/sqlconf/mydestination.cf
virtual_alias_domains = mysql:/etc/postfix/sqlconf/mydestination.cf
virtual_transport = dovecot
relay_domains =
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access $virtual_alias_maps,
    reject_unauth_destination,
    reject_unverified_recipient
myhostname = mailingdesk.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
#smtpd_tls_auth_only = yes
resolve_numeric_domain = yes
message_size_limit = 10240
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

--
View this message in context: http://postfix.1071664.n5.nabble.com/Prevent-Backscatter-tp88359p88369.html
Sent from the Postfix Users mailing list archive at Nabble.com.
Re: Prevent Backscatter
On 1/20/2017 3:01 PM, Postfix User wrote:
> Thanks for the reply,
>
> Just made the changes you suggested. I set relay_domains to empty, because
> all domains are served by the same server. Again I sent a message to non
> existing account, and I am still getting "250 2.1.5 Ok" instead of a reject
> message.
>

I'm sure someone here can help, but we'll need more information.

To get help with a problem, please see:
http://www.postfix.org/DEBUG_README.html#mail

In particular, show "postconf -n" output, postfix log entries demonstrating the problem, and describe your test procedure.

-- Noel Jones
Re: Prevent Backscatter
On Fri, Jan 20, 2017 at 02:01:27PM -0700, Postfix User wrote:
> check_sender_access $virtual_alias_maps,

You are creating an open relay, don't do that.

> #smtpd_tls_auth_only = yes

This is _not_ the postconf -n output we were asking for.

Bastian

--
Those who hate and fight must stop themselves -- otherwise it is not stopped.
-- Spock, "Day of the Dove", stardate unknown
Re: Prevent Backscatter
My test procedure follows

telnet domain.com 25
ehlo me
mail from:
rcpt to:

At this point I get "Ok" message, and I can continue writing the body of the e-mail. Because account doesn't exist, Postfix sends bounce notification back to sender address.

This is the output of postconf -n

append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
dovecot_destination_recipient_limit = 1
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
message_size_limit = 10240
milter_default_action = accept
milter_protocol = 2
mydestination = localhost
myhostname = domain.com
mynetworks = 127.0.0.0/8
non_smtpd_milters = inet:localhost:8891
readme_directory = no
recipient_delimiter = +
relayhost =
resolve_numeric_domain = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_milters = inet:localhost:8891
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access $virtual_alias_maps, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/certs/domain.com.chain.crt
smtpd_tls_cert_file = /etc/ssl/certs/domain.com.crt
smtpd_tls_key_file = /etc/ssl/private/domain.com.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/sqlconf/virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/sqlconf/mydestination.cf
virtual_transport = dovecot

--
View this message in context: http://postfix.1071664.n5.nabble.com/Prevent-Backscatter-tp88359p88372.html
Sent from the Postfix Users mailing list archive at Nabble.com.
logging username
My logs are fulfilled with this:

Jan 20 20:05:26 linzer postfix/smtpd[22308]: warning: hostname c942452695-cloudpro-214859053.cloudatcost.com does not resolve to address 167.88.40.162: Name or service not known
Jan 20 20:05:26 linzer postfix/smtpd[22308]: connect from unknown[167.88.40.162]
Jan 20 20:05:28 linzer postfix/smtpd[22308]: warning: unknown[167.88.40.162]: SASL login authentication failed: authentication failure
Jan 20 20:05:29 linzer postfix/smtpd[22308]: lost connection after AUTH from unknown[167.88.40.162]
Jan 20 20:05:29 linzer postfix/smtpd[22308]: disconnect from unknown[167.88.40.162]

Is there any way to know what username was used in these attempts. (An existing one every time or they are chosen from a dictionary?)

Gabor

--
The Meaning of Life of Brian
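
An added example, not part of the original post: smtpd lines in the format shown above carry the client address and the SASL mechanism, so failed logins can be tallied per address to see where the attempts come from. The sample lines, host name and addresses below are constructed for the example.

```python
"""Tally failed SASL logins per client address from Postfix smtpd log lines."""
import re
from collections import defaultdict

# Constructed sample in the same format as the lines in the post.
SAMPLE_LOG = """\
Jan 20 20:05:26 mail postfix/smtpd[22308]: connect from unknown[203.0.113.7]
Jan 20 20:05:28 mail postfix/smtpd[22308]: warning: unknown[203.0.113.7]: SASL login authentication failed: authentication failure
Jan 20 20:05:29 mail postfix/smtpd[22308]: lost connection after AUTH from unknown[203.0.113.7]
Jan 20 20:05:29 mail postfix/smtpd[22308]: disconnect from unknown[203.0.113.7]
Jan 20 20:05:31 mail postfix/smtpd[22311]: connect from unknown[203.0.113.7]
Jan 20 20:05:33 mail postfix/smtpd[22311]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jan 20 20:05:34 mail postfix/smtpd[22311]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jan 20 20:05:34 mail postfix/smtpd[22311]: lost connection after AUTH from unknown[203.0.113.7]
Jan 20 20:06:02 mail postfix/smtpd[22320]: connect from client.example.net[198.51.100.20]
Jan 20 20:06:04 mail postfix/smtpd[22320]: warning: client.example.net[198.51.100.20]: SASL PLAIN authentication failed: authentication failure
Jan 20 20:06:09 mail postfix/smtpd[22320]: disconnect from client.example.net[198.51.100.20]
"""

# "warning: host[ip]: SASL <mechanism> authentication failed: ..."
FAILED = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)
# "lost connection after AUTH from host[ip]"
LOST = re.compile(
    r"postfix/smtpd\[\d+\]: lost connection after AUTH from \S+\[(?P<ip>[^\]]+)\]"
)


def summarize(log_text):
    """Return {ip: {"failures", "mechanisms", "lost_after_auth"}}."""
    stats = defaultdict(
        lambda: {"failures": 0, "mechanisms": set(), "lost_after_auth": 0}
    )
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            entry = stats[match.group("ip")]
            entry["failures"] += 1
            # Mechanism names are case-insensitive; normalise for counting.
            entry["mechanisms"].add(match.group("mech").upper())
            continue
        match = LOST.search(line)
        if match:
            stats[match.group("ip")]["lost_after_auth"] += 1
    return {
        ip: {
            "failures": entry["failures"],
            "mechanisms": sorted(entry["mechanisms"]),
            "lost_after_auth": entry["lost_after_auth"],
        }
        for ip, entry in stats.items()
    }


def repeat_offenders(summary, min_failures=3):
    """Client addresses with at least min_failures failed logins, sorted."""
    return sorted(ip for ip, entry in summary.items()
                  if entry["failures"] >= min_failures)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, entry in sorted(result.items()):
        print(ip, entry)
    print("flagged:", repeat_offenders(result))
```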