Re: Disable submission on port 25

2018-03-04 Thread Wietse Venema
Ben Lavender:
> Hello,
> 
> I'm looking to disable submission on port 25 and therefore have postfix 
> as a relay only server. Is this possible?

It used to be fairly common to put Postfix as a relay between
the Internet and a corporate network (read: Microsoft Exchange).

For the Postfix side see:
http://www.postfix.org/STANDARD_CONFIGURATION_README.html
http://www.postfix.org/ADDRESS_VERIFICATION_README.html

Without more info the question is difficult to answer.

Wietse


Re: ETRN use and Postfix configuration

2018-03-04 Thread LuKreme
On Feb 27, 2018, at 18:29, J Doe  wrote:
> postscreen_discard_ehlo_keywords
> smtpd_discard_ehlo_keywords

Isn't ETRN a good thing? What's the benefit from disabling it?
-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now.




Re: Disable submission on port 25

2018-03-04 Thread LuKreme
On Mar 3, 2018, at 14:31, Ben Lavender  wrote:
> I’m looking to disable submission on port 25 and therefore have postfix as a 
> relay only server.

You SHOULD disable submission on port 25, but that doesn't mean you have to be 
a relay-only server. Put submission on port 587.

(Or disable submission entirely, of course)

-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now.




Re: ETRN use and Postfix configuration

2018-03-04 Thread Wietse Venema
LuKreme:
> On Feb 27, 2018, at 18:29, J Doe  wrote:
> > postscreen_discard_ehlo_keywords
> > smtpd_discard_ehlo_keywords
> 
> Isn't ETRN a good thing? What's the benefit from disabling it?

Good if used by the right client (who needs this nowadays?), otherwise
ETRN is a waste of scheduler resources.

Wietse


Re: ETRN use and Postfix configuration

2018-03-04 Thread J Doe
Hi LuKreme,

> On Mar 4, 2018, at 8:44 AM, LuKreme  wrote:
> 
> Isn't ETRN a good thing? What's the benefit from disabling it?
> -- 
> My main job is trying to come up with new and innovative and effective ways 
> to reject even more mail. I'm up to about 97% now.
> 

It’s a good thing in that it is an improvement over the original TURN verb with 
some security as opposed to no security.

RFC 1985 (ETRN) makes two use cases for this:

* Startup conditions
* “..mail nodes that have transient connections to their service providers”

The last point is referring to when someone had a gateway SMTP server that used 
to periodically dial up an ISP and exchange e-mail with it, server to server.  
That was common in the 90’s (which is when the RFC was submitted), but you’d be 
pretty hard pressed to find that now.

Postfix supports fast ETRN [1], which has performance optimizations over what 
other implementations provide, but you have to explicitly configure it to use 
it.  From my original e-mail I learned from the list how to squelch the 
advertisement on EHLO and ensure that it was not configured, either.

Sources:

[1] http://www.postfix.org/ETRN_README.html

compile postfix 3.x from source on freebsd 11.x [patch]

2018-03-04 Thread no@s...@mgedv.net
hi wietse & postfix-folks, thanks for the best MX out there - still!
feel free to apply this patch if reqd.

--- ./src/util/sys_defs.h.orig  2017-02-02 02:31:15.0 +0100
+++ ./src/util/sys_defs.h   2017-04-03 15:57:19.205806000 +0200
@@ -30,6 +30,7 @@
 #if defined(FREEBSD2) || defined(FREEBSD3) || defined(FREEBSD4) \
 || defined(FREEBSD5) || defined(FREEBSD6) || defined(FREEBSD7) \
 || defined(FREEBSD8) || defined(FREEBSD9) || defined(FREEBSD10) \
+|| defined(FREEBSD11) \
 || defined(BSDI2) || defined(BSDI3) || defined(BSDI4) \
 || defined(OPENBSD2) || defined(OPENBSD3) || defined(OPENBSD4) \
 || defined(OPENBSD5) || defined(OPENBSD6) \
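
Review bot: the added `|| defined(FREEBSD11)` line covers only the platform list that starts at line 30, and nothing in this hunk shows whether sys_defs.h has other conditionals that name individual FreeBSD releases. Please grep the file for FREEBSD10 and confirm that every such test either includes FREEBSD11 or is meant to exclude it.
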
--- makedefs.orig   2017-02-12 16:32:10.0 +0100
+++ makedefs2017-04-03 15:56:15.710429000 +0200
@@ -284,6 +284,15 @@
: ${SHLIB_ENV="LD_LIBRARY_PATH=`pwd`/lib"}
: ${PLUGIN_LD="${CC} -shared"}
;;
+  FreeBSD.11*) SYSTYPE=FREEBSD11
+   : ${CC=cc}
+   : ${SHLIB_SUFFIX=.so}
+   : ${SHLIB_CFLAGS=-fPIC}
+   : ${SHLIB_LD="${CC} -shared"' -Wl,-soname,${LIB}'}
+   : ${SHLIB_RPATH='-Wl,-rpath,${SHLIB_DIR}'}
+   : ${SHLIB_ENV="LD_LIBRARY_PATH=`pwd`/lib"}
+   : ${PLUGIN_LD="${CC} -shared"}
+   ;;
  DragonFly.*)  SYSTYPE=DRAGONFLY
;;
   OpenBSD.2*)  SYSTYPE=OPENBSD2
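
Review bot: the `FreeBSD.11*)` pattern fixes exactly one major release, so a FreeBSD 12 build will not match this case and will need yet another copy of the block. The context lines above the addition show the preceding case ending in the same SHLIB_ENV and PLUGIN_LD defaults, so consider a single case that accepts several release patterns and derives SYSTYPE from the release number instead of duplicating eight lines per release.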



Re: compile postfix 3.x from source on freebsd 11.x [patch]

2018-03-04 Thread Wietse Venema
no@s...@mgedv.net:
> hi wietse & postfix-folks, thanks for the best MX out there - still!
> feel free to apply this patch if reqd.

Thanks. I gather that there are no changes in the behavior of
libraries or kernel. I'd like to download and install FreeBSD11 in
a VM, but that will have to wait until electrical power is restored.

Wietse

> --- ./src/util/sys_defs.h.orig  2017-02-02 02:31:15.0 +0100
> +++ ./src/util/sys_defs.h   2017-04-03 15:57:19.205806000 +0200
> @@ -30,6 +30,7 @@
>  #if defined(FREEBSD2) || defined(FREEBSD3) || defined(FREEBSD4) \
>  || defined(FREEBSD5) || defined(FREEBSD6) || defined(FREEBSD7) \
>  || defined(FREEBSD8) || defined(FREEBSD9) || defined(FREEBSD10) \
> +|| defined(FREEBSD11) \
>  || defined(BSDI2) || defined(BSDI3) || defined(BSDI4) \
>  || defined(OPENBSD2) || defined(OPENBSD3) || defined(OPENBSD4) \
>  || defined(OPENBSD5) || defined(OPENBSD6) \
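
Review bot: adding FREEBSD11 to this `#if` list makes 11.x inherit every setting the block guards for the older releases, but the submission does not say which 11.x release it was built on or what was tested. A line in the patch description naming the release and the checks that were run (static build, shared-library build, a delivery test) would let the maintainer accept it without reproducing the setup.
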
> --- makedefs.orig   2017-02-12 16:32:10.0 +0100
> +++ makedefs2017-04-03 15:56:15.710429000 +0200
> @@ -284,6 +284,15 @@
> : ${SHLIB_ENV="LD_LIBRARY_PATH=`pwd`/lib"}
> : ${PLUGIN_LD="${CC} -shared"}
> ;;
> +  FreeBSD.11*) SYSTYPE=FREEBSD11
> +   : ${CC=cc}
> +   : ${SHLIB_SUFFIX=.so}
> +   : ${SHLIB_CFLAGS=-fPIC}
> +   : ${SHLIB_LD="${CC} -shared"' -Wl,-soname,${LIB}'}
> +   : ${SHLIB_RPATH='-Wl,-rpath,${SHLIB_DIR}'}
> +   : ${SHLIB_ENV="LD_LIBRARY_PATH=`pwd`/lib"}
> +   : ${PLUGIN_LD="${CC} -shared"}
> +   ;;
>   DragonFly.*)  SYSTYPE=DRAGONFLY
> ;;
>OpenBSD.2*)  SYSTYPE=OPENBSD2
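
Review bot: the file headers date makedefs.orig at 2017-02-12 and the edit at 2017-04-03, and the hunk is anchored at line 284, so it may not apply cleanly to a current source tree. Regenerate the diff against the release it is meant for, and give both files the same path style (one header uses ./src/util/sys_defs.h, the other a bare makedefs) so a single strip level works for the whole patch.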
> 
> 


Re: compile postfix 3.x from source on freebsd 11.x [patch]

2018-03-04 Thread Herbert J. Skuhra
On Sun, 04 Mar 2018 19:06:52 +0100,
"no@s...@mgedv.net"  wrote:
> 
> hi wietse & postfix-folks, thanks for the best MX out there - still!
> feel free to apply this patch if reqd.

These changes have been part of the FreeBSD port for years.




--
Herbert


Re: compile postfix 3.x from source on freebsd 11.x [patch]

2018-03-04 Thread Postfix User
On Sun, 4 Mar 2018 19:06:52 +0100, no@s...@mgedv.net stated:

>hi wietse & postfix-folks, thanks for the best MX out there - still!
>feel free to apply this patch if reqd.
>
>--- ./src/util/sys_defs.h.orig  2017-02-02 02:31:15.0 +0100
>+++ ./src/util/sys_defs.h   2017-04-03 15:57:19.205806000 +0200
>@@ -30,6 +30,7 @@
> #if defined(FREEBSD2) || defined(FREEBSD3) || defined(FREEBSD4) \
> || defined(FREEBSD5) || defined(FREEBSD6) || defined(FREEBSD7) \
> || defined(FREEBSD8) || defined(FREEBSD9) || defined(FREEBSD10) \
>+|| defined(FREEBSD11) \
> || defined(BSDI2) || defined(BSDI3) || defined(BSDI4) \
> || defined(OPENBSD2) || defined(OPENBSD3) || defined(OPENBSD4) \
> || defined(OPENBSD5) || defined(OPENBSD6) \
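
Review bot: this list and the makedefs case statement have to be extended together for every new release, and the `+|| defined(FREEBSD11) \` line continues that pattern without recording the dependency. A short comment above the `#if` stating that a matching SYSTYPE entry is required in makedefs would save the next porter from a half-applied change.
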
>--- makedefs.orig   2017-02-12 16:32:10.0 +0100
>+++ makedefs2017-04-03 15:56:15.710429000 +0200
>@@ -284,6 +284,15 @@
>: ${SHLIB_ENV="LD_LIBRARY_PATH=`pwd`/lib"}
>: ${PLUGIN_LD="${CC} -shared"}
>;;
>+  FreeBSD.11*) SYSTYPE=FREEBSD11
>+   : ${CC=cc}
>+   : ${SHLIB_SUFFIX=.so}
>+   : ${SHLIB_CFLAGS=-fPIC}
>+   : ${SHLIB_LD="${CC} -shared"' -Wl,-soname,${LIB}'}
>+   : ${SHLIB_RPATH='-Wl,-rpath,${SHLIB_DIR}'}
>+   : ${SHLIB_ENV="LD_LIBRARY_PATH=`pwd`/lib"}
>+   : ${PLUGIN_LD="${CC} -shared"}
>+   ;;
>  DragonFly.*)  SYSTYPE=DRAGONFLY
>;;
>   OpenBSD.2*)  SYSTYPE=OPENBSD2
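
Review bot: in the added SHLIB_LD line, `${CC}` sits in double quotes and is expanded when makedefs runs, while `${LIB}` (and `${SHLIB_DIR}` in SHLIB_RPATH) sit in single quotes and are passed through literally for later expansion. That split looks intentional but is easy to break when the block is copied for the next release; a one-line comment in the new case saying which variables are deferred would help.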
>

Maybe I am missing something; however, I have been running Postfix
3.4-(whatever) on FreeBSD-11 and above since it was released.


Re: compile postfix 3.x from source on freebsd 11.x [patch]

2018-03-04 Thread Herbert J. Skuhra
On Sun, 04 Mar 2018 21:31:44 +0100,
Postfix User  wrote:
 
> Maybe I am missing something; however, I have been running Postfix
> 3.4-(whatever) on FreeBSD-11 and above since it was released.

You either built the postfix port (which already includes these
changes) or installed a package? Otherwise you will see:

ATTENTION:
ATTENTION: Unknown system type: FreeBSD 11.1-STABLE
ATTENTION:
*** Error code 1

--
Herbert


Re: postwhite? (why not?)

2018-03-04 Thread Bill Cole

On 3 Mar 2018, at 14:25, J Doe wrote:

> Should I then continue to use postscreen for the zombie detection but 
> then move my DNSRBL entries to smtpd restrictions?
>
> Apologies for belabouring the point - I’m just not understanding.


Not all DNSBLs are equivalent. SOME are suited for use in postscreen as 
absolute bans, e.g. Spamhaus Zen. The postscreen DNSBL configuration 
should be designed to only block IPs that *only* send spam. There are 
DNSBLs designed to be hyper-sensitive, to not give any sender a free 
pass, and to generate occasional collateral damage. There are DNSBLs 
designed to be used in complex anti-spam systems and NOT as a unilateral 
basis for blocking. Those sorts of DNSBL should not be used in 
postscreen with a score at or above postscreen_dnsbl_threshold.
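
Added example (not from the thread or from the Postfix project): a small Python audit of a postscreen_dnsbl_sites value that reports which lists can reach postscreen_dnsbl_threshold on a single hit, the situation described in the message above. It is a simplified model: reply filters are parsed but not evaluated, each domain is assumed to appear once, and the *.dnsbl.example names and all weights are constructed.

```python
import re

# domain[=filter][*weight]; a missing weight counts as 1
ENTRY = re.compile(
    r"^(?P<domain>[^=*\s]+)(?:=(?P<filter>[^*\s]+))?(?:\*(?P<weight>-?\d+))?$"
)

# Constructed sample values; only zen.spamhaus.org is named in the thread.
THRESHOLD = 3
WEAK_SITES = ("zen.spamhaus.org*3, aggressive.dnsbl.example*3, "
              "composite.dnsbl.example*1")
FIXED_SITES = ("zen.spamhaus.org*3, aggressive.dnsbl.example*2, "
               "composite.dnsbl.example*1")


def parse_sites(value):
    """Parse a postscreen_dnsbl_sites value into (domain, filter, weight)."""
    sites = []
    for item in re.split(r"[,\s]+", value.strip()):
        if not item:
            continue
        m = ENTRY.match(item)
        if m is None:
            raise ValueError(f"cannot parse entry: {item!r}")
        weight = int(m.group("weight")) if m.group("weight") else 1
        sites.append((m.group("domain"), m.group("filter"), weight))
    return sites


def unilateral_lists(sites, threshold):
    """Domains whose single hit reaches the threshold (an absolute ban)."""
    return sorted({d for d, _f, w in sites if w >= threshold})


def score(sites, listed_on):
    """Sum the weights of the lists that report the client (filters ignored)."""
    return sum(w for d, _f, w in sites if d in listed_on)


if __name__ == "__main__":
    for name, value in (("weak", WEAK_SITES), ("fixed", FIXED_SITES)):
        sites = parse_sites(value)
        print(name, "blocks alone:", unilateral_lists(sites, THRESHOLD))
    fixed = parse_sites(FIXED_SITES)
    print("aggressive only:", score(fixed, {"aggressive.dnsbl.example"}))
```

With the constructed weights, the hyper-sensitive list stays below the threshold on its own in FIXED_SITES and only contributes to a block when another list agrees.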