RE: Spammer rejected, but resends every 10 minutes. Any way to prevent this

2018-03-14 Thread L . P . H . van Belle
Or why not use an SPF like this in the DNS.

your.domain.tld          TXT "v=spf1 -exists:%{ir}.zen.spamhaus.org +mx -all exp:explain.your.domain.tld"
explain.your.domain.tld  TXT "SPF error %{i} is not one of %{d}'s designated mail servers."

Now these never reach your server, saving CPU cycles etc.

Greetz, 

Louis


> -Original Message-
> From: postfixlists-070...@billmail.scconsult.com 
> [mailto:owner-postfix-us...@postfix.org] On behalf of Bill Cole
> Sent: Wednesday 14 March 2018 4:46
> To: Postfix users
> Subject: Re: Spammer rejected, but resends every 10 
> minutes. Any way to prevent this
> 
> On 13 Mar 2018, at 23:35 (-0400), Bill Cole wrote:
> 
> > OR: if you don't get any legitimate mail from Hunan, Chongqing, or 
> > Hong Kong you can probably safely block 113.240.0.0/12 from 
> talking at 
> > all to your SMTP port (or just the /13 to limit it to Hunan.)
> 
> OR: Use the Spamhaus ZEN DNSBL, which has the whole /12 
> listed via its 
> PBL component.
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Currently Seeking Steady Work: https://linkedin.com/in/billcole
> 
> 


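To make concrete what the exists: mechanism in Louis's record actually does, here is an added example (not Louis's or Bill's code, and not taken from any SPF library) that implements the macro expansion of RFC 7208 section 7 and reports the DNS name an SPF evaluator would query for each exists: term. The record is the one from the message above; the sender address, client IP and domain names are constructed for the example. Note who performs the lookup: a receiving site evaluating your domain's record, i.e. only for mail claiming to be from you, which is the point Bill raises in his reply.

```python
import ipaddress
import re

# One token per match: an RFC 7208 macro such as %{ir} or %{d2}, or one of the
# literal escapes %%, %_ and %- (section 7.1 of the RFC).
TOKEN_RE = re.compile(
    r"%\{(?P<letter>[slodihv])(?P<digits>\d*)(?P<rev>r?)(?P<delims>[.\-+,/_=]*)\}"
    r"|%%|%_|%-",
    re.IGNORECASE,
)


def expand_spf_macros(text, sender, client_ip, domain, helo=""):
    """Expand SPF macros the way an evaluator does before it queries DNS.

    sender    -- envelope MAIL FROM address (feeds %{s}, %{l}, %{o})
    client_ip -- address of the connecting SMTP client (%{i}, %{ir}, %{v})
    domain    -- domain whose record is being evaluated (%{d})
    helo      -- HELO/EHLO name (%{h}); the validated-domain macro %{p}
                 needs live DNS and is deliberately not supported here.
    """
    local, _, sender_domain = sender.rpartition("@")
    local = local or "postmaster"            # RFC 7208 default for an empty local-part
    if ":" in client_ip:
        # IPv6: %{i} is the 32 nibbles of the exploded address, dot-separated.
        nibbles = ipaddress.IPv6Address(client_ip).exploded.replace(":", "")
        ip_text, version = ".".join(nibbles), "ip6"
    else:
        ip_text, version = client_ip, "in-addr"
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain,
              "i": ip_text, "h": helo, "v": version}

    def substitute(m):
        token = m.group(0)
        if token == "%%":
            return "%"
        if token == "%_":
            return " "
        if token == "%-":
            return "%20"
        parts = re.split("[" + re.escape(m.group("delims") or ".") + "]",
                         values[m.group("letter").lower()])
        if m.group("rev"):                   # 'r' transformer: reverse the labels
            parts.reverse()
        if m.group("digits"):                # digit transformer: keep right-most N labels
            parts = parts[-int(m.group("digits")):]
        return ".".join(parts)               # output is always re-joined with dots

    return TOKEN_RE.sub(substitute, text)


def exists_query_names(record, **context):
    """DNS names an evaluator would look up for every exists: mechanism in an SPF record."""
    names = []
    for term in record.split():
        mechanism = term.lstrip("+-~?")       # strip the qualifier, if any
        if mechanism.lower().startswith("exists:"):
            names.append(expand_spf_macros(mechanism.split(":", 1)[1], **context))
    return names


# Constructed inputs: the record from the message above, a made-up sender and a
# documentation-range client address.
RECORD = "v=spf1 -exists:%{ir}.zen.spamhaus.org +mx -all exp:explain.your.domain.tld"
EXPLANATION = "SPF error %{i} is not one of %{d}'s designated mail servers."
CONTEXT = dict(sender="alice@your.domain.tld", client_ip="192.0.2.1", domain="your.domain.tld")

if __name__ == "__main__":
    for name in exists_query_names(RECORD, **CONTEXT):
        print("exists: lookup ->", name)
    print(expand_spf_macros(EXPLANATION, **CONTEXT))
```

Running it shows that the only DNS query the record triggers is a ZEN lookup of the reversed client address, performed by whichever receiver evaluates your record; your own MX sees none of it.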

Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

2018-03-14 Thread Bill Cole

On 14 Mar 2018, at 6:28 (-0400), L.P.H. van Belle wrote:

> Or why not use an SPF like this in the DNS.
> 
> your.domain.tld          TXT "v=spf1 -exists:%{ir}.zen.spamhaus.org +mx -all exp:explain.your.domain.tld"
> explain.your.domain.tld  TXT "SPF error %{i} is not one of %{d}'s designated mail servers."
> 
> Now these never reach your server, saving CPU cycles etc.


1. That only affects mail FROM your domain, which you can control 
much more directly in your own MTA.

2. It's redundant: '+mx -all' has the same operational meaning.

3. The syntax (trailing 'exp:') will pointlessly challenge SPF 
implementations, as it is rarely used and essentially useless.

4. It recommends to others that they use Zen in a manner that it is 
unfit for.

5. For many domains, "+mx -all" is unsuitable in both parts.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole


Re: Not receiving mail from some legitimate domains

2018-03-14 Thread jlftl
Alright, using postconf debug_peer_list appears to have identified the issue:

Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250-enceladus..net
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250-PIPELINING
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250-SIZE 104857600
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250-ETRN
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250-STARTTLS
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250-ENHANCEDSTATUSCODES
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250-8BITMIME
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250 DSN
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: watchdog_pat: 0x564edfaa6dc0
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: <
n5.nabble.com[162.253.133.81]: MAIL FROM: SIZE=3488
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 530 5.7.0 Must issue a STARTTLS command first

I modified the following:

main.cf - smtpd_tls_security_level = encrypt CHANGED TO may
master.cf - -o smtpd_tls_security_level = encrypt CHANGED TO may

Mail from (in this case nabble) is now delivered properly.  I'm hopeful that
this is my root issue...I will need to continue to monitor.

Thank you all very much for your help!



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

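The transcript above is the signature of a port-25 smtpd running with smtpd_tls_security_level = encrypt: a client that never issues STARTTLS gets "530 5.7.0 Must issue a STARTTLS command first" at MAIL FROM, retries, and gets it again. The following added example (my code, not jlftl's, and not anything from Postfix) scans smtpd debug output of this shape and lists the clients that are repeatedly refused without ever attempting STARTTLS, which is where a mandatory-TLS policy on the public MX is silently dropping mail. The log excerpt is constructed to resemble the posted one; hosts, addresses and the sender are made up.

```python
import re
from collections import defaultdict

# Constructed log excerpt modelled on the debug_peer_list transcript above; the
# hosts, addresses and timestamps are made up for the example.
SAMPLE_LOG = """\
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: > n5.nabble.com[162.253.133.81]: 250-STARTTLS
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: > n5.nabble.com[162.253.133.81]: 250 DSN
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: < n5.nabble.com[162.253.133.81]: MAIL FROM:<bounces@example.invalid> SIZE=3488
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: > n5.nabble.com[162.253.133.81]: 530 5.7.0 Must issue a STARTTLS command first
Mar 14 14:13:10 enceladus postfix/smtpd[26790]: > n5.nabble.com[162.253.133.81]: 250 DSN
Mar 14 14:13:10 enceladus postfix/smtpd[26790]: < n5.nabble.com[162.253.133.81]: MAIL FROM:<bounces@example.invalid> SIZE=3488
Mar 14 14:13:10 enceladus postfix/smtpd[26790]: > n5.nabble.com[162.253.133.81]: 530 5.7.0 Must issue a STARTTLS command first
Mar 14 14:14:01 enceladus postfix/smtpd[26801]: < mx.example.org[192.0.2.10]: STARTTLS
Mar 14 14:14:01 enceladus postfix/smtpd[26801]: > mx.example.org[192.0.2.10]: 220 2.0.0 Ready to start TLS
Mar 14 14:14:02 enceladus postfix/smtpd[26801]: < mx.example.org[192.0.2.10]: MAIL FROM:<alice@example.org> SIZE=1200
Mar 14 14:14:02 enceladus postfix/smtpd[26801]: > mx.example.org[192.0.2.10]: 250 2.1.0 Ok
"""

# ">" lines are what smtpd sent to the client, "<" lines what the client sent.
LINE_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<dir>[<>]) (?P<client>\S+\[[^\]]+\]): (?P<payload>.*)$"
)


def summarize_starttls_rejects(log_text):
    """Per client: how many smtpd sessions were refused with 530 for lacking STARTTLS,
    and whether that client ever issued STARTTLS at all."""
    stats = defaultdict(lambda: {"rejected_sessions": set(), "used_starttls": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = stats[m["client"]]
        payload = m["payload"]
        if m["dir"] == "<" and payload.upper().startswith("STARTTLS"):
            entry["used_starttls"] = True
        elif m["dir"] == ">" and payload.startswith("530 5.7.0 Must issue a STARTTLS"):
            entry["rejected_sessions"].add(m["pid"])     # one smtpd process = one session
    return {client: {"rejected_sessions": len(e["rejected_sessions"]),
                     "used_starttls": e["used_starttls"]}
            for client, e in stats.items()}


def clients_blocked_by_mandatory_tls(log_text, min_sessions=2):
    """Clients refused at least min_sessions times that never attempted STARTTLS:
    the senders a port-25 'encrypt' policy is shutting out, and the first place
    to look when legitimate mail goes missing."""
    summary = summarize_starttls_rejects(log_text)
    return sorted(c for c, s in summary.items()
                  if s["rejected_sessions"] >= min_sessions and not s["used_starttls"])


if __name__ == "__main__":
    for client, s in summarize_starttls_rejects(SAMPLE_LOG).items():
        print(f"{client}: {s['rejected_sessions']} session(s) refused, "
              f"used STARTTLS: {s['used_starttls']}")
    print("blocked by mandatory TLS:", clients_blocked_by_mandatory_tls(SAMPLE_LOG))
```

A client that shows up in that list but also appears in your legitimate correspondents is the case the thread is about: on the inbound MX the answer is opportunistic TLS (may) rather than relaxing anything else, and enforcement belongs on submission where you control the clients.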

Re: Not receiving mail from some legitimate domains

2018-03-14 Thread Matus UHLAR - fantomas

On 14.03.18 07:55, jlftl wrote:

> Alright, using postconf debug_peer_list appears to have identified the issue:
> 
> Mar 14 14:03:10 enceladus postfix/smtpd[26760]: <
> n5.nabble.com[162.253.133.81]: MAIL FROM: SIZE=3488
> Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
> n5.nabble.com[162.253.133.81]: 530 5.7.0 Must issue a STARTTLS command first
> 
> I modified the following:
> 
> main.cf - smtpd_tls_security_level = encrypt CHANGED TO may
> master.cf - -o smtpd_tls_security_level = encrypt CHANGED TO may


1. There's no need to configure the same option in master.cf as in
main.cf; it's required when you want to change them.

2. submission and smtps SHOULD have "-o smtpd_tls_security_level = encrypt";
clients should be required to both authenticate and encrypt.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".


Re: Not receiving mail from some legitimate domains

2018-03-14 Thread Viktor Dukhovni


> On Mar 14, 2018, at 11:06 AM, Matus UHLAR - fantomas  
> wrote:
> 
> 1. there's no need to configure the same option in master.cf than in the
> main.cf, it's required when you want to change them.
> 
> 2. submission and smtps SHOULD have "-o smtpd_tls_security_level = encrypt",
> clients should be required to both authentize and encrypt.

I should just point out that SPACEs around the "=" sign in master.cf option overrides
don't do what you might naively expect.  The correct syntax is:

-o smtpd_tls_security_level=encrypt

without SPACE characters around "=".

-- 
Viktor.

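Since the two points just made (enforce TLS and SASL on submission/smtps, and write -o overrides as a single name=value token) are both easy to get wrong in a file nobody reads twice, here is an added example, written for this thread and not part of Postfix, that parses a master.cf fragment and reports both. The sample file is constructed and deliberately contains the spaced "=" from the original post. It assumes the classic one-token "-o name=value" form (the brace form for values with spaces is not handled) and my reading of the advice above: submission must have smtpd_tls_security_level=encrypt, smtps must run in TLS wrapper mode (or require encrypt), and both must enable SASL.

```python
# Constructed master.cf fragment (not the poster's file); the submission entry
# carries the exact mistake discussed above.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level = encrypt
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""


def parse_master_cf(text):
    """Map each service to its -o overrides and to any malformed override lines.

    master.cf entries start in column 1 with eight fields (service, type, private,
    unpriv, chroot, wakeup, maxproc, command); indented continuation lines carry
    the command's arguments, typically "-o name=value" pairs."""
    services = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] not in " \t":
            fields = stripped.split()
            current = fields[0]
            services[current] = {"overrides": {}, "problems": []}
            args = fields[8:]               # arguments given on the service line itself
        elif current is None:
            continue                        # continuation line before any service: ignore
        else:
            args = stripped.split()
        i = 0
        while i < len(args):
            if args[i] != "-o":
                i += 1
                continue
            # Collect the tokens that follow this -o up to the next -o.
            j = i + 1
            while j < len(args) and args[j] != "-o":
                j += 1
            chunk = args[i + 1:j]
            i = j
            # A correct override is exactly one name=value token.
            if len(chunk) == 1 and "=" in chunk[0] and not chunk[0].endswith("="):
                name, value = chunk[0].split("=", 1)
                services[current]["overrides"][name] = value
            else:
                joined = " ".join(chunk)
                services[current]["problems"].append(
                    f"line {lineno}: malformed override '-o {joined}' "
                    "(write name=value with no spaces around '=')")
    return services


def audit_client_services(services):
    """Check the client-facing services: submission must require STARTTLS
    ('encrypt'), smtps must run in TLS wrapper mode (or require 'encrypt'), and
    both must enable SASL. Malformed overrides are reported for every service."""
    findings = []
    for name in ("submission", "smtps"):
        svc = services.get(name)
        if svc is None:
            continue
        ov = svc["overrides"]
        level = ov.get("smtpd_tls_security_level")
        if name == "submission" and level != "encrypt":
            findings.append(f"{name}: smtpd_tls_security_level is {level!r}, expected 'encrypt'")
        if name == "smtps" and ov.get("smtpd_tls_wrappermode") != "yes" and level != "encrypt":
            findings.append(f"{name}: expected smtpd_tls_wrappermode=yes "
                            "(or smtpd_tls_security_level=encrypt)")
        if ov.get("smtpd_sasl_auth_enable") != "yes":
            findings.append(f"{name}: smtpd_sasl_auth_enable is not 'yes'")
    for name, svc in services.items():
        findings.extend(f"{name}: {p}" for p in svc["problems"])
    return findings


if __name__ == "__main__":
    for finding in audit_client_services(parse_master_cf(SAMPLE_MASTER_CF)):
        print(finding)
```

On the sample the spaced override is reported as malformed and, because it was never parsed as a setting, submission is also reported as not enforcing encrypt; removing the spaces makes both findings disappear, which is exactly the dependency Viktor is pointing at.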


Re: Not receiving mail from some legitimate domains

2018-03-14 Thread jlftl
Matus UHLAR - fantomas wrote
> On 14.03.18 07:55, jlftl wrote:
>>Alright, using postconf debug_peer_list appears to have identified the issue:
>>
>>Mar 14 14:03:10 enceladus postfix/smtpd[26760]: <
>>n5.nabble.com[162.253.133.81]: MAIL FROM:<bounces@.nabble> SIZE=3488
>>Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
>>n5.nabble.com[162.253.133.81]: 530 5.7.0 Must issue a STARTTLS command first
>>
>>I modified the following:
>>
>>main.cf - smtpd_tls_security_level = encrypt CHANGED TO may
> 
>>master.cf - -o smtpd_tls_security_level = encrypt CHANGED TO may
> 
> 1. there's no need to configure the same option in master.cf than in the
> main.cf, it's required when you want to change them.
> 
> 2. submission and smtps SHOULD have "-o smtpd_tls_security_level =
> encrypt",
> clients should be required to both authentize and encrypt.
> 
> -- 
> Matus UHLAR - fantomas, uhlar@ ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Christian Science Programming: "Let God Debug It!".

Thank you for the clarification; you are correct, I changed submission back
to "encrypt" and am still able to receive properly.  I should have made one
change at a time.  Thank you!

Viktor, thank you, the spaces around "=" were a typo on my part; in
master.cf the line is properly formatted as "-o smtpd_tls_security_level=encrypt".

Thank you all again.



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: local data error while talking to smtp

2018-03-14 Thread luistkd4
Hi everyone, the error is in my.cnf, with the following parameter:
init_connect='SET wait_timeout = 30'

Thanks!



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Which user lookup wins?

2018-03-14 Thread @lbutlr
When postfix checks for a local user it looks at any local user (like 
/home/fred), I assume by checking /etc/passwd or similar (I have local users 
who can receive mail who are not mentioned in any /etc/postfix/* file, so 
postfix knows about them from somewhere outside of postfix’s config file) and 
then it also checks for virtual_mailbox_domains and virtual_alias_maps, yes?

If a user lookup matches in BOTH locations due to a misconfiguration, which one 
“wins”? Can I simply add user@$mydomain to the sql maps and they will trigger, 
or do I have to do something to tell postfix not to use the local home for that 
user first? (Not literally $mydomain, obvs).

Is it possible to prevent delivery to a local user and force the local domain 
to be resolved through virtual_mailbox_domains and virtual_alias_maps, or does 
this require disabling local delivery to the entire $mydomain at once? Or can 
I trick it by using virtual?

user@$mydomain  user@.tld

So, if I have u...@example.com and u...@example.net and .net is handled in 
mysql through virtual_mailbox* and u...@example.com has mail put in /home/user 
because example.com is $mydomain how would I set postfix up so that even though 
/home/user is the user’s home folder, their mail would be in 
virtual_mailbox_base only and handled via MySQL? (And yes, I realize the user’s 
mail would not be available via a shell login, that is rather the point).

What I currently have that seems relevant:

virtual_alias_maps =
hash:$config_directory/virtual
proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_alias_domains = kreme.com
virtual_gid_maps = static:89
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains = 
proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = 
proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 89
virtual_uid_maps = static:89
virtual_transport = dovecot

Hopefully I explained this question well enough.

Re: Which user lookup wins?

2018-03-14 Thread Wietse Venema
@lbutlr:
> When postfix checks for a local user it looks at any local user (like
> /home/fred), I assume by checking /etc/passwd or similar (I have local
> users who can receive mail who are not mentioned in any /etc/postfix/*
> file, so postfix knows about them from somewhere outside of postfix's
> config file) and then it also checks for virtual_mailbox_domains and
> virtual_alias_maps, yes?

The Postfix SMTP server always looks in virtual_alias_maps. Then,
it looks in the tables that depend on the address class of the
recipient domain. For that, I suggest that you look at
http://www.postfix.org/ADDRESS_CLASSS_README.html

Wietse


Re: question about envelop from.

2018-03-14 Thread John

Too complicated? How could this be improved?

smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, 
aDSS, kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT

smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high
smtp_tls_protocols = !SSLv2, !SSLv3

smtpd_sasl_auth_enable = no

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = auto
smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
smtpd_tls_protocols = $smtp_tls_protocols
smtpd_tls_mandatory_protocols = $smtp_tls_mandatory_protocols



Re: question about envelop from.

2018-03-14 Thread Viktor Dukhovni


> On Mar 14, 2018, at 10:48 PM, John  wrote:
> 
> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane

Fine.

> smtp_tls_ciphers = high

OK, but medium is perhaps sufficient.

> smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS, 
> kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT

With "high" or "medium" you don't need to exclude "EXPORT" or "LOW".
You're also misspelling some of the cipher names, they are case-sensitive.
Try:

   smtp_tls_exclude_ciphers = MD5, RC2, RC5, IDEA, SEED, aDSS, kECDHe, kECDHr, kDHd, kDHr

You can exclude RC4 and 3DES, but it is not essential, and some very
small number of systems will now only be able to receive from you in
the clear.


> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high

Where did you get the idea that "high" was a TLS protocol version?

> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_ciphers = high

I would also suggest "medium" here.

> smtpd_tls_eecdh_grade = auto

This requires (and is recommended for) Postfix 3.2 or later.

> smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers

Not necessarily a good idea.  The server should perhaps be more
liberal.

-- 
Viktor.


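Viktor's remark that cipher names are case-sensitive has a sharper edge than it sounds: OpenSSL ignores a cipher-list token it does not recognise instead of rejecting it, so a misspelled entry in smtp_tls_exclude_ciphers excludes nothing and nobody is told. Postfix builds its OpenSSL cipherlist from the configured grade and appends each excluded name as a "!name" entry, so the effect of each entry can be measured directly. The block below is an added example (my code, not Viktor's and not part of Postfix) that does this with Python's ssl module against the OpenSSL the interpreter is linked with; the grade and the exclusion names compared are constructed for the demonstration.

```python
import ssl


def cipher_names(spec):
    """Cipher suite names OpenSSL selects for a cipher string (TLS 1.2 and earlier;
    TLS 1.3 suites are configured separately and are not affected by the string)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def exclusion_effect(base, name):
    """Suites that appending '!name' removes from `base`. An empty list means the
    token matched nothing, which is what a misspelled name silently does."""
    before = set(cipher_names(base))
    after = set(cipher_names(f"{base}:!{name}"))
    return sorted(before - after)


def check_exclude_list(grade, excludes):
    """Emulate smtp_tls_exclude_ciphers: Postfix appends each name as '!name' to the
    cipherlist of the chosen grade. Returns, per name, what it actually removes."""
    return {name: exclusion_effect(grade, name) for name in excludes}


if __name__ == "__main__":
    # Constructed comparison: the same exclusions spelled correctly and with the wrong case.
    for name, removed in check_exclude_list("HIGH", ["aNULL", "anull", "aDSS", "adss"]).items():
        status = f"removes {len(removed)} suite(s)" if removed else "removes nothing (ignored)"
        print(f"!{name}: {status}")
```

Run it against the grade you actually use (high or medium) and the exact exclusion list from main.cf; any entry reported as removing nothing is either misspelled or already absent from the grade, and in both cases it is not doing what the config suggests.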

Re: Which user lookup wins?

2018-03-14 Thread @lbutlr
On 14 Mar 2018, at 18:14, Wietse Venema  wrote:
> The Postfix SMTP server always looks in virtual_alias_maps.


Oh good, that makes things easier.

>  I suggest that you look at
> http://www.postfix.org/ADDRESS_CLASSS_README.html

Thank you for the link, but I get "Not Found

The requested URL /ADDRESS_CLASSS_README.html was not found on this server."

Oh, wait a minute, there’s an extra S up there. Did you type that from memory?

I’m impressed.



-- 
'I thought we could do it without anyone getting hurt. By using our
brains.' 'Can't. History don't work like that. Blood first, then
brains.' 'Mountains of skulls,' said Truckle. 'There's got to be a
better way than fighting,' said Mr Saveloy. 'Yep. Lots of 'em. Only
none of 'em work.'