Re: postfix functional testing

2018-10-02 Thread Илья Шипицин
Tue, 2 Oct 2018 at 4:24, Wietse Venema :

> Илья Шипицин:
> > Hello,
> >
> > we have pretty complicated setup. when we change something, we can break
> > something else.  however, we can describe "what must work".
>
> In the case of email, this is usually tested by sending email and
> monitoring one or more destination mailboxes, to determine if the
> message is delivered in the expected time and with the expected
> content.
>
> > is there a way of describing configuration testing like
> >
> https://openresty.gitbooks.io/programming-openresty/content/testing/test-nginx.html
> > ?
>
> SMTP is a store-and-forward protocol, therefore server responses
> alone cover only a small part of a complete email transaction.
>

I understand that HTTP and SMTP are different (while HTTP borrowed a lot
from SMTP, like return status codes).
What I did already is "sendmail -bt" (become test) mode. It allows testing
some aspects of SMTP rules (not many, mostly address manipulation).

what I would like to test are

1) some IPs are allowed to relay, some are not allowed (I'd like to specify
several IP addresses and see "relay allowed" or "relay not allowed")
2) some domains should be delivered via LMTP, i.e. locally (I'd like to
specify both local and remote addresses and see what happens)
3) DKIM signature is added to certain domains (via milter), I'd like to
send test messages and see


well, at least "3)" can be tested via real use letters. not clear how to
test "1)" and "2)"

We did break the overall config when we changed "something". We do not want
to break it again.


>
> Wietse
>


Re: postfix functional testing

2018-10-02 Thread Patrick Ben Koetter
* Илья Шипицин :
> Tue, 2 Oct 2018 at 4:24, Wietse Venema :
> 
> > Илья Шипицин:
> > > Hello,
> > >
> > > we have pretty complicated setup. when we change something, we can break
> > > something else.  however, we can describe "what must work".
> >
> > In the case of email, this is usually tested by sending email and
> > monitoring one or more destination mailboxes, to determine if the
> > message is delivered in the expected time and with the expected
> > content.
> >
> > > is there a way of describing configuration testing like
> > >
> > https://openresty.gitbooks.io/programming-openresty/content/testing/test-nginx.html
> > > ?
> >
> > SMTP is a store-and-forward protocol, therefore server responses
> > alone cover only a small part of a complete email transaction.
> >
> 
> I understand that HTTP and SMTP are different (while HTTP borrowed a lot
> from SMTP, like return status codes).
> what I did already is "sendmail -bt" (become test) mode. it allows to test
> some aspects of smtp rules (not many, mostly address manipulation).
> 
> what I would like to test are
> 
> 1) some IP are allowed to relay, some are not allowed (i'd like to specify
> several IP addresses and see "relay allowed" or "relay not allowed")
> 2) some domains should be delivered via LMTP, i.e. locally (I'd like to
> specify both local and remote addresses and see what happens)
> 3) DKIM signature is added to certain domains (via milter), I'd like to
> send test messages and see
> 
> well, at least "3)" can be tested via real use letters. not clear how to
> test "1)" and "2)"

For 1) and 2) read into XCLIENT. We use it for functional testing all the
time. For 3) send the message to another (local) instance and let it verify,
then parse the log.


p@rick



-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
 


Re: postfix functional testing

2018-10-02 Thread Илья Шипицин
wow. we do use XCLIENT already.
but I did not consider it for testing purpose.

you made my day :)

Tue, 2 Oct 2018 at 12:46, Patrick Ben Koetter :

> * Илья Шипицин :
> > Tue, 2 Oct 2018 at 4:24, Wietse Venema :
> >
> > > Илья Шипицин:
> > > > Hello,
> > > >
> > > > we have pretty complicated setup. when we change something, we can
> break
> > > > something else.  however, we can describe "what must work".
> > >
> > > In the case of email, this is usually tested by sending email and
> > > monitoring one or more destination mailboxes, to determine if the
> > > message is delivered in the expected time and with the expected
> > > content.
> > >
> > > > is there a way of describing configuration testing like
> > > >
> > >
> https://openresty.gitbooks.io/programming-openresty/content/testing/test-nginx.html
> > > > ?
> > >
> > > SMTP is a store-and-forward protocol, therefore server responses
> > > alone cover only a small part of a complete email transaction.
> > >
> >
> > I understand that HTTP and SMTP are different (while HTTP borrowed a lot
> > from SMTP, like return status codes).
> > what I did already is "sendmail -bt" (become test) mode. it allows to
> test
> > some aspects of smtp rules (not many, mostly address manipulation).
> >
> > what I would like to test are
> >
> > 1) some IP are allowed to relay, some are not allowed (i'd like to
> specify
> > several IP addresses and see "relay allowed" or "relay not allowed")
> > 2) some domains should be delivered via LMTP, i.e. locally (I'd like to
> > specify both local and remote addresses and see what happens)
> > 3) DKIM signature is added to certain domains (via milter), I'd like to
> > send test messages and see
> >
> > well, at least "3)" can be tested via real use letters. not clear how to
> > test "1)" and "2)"
>
> For 1) and 2) read into XCLIENT. We use it for functional testing all the
> time. For 3) send the message to another (local) instance and let it
> verify,
> then parse the log.
>
>
> p@rick
>
>
>
> --
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>
> Registered office: Munich, Munich District Court: HRB 199263
> Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Chairman of the supervisory board: Florian Kirstein
>
>


Authenticating 'From' header to match envelope

2018-10-02 Thread Johannes Bauer
Hi list,

I'm having an issue with my Postfix configuration: Currently I've it set
up so that one authentication SASL login (e.g., m...@foo.com) supports
multiple virtual email addresses (e.g., m...@foo.com but also
f...@foo.com, b...@foo.com).

Once authenticated with m...@foo.com, the envelope sender ("MAIL FROM")
is restricted to only the permissible variants.

However, as I've now painfully found out, when in Thunderbird someone
uses the "Custom From Address" feature, it doesn't change the envelope
sender, but only the actual "From" header field. This means, I have the
following situation:

Auth: m...@foo.com
Envelope from: m...@foo.com
Header 'From': anyth...@goes.com

One of my customers used a gmail address in the header "From", sent an
email to @hotmail.com and now my mailserver is permablocked at Microsoft
for bad reputation.

How can I ensure in the future that the same checks are applied to the
Header "From" field that are also applied to the envelope "From" field?

Thanks,
Johannes


Re: postfix functional testing

2018-10-02 Thread Wietse Venema
Илья Шипицин:
> Tue, 2 Oct 2018 at 4:24, Wietse Venema :
> 
> > Илья Шипицин:
> > > Hello,
> > >
> > > we have pretty complicated setup. when we change something, we can break
> > > something else.  however, we can describe "what must work".
> >
> > In the case of email, this is usually tested by sending email and
> > monitoring one or more destination mailboxes, to determine if the
> > message is delivered in the expected time and with the expected
> > content.
> >
> > > is there a way of describing configuration testing like
> > >
> > https://openresty.gitbooks.io/programming-openresty/content/testing/test-nginx.html
> > > ?
> >
> > SMTP is a store-and-forward protocol, therefore server responses
> > alone cover only a small part of a complete email transaction.
> >
> 
> I understand that HTTP and SMTP are different (while HTTP borrowed a lot
> from SMTP, like return status codes).
> what I did already is "sendmail -bt" (become test) mode. it allows to test
> some aspects of smtp rules (not many, mostly address manipulation).

Perhaps you mean 'sendmail -bv', as discussed in the example at the
end of ADDRESS_REWRITING_README. Postfix has no 'sendmail -bt' feature.

> what I would like to test are
> 
> 1) some IP are allowed to relay, some are not allowed (i'd like to specify
> several IP addresses and see "relay allowed" or "relay not allowed")

That's what the Postfix XCLIENT feature is for.

> 2) some domains should be delivered via LMTP, i.e. locally (I'd like to
> specify both local and remote addresses and see what happens)

Set up a 'local' and 'remote' mailbox.  Or run the system in a VM
or container, and you have full control over all its network and
therefore can simulate any environment.

> 3) DKIM signature is added to certain domains (via milter), I'd like to
> send test messages and see

Set up a mailbox and examine the result...

> well, at least "3)" can be tested via real use letters. not clear how to
> test "1)" and "2)"
> 
> we did break overall config when changed "something". we do not want to
> break again.

Wietse
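
The XCLIENT-based relay test suggested in the replies above, as an added example that is not part of the original thread: the test host must be listed in smtpd_authorized_xclient_hosts on the instance under test, and the function names, addresses and expectation table are constructed for illustration.

```python
import smtplib

def relay_verdict(smtp, client_ip, sender, rcpt):
    """Return (allowed, reply) for RCPT TO as if sent from client_ip.

    smtp is a connected smtplib.SMTP object (or a compatible stand-in).
    """
    smtp.ehlo()
    if not smtp.has_extn("xclient"):
        raise RuntimeError("XCLIENT not offered to this client")
    code, reply = smtp.docmd("XCLIENT", "ADDR=" + client_ip)
    if code != 220:
        raise RuntimeError("XCLIENT refused: %d %s" % (code, reply.decode()))
    smtp.ehlo()  # XCLIENT puts the session back at the greeting; greet again
    code, reply = smtp.mail(sender)
    if code == 250:
        code, reply = smtp.rcpt(rcpt)
    smtp.rset()  # abandon the transaction so nothing is queued
    return code == 250, "%d %s" % (code, reply.decode(errors="replace"))

def run_matrix(connect, cases, sender="probe@test.invalid"):
    """cases: (client_ip, rcpt, expect_allowed). Returns the mismatches."""
    failures = []
    for client_ip, rcpt, expected in cases:
        with connect() as smtp:
            allowed, reply = relay_verdict(smtp, client_ip, sender, rcpt)
        if allowed != expected:
            failures.append((client_ip, rcpt, reply))
    return failures

# Constructed expectations; the IP addresses are documentation ranges.
CASES = [
    ("192.0.2.10", "user@remote.example", True),    # trusted network may relay
    ("203.0.113.5", "user@remote.example", False),  # unknown client may not
    ("203.0.113.5", "user@foo.example", True),      # local domain is accepted
]

if __name__ == "__main__":
    # Hypothetical address of the Postfix instance under test.
    def connect():
        return smtplib.SMTP("127.0.0.1", 25,
                            local_hostname="probe.invalid", timeout=10)
    for failure in run_matrix(connect, CASES):
        print("UNEXPECTED:", failure)
```

This covers the relay decision in item 1); where a message is routed afterwards, as in item 2), is not visible in the RCPT TO reply and still has to be confirmed from the delivery log or a test mailbox.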


Re: Authenticating 'From' header to match envelope

2018-10-02 Thread Wietse Venema
Johannes Bauer:
> How can I ensure in the future that the same checks are applied to the
> Header "From" field that are also applied to the envelope "From" field?

Use an external content filter. BTW this email will be delivered
with Envelope from = owner-postfix-us...@postfix.org, and from
Header 'From' = my email address. Just so you know.

Wietse


Re: Authenticating 'From' header to match envelope

2018-10-02 Thread Ralph Seichter
On 02.10.2018 12:48, Johannes Bauer wrote:

> Once authenticated with m...@foo.com, the envelope sender ("MAIL
> FROM") is restricted to only the permissible variants. [...]
>
> How can I ensure in the future that the same checks are applied to the
> Header "From" field that are also applied to the envelope "From" field?

Educating the customers would be my first step. Then, you could use
milter-regex (http://www.benzedrine.ch/milter-regex.html) or similar in
your authenticated submission process:

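  # /etc/submission-milter-regex.conf
  # Reject any envelope sender at gmail.com.
  reject "No impersonations please"
  envfrom /@gmail\.com>/i

  # Reject unless both the envelope sender and the From header are in foo.com.
  reject "Missing 'From' header or domain mismatch"
  not ( envfrom /@foo\.com>/i and header /^From$/i /@foo\.com/i )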

I cannot test this right now, but it should work. Note that users can
evade check #2 by using headers like

  From: "t...@foo.com" 

but that would be malice, and reason to kick your customer's backside.

-Ralph
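
The header check discussed in this thread, written as the decision function a content filter or milter could call; this is an added example, not code from the thread. It parses the From header into display name and address, so an allowed address placed only in the quoted display name does not pass. The function name, the sample messages and the case-insensitive comparison are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

def from_header_violation(raw_message, allowed_senders):
    """Return a rejection reason, or None if the header From is acceptable.

    allowed_senders is the set of addresses the authenticated login may
    use, i.e. the same set already enforced on the envelope sender.
    """
    allowed = {a.lower() for a in allowed_senders}
    msg = message_from_string(raw_message)
    headers = msg.get_all("From", [])
    if len(headers) != 1:
        return "exactly one From header required"
    # getaddresses() separates the display name from the address itself.
    addrs = [addr.lower() for _name, addr in getaddresses(headers)]
    if len(addrs) != 1 or not addrs[0]:
        return "From must contain exactly one mailbox"
    if addrs[0] not in allowed:
        return "From address %s is not permitted for this login" % addrs[0]
    return None

# Constructed sample messages; all addresses are made up.
ALLOWED = {"alice@foo.com", "sales@foo.com"}
GOOD = "From: Alice <alice@foo.com>\nSubject: hi\n\nbody\n"
SPOOF = 'From: "alice@foo.com" <someone@gmail.com>\nSubject: hi\n\nbody\n'
TWO_HEADERS = "From: alice@foo.com\nFrom: someone@gmail.com\n\nbody\n"
TWO_MAILBOXES = "From: alice@foo.com, someone@gmail.com\n\nbody\n"

if __name__ == "__main__":
    for name in ("GOOD", "SPOOF", "TWO_HEADERS", "TWO_MAILBOXES"):
        print(name, "->", from_header_violation(globals()[name], ALLOWED))
```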


check if envelope from and from is the same

2018-10-02 Thread Stefan Bauer
Hi,

we're running a small smtp send only service for authenticated users only.
Even though we only accept allowed combinations of authenticated user and
pre-defined envelope from addresses with access_maps, some smartasses
started to spoof From: addresses so we got bad reputation at receiver sites.

Is this a good idea to check if envelope from and from matches and if so,
howto do it in postfix?

thank you

Stefan


Re: check if envelope from and from is the same

2018-10-02 Thread Ralph Seichter
On 02.10.18 21:17, Stefan Bauer wrote:

> Is this a good idea to check if envelope from and from matches and if
> so, howto do it in postfix?

Seriously? A "howto" has been posted on this very mailing list a few
hours ago. Mailing list archives are so useful...

-Ralph