how block specific ip address in Postfix
Hello. I saw in logs that some non existent mailbox from client domain
hosted on google tries send some mail to existing mailbox in this same
domain. Non existent mailbox is used from IP's:
94.102.49.198
149.56.173.68
and both are blacklisted.
I need to block these IP addresses in Postfix and also I would like to add
more blacklists to Postfix. I saw that Postfix uses zen.spamhaus.org:
reject_rbl_client zen.spamhaus.org
In log it looks like (webmas...@kamir-transport.pl doesn't exists on my
client who has mail service
hosted on google):
Nov 16 06:10:50 s1 amavis[29248]: (29248-11) Passed CLEAN
{RelayedOutbound}, LOCAL [127.0.0.1] -> <
bi...@kamir-transport.pl>, Message-ID: <
e3226b8dc45f88d341b1c40023a66...@www.kamir-transport.pl>, mail_id:
9IS02YCv7FyA, Hits: -1.901, size: 937, queued_as: 50F1513C675, 1045 ms
Nov 16 18:21:43 s1 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 2 secs): user=, method=PLAIN,
rip=94.102.49.198, lip=54.38.202.128, session=
Today I have deployed working spf with hardfail, dkim and dmarc for this
domain. MX records points to google.
--
*Pozdrawiam / Best Regards*
*Piotr Bracha*
Re: how block specific ip address in Postfix
On 19.11.18 11:24, Poliman - Serwis wrote: Hello. I saw in logs that some non existent mailbox from client domain hosted on google tries send some mail to existing mailbox in this same domain. set smtpd_reject_unlisted_sender=yes this will reject mail from senders in your local domains, that do not exist. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. WinError #98652: Operation completed successfully.
A bit stuck compiling Postfix on Mac Mojave.
This is my make script. make -f Makefile.init dynamicmaps=yes CCARGS='-DHAS_MYSQL -I/usr/local/include/mysql -I/usr/local/include -I/usr/local/include/openssl -I/usr/local/include/gnutls -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/sasl -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DHAS_PCRE -I/usr/local/include -DEF_COMMAND_DIR=\"/usr/local/sbin\" -DEF_CONGIG_DIR=\"/usr/local/etc/postfix\" -DEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DEF_DATA_DIR=\"/var/lib/postfix\" -DEF_MAILQ_PATH=\"/usr/local/bin/mailq\" -DEF_HTML_DIR=\"/usr/share/doc/postfix/html\" -DEF_MANPAGE_DIR=\"/usr/local/man\" -DEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" -DEF_QUEUE_DIR=\"/private/var/spool/postfix\" -DEF_README_DIR=\"/usr/share/doc/postfix\" -DEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\"' 'AUXLIBS=-L/usr/lib -lsasl2 -L/usr/local/opt/openssl/lib -lssl -lcrypto -L/usr/local/lib -ldb -lpcre -L/usr/lib' 'AUXLIBS_IUUC=-L/usr/local/Cellar/icu4c/62.1/lib -licuuc' 'AUXLIBS_MYSQL=-L/usr/local/lib -lmysqlclient -lz -lm' 'AUXLIBS_PCRE=-L/usr/local/lib -lpcre' It’s falling over tls declatations near as I can tell. This is the fail part. Almost all the way through. cc -I. -I../../include -DHAS_MYSQL -I/usr/local/include/mysql -I/usr/local/include -I/usr/local/include/openssl -I/usr/local/include/gnutls -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/sasl -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DHAS_PCRE -I/usr/local/include -DEF_COMMAND_DIR=\"/usr/local/sbin\" -DEF_CONGIG_DIR=\"/usr/local/etc/postfix\" -DEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DEF_DATA_DIR=\"/var/lib/postfix\" -DEF_MAILQ_PATH=\"/usr/local/bin/mailq\" -DEF_HTML_DIR=\"/usr/share/doc/postfix/html\" -DEF_MANPAGE_DIR=\"/usr/local/man\" -DEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" -DEF_QUEUE_DIR=\"/private/var/spool/postfix\" -DEF_README_DIR=\"/usr/share/doc/postfix\" -DEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" -DBIND_8_COMPAT -DNO_NETINFO -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI -DDEF_SMTPUTF8_ENABLE=\"no\" -DHAS_DEV_URANDOM -DUSE_DYNAMIC_LIBS -DUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat -Wno-comment -g -O -I. -I../../include -DMACOSX -Wl,-rpath,/usr/lib/postfix -o smtpd smtpd.o smtpd_token.o smtpd_check.o smtpd_chat.o smtpd_state.o smtpd_peer.o smtpd_sasl_proto.o smtpd_sasl_glue.o smtpd_proxy.o smtpd_xforward.o smtpd_dsn_fix.o smtpd_milter.o smtpd_resolve.o smtpd_expand.o smtpd_haproxy.o ../../lib/libpostfix-master.dylib ../../lib/libpostfix-tls.dylib ../../lib/libxsasl.a ../../lib/libmilter.a ../../lib/libpostfix-dns.dylib ../../lib/libpostfix-global.dylib ../../lib/libpostfix-util.dylib -L/usr/lib -lsasl2 -L/usr/local/opt/openssl/lib -lssl -lcrypto -L/usr/local/lib -ldb -lpcre -L/usr/lib -flat_namespace -lresolv Undefined symbols for architecture x86_64: "_ASN1_STRING_get0_data", referenced from: import-atom in libpostfix-tls.dylib "_EVP_MD_CTX_free", referenced from: import-atom in libpostfix-tls.dylib "_EVP_MD_CTX_new", referenced from: import-atom in libpostfix-tls.dylib "_EVP_PKEY_up_ref", referenced from: import-atom in libpostfix-tls.dylib "_OPENSSL_sk_delete", referenced from: import-atom in libpostfix-tls.dylib "_OPENSSL_sk_dup", referenced from: import-atom in libpostfix-tls.dylib "_OPENSSL_sk_free", referenced from: import-atom in libpostfix-tls.dylib "_OPENSSL_sk_new_null", referenced from: import-atom in libpostfix-tls.dylib "_OPENSSL_sk_num", referenced from: import-atom in libpostfix-tls.dylib "_OPENSSL_sk_pop_free", referenced from: import-atom in libpostfix-tls.dylib "_OPENSSL_sk_push", referenced from: import-atom in libpostfix-tls.dylib "_OPENSSL_sk_value", referenced from: import-atom in libpostfix-tls.dylib "_OpenSSL_version", referenced from: import-atom in libpostfix-tls.dylib "_OpenSSL_version_num", referenced from: import-atom in libpostfix-tls.dylib "_SSL_CTX_set_options", referenced from: import-atom in libpostfix-tls.dylib "_SSL_CTX_set_security_level", referenced from: import-atom in libpostfix-tls.dylib "_SSL_session_reused", referenced from: import-atom in libpostfix-tls.dylib "_SSL_set_options", referenced from: import-atom in libpostfix-tls.dylib "_SSL_set_security_level", referenced from: import-atom in libpostfix-tls.dylib "_TLS_client_method", referenced from: import-atom in libpostfix-tls.dylib "_TLS_method", referenced from: import-atom in libpostfix-tls.dylib "_TLS_server_method", referenced from: import-atom in libpostfix-tls.dylib "_X509_STORE_CTX_get0_cert", referenced from: import-atom in libpostfix-tls.dylib "_X509_STORE_CTX_get0_untrusted", referenced from: import-ato
Re: how block specific ip address in Postfix
On 19 Nov 2018, at 5:24, Poliman - Serwis wrote: Hello. I saw in logs that some non existent mailbox from client domain hosted on google tries send some mail to existing mailbox in this same domain. Non existent mailbox is used from IP's: 94.102.49.198 149.56.173.68 and both are blacklisted. I need to block these IP addresses in Postfix and also I would like to add more blacklists to Postfix. The most absolute and direct way to block specific IP addresses in Postfix is (if you are using postscreen) via postscreen_access_list: main.cf: postscreen_access_list = cidr:/etc/postfix/postscreen-access postscreen_blacklist_action = enforce postscreen-access: 94.102.49.198/32 REJECT 149.56.173.68/32 REJECT (Although I'd personally reject all of 94.102.48.0/20, as I've seen no evidence of that network operator generating anything but malicious traffic.) If you're using an antique version of Postfix or don't have postscreen enabled, you can instead do this: main.cf: smtpd_client_restrictions = [...], check_client_access=cidr/etc/postfix/ip-access, [...] /etc/postfix/ip-access: 94.102.49.198/32 REJECT 149.56.173.68/32 REJECT Note that the "smtpd_client_restrictions" restriction list probably will include other directives and that the order of directives in a restriction list determines which ones actually act: a "PERMIT" or "REJECT" from any directive causes Postfix to skip the rest of that list and "REJECT" causes it to skip the logically subsequent restriction lists.
Re: A bit stuck compiling Postfix on Mac Mojave.
On 19 Nov 2018, at 15:42, Robert Chalmers wrote: > > "_OpenSSL_version", referenced from: > import-atom in libpostfix-tls.dylib > ... > "_X509_up_ref", referenced from: > import-atom in libpostfix-tls.dylib > ld: symbol(s) not found for architecture x86_64 > clang: error: linker command failed with exit code 1 (use -v to see > invocation) > make: *** [smtpd] Error 1 > make: *** [update] Error 1 > make: *** [update] Error 2 > zeus:postfix-3.3.1 robert$ > > > Thanks for any ideasa. It looks like you've not given the correct voodoo to the compiler/linker to use some version of an openssl library. IIUC, Apple replaced OpenSSL (with LibreSSL?) a few years ago because of the Heartbleed bug. You might well be linking against that ssl library rather than the openssl one you expected. The MacOSX ssl library doesn't replicate all the variable names and function calls in OpenSSL.
Re: A bit stuck compiling Postfix on Mac Mojave.
On 19 Nov 2018, at 10:42, Robert Chalmers wrote: This is my make script. [...] -I/usr/local/include/openssl -I/usr/local/include/gnutls I don't think that can work. I know that the only reference to gnutls anywhere in the Postfix distribution is in the 2 TLS read-me files, both of which say: Do not use Gnu TLS So, maybe exposing the build to the gnutls headers might screw up your TLS-related symbols...
Re: A bit stuck compiling Postfix on Mac Mojave.
Yes, I only just put that gnutls in there... in desperation really! But I get the same error with or without. I figured it was some library thing... but finding the right one is a real problem. - Robert Chalmers https://robert-chalmers.uk aut...@robert-chalmers.uk @R_A_Chalmers > On 19 Nov 2018, at 4:20 pm, Bill Cole > wrote: > >> On 19 Nov 2018, at 10:42, Robert Chalmers wrote: >> >> This is my make script. > [...] >> -I/usr/local/include/openssl -I/usr/local/include/gnutls > > I don't think that can work. I know that the only reference to gnutls > anywhere in the Postfix distribution is in the 2 TLS read-me files, both of > which say: > > Do not use Gnu TLS > > So, maybe exposing the build to the gnutls headers might screw up your > TLS-related symbols...
Re: A bit stuck compiling Postfix on Mac Mojave.
I think I’ve got the OpenSSL libraries correct, but not the TLD part. - Robert Chalmers https://robert-chalmers.uk aut...@robert-chalmers.uk @R_A_Chalmers > On 19 Nov 2018, at 4:20 pm, Bill Cole > wrote: > >> On 19 Nov 2018, at 10:42, Robert Chalmers wrote: >> >> This is my make script. > [...] >> -I/usr/local/include/openssl -I/usr/local/include/gnutls > > I don't think that can work. I know that the only reference to gnutls > anywhere in the Postfix distribution is in the 2 TLS read-me files, both of > which say: > > Do not use Gnu TLS > > So, maybe exposing the build to the gnutls headers might screw up your > TLS-related symbols...
Re: A bit stuck compiling Postfix on Mac Mojave.
On Mon, Nov 19, 2018 at 03:42:51PM +, Robert Chalmers wrote:
> make -f Makefile.init dynamicmaps=yes CCARGS='-DHAS_MYSQL
> -I/usr/local/include/mysql -I/usr/local/include -I/usr/local/include/openssl
> -I/usr/local/include/gnutls -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL
> -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/sasl
> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DHAS_PCRE -I/usr/local/include
> -DEF_COMMAND_DIR=\"/usr/local/sbin\"
> -DEF_CONGIG_DIR=\"/usr/local/etc/postfix\"
> -DEF_DAEMON_DIR=\"/usr/local/libexec/postfix\"
> -DEF_DATA_DIR=\"/var/lib/postfix\" -DEF_MAILQ_PATH=\"/usr/local/bin/mailq\"
> -DEF_HTML_DIR=\"/usr/share/doc/postfix/html\"
> -DEF_MANPAGE_DIR=\"/usr/local/man\"
> -DEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\"
> -DEF_QUEUE_DIR=\"/private/var/spool/postfix\"
> -DEF_README_DIR=\"/usr/share/doc/postfix\"
> -DEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\"' 'AUXLIBS=-L/usr/lib -lsasl2
> -L/usr/local/opt/openssl/lib -lssl -lcrypto -L/usr/local/lib -ldb -lpcre
> -L/usr/lib' 'AUXLIBS_IUUC=-L/usr/local/Cellar/icu4c/62.1/lib -licuuc'
> 'AUXLIBS_MYSQL=-L/usr/local/lib -lmysqlclient -lz -lm'
> 'AUXLIBS_PCRE=-L/usr/local/lib -lpcre'
Change the above to:
# There's no need to mention "-I/usr/local/include" multiple times.
#
set -- '-DUSE_TLS -I/usr/local/opt/openssl/include'
set -- "$@" '-I/usr/local/opt/icu4c/include'
set -- "$@" '-DHAS_MYSQL -I/usr/local/include/mysql'
set -- '-DHAS_PCRE -I/usr/local/include'
set -- "$@" '-DUSE_SASL_AUTH -DUSE_CYRUS_SASL
-DDEF_SERVER_SASL_TYPE=\"dovecot\"'
CCARGS="$@"
# Do not use "-lprcre" in "AUXLIBS" when using "AUXLIBS_PCRE" for
# dynamic_maps=yes. There is no "AUXLIBS_IUUC", the libraries for
# Unicode support go into AUXLIBS, and include files into CCARGS.
# When using "-L/usr/local/opt/openssl/lib" for the homebrew
# OpenSSL libraries, also use "-I/usr/local/opt/openssl/include"
# for the corresponding headers. Do not use ".../include/openssl",
# rather use ".../include", because the OpenSSL headers are included
# as "",
#
set -- '-lsasl2'
set -- "$@" '-L/usr/local/opt/openssl/lib -lssl -lcrypto'
set -- "$@" '-L/usr/local/lib -ldb'
set -- "$@" '-L/usr/local/opt/icu4c/lib -licuuc'
AUXLIBS="$@"
# Do you also need overrides for:
#
#shlib_directory ?
#meta_directory ?
#
make -f Makefile.init shared=yes dynamicmaps=yes \
config_directory=/usr/local/etc/postfix \
command_directory=/usr/local/sbin \
daemon_directory=/usr/local/libexec/postfix \
queue_directory=var/spool/postfix \
data_directory=/var/lib/postfix \
html_directory=/usr/share/doc/postfix/html \
manpage_directory=/usr/local/man \
readme_directory=/usr/share/doc/postfix \
mailq_path=/usr/local/bin/mailq \
newaliases_path=/usr/local/bin/newaliases \
sendmail_path=/usr/local/sbin/sendmail \
"CCARGS=${CCARGS}" \
"AUXLIBS=${AUXLIBS}" \
'AUXLIBS_MYSQL=-L/usr/local/lib -lmysqlclient -lz -lm' \
'AUXLIBS_PCRE=-L/usr/local/lib -lpcre'
--
Viktor.
Re: A bit stuck compiling Postfix on Mac Mojave.
Viktor Dukhovni: > Change the above to: > > # There's no need to mention "-I/usr/local/include" multiple times. > # > set -- '-DUSE_TLS -I/usr/local/opt/openssl/include' > set -- "$@" '-I/usr/local/opt/icu4c/include' Please don't hard-code ICU pathnames. EAI support is enabled by default when the "icu-config" command is found. Postfix uses 'icu-config --cppflags' to locate header files, and 'icu-config --ldflags' to locate libraries. Now, if Apple decided not to install "icu-config", then they are not helping developers. Wietse
Re: A bit stuck compiling Postfix on Mac Mojave.
Thanks Viktor. I have a compile…
I’ve had to make a couple of very small changes.
The queue directory is missing the “/“ in front of var. and I added in the
sasl2 stuff. I’m rebuilding this so that I’m not having to use macports - only
Homebrew things, and the native Apple libraries in the case of SASL. I can’t
locate any others for now that I feel will work. There probably is, but it’s an
ongoing project.
I have a running Postfix with all the stuff like dovecot, spamassassin etc etc.
so this is going to be the postfix replacement.
Thank you so much for your help. Brilliant. I was getting quite lost in my
Makefile collection.
I’m presuming I can stuff all this into a shell script?
This is my version.
set -- '-DUSE_TLS -I/usr/local/opt/openssl/include'
set -- "$@" '-I/usr/local/opt/icu4c/include'
set -- "$@" '-DHAS_MYSQL -I/usr/local/include/mysql'
set -- '-DHAS_PCRE -I/usr/local/include'
set -- "$@" '-DUSE_SASL_AUTH -DUSE_CYRUS_SASL
-DDEF_SERVER_SASL_TYPE=\"dovecot\"
-I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/sasl'
CCARGS="$@"
set -- '-lsasl2'
set -- "$@" '-L/usr/local/opt/openssl/lib -lssl -lcrypto'
set -- "$@" '-L/usr/local/lib -ldb'
set -- "$@" '-L/usr/lib -lsasl2'
set -- "$@" '-L/usr/local/opt/icu4c/lib -licuuc'
AUXLIBS="$@"
make -f Makefile.init shared=yes dynamicmaps=yes \
config_directory=/usr/local/etc/postfix \
command_directory=/usr/local/sbin \
daemon_directory=/usr/local/libexec/postfix \
queue_directory=/var/spool/postfix \
data_directory=/var/lib/postfix \
html_directory=/usr/share/doc/postfix/html \
manpage_directory=/usr/local/man \
readme_directory=/usr/share/doc/postfix \
mailq_path=/usr/local/bin/mailq \
newaliases_path=/usr/local/bin/newaliases \
sendmail_path=/usr/local/sbin/sendmail \
"CCARGS=${CCARGS}" \
"AUXLIBS=${AUXLIBS}" \
'AUXLIBS_MYSQL=-L/usr/local/lib -lmysqlclient -lz -lm' \
'AUXLIBS_PCRE=-L/usr/local/lib -lpcre'
=
> On 19 Nov 2018, at 17:16, Viktor Dukhovni wrote:
>
> On Mon, Nov 19, 2018 at 03:42:51PM +, Robert Chalmers wrote:
>
>> make -f Makefile.init dynamicmaps=yes CCARGS='-DHAS_MYSQL
>> -I/usr/local/include/mysql -I/usr/local/include -I/usr/local/include/openssl
>> -I/usr/local/include/gnutls -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL
>> -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/sasl
>> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DHAS_PCRE -I/usr/local/include
>> -DEF_COMMAND_DIR=\"/usr/local/sbin\"
>> -DEF_CONGIG_DIR=\"/usr/local/etc/postfix\"
>> -DEF_DAEMON_DIR=\"/usr/local/libexec/postfix\"
>> -DEF_DATA_DIR=\"/var/lib/postfix\" -DEF_MAILQ_PATH=\"/usr/local/bin/mailq\"
>> -DEF_HTML_DIR=\"/usr/share/doc/postfix/html\"
>> -DEF_MANPAGE_DIR=\"/usr/local/man\"
>> -DEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\"
>> -DEF_QUEUE_DIR=\"/private/var/spool/postfix\"
>> -DEF_README_DIR=\"/usr/share/doc/postfix\"
>> -DEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\"' 'AUXLIBS=-L/usr/lib -lsasl2
>> -L/usr/local/opt/openssl/lib -lssl -lcrypto -L/usr/local/lib -ldb -lpcre
>> -L/usr/lib' 'AUXLIBS_IUUC=-L/usr/local/Cellar/icu4c/62.1/lib -licuuc'
>> 'AUXLIBS_MYSQL=-L/usr/local/lib -lmysqlclient -lz -lm'
>> 'AUXLIBS_PCRE=-L/usr/local/lib -lpcre'
>
> Change the above to:
>
> # There's no need to mention "-I/usr/local/include" multiple times.
> #
> set -- '-DUSE_TLS -I/usr/local/opt/openssl/include'
> set -- "$@" '-I/usr/local/opt/icu4c/include'
> set -- "$@" '-DHAS_MYSQL -I/usr/local/include/mysql'
> set -- '-DHAS_PCRE -I/usr/local/include'
> set -- "$@" '-DUSE_SASL_AUTH -DUSE_CYRUS_SASL
> -DDEF_SERVER_SASL_TYPE=\"dovecot\"'
> CCARGS="$@"
>
> # Do not use "-lprcre" in "AUXLIBS" when using "AUXLIBS_PCRE" for
> # dynamic_maps=yes. There is no "AUXLIBS_IUUC", the libraries for
> # Unicode support go into AUXLIBS, and include files into CCARGS.
> # When using "-L/usr/local/opt/openssl/lib" for the homebrew
> # OpenSSL libraries, also use "-I/usr/local/opt/openssl/include"
> # for the corresponding headers. Do not use ".../include/openssl",
> # rather use ".../include", because the OpenSSL headers are included
> # as "",
> #
> set -- '-lsasl2'
> set -- "$@" '-L/usr/local/opt/openssl/lib -lssl -lcrypto'
> set -- "$@" '-L/usr/local/lib -ldb'
> set -- "$@" '-L/usr/local/opt/icu4c/lib -licuuc'
> AUXLIBS="$@"
>
> # Do you also need overrides for:
> #
> #shlib_directory ?
> #meta_directory ?
> #
> make -f Makefile.init shared=yes dynamicmaps=yes \
>config_directory=/usr/local/etc/postfix \
>command_directory=/usr/local/sbin \
>daemon_directory=/usr/local/libexec/postfix \
>queue_directory=var/spool/postfix \
>data_directory=/var/lib/postfix \
>html_directory=/usr/share/doc/postfix/html \
>manpage_directory=/usr/local
Re: A bit stuck compiling Postfix on Mac Mojave.
sorry Wietse, you’ve lost me there. What does your statement mean in relation to the commands of Viktor that now build it? thanks Robert > On 19 Nov 2018, at 19:33, Wietse Venema wrote: > > Viktor Dukhovni: >> Change the above to: >> >> # There's no need to mention "-I/usr/local/include" multiple times. >> # >> set -- '-DUSE_TLS -I/usr/local/opt/openssl/include' >> set -- "$@" '-I/usr/local/opt/icu4c/include' > > Please don't hard-code ICU pathnames. EAI support is > enabled by default when the "icu-config" command is found. > > Postfix uses 'icu-config --cppflags' to locate header files, and > 'icu-config --ldflags' to locate libraries. > > Now, if Apple decided not to install "icu-config", then they are > not helping developers. > > Wietse
Re: A bit stuck compiling Postfix on Mac Mojave.
opps. Viktor. In my slight rework enthusiasm I’ve gone and put -lsasl2 in
twice… no matter I’ll fix it.
robert
> On 19 Nov 2018, at 17:16, Viktor Dukhovni wrote:
>
> On Mon, Nov 19, 2018 at 03:42:51PM +, Robert Chalmers wrote:
>
>> make -f Makefile.init dynamicmaps=yes CCARGS='-DHAS_MYSQL
>> -I/usr/local/include/mysql -I/usr/local/include -I/usr/local/include/openssl
>> -I/usr/local/include/gnutls -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL
>> -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/sasl
>> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DHAS_PCRE -I/usr/local/include
>> -DEF_COMMAND_DIR=\"/usr/local/sbin\"
>> -DEF_CONGIG_DIR=\"/usr/local/etc/postfix\"
>> -DEF_DAEMON_DIR=\"/usr/local/libexec/postfix\"
>> -DEF_DATA_DIR=\"/var/lib/postfix\" -DEF_MAILQ_PATH=\"/usr/local/bin/mailq\"
>> -DEF_HTML_DIR=\"/usr/share/doc/postfix/html\"
>> -DEF_MANPAGE_DIR=\"/usr/local/man\"
>> -DEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\"
>> -DEF_QUEUE_DIR=\"/private/var/spool/postfix\"
>> -DEF_README_DIR=\"/usr/share/doc/postfix\"
>> -DEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\"' 'AUXLIBS=-L/usr/lib -lsasl2
>> -L/usr/local/opt/openssl/lib -lssl -lcrypto -L/usr/local/lib -ldb -lpcre
>> -L/usr/lib' 'AUXLIBS_IUUC=-L/usr/local/Cellar/icu4c/62.1/lib -licuuc'
>> 'AUXLIBS_MYSQL=-L/usr/local/lib -lmysqlclient -lz -lm'
>> 'AUXLIBS_PCRE=-L/usr/local/lib -lpcre'
>
> Change the above to:
>
> # There's no need to mention "-I/usr/local/include" multiple times.
> #
> set -- '-DUSE_TLS -I/usr/local/opt/openssl/include'
> set -- "$@" '-I/usr/local/opt/icu4c/include'
> set -- "$@" '-DHAS_MYSQL -I/usr/local/include/mysql'
> set -- '-DHAS_PCRE -I/usr/local/include'
> set -- "$@" '-DUSE_SASL_AUTH -DUSE_CYRUS_SASL
> -DDEF_SERVER_SASL_TYPE=\"dovecot\"'
> CCARGS="$@"
>
> # Do not use "-lprcre" in "AUXLIBS" when using "AUXLIBS_PCRE" for
> # dynamic_maps=yes. There is no "AUXLIBS_IUUC", the libraries for
> # Unicode support go into AUXLIBS, and include files into CCARGS.
> # When using "-L/usr/local/opt/openssl/lib" for the homebrew
> # OpenSSL libraries, also use "-I/usr/local/opt/openssl/include"
> # for the corresponding headers. Do not use ".../include/openssl",
> # rather use ".../include", because the OpenSSL headers are included
> # as "",
> #
> set -- '-lsasl2'
> set -- "$@" '-L/usr/local/opt/openssl/lib -lssl -lcrypto'
> set -- "$@" '-L/usr/local/lib -ldb'
> set -- "$@" '-L/usr/local/opt/icu4c/lib -licuuc'
> AUXLIBS="$@"
>
> # Do you also need overrides for:
> #
> #shlib_directory ?
> #meta_directory ?
> #
> make -f Makefile.init shared=yes dynamicmaps=yes \
>config_directory=/usr/local/etc/postfix \
>command_directory=/usr/local/sbin \
>daemon_directory=/usr/local/libexec/postfix \
>queue_directory=var/spool/postfix \
>data_directory=/var/lib/postfix \
>html_directory=/usr/share/doc/postfix/html \
>manpage_directory=/usr/local/man \
>readme_directory=/usr/share/doc/postfix \
>mailq_path=/usr/local/bin/mailq \
>newaliases_path=/usr/local/bin/newaliases \
>sendmail_path=/usr/local/sbin/sendmail \
>"CCARGS=${CCARGS}" \
>"AUXLIBS=${AUXLIBS}" \
>'AUXLIBS_MYSQL=-L/usr/local/lib -lmysqlclient -lz -lm' \
>'AUXLIBS_PCRE=-L/usr/local/lib -lpcre'
>
> --
> Viktor.
Robert Chalmers
https://robert-chalmers.uk
aut...@robert-chalmers.uk
@R_A_Chalmers
Re: A bit stuck compiling Postfix on Mac Mojave.
it seems icu-config is gone from Mojave. however, pkg-config is there. According to the icu project docs, Note: icu-config is deprecated, and no longer recommended for production use. Please use pkg-config files or other options. http://userguide.icu-project.org/howtouseicu#TOC-pkg-config robert > On 19 Nov 2018, at 19:33, Wietse Venema wrote: > > Viktor Dukhovni: >> Change the above to: >> >> # There's no need to mention "-I/usr/local/include" multiple times. >> # >> set -- '-DUSE_TLS -I/usr/local/opt/openssl/include' >> set -- "$@" '-I/usr/local/opt/icu4c/include' > > Please don't hard-code ICU pathnames. EAI support is > enabled by default when the "icu-config" command is found. > > Postfix uses 'icu-config --cppflags' to locate header files, and > 'icu-config --ldflags' to locate libraries. > > Now, if Apple decided not to install "icu-config", then they are > not helping developers. > > Wietse Robert Chalmers https://robert-chalmers.uk aut...@robert-chalmers.uk @R_A_Chalmers
Re: A bit stuck compiling Postfix on Mac Mojave.
Viktor Dukhovni: > Change the above to: > > # There's no need to mention "-I/usr/local/include" multiple times. > # > set -- '-DUSE_TLS -I/usr/local/opt/openssl/include' > set -- "$@" '-I/usr/local/opt/icu4c/include' On 19 Nov 2018, at 19:33, Wietse Venema wrote: > Please don't hard-code ICU pathnames. EAI support is > enabled by default when the "icu-config" command is found. > > Postfix uses 'icu-config --cppflags' to locate header files, and > 'icu-config --ldflags' to locate libraries. > > Now, if Apple decided not to install "icu-config", then they are > not helping developers. Robert Chalmers: > sorry Wietse, you?ve lost me there. > > What does your statement mean in relation to the commands of Viktor > that now build it? It says please don't hard-code ICU pathnames. Wietse
Re: A bit stuck compiling Postfix on Mac Mojave.
On Mon, Nov 19, 2018 at 07:43:06PM +, Robert Chalmers wrote: > sorry Wietse, you’ve lost me there. > > What does your statement mean in relation to the commands of Viktor that now > build it? To get unicode enabled automatically, add: /usr/local/opt/icu4c/bin to your PATH, and then the Postfix "makedefs" script will find the appropriate icu4c headers and libraries. You can then remove the explicit settings for ICU from CCARGS and AUXLIBS. While "icu-config" is "deprecated", for the moment it still works. -- Viktor.
Re: A bit stuck compiling Postfix on Mac Mojave.
Thanks Victor, understood. - Robert Chalmers https://robert-chalmers.uk aut...@robert-chalmers.uk @R_A_Chalmers > On 19 Nov 2018, at 8:53 pm, Viktor Dukhovni > wrote: > >> On Mon, Nov 19, 2018 at 07:43:06PM +, Robert Chalmers wrote: >> >> sorry Wietse, you’ve lost me there. >> >> What does your statement mean in relation to the commands of Viktor that now >> build it? > > To get unicode enabled automatically, add: > >/usr/local/opt/icu4c/bin > > to your PATH, and then the Postfix "makedefs" script will find the > appropriate icu4c headers and libraries. You can then remove the > explicit settings for ICU from CCARGS and AUXLIBS. > > While "icu-config" is "deprecated", for the moment it still works. > > -- >Viktor.
Re: how block specific ip address in Postfix
2018-11-19 16:57 GMT+01:00 Bill Cole < postfixlists-070...@billmail.scconsult.com>: > On 19 Nov 2018, at 5:24, Poliman - Serwis wrote: > > Hello. I saw in logs that some non existent mailbox from client domain >> hosted on google tries send some mail to existing mailbox in this same >> domain. Non existent mailbox is used from IP's: >> 94.102.49.198 >> 149.56.173.68 >> and both are blacklisted. >> I need to block these IP addresses in Postfix and also I would like to add >> more blacklists to Postfix. >> > > The most absolute and direct way to block specific IP addresses in Postfix > is (if you are using postscreen) via postscreen_access_list: > > main.cf: > postscreen_access_list = cidr:/etc/postfix/postscreen-access > postscreen_blacklist_action = enforce > > > postscreen-access: > 94.102.49.198/32 REJECT > 149.56.173.68/32 REJECT > > (Although I'd personally reject all of 94.102.48.0/20, as I've seen no > evidence of that network operator generating anything but malicious > traffic.) > > If you're using an antique version of Postfix or don't have postscreen > enabled, you can instead do this: > > main.cf: > smtpd_client_restrictions = [...], > check_client_access=cidr/etc/postfix/ip-access, > [...] > > > /etc/postfix/ip-access: > 94.102.49.198/32 REJECT > 149.56.173.68/32 REJECT > > Note that the "smtpd_client_restrictions" restriction list probably will > include other directives and that the order of directives in a restriction > list determines which ones actually act: a "PERMIT" or "REJECT" from any > directive causes Postfix to skip the rest of that list and "REJECT" causes > it to skip the logically subsequent restriction lists. > > > Thank you for answers. I use Postfix -> mail_version = 3.1.0 -- *Pozdrawiam / Best Regards* *Piotr Bracha*
spf and dmarc settings
Hello! I have mail-related question. What will happen if I set SPF to "soft fail" but in DMARC I set "strict" to SPF Identifier Alignment - the "aspf" tag. -- *Pozdrawiam / Best Regards* *Piotr Bracha*
