Re: bypass policy server in recipient_restrictions when subject contains string

2019-01-05 Thread Stefan Bauer
Understood. Would it be possible to have header_checks in main.cf that send
mails with a special subject with FILTER to an smtp process that does not have
the policy service as an option,

and all other mails (/.*/)

also with FILTER to an smtp process with the policy service?

This way I can bypass the policy service with a special subject.

On Friday, 4 January 2019, Bill Cole <
postfixlists-070...@billmail.scconsult.com> wrote:
> On 4 Jan 2019, at 10:36, Stefan Bauer wrote:
>
>> Would it be possible to have FILTER as action in policy server
>
> Yes, but FILTER behaves as documented in the access(5) man page. The
first 5 words there describing what FILTER does are critical, but you
should read it all...
>
>> (in
>> recipient_restrictions) and send it to smtp process that uses
header_checks
>> do have mailroute based on subject?
>
> There can be NO WAY to exempt a message from policy that would apply at
RCPT time with facts that cannot be known until end-of-DATA time. Postfix
cannot modify the basic constraints of non-quantum causality or the arrow
of time or tell SMTP clients to re-order the fixed command sequence of SMTP.
>
> If you want to make any decisions about a message based on a header, you
must do that with a tool (header_checks, milter, content_filter, or
post-delivery backend) that has access to the message data because it
operates at end-of-DATA or after queueing.
>


Re: Content filter - reinject message back into queue

2019-01-05 Thread Rafael Azevedo
Can the reinjection port be other than 10025?


Re: Content filter - reinject message back into queue

2019-01-05 Thread Matus UHLAR - fantomas

On 05.01.19 08:37, Rafael Azevedo wrote:
> Can the reinjection port be other than 10025?

It can be any port, but it has to be configured not to send mail back
to the filter, so as not to create a loop.

There are other recommended options for such a port, documented in the
filter readme.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
How does cat play with mouse? cat /dev/mouse


Re: How to configure an infinite-retry for relay

2019-01-05 Thread Jan P. Kessler
Hi,

> I have a situation where my primary/final MX server will be down for
> an indefinite period of time, possibly up to a week.  During that time
> I would like to have the secondary MX server to keep every message
> queued, and keep on retrying, without ever "timing out" and without
> sending any "undeliverable" notifications to the sender.

does it really have to be indefinite or would the following setting (on
the 2ndary MX) be sufficient?

 maximal_queue_lifetime = 30d

See http://www.postfix.org/postconf.5.html#maximal_queue_lifetime for
more information.

Cheers, Jan



Re: How to configure an infinite-retry for relay

2019-01-05 Thread Paul Goyette

On Sat, 5 Jan 2019, Jan P. Kessler wrote:

> Hi,
>
>> I have a situation where my primary/final MX server will be down for
>> an indefinite period of time, possibly up to a week.  During that time
>> I would like to have the secondary MX server to keep every message
>> queued, and keep on retrying, without ever "timing out" and without
>> sending any "undeliverable" notifications to the sender.
>
> does it really have to be indefinite or would the following setting (on
> the 2ndary MX) be sufficient?
>
>  maximal_queue_lifetime = 30d
>
> See http://www.postfix.org/postconf.5.html#maximal_queue_lifetime for
> more information.

That looks exactly like what I need.  Thanks for the pointer.



+------------------+--------------------------+----------------------------+
| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:          |
| (Retired)        | FA29 0E3B 35AF E8AE 6651 | paul at whooppee dot com   |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at netbsd dot org |
+------------------+--------------------------+----------------------------+

Re: bypass policy server in recipient_restrictions when subject contains string

2019-01-05 Thread Stefan Bauer
Seems to have no effect for unknown reasons. The policy service is not called.
Tried:

master.cf

tls_whitelist_check unix -       -       n       -       -       smtp
  -o header_checks=
  -o smtp_header_checks=
  -o smtpd_recipient_restrictions=check_policy_service,unix:private/policy
  -o sender_dependent_default_transport_maps=
  -o smtpd_relay_restrictions=

header_checks in main.cf:

/^Subject: .*/  FILTER tls_whitelist_check:

mail.log reports:

Jan  5 14:00:09 mx1 postfix/cleanup[31559]: 3FE0A8062A: filter: header
Subject: test from mail1.remote.tld[1.2.3.4]; from=
to= proto=ESMTP helo=: tls_whitelist_check:

Mail gets delivered, but the policy service is not used/called.

What am I missing?

On Sat, 5 Jan 2019 at 11:05, Stefan Bauer <
cubew...@googlemail.com> wrote:

> Understood. Would it be possible to have header_checks in main.cf that
> send mails with special subject with FILTER to smtp process that did not
> have policy service as option
>
> and all other mails (/.*/)
>
> also with FILTER to smtp process with policy service?
>
> this way i can bypass policy service with special subject.
>
> On Friday, 4 January 2019, Bill Cole <
> postfixlists-070...@billmail.scconsult.com> wrote:
> > On 4 Jan 2019, at 10:36, Stefan Bauer wrote:
> >
> >> Would it be possible to have FILTER as action in policy server
> >
> > Yes, but FILTER behaves as documented in the access(5) man page. The
> first 5 words there describing what FILTER does are critical, but you
> should read it all...
> >
> >> (in
> >> recipient_restrictions) and send it to smtp process that uses
> header_checks
> >> do have mailroute based on subject?
> >
> > There can be NO WAY to exempt a message from policy that would apply at
> RCPT time with facts that cannot be known until end-of-DATA time. Postfix
> cannot modify the basic constraints of non-quantum causality or the arrow
> of time or tell SMTP clients to re-order the fixed command sequence of SMTP.
> >
> > If you want to make any decisions about a message based on a header, you
> must do that with a tool (header_checks, milter, content_filter, or
> post-delivery backend) that has access to the message data because it
> operates at end-of-DATA or after queueing.
> >


Re: policy server, TLS only exceptions and restrictions

2019-01-05 Thread Benny Pedersen

Stefan Bauer wrote on 2019-01-04 14:44:

> master.cf (snippet):
> finance  unix -   -   n   -   -   smtp
>
> smtp_tls_policy_maps=hash:/etc/postfix/tls/finance

add -o before smtp_tls


Re: bypass policy server in recipient_restrictions when subject contains string

2019-01-05 Thread Benny Pedersen

Stefan Bauer wrote on 2019-01-05 14:08:

> tls_whitelist_check unix -       -       n       -       -       smtp
>   -o header_checks=
>   -o smtp_header_checks=
>   -o smtpd_recipient_restrictions=check_policy_service,unix:private/policy
>   -o sender_dependent_default_transport_maps=
>   -o smtpd_relay_restrictions=

smtpd can't be overridden in smtp master.cf :=)

it can, but it has no effect; sorry, can't help more


Re: bypass policy server in recipient_restrictions when subject contains string

2019-01-05 Thread Stefan Bauer
Thank you. That explains it!

On Sat, 5 Jan 2019 at 15:03, Benny Pedersen wrote:

> Stefan Bauer wrote on 2019-01-05 14:08:
>
> > tls_whitelist_check unix -       -       n       -       -       smtp
> >   -o header_checks=
> >   -o smtp_header_checks=
> >   -o smtpd_recipient_restrictions=check_policy_service,unix:private/policy
> >   -o sender_dependent_default_transport_maps=
> >   -o smtpd_relay_restrictions=
>
> smtpd can't be overridden in smtp master.cf :=)
>
> it can, but it has no effect; sorry, can't help more
>


Re: How to configure an infinite-retry for relay

2019-01-05 Thread Benny Pedersen

Jan P. Kessler wrote on 2019-01-05 13:10:

>  maximal_queue_lifetime = 30d

If that time runs out on the backup MX, what should Postfix then do?
Hopefully not make a bounce.


Re: Slowness after upgrading from postfix 2.x to 3.1.8

2019-01-05 Thread Benny Pedersen

Christopher R. Gabriel wrote on 2019-01-04 15:23:

> postfix01 data/spool are on tmpfs.

It's unsafe to use tmpfs for spool dirs in Postfix; tmpfs is okay only
for content filters, not in generic Postfix.


Re: Content filter - reinject message back into queue

2019-01-05 Thread Rafael Azevedo
> it can be any port, but it has to be configured not to send mail back
> to the filter not to create a loop.

this is what I'm trying to figure out: how to re-inject.
I'm reading The Book of Postfix as Viktor suggested. Hope to find some
answers soon.

Thanks!


Re: Content filter - reinject message back into queue

2019-01-05 Thread Viktor Dukhovni
> On Jan 5, 2019, at 11:12 AM, Rafael Azevedo  wrote:
> 
> this is what I'm trying to figure out: how to re-inject.

Working re-injection examples are shown in FILTER_README.
If you don't get too creative with ad-hoc multiple instances
and "postfix -c", they work as documented, but reading the
book should give you a better picture of how the pieces
fit together.  Good luck.

-- 
Viktor.



Re: bypass policy server in recipient_restrictions when subject contains string

2019-01-05 Thread Viktor Dukhovni



> On Jan 5, 2019, at 8:08 AM, Stefan Bauer  wrote:
> 
> tls_whitelist_check unix -       -       n       -       -       smtp
>   -o header_checks=
>   -o smtp_header_checks=
>   -o smtpd_recipient_restrictions=check_policy_service,unix:private/policy
>   -o sender_dependent_default_transport_maps=
>   -o smtpd_relay_restrictions=

Take a look at: http://www.postfix.org/OVERVIEW.html

Once you understand how mail flows through the system, you'll
see why the above is a non-starter.

-- 
Viktor.



SMTP filter using geo-localization

2019-01-05 Thread Philippe - Forums

Hello,

I would like to filter SMTP access using geo-localization.

I have installed geoip-bin on my mailserver.

This tool works like nslookup with an IP (geoiplookup @IP) and gives
geographic information about this IP, especially the country (FR,
DE, ...).

My purpose is to filter IPs outside my country and reject the SMTP connection.

I must write a Linux script in bash (/usr/bin/policyd-geoip).

But I don't know how the script can tell Postfix whether the IP is OK or
KO.

For the Postfix configuration I think that I must do this:

* master.cf:

  policy-geoip unix - n n - 0 spawn
    user=nobody argv=/usr/bin/policyd-geoip

* main.cf:

  check_policy_service unix:private/policy-geoip

If someone can help me with this "project".


--
##

Philippe - Forums


Re: SMTP filter using geo-localization

2019-01-05 Thread Matt Anton
Hello,

A simpler solution would be using a cidr access map from
 that matches the netblocks you allow, in
master.cf for the submission (or smtps, if using the legacy SMTPS service on port
465) service, with smtpd_client_restrictions, e.g.:

Long form, for postfix >= 3.0 only:
-o { smtpd_client_restrictions = permit_mynetworks check_client_access cidr:$config_directory/submission_access.cidr permit_sasl_authenticated reject }

Short form, for postfix < 3.0:
-o smtpd_client_restrictions=permit_mynetworks,check_client_access,cidr:$config_directory/submission_access.cidr,permit_sasl_authenticated,reject

submission_access.cidr map:

 OK
0.0.0.0/0   REJECT Submission not allowed from your country.

Be sure to update submission_access.cidr with a daily cronjob to have
up-to-date netblocks, then reload postfix to use the newly updated cidr map right away.

On 5 Jan 2019, at 22:26, Philippe - Forums wrote:

> Hello,
>
> I would like to filter SMTP access using geo-localization.
>
> I have installed geoip-bin on my mailserver.
>
> This tool works like nslookup with an IP (geoiplookup @IP) and gives
> geographic information about this IP, especially the country (FR, DE, ...).
>
> My purpose is to filter IPs outside my country and reject the SMTP connection.
>
>
> I must write a Linux script in bash (/usr/bin/policyd-geoip).
>
> But I don't know how the script can tell Postfix whether the IP is OK or KO.
>
>
> For the Postfix configuration I think that I must do this:
>
> * master.cf:
>
>   policy-geoip unix - n n - 0 spawn
>     user=nobody argv=/usr/bin/policyd-geoip
>
> * main.cf:
>
>   check_policy_service unix:private/policy-geoip
>
>
> If someone can help me with this "project".
>
>
> -- 
> ##
>
> Philippe - Forums

-- 
matt [at] lv223.org
GPG key ID: 7D91A8CA




Re: SMTP filter using geo-localization

2019-01-05 Thread John Fawcett
On 05/01/2019 22:26, Philippe - Forums wrote:
> Hello,
>
> I would like to filter SMTP access using geo-localization.
>
> I have installed geoip-bin on my mailserver.
>
> This tool works like nslookup with an IP (geoiplookup @IP) and gives
> geographic information about this IP, especially the country (FR,
> DE, ...).
>
> My purpose is to filter IPs outside my country and reject the SMTP connection.
>
>
> I must write a Linux script in bash (/usr/bin/policyd-geoip).
>
> But I don't know how the script can tell Postfix whether the IP is OK or
> KO.
>
>
> For the Postfix configuration I think that I must do this:
>
> * master.cf:
>
>   policy-geoip unix - n n - 0 spawn
>     user=nobody argv=/usr/bin/policyd-geoip
>
> * main.cf:
>
>   check_policy_service unix:private/policy-geoip
>
>
> If someone can help me with this "project".
>
>
>
>
You can find the info and an example policy script here:

http://www.postfix.org/SMTPD_POLICY_README.html

As for return values: "The policy server replies with any action that is
allowed in a Postfix SMTPD access(5) table."
(http://www.postfix.org/access.5.html)

I think you will want to reply with "dunno" for acceptable IPs (so that
the other checks following the check_policy_service restriction are still
done), and with something like "reject" followed by a message such as
"ip not allowed" in the case you want to reject the IP.

John
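To make the reply format concrete, here is a complete policy service in Python that does what John describes: it reads the "name=value" request Postfix sends, answers "action=DUNNO" for clients in an allowed country and "action=REJECT ..." otherwise. This is an added example, not Philippe's script and not code from the Postfix project. It assumes the spawn entry from the thread (so the service talks on stdin/stdout), that the allowed country is FR, and that geoiplookup prints a line of the form "GeoIP Country Edition: FR, France" (geoiplookup6 for IPv6); the offline lookup table uses RFC 5737/RFC 3849 documentation prefixes and is constructed for the example, not real country data.

```python
#!/usr/bin/env python3
"""Postfix SMTPD policy service: reject SMTP clients outside an allow-list
of countries.  Added example for the thread, not Philippe's script.

Protocol (SMTPD_POLICY_README): Postfix sends "name=value" lines ended by
an empty line; the service answers "action=<access(5) action>" followed by
an empty line, and may get several requests on one connection.
"""
import io
import ipaddress
import subprocess
import sys

ALLOWED_COUNTRIES = {"FR"}   # assumption: only French clients are wanted

# Constructed offline table (documentation prefixes, NOT real allocations)
# so the example runs without geoip-bin; production uses geoiplookup_country.
CONSTRUCTED_GEO = {
    ipaddress.ip_network("192.0.2.0/24"): "FR",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("2001:db8::/32"): "FR",
}


def constructed_country(ip):
    """Country code from the constructed table, None if unknown."""
    for net, cc in CONSTRUCTED_GEO.items():
        if ip in net:
            return cc
    return None


def geoiplookup_country(ip):
    """Country code via geoip-bin.  Assumed output format:
    'GeoIP Country Edition: FR, France' (or 'IP Address not found').
    Any failure returns None so the caller can fail open."""
    tool = "geoiplookup6" if ip.version == 6 else "geoiplookup"
    try:
        out = subprocess.run([tool, str(ip)], capture_output=True, text=True,
                             timeout=5, check=False).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    for line in out.splitlines():
        if line.startswith("GeoIP Country Edition:"):
            cc = line.split(":", 1)[1].split(",")[0].strip()
            return cc if len(cc) == 2 and cc.isalpha() else None
    return None


def parse_request(text):
    """One policy request: 'name=value' lines up to the empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, lookup=constructed_country):
    """Map one request to an access(5) action string."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("sasl_username"):            # authenticated users: no geo rule
        return "DUNNO"
    try:
        ip = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:                         # missing/unparseable address
        return "DUNNO"
    if ip.version == 6 and ip.ipv4_mapped:     # ::ffff:a.b.c.d on dual-stack
        ip = ip.ipv4_mapped
    cc = lookup(ip)
    if cc is None or cc in ALLOWED_COUNTRIES:
        # Unknown => fail open: a stale or missing database must not stop
        # all mail.  Allowed => let the remaining restrictions decide.
        return "DUNNO"
    return "REJECT Mail from country %s is not accepted here" % cc


def serve(infile, outfile, lookup=constructed_country):
    """Answer requests on a stream until EOF (what spawn(8) hands us)."""
    pending = []
    for raw in infile:
        line = raw.rstrip("\r\n")
        if line:
            pending.append(line)
            continue
        if pending:
            action = decide(parse_request("\n".join(pending) + "\n"), lookup)
            outfile.write("action=%s\n\n" % action)
            outfile.flush()
            pending = []


def run_on_text(text, lookup=constructed_country):
    """Offline helper: feed a request stream, return the reply stream."""
    out = io.StringIO()
    serve(io.StringIO(text), out, lookup)
    return out.getvalue()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout, lookup=geoiplookup_country)
```

Put the check_policy_service entry after permit_mynetworks (and after permit_sasl_authenticated on the submission service) in the restriction list, so local and authenticated clients are never geo-filtered regardless of what the lookup returns.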



Re: SMTP filter using geo-localization

2019-01-05 Thread Matthew McGehrin

Hello,

Another solution is to use reject_rbl_client. Dnsbl.bit.nl maintains a 
RBL by country code that is updated weekly. GeoIP data is sometimes 
unreliable and can become stale.


See also:

https://noc.bit.nl/dnsbl/ascc/

"This zone contains data regarding the ISO3166 countrycode and BGP 
Autonomous System for any given IPv4 or IPv6 address. Every wednesday, 
RIR allocation statistics are downloaded for the RIPE, ARIN, APNIC, 
LACNIC and AFRINIC regions and this data is combined with a route-dump 
of the default free zone, as seen from AS12859."


IE:

 reject_rbl_client cn.ascc.dnsbl.bit.nl

Jan  5 16:52:42 c3p0 postfix/smtpd[54656]: NOQUEUE: reject: RCPT from 
unknown[223.72.236.134]: 554 5.7.1 Service unavailable; Client host 
[223.72.236.134] blocked using cn.ascc.dnsbl.bit.nl; AS=56048 CC=CN 
URL=http://noc.bit.nl/dnsbl/ / AS=9808 CC=CN 
URL=http://noc.bit.nl/dnsbl/; from= 
to= proto=ESMTP helo=


Matthew

On 1/5/2019 4:15 PM, Matt Anton wrote:

> Hello,
>
> A simpler solution would be using a cidr access map from
>  that matches the netblocks you allow, in
> master.cf for the submission (or smtps, if using the legacy SMTPS service on port 465)
> service, with smtpd_client_restrictions, e.g.:
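To check a country zone by hand before putting it into main.cf, it helps to know which name reject_rbl_client actually resolves. The following is an added example (not from the thread and not Postfix source) that builds that name using the RFC 5782 convention Postfix follows: IPv4 octets reversed, IPv6 expanded to 32 hex nibbles and reversed. The zone pattern is taken from Matthew's message; the strict 127.0.0.0/8 listing check is an addition of this example, since Postfix by default counts any A record as a listing unless the zone is written as zone=d.d.d.d.

```python
import ipaddress

# Added example, not Postfix code: reproduce the DNS query behind
# "reject_rbl_client cn.ascc.dnsbl.bit.nl" from the message above.
COUNTRY_ZONE = "{cc}.ascc.dnsbl.bit.nl"   # zone family from Matthew's message


def rbl_query_name(client_ip, zone):
    """Name reject_rbl_client resolves for client_ip in zone (RFC 5782 form)."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")                   # a.b.c.d -> d.c.b.a
    else:
        labels = list(ip.exploded.replace(":", ""))   # 32 nibbles, reversed
    return ".".join(reversed(labels)) + "." + zone.strip(".")


def country_query_names(client_ip, country_codes):
    """One query name per blocked country code, e.g. for CN and RU."""
    return [rbl_query_name(client_ip, COUNTRY_ZONE.format(cc=cc.lower()))
            for cc in country_codes]


def rbl_listed(answers):
    """Strict RFC 5782 check: a listing answers with an address in
    127.0.0.0/8.  Postfix by default treats any A record as a hit unless
    the zone is given as zone=d.d.d.d, so a resolver that answers every
    name (e.g. a captive portal) would otherwise block all mail."""
    net = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in net for a in answers)
```

Resolving rbl_query_name("223.72.236.134", "cn.ascc.dnsbl.bit.nl") with a plain resolver shows exactly what the smtpd log line above reports for that client.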




Turn off command pipelining for a domain

2019-01-05 Thread Lefteris Tsintjelis
Is there a possible way to turn off command pipelining completely for a 
whole domain based on DNS? The pipelining-firewalling of yahoo.com seems 
to be broken quite often.


Something like:

yahoo.com   pipelining


Re: Turn off command pipelining for a domain

2019-01-05 Thread Benny Pedersen

Lefteris Tsintjelis wrote on 2019-01-06 03:24:

> Is there a possible way to turn off command pipelining completely for
> a whole domain based on DNS? The pipelining-firewalling of yahoo.com
> seems to be broken quite often.
>
> Something like:
>
> yahoo.com   pipelining


no logs, no problem

:)


Re: Turn off command pipelining for a domain

2019-01-05 Thread John Fawcett
On 06/01/2019 03:24, Lefteris Tsintjelis wrote:
> Is there a possible way to turn off command pipelining completely for
> a whole domain based on DNS? The pipelining-firewalling of yahoo.com
> seems to be broken quite often.
>
> Something like:
>
> yahoo.com    pipelining

I think you're looking for

smtp_discard_ehlo_keyword_address_maps if you want to ignore pipelining
offered by remote servers.

smtpd_discard_ehlo_keyword_address_maps and
postscreen_discard_ehlo_keyword_address_maps to not advertise pipelining
for incoming email.

Only thing is that you'll have to specify ip addresses not domain names,
since dns lookups are not available for these maps.

John



Re: Turn off command pipelining for a domain

2019-01-05 Thread Lefteris Tsintjelis

On 6/1/2019 4:48 a.m., John Fawcett wrote:

> Only thing is that you'll have to specify ip addresses not domain names,
> since dns lookups are not available for these maps.


The remote servers of yahoo are mostly the problem. I rarely see this
issue with any other servers, but it usually applies to the whole domain
whenever I see it, possibly because of their broken SMTP firewalls.


Re: [Partially solved] Re: Address rewriting not working

2019-01-05 Thread Celejar
On Fri, 4 Jan 2019 15:20:08 -0500
Viktor Dukhovni  wrote:

> > On Jan 4, 2019, at 2:56 PM, Celejar  wrote:
> > 
> > And I'm using 3.1.8, where the rewriting isn't acceptable to my mail
> > provider, and this feature isn't available ;) So I guess I'm stuck,
> > unless I can upgrade Postfix?
> 
> Your other option, if possible, is to inject email into Postfix
> with the "From:" header already constructed the way you want.
> Postfix only adds "From:" headers when missing.
> 
> You could also use a PCRE REPLACE rule in smtp_header_checks:
> 
>   # Replace some legacy "address (display name)" forms with a
>   # more modern "display name " form.
>   /^From:\s*([^\s<>]+)\s+\(([^"]*)\)\s*$/ REPLACE From: "$2" <$1>

Thanks much - this seems to be working.

> The server that's accepting "From: display name "
> and rejecting "From: address (display name)" is not blameless.
> It should be able to process either form.

Of course. It's just that I have higher expectations of quality open
source software than I do of a commercial mail provider ;)

Thanks again for all the help,

Celejar
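Viktor's REPLACE rule, run against a few constructed header lines so you can see what it rewrites and what it leaves alone. This is an added example, not code from the thread: Python's re module stands in for the PCRE engine behind smtp_header_checks, with re.IGNORECASE set because pcre_table(5) patterns are case-insensitive by default. The sample headers are made up for the example.

```python
import re

# Viktor's rule from the reply above, transcribed from pcre_table(5) syntax
# to Python's re ($1/$2 become \1/\2).  Added example, not from the thread.
LEGACY_FROM = re.compile(r'^From:\s*([^\s<>]+)\s+\(([^"]*)\)\s*$', re.IGNORECASE)
REPLACEMENT = r'From: "\2" <\1>'


def rewrite_from(header_line):
    """Apply the REPLACE rule to one logical header line.

    Only 'From: address (display name)' matches: [^\\s<>]+ refuses an
    address already in angle brackets, and [^"]* refuses a comment that
    contains a double quote, which could not be wrapped in "..." safely.
    Everything else is returned unchanged, as a non-matching rule would."""
    return LEGACY_FROM.sub(REPLACEMENT, header_line)


def rewrite_headers(headers):
    """header_checks run per header line; apply the rule to a whole block."""
    return [rewrite_from(h) for h in headers]
```

The two negated classes are what keep the rule from looping or producing malformed output: a header already in the modern form never matches again, and a comment with an embedded quote is passed through rather than turned into an unbalanced quoted-string.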