[pfx] RFC logs_check
Hi,

Apologies if this is a silly suggestion. I have hunted high and low for a thing that would be simple for someone who is simple. I get the impression from the usual sources such as stackexchange that there is no easy or rather simple answer.

Whilst I have spotted 'spawn' as a possibility of invoking an external script I get the impression that I will fail because I have already failed. Not knowing much it looks like I would have to write my own message handler in python or some other language.

That's well above my intelligence grade so, just an idea...

Would it be possible to have a logs_check thing that might for example contain

unknown
unavailable
user=<>
cyberresilience
binaryedge
censys-scanner.com
shadowserver.org
stretchoid.com
measurement.com
shodan.io

Whereby when Postfix matches the words it would write to a logfile and, if the line includes an IP address, call an external script with that IP address and the associated word so I could immediately drop the IP address into IPTables as a block with a simple script?

I realise stuff like fail2ban is available but when I look at it the wrong way, or in any way, it falls over and it only looks at logfiles every so often and last time I broke my Pi I had to install rsyslog or somesuch to get the logfiles back.

Try not to be nice to me because if you are I will request other stuff for simple minded people such as myself.

Bob

2024-07-21T05:05:05.938615+01:00 soon8M4 postfix/smtpd[13218]: connect from 7858c0f2.tidalcoinage.internet-measurement.com[104.248.203.191]
2024-07-21T05:05:12.065049+01:00 soon8M4 postfix/smtpd[13218]: disconnect from 7858c0f2.tidalcoinage.internet-measurement.com[104.248.203.191] ehlo=1 starttls=1 quit=1 commands=3
2024-07-23T12:38:19.390340+01:00 soon8M4 postfix/smtps/smtpd[18433]: connect from exquisite.monitoring.internet-measurement.com[87.236.176.212]
2024-07-23T12:38:56.352464+01:00 soon8M4 postfix/smtps/smtpd[18433]: disconnect from exquisite.monitoring.internet-measurement.com[87.236.176.212] ehlo=1 quit=1 commands=2
2024-07-23T12:38:57.506055+01:00 soon8M4 postfix/smtps/smtpd[18433]: connect from sweet.monitoring.internet-measurement.com[87.236.176.224]
2024-07-23T12:38:57.526744+01:00 soon8M4 postfix/smtps/smtpd[18433]: SSL_accept error from sweet.monitoring.internet-measurement.com[87.236.176.224]: Connection reset by peer
2024-07-23T12:38:57.527208+01:00 soon8M4 postfix/smtps/smtpd[18433]: lost connection after CONNECT from sweet.monitoring.internet-measurement.com[87.236.176.224]
2024-07-23T12:38:57.527465+01:00 soon8M4 postfix/smtps/smtpd[18433]: disconnect from sweet.monitoring.internet-measurement.com[87.236.176.224] commands=0/0
2024-07-23T12:39:30.556637+01:00 soon8M4 postfix/smtps/smtpd[18433]: connect from valiant.monitoring.internet-measurement.com[87.236.176.228]
2024-07-23T12:39:30.575828+01:00 soon8M4 postfix/smtps/smtpd[18433]: SSL_accept error from valiant.monitoring.internet-measurement.com[87.236.176.228]: lost connection
2024-07-23T12:39:30.576228+01:00 soon8M4 postfix/smtps/smtpd[18433]: lost connection after CONNECT from valiant.monitoring.internet-measurement.com[87.236.176.228]
2024-07-23T12:39:30.576475+01:00 soon8M4 postfix/smtps/smtpd[18433]: disconnect from valiant.monitoring.internet-measurement.com[87.236.176.228] commands=0/0
2024-07-23T12:40:03.610083+01:00 soon8M4 postfix/smtps/smtpd[18433]: connect from special.monitoring.internet-measurement.com[87.236.176.219]
2024-07-23T12:40:03.631712+01:00 soon8M4 postfix/smtps/smtpd[18433]: SSL_accept error from special.monitoring.internet-measurement.com[87.236.176.219]: lost connection
2024-07-23T12:40:03.632105+01:00 soon8M4 postfix/smtps/smtpd[18433]: lost connection after CONNECT from special.monitoring.internet-measurement.com[87.236.176.219]
2024-07-23T12:40:03.632377+01:00 soon8M4 postfix/smtps/smtpd[18433]: disconnect from special.monitoring.internet-measurement.com[87.236.176.219] commands=0/0
2024-07-23T12:40:36.665039+01:00 soon8M4 postfix/smtps/smtpd[18433]: connect from optimistic.monitoring.internet-measurement.com[87.236.176.236]
2024-07-23T12:40:36.666309+01:00 soon8M4 postfix/smtps/smtpd[18433]: SSL_accept error from optimistic.monitoring.internet-measurement.com[87.236.176.236]: -1
2024-07-23T12:40:36.666866+01:00 soon8M4 postfix/smtps/smtpd[18433]: lost connection after CONNECT from optimistic.monitoring.internet-measurement.com[87.236.176.236]
2024-07-23T12:40:36.667064+01:00 soon8M4 postfix/smtps/smtpd[18433]: disconnect from optimistic.monitoring.internet-measurement.com[87.236.176.236] commands=0/0
2024-07-23T12:41:09.725483+01:00 soon8M4 postfix/smtps/smtpd[18433]: connect from talented.monitoring.internet-measurement.com[87.236.176.227]
2024-07-23T12:41:09.744651+01:00 soon8M4 postfix/smtps/smtpd[18433]: SSL_accept error from talented.monitoring.internet-measurement.com[87.236.176.227]: lost connection
2024-07-23T12:41:09.745147+01:00 soon8M4 postfix/smtps/smtpd[18433]: lost connection a
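One way to get the behaviour the post asks for without touching Postfix, as an added example (not code from the post, and not part of Postfix): a Python script, saved as logs_check.py (name assumed), that reads Postfix smtpd log lines from stdin, looks for the trigger words listed above, pulls the client address out of the name[address] token that Postfix logs, and emits an iptables/ip6tables command plus a Postfix cidr: access-table line for each new address. The NEVER_BLOCK networks, the cidr table path and the sample lines using documentation addresses (203.0.113.x, 198.51.100.x, 192.168.x.x, 2001:db8::) are assumptions; the first three sample lines are adapted from the log in the post. The script never runs anything itself: it prints the commands so that a root-owned cron job or wrapper can apply them, which keeps root out of anything Postfix starts.

```python
"""Keyword-driven Postfix log watcher.

Added example, not code from the post or from Postfix. It reads Postfix smtpd
log lines, looks for the trigger words from the post, pulls the client IP out
of the name[address] token that Postfix logs, and turns each new address into
an iptables/ip6tables command plus a line for a Postfix cidr: access table.
It never runs anything as root: it only prints the commands.
"""
import ipaddress
import re
import sys
from typing import Iterable, Iterator, List, NamedTuple, Optional, Tuple, Union

# Trigger words as listed in the post.
TRIGGERS = (
    "unknown", "unavailable", "user=<>", "cyberresilience", "binaryedge",
    "censys-scanner.com", "shadowserver.org", "stretchoid.com",
    "measurement.com", "shodan.io",
)

# Networks that must never be blocked whatever the log says (assumed; make it
# match $mynetworks). A LAN host without reverse DNS is logged as "unknown".
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "192.168.0.0/16")]

# Only smtpd lines carry a remote client; the service may be nested, as in
# postfix/smtps/smtpd[18433] in the posted log.
SMTPD_RE = re.compile(r"\bpostfix(?:/\w+)*/smtpd\[\d+\]: ")
# Postfix logs the client as name[address]; IPv6 appears as [IPv6:...].
# This also matches the [pid] after smtpd, which the address check rejects.
CLIENT_RE = re.compile(r"[^\s\[\]]+\[(?:IPv6:)?(?P<addr>[0-9a-fA-F.:]+)\]")

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class Hit(NamedTuple):
    addr: str      # canonical address text
    trigger: str   # the word that fired
    line: str      # the log line, kept for the audit trail


def client_address(line: str) -> Optional[IPAddress]:
    """Return the first bracketed token in the line that parses as an IP."""
    for m in CLIENT_RE.finditer(line):
        try:
            return ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # e.g. "20001" from smtpd[20001]
    return None


def scan(lines: Iterable[str], triggers=TRIGGERS,
         never_block=NEVER_BLOCK) -> Iterator[Hit]:
    """Yield a Hit for each smtpd line whose client lies outside never_block
    and which contains a trigger word (matched case-insensitively)."""
    for line in lines:
        if not SMTPD_RE.search(line):
            continue
        addr = client_address(line)
        if addr is None or any(addr in net for net in never_block):
            continue
        lowered = line.lower()
        for word in triggers:
            if word.lower() in lowered:
                yield Hit(str(addr), word, line.rstrip("\n"))
                break  # one hit per line is enough


def block_plan(hits: Iterable[Hit]) -> Tuple[List[List[str]], List[str]]:
    """Deduplicate addresses and return (firewall argv lists, cidr table lines).

    -I INPUT puts the rule first so an earlier ACCEPT cannot shadow it. The
    table lines are for check_client_access cidr:/etc/postfix/blocked.cidr
    (assumed path); cidr tables need no postmap.
    """
    commands: List[List[str]] = []
    table: List[str] = []
    seen = set()
    for hit in hits:
        if hit.addr in seen:
            continue
        seen.add(hit.addr)
        tool = "ip6tables" if ":" in hit.addr else "iptables"
        commands.append([tool, "-I", "INPUT", "-s", hit.addr, "-j", "DROP"])
        table.append(f"{hit.addr} REJECT blocked: matched {hit.trigger}")
    return commands, table


# Sample input: first three lines adapted from the log in the post, the rest
# constructed with documentation addresses to exercise the edge cases.
SAMPLE_LOG = [
    "2024-07-21T05:05:05.938615+01:00 soon8M4 postfix/smtpd[13218]: connect from 7858c0f2.tidalcoinage.internet-measurement.com[104.248.203.191]",
    "2024-07-23T12:38:19.390340+01:00 soon8M4 postfix/smtps/smtpd[18433]: connect from exquisite.monitoring.internet-measurement.com[87.236.176.212]",
    "2024-07-23T12:38:56.352464+01:00 soon8M4 postfix/smtps/smtpd[18433]: disconnect from exquisite.monitoring.internet-measurement.com[87.236.176.212] ehlo=1 quit=1 commands=2",
    # constructed: reject line, the [pid] comes before the client address
    "2024-07-23T13:00:00.000000+01:00 soon8M4 postfix/smtpd[20001]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.5]; from=<> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>",
    # constructed: LAN host without reverse DNS, must not be blocked
    "2024-07-23T13:01:00.000000+01:00 soon8M4 postfix/smtpd[20002]: connect from unknown[192.168.1.20]",
    # constructed: ordinary client, no trigger word
    "2024-07-23T13:01:30.000000+01:00 soon8M4 postfix/smtpd[20003]: connect from mail.example.org[198.51.100.7]",
    # constructed: IPv6 client
    "2024-07-23T13:02:00.000000+01:00 soon8M4 postfix/smtpd[20004]: lost connection after CONNECT from unknown[IPv6:2001:db8::2]",
    # constructed: not an smtpd line, so the "unknown" here must be ignored
    "2024-07-23T13:03:00.000000+01:00 soon8M4 postfix/qmgr[1234]: 5B3C1A2: from=<unknown@example.net>, size=2048, nrcpt=1 (queue active)",
]


def main() -> None:
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    commands, table = block_plan(scan(source))
    for argv in commands:          # firewall commands on stdout
        print(" ".join(argv))
    for entry in table:            # cidr table lines on stderr
        print(entry, file=sys.stderr)


if __name__ == "__main__":
    main()
```

Run it as `python3 logs_check.py < /var/log/mail.log > block.sh 2> blocked.cidr`, review both files, then `sudo sh block.sh`. The cidr lines go into the file named in main.cf as `smtpd_client_restrictions = check_client_access cidr:/etc/postfix/blocked.cidr, ...` (no postmap needed; run `postfix reload` so that running smtpd processes are replaced and pick up the change). The "unknown" trigger also catches legitimate senders without reverse DNS, which is why NEVER_BLOCK exists and why the output deserves a look before it is applied; for more than a handful of addresses an ipset is cheaper than one INPUT rule per address.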
[pfx] Re: RFC logs_check
Yo! Thanks for the suggestion and the links. Unfortunately, as per https://fail2ban.readthedocs.io/en/latest/filters.html and my previous moan, Fail2Ban is retro-active and tries to deal with all of the everything...

https://fail2ban.readthedocs.io/en/latest/filters.html#developing-filters

and if someone decides that my operating system does not need logfiles, perhaps to save write wear on my Micro SD, it would be a bit lost.

As I have suggested I am more than thick so having tried Fail2Ban a couple of times I gave up. Mea Culpa.

In part I suppose that's why I used RFC in the title because if Postfix is Postfix and considers something like this other mail server implementations might think "that's a good idea" or I am a nutter.

I am at the level where I don't understand header_checks but can reject so I don't end up with stuff in my inbox but even header_checks appears to have an extended language of its own that is beyond me...

Prototype

/hotmail/ REJECT "Shove Your SEO/APP Spam" EXCEPT /mywife,mykid,hmrc/

I guess I am saying that I am simple and don't need to deal with SuperUser stuff including having to install other stuff that has to take my guess as to what it is dealing with in a differently weird way.

Bob

On Wed, 2024-07-24 at 00:05 +0200, r.barc...@habmalnefrage.de wrote:
> Hi,
>
> You could use a custom Fail2Ban regular expression to ban IP addresses that cause Postfix log entries containing certain domain names.
>
> See
> https://en.wikipedia.org/wiki/Fail2ban
> https://fail2ban.readthedocs.io/en/latest/filters.html
>
> Yours,
> Reg
>
> > Sent: Tuesday, 23 July 2024 at 23:14
> > From: "Bob via Postfix-users"
> > To: postfix-users@postfix.org
> > Subject: [pfx] RFC logs_check
> >
> > Hi,
> >
> > Apologies if this is a silly suggestion. I have hunted high and low for a thing that would be simple for someone who is simple. I get the impression from the usual sources such as stackexchange that there is no easy or rather simple answer.
> >
> > Whilst I have spotted 'spawn' as a possibility of invoking an external script I get the impression that I will fail because I have already failed. Not knowing much it looks like I would have to write my own message handler in python or some other language.
> >
> > That's well above my intelligence grade so, just an idea...
> >
> > Would it be possible to have a logs_check thing that might for example contain
> >
> > unknown
> > unavailable
> > user=<>
> > cyberresilience
> > binaryedge
> > censys-scanner.com
> > shadowserver.org
> > stretchoid.com
> > measurement.com
> > shodan.io
> >
> > Whereby when Postfix matches the words it would write to a logfile and, if the line includes an IP address, call an external script with that IP address and the associated word so I could immediately drop the IP address into IPTables as a block with a simple script?
> >
> > I realise stuff like fail2ban is available but when I look at it the wrong way, or in any way, it falls over and it only looks at logfiles every so often and last time I broke my Pi I had to install rsyslog or somesuch to get the logfiles back.
> >
> > Try not to be nice to me because if you are I will request other stuff for simple minded people such as myself.
> >
> > Bob
> >
> > ___
> > Postfix-users mailing list -- postfix-users@postfix.org
> > To unsubscribe send an email to postfix-users-le...@postfix.org
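For the header_checks prototype in the post above, an added illustration (not something from the post or from Postfix's own examples): pcre and regexp tables have no EXCEPT clause, but a lookup stops at the first line whose pattern matches, so the exceptions are written first with a DUNNO action and the catch-all REJECT after them. The names and the reject text are the placeholders from the post; anchoring on From: is an assumption, since a bare /hotmail/ would also fire on a Received: or To: header line.

```text
# /etc/postfix/header_checks   (main.cf: header_checks = pcre:/etc/postfix/header_checks)
# Lookup order is file order and the first match wins, so the exceptions go first.
# DUNNO means "treat this line as not matched and carry on".
/^From:.*(mywife|mykid|hmrc)/   DUNNO
# Everything else claiming to be from hotmail is refused; the text after REJECT
# is what the sender sees in the 5XX reply and what ends up in the log.
/^From:.*hotmail/               REJECT Shove Your SEO/APP Spam
```

Check a table line without sending mail: `postmap -q "From: mykid@hotmail.com" pcre:/etc/postfix/header_checks` prints DUNNO, and the same query with an unlisted address prints the REJECT line. Each header line is tested on its own, so an exception only protects the line it appears on; that is why the name and the domain sit in one From: pattern rather than in two unrelated ones.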
[pfx] Re: RFC logs_check
I know of such things but I am not sure that they are the solution to my problem in as much as they are lists of known spammers. Other than the Hotmail SEO/APP Cretins I have, fingers crossed, only suffered from two persistent idiots that are rejected in headers_check. Not that any of them pay attention to the rejects.

I'm not sure that such services would deal with port scanners and even if they did such irritants would ignore and rotate their IP addresses. I want "Kill on Sight".

Fastest way to me would be Postfix says it logged a connection from fluffy.cuddly.port.raping.internet-measurement.com, calls my script with the IP address and they get stuffed up IPTables.

Bob

On Tue, 2024-07-23 at 23:13 +0100, Gilgongo wrote:
> Although most if not all of the IP addresses in that log are in blocking lists - have you tried using some RBLs as an easy solution? For example in main.cf:
>
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     ... etc.
>     reject_rbl_client zen.spamhaus.org
>     reject_rbl_client bl.spamcop.net
[pfx] Re: RFC logs_check
Thanks for the reply. There are some words here,

https://unix.stackexchange.com/questions/179477/how-does-fail2ban-detect-the-time-of-an-intrusion-attempt-if-the-log-files-dont

which suggest that Fail2Ban is continuously scanning logfiles for changes unless you install Gamin which is some sort of helper program that appears to get a Kernel notification in the event something is written to the logfile.

Now I have to install Fail2Ban and Gamin and work out how to use them in anger. OK, perhaps I moan too much but things are escalating in complexity whereas if I had my way Postfix could directly notify my simple script rather than going around these additional houses. Miss out the middle men.

Bob

On Wed, 2024-07-24 at 14:11 +0200, Jaroslaw Rafa via Postfix-users wrote:
> On 24.07.2024 at 00:14:51 Bob via Postfix-users wrote:
> > I want "Kill on Sight".
> >
> > Fastest way to me would be Postfix says it logged a connection from fluffy.cuddly.port.raping.internet-measurement.com calls my script with the IP address and they get stuffed up IPTables.
>
> Despite what you say about your unsuccessful attempts with fail2ban, it seems the best tool for the job. It's the whole idea of fail2ban anyway - if "SOMETHING" appears in the logfile "SOME" number of times (which can be 1), then stuff the IP address into iptables for blocking.
>
> AFAIK, fail2ban uses inotify mechanism to monitor log files, so it detects changes in logfiles immediately and not retroactively as you stated. So at the moment when Postfix logs connection from "fluffy.cuddly.port.raping.internet-measurement.com" ;), fail2ban can block it. It's all the matter of writing proper rules for fail2ban.
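What the fail2ban suggestion in the reply above looks like in practice, as an added example (not from the post and not one of fail2ban's stock filters): a filter that fires on the posted smtpd lines when the client name contains one of the scanner domains from the first post or is "unknown", and a jail that bans on the first hit. File names, paths, ban times and the ignoreip ranges are assumptions; the `_daemon` pattern copies the shape used by fail2ban's own postfix filter so that both postfix/smtpd and postfix/smtps/smtpd match. Test it against the real log with `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-scanners.conf` before enabling the jail.

```ini
# /etc/fail2ban/filter.d/postfix-scanners.conf   (added example; paths assumed)
[INCLUDES]
before = common.conf

[Definition]
# Same daemon shape as fail2ban's stock postfix filter, so it matches both
# postfix/smtpd[pid] and postfix/smtps/smtpd[pid] from the posted log.
_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?

# Scanner domains from the first post; "unknown" is what Postfix logs when
# the client has no reverse DNS, so expect false positives from that one.
_bad = internet-measurement\.com|censys-scanner\.com|shadowserver\.org|stretchoid\.com|shodan\.io

# One hit per connect/disconnect/reject line. Postfix logs IPv6 as [IPv6:...].
failregex = ^%(__prefix_line)s(?:connect from|disconnect from|lost connection after \w+ from|SSL_accept error from|NOQUEUE: reject: RCPT from) (?:\S*(?:%(_bad)s)|unknown)\[(?:IPv6:)?<HOST>\]

ignoreregex =

[Init]
# Only used when the jail has backend = systemd (no rsyslog needed). Debian
# names the unit postfix@-.service; adjust for other distributions.
journalmatch = _SYSTEMD_UNIT=postfix@-.service

# /etc/fail2ban/jail.d/postfix-scanners.local   (separate file)
[postfix-scanners]
enabled  = true
filter   = postfix-scanners
port     = smtp,465,submission
logpath  = /var/log/mail.log
# auto tries pyinotify, then gamin, then polling; set systemd to read the
# journal instead of a log file.
backend  = auto
# Never ban the LAN or the host itself, even for "unknown" (assumed ranges).
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/16
# Ban on the first matching line, for a week.
maxretry = 1
findtime = 86400
bantime  = 604800
```

With `backend = auto` and pyinotify installed, fail2ban is woken by the kernel when the log file grows, so the ban follows the log line rather than a polling interval; with `backend = systemd` the journal is read directly, which removes the dependency on rsyslog that the earlier post ran into.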
[pfx] Re: RFC logs_check
As a further ramble headers_checks, a line in mine, looks like this

/ional.co.uk/ REJECT No Spam Please.

At the same time that Postfix triggers on the match it must know the IP address that was associated with the trigger. Instead of the above...

/ional.co.uk/ REJECT No Spam Please. ACTION iptables -A INPUT -s "$i" -j DROP

No need for an external script.

Bob

On Wed, 2024-07-24 at 13:26 +0100, Bob via Postfix-users wrote:
> Thanks for the reply.
[pfx] Re: RFC logs_check
Oooops. Also applies to me :)

Bob

On Wed, 2024-07-24 at 14:51 +0200, Matus UHLAR - fantomas via Postfix-users wrote:
> This article is 9 years old and apparently some parts of it are obsolete...
[pfx] Re: RFC logs_check
I get it might be a bit flaky from a security perspective and should come with warnings but it is my box.

As an aside the contents of my /etc/postfix directory are owned by root so I assume Postfix needs root privileges to access them. That seems like it's already halfway down that particular rabbit tunnel.

Bob

On Wed, 2024-07-24 at 09:29 -0400, Wietse Venema via Postfix-users wrote:
> Running commands as root from a Postfix daemon process?
> Why didn't I think of doing that 25 years ago.
[pfx] Re: RFC logs_check
Yes. It was just an example. However many of these uninvited warts don't publish such information and I have no doubt that they periodically roll addresses. No I am not going to send them an e-mail so they can pretend to go away.

The rest of my logs are stuffed with "user<>" and "unknown" or "does not resolve to" so they can get in the sea as well.

Bob

On Wed, 2024-07-24 at 14:23 +0100, Allen Coates via Postfix-users wrote:
> These particular guys can be killed using two net-block entries on IPv4 (and seven on IPv6) - worth putting in manually
[pfx] Re: RFC logs_check
Not sure when it happened but when I had to reinstall it on my Pi the Pi was missing, ISTR, rsyslog so it was not the fault of Postfix. I just had to put rsyslog back in and logging was back to normal.

Your link has the glimmer of a plan but would I not be back to having to periodically scan stdout, a file, to check for changes needing action?

Bob

On Wed, 2024-07-24 at 09:53 -0400, Wietse Venema via Postfix-users wrote:
> Gary R. Schmidt via Postfix-users:
> > I'm sure postfix can be configured to use normal log files, or is that something that has to be made available at build-time?
>
> https://www.postfix.org/MAILLOG_README.html
>
> Available with Postfix version 3.4 or later. This includes logging to stdout while running in a container.
>
> Wietse
[pfx] Re: RFC logs_check
Thanks... Toddles off to read about PostScreen

"Wietse expects that the zombie problem will get worse before things improve, if ever."

Waves. Sorry if I am being irritating.

Bob

On Thu, 2024-07-25 at 00:12 +1000, Gary R. Schmidt via Postfix-users wrote:
> This is exactly what postscreen - which is part of postfix - and fail2ban were developed to handle.
[pfx] Re: RFC logs_check
Apologies if my random ignorance has been a bit much. Thanks for taking the time to look at the possibilities and also discuss them with added words for me to look in to.

The mention of Policy Servers and Milters along with the information that is supplied to them by Postfix causes me to come up with another brain fart.

Having put my foot in it by suggesting that Postfix might make calls to external functions requiring root access, in particular IPTables, what if Postfix had its own version of IPtables. I could have a logs_check containing keywords. Postfix would check those trigger words and log the triggering IPs to its own file. Then, when the IP tried to connect again, it could immediately drop the connection.

No doubt there will be security problems with that idea but the local file would be much simpler for the user to deal with particularly in terms of editing and maintenance. I know it makes me sound lazy, I am, but IPTables is a whole new thing to learn in and of itself.

My problem with Policy Servers and Milters is that I am painfully thick and would not be able to begin to write anything meaningful.

As others have mentioned I have bodged together my own script that parses the log files looking for matches and blocking miscreants via IPTables. At the moment, I have time on my hands, I run it by hand but I could cron it.

Again thanks for having the conversation but for now I shall leave you alone and watch from the sidelines.

Best

Bob

On Wed, 2024-07-24 at 19:57 -0400, Wietse Venema via Postfix-users wrote:
> postfix--- via Postfix-users:
> > what's the main difference between a policy server and a milter?
> >
> > Policy Server:
> > - Coded quickly in scripting language
> > - Lightweight, simple, and fast to setup
> > - Is only provided limited header information by postfix for evaluating
>
> No headers or body. Supports complex conditions on helo, client, recipient, and other envelope information.
>
> Example: postfwd, https://www.postfwd.org/
>
> > Milter:
> > - More complicated to setup and code
> > - Has access to the entire email (Headers, body, attachments)
> > - More robust for large volumes of email
>
> Supports complex conditions on envelope (helo, client, recipient, etc.) and message content.
>
> Example: milter-regex, https://www.benzedrine.ch/milter-regex.html
>
> Wietse
[pfx] Re: RFC logs_check
I should pay more attention to which e-mail address I am using to instill confidence.

Bob

On Thu, 2024-07-25 at 20:31 +0100, Keith wrote:
> On Thu, 2024-07-25 at 13:07 -0400, Wietse Venema via Postfix-users wrote:
> > Bob via Postfix-users:
> > > Having put my foot in it by suggesting that Postfix might make calls to external functions requiring root access, in particular IPTables, what if Postfix had its own version of IPtables.
> >
> > It was decided long ago that Postfix will be extensible with different tools from different manufacturers, allowing the system administrator to choose the best tool for the job. This approach reflects that the initial market was organizations, and that the initial audience was system administrators.
> >
> > Michael W. Lucas recently wrote a book for individuals who wish to "run your own mail server". It covers a wide range of topics, and I think it lowers the barrier for entrance (despite the claim that it is for the hard-core Unix sysadmin, by a fellow hard-core sysadmin).
> >
> > Wietse
>
> OK... perhaps it is best to ignore me on this one but last time I programmed in anger, meaning I may have bodged it, I used Borland Pascal to interface a bunch of production test equipment for testing loudspeakers I designed to some IBM clones. C was suggested but I was MEH. These days I am also rubbish in Lazarus.
>
> Later on I got an NVQ in C, which was mostly Visual Basic and some train shunting problem. Also in the dim and distant past I had a play with assembler on a placement. The engine management system printer interface was broken.
>
> I assure you that the rest of my CV is similarly unimpressive.
>
> https://github.com/vdukhovni/postfix
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/anvil/anvil.c
>
> If you are interested and I do not subsequently break your head can I ask some questions as to how to find snippets of your code that might do things related to those questions so I can fail to make sense of them and rob them to try and implement a/my thing?
>
> You can make a strong guess that I will need nursemaiding to get up and running but either I have to install all/some of the Hardcore Unix add ons and work out how to use them or just go to the source and bend it.
>
> When the pain becomes too much tell me to get lost. You can do that now.
>
> Your starter for 5 is the only time I have ever cloned something from Git was Mastodon and whilst I was following the instructions (copy and paste), it fell over multiple times and then said, two hours later, it did not have enough memory. Mastodon is, apparently, infected by Linux Geeks.
>
> Oh. Someone said they did not understand what I was trying to say. That's kool. I know I do it and the excuse/reason is that I have an Attachment Deficit Disorder so, at best, my social skills are a bit broken along with my communication skills.
>
> Bob
[pfx] Re: connect to pgsql server could not translate host name
On Sun, 2024-07-28 at 11:00 +, Laura Smith via Postfix-users wrote:
> I know you're desperately trying to finger point elsewhere but I'm pretty sure you are barking up the wrong tree. Everything else works, apart from postfix.

At the risk of demonstrating my level of thick I have seen similar messages about "Temporary failure in name resolution" which, at a guess, happen on something like when Postfix is checking that the IP address resolves to the name it claims to be from.

I'm assuming that if the DNS does not return an answer quickly enough for whatever reason Postfix logs a name resolution error and carries on its merry way.

Perhaps slow DNS, but the rest of your stuff is fast enough, or a delay somewhere in Postfix, could be doing something else, or Postfix not waiting long enough to get an answer.

Sorry. Ignorance results in me making stuff up.

Bob