[pfx] Re: FYI: SORBS Closing announcement from the mailop list.

2024-06-05 Thread Gilgongo via Postfix-users
Hi Viktor,

I'm not questioning the veracity of this, but equally I'm not sure I can
justify turning off one of our more important RBLs just on the strength of
an email on this list.

It would be good to have something from Proofpoint about the closure to
refer to if possible. Google isn't coming up with any other information
about it. Are you able to get back to Michelle to ask her?

Thanks.



On Wed, 5 Jun 2024 at 08:48, Peter via Postfix-users <
postfix-users@postfix.org> wrote:

> On 5/06/24 19:23, Peter via Postfix-users wrote:
> > On 5/06/24 16:20, Viktor Dukhovni via Postfix-users wrote:
> >> Original text:
> >
> > Is there a link to the announcement online?
>
> I see it's from the mailop list which, unfortunately has the archives
> set private so it doesn't help me to be able to link to the original post.
>
>
> Peter
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Sanity check/suggestions appreciated

2024-06-10 Thread Gilgongo via Postfix-users
Hi - I've got a small mail server (~50 users) and our Postfix (3.6.4)
config is pretty old and confusing, and may not be doing things we want. So
I'd like to re-jig it. Here's how I think I'd like to have it:

1. Incoming mail (not from $mynetworks or sasl auth): RBL, SPF/DKIM
verification and SA (and maybe DMARC as not doing so currently).

2. Mail originating from $mynetworks and also from sasl-auth clients: DKIM
signing, SA, Rate/IP limiting (and maybe RBL checks? Not sure).

I think I can do that by having all our "global" settings in main.cf

https://pastebin.com/VKfNW0hu

and then specifying various extra bits and overrides in master.cf:

https://pastebin.com/Qcpt29PV

BTW I'm using a script (policyd.pl) that does weighted scoring for RBLs (as
well as SPF), which I'd prefer rather than doing that with Postfix directly.

I've put a couple of questions in as comments in the configs - any
thoughts/suggestions very much appreciated! :-)

Jonathan


[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Gilgongo via Postfix-users
On Mon, 10 Jun 2024, 12:37 pm Jeff Peng via Postfix-users, <
postfix-users@postfix.org> wrote:

> why not postscreen for this purpose?
>

Thanks - I thought about postscreen, but wasn't sure if it would be
overkill for such a small server? Could look again though.


[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Gilgongo via Postfix-users
On Mon, 10 Jun 2024 at 12:58, Matus UHLAR - fantomas via Postfix-users <
postfix-users@postfix.org> wrote:

>
> 3.
> smtpd_recipient_restrictions = permit_mx_backup
>
> avoid this whenever possible. Or at least define permit_mx_backup_networks
>
>
Thanks - I forgot to ask about this. Am I right in saying that the
relay_domains configuration will take care of secondary MX relaying (if
that's what permit_mx_backup was originally for?), and I can remove
permit_mx_backup?


[pfx] Re: Sanity check/suggestions appreciated

2024-06-11 Thread Gilgongo via Postfix-users
On Tue, 11 Jun 2024 at 05:17, Noel Jones via Postfix-users <
postfix-users@postfix.org> wrote:

> You should remove permit_mx_backup.
>
> This feature is intended for ISP-scale users that may not have a
> complete list of domains that use their server as a backup MX. In
> this case, permit_mx_backup_networks would define the ISP's customer
> network space.
>
>
I've just tried that, but the mail queue filled up with double-bounce
messages being sent to postmaster. This is partly the reason why I'd like
to sort out my configs, as there's clearly some stuff going on that I don't
understand.

BTW in the meantime, if I add this (where mx2.mydomain.com is our secondary
MX hostname), I take it that would be a good idea:

permit_mx_backup_networks = $mynetworks mx2.mydomain.com

or is there a way of replacing address verification (if that's what is
going on) with something better?

Thanks for your help BTW.


[pfx] Re: Sanity check/suggestions appreciated

2024-06-11 Thread Gilgongo via Postfix-users
On Tue, 11 Jun 2024 at 10:36, Matus UHLAR - fantomas via Postfix-users <
postfix-users@postfix.org> wrote:

>
> >BTW in the meantime, if I add this (where mx2.mydomain.com is our secondary
> >MX hostname), I take it that would be a good idea:
> >
> >permit_mx_backup_networks = $mynetworks mx2.mydomain.com
>
> no, these are IP addresses or ranges, not hostnames.
> have you added those domains to relay_domains?
>

OK so I assume I can use the IP address of the primary and secondary MX
servers, since all our domains are hosted on those IPs.

All the domains are in relay_domains, yes (the current setup we have has
been running fine for many years: https://pastebin.com/S2q1fvaB and
https://pastebin.com/MmWvZaVQ - I'm just wanting to bring it more up to
date).


>
> To answer your previous question: yes, relay_domains is the list of
> domains your server is supposed to provide backup MX for, independently
> of the permit_mx_backup and permit_mx_backup_networks setting.
>
>
Thanks, but if that's the case what I don't understand is why the mail
queue filled up with double-bounce messages to postmaster when I tried
removing permit_mx_backup from the config. It seems that mx_backup is
somehow necessary for our normal operation.


[pfx] Re: Sanity check/suggestions appreciated

2024-06-11 Thread Gilgongo via Postfix-users
On Tue, 11 Jun 2024 at 11:52, Matus UHLAR - fantomas via Postfix-users <
postfix-users@postfix.org> wrote:

> On 11.06.24 11:02, Gilgongo via Postfix-users wrote:
> >OK so I assume I can use the IP address of the primary and secondary MX
> >servers, since all our domains are hosted on those IPs.
>
> It would make sense to use permit_mx_backup on secondary MX server and
> setting the permit_mx_backup_networks to IP of primary server.
>
> That way, you don't have to list domains pointing to primary MX, but your
> server still accepts mail for anyone who lists your servers as MX, even if
> your primary MX does not accept it (address verification would help)
>

Thanks, I'll try that.


> I only see there:
>
> relay_domains = $mydestination
>
> which makes little sense, because this way you would only relay for
> - domains that are local (and thus not relayed)
> - their subdomains (due to parent_domain_matches_subdomains setting)
>

I think because $mydestination (further down the config file) includes
"/etc/postfix/localdomains" (containing a list of the domains we relay
for), then that works? This is an example of one of the reasons why I
wanted to sort out some confusions in the config...


> Since I don't see any of those  double bounces, I can only guess it's a
> symptom of other problem:
>
> myhostname = mx0.domain.org.uk
> myorigin = $mydomain
> mydestination = $myhostname, alice.$mydomain, localhost.$mydomain,
> localhost, /etc/postfix/localdomains
>
> I can guess your server sends mail from "domain.org.uk" but can't process
> those.
>
>
Not sure. The domain is listed in the "localdomains" file though.

But this is all clearly rather mysterious. I think it may be necessary to
hire some professional help, rather than trying to debug it on the mailing
list.

If anyone reading this would like to take this on, feel free to mail me off
list.

Jonathan


[pfx] Re: Sanity check/suggestions appreciated

2024-06-11 Thread Gilgongo via Postfix-users
On Tue, 11 Jun 2024 at 16:14, Noel Jones via Postfix-users <
postfix-users@postfix.org> wrote:

> If you need permit_mx_backup, that means postfix doesn't have a
> clear idea of domains it is responsible for.
>
> Please read and study:
> http://www.postfix.org/BASIC_CONFIGURATION_README.html
>
> mydestination should contain domains that are delivered locally by
> postfix on the same machine.
>
> relay_domains should contain a list of all domains that are passed
> further downstream for final delivery outside of "this" postfix,
> such as to another process on the same server, or to a different server.
>
> It shouldn't be that hard to tell postfix what domains it is
> responsible for.
>
>
Apologies - I've confused the conversation with my question about
permit_mx_backup.

The server has been working with its present configuration using
permit_mx_backup for almost a decade (and keeping out of RBLs, etc. in that
time). I don't doubt there are some suboptimal things going on in the
configs, but I'd rather not tinker with them.

What I understand is that in my proposed *new* (and untested, hence my
posting here) configuration https://pastebin.com/2X8gqVVq -
permit_mx_backup isn't going to be needed.

Further, I think I should look at de-duplicating the smtpd configs in
master.cf as suggested, and also look at using postscreen.

That said, I think I'll enlist some professional help in all this, as
debugging the details on the mailing list seems rather more tricky than I'd
expected :-)


[pfx] Re: Help with reject_sender_login_mismatch

2024-06-18 Thread Gilgongo via Postfix-users
On Tue, 18 Jun 2024 at 08:31, Jeff Peng via Postfix-users <
postfix-users@postfix.org> wrote:

> Hello,
>
> I have this section in master.cf:
>
> smtps inet  n   -   y   -   -   smtpd
>   -o syslog_name=postfix/smtps
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sender_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch,reject
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject


I think all you need is:

-o smtpd_sender_restrictions=reject_sender_login_mismatch

Right now you're letting sasl-auth clients in without that check since
postfix evaluates left to right.

(By chance I was just looking at this when I saw your mail:
https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/
)


[pfx] Re: Help with reject_sender_login_mismatch

2024-06-18 Thread Gilgongo via Postfix-users
On Tue, 18 Jun 2024 at 08:55, Jeff Peng  wrote:

> I did try this line (with just one value,
> reject_sender_login_mismatch).
> But then I can't even send mail from the valid user (the user who logs in
> to RC).
>

Oh, sorry I didn't see you weren't using smtpd_sender_login_maps. I'm
pretty sure you'll need that to list the allowed logins (and/or their
aliases if needed). See https://www.postfix.org/postconf.5.html for how
that works.
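The left-to-right point made in the two replies above, as an added example (it is not from either post and not Postfix's own code): a small Python model of how smtpd walks a restriction list and of what reject_sender_login_mismatch consults in smtpd_sender_login_maps. The map contents, login names and addresses are constructed for the example.

```python
"""Model of how Postfix smtpd walks a restriction list left to right, added to
show why permit_sasl_authenticated placed before reject_sender_login_mismatch
makes the login/sender check unreachable.  Not Postfix code; the map, logins
and addresses are constructed for the example."""

# Constructed stand-in for smtpd_sender_login_maps:
# MAIL FROM address -> set of SASL login names that own it.
SENDER_LOGIN_MAP = {
    "alice@example.com": {"alice"},
    "shared@example.com": {"alice", "bob"},
}


def permit_sasl_authenticated(session, login_map):
    # Permits as soon as the client has authenticated; nothing else is looked at.
    return "OK" if session.get("login") else "DUNNO"


def reject_sender_login_mismatch(session, login_map):
    # Follows the postconf(5) description: reject when the MAIL FROM address has
    # owners but the client is not logged in as one of them, and reject when the
    # client is logged in but does not own the MAIL FROM address.
    owners = login_map.get(session["sender"].lower(), set())
    login = session.get("login")
    if owners and login not in owners:
        return "REJECT"
    if login and login not in owners:
        return "REJECT"
    return "DUNNO"


def reject(session, login_map):
    return "REJECT"


RESTRICTIONS = {
    "permit_sasl_authenticated": permit_sasl_authenticated,
    "reject_sender_login_mismatch": reject_sender_login_mismatch,
    "reject": reject,
}


def evaluate(restriction_list, session, login_map=SENDER_LOGIN_MAP):
    """Apply the restrictions in order; the first OK or REJECT decides and the
    rest are never consulted.  DUNNO falls through to the next restriction."""
    for name in restriction_list:
        verdict = RESTRICTIONS[name](session, login_map)
        if verdict != "DUNNO":
            return verdict
    return "DUNNO"


# The order in the quoted master.cf, and the order with the check in front.
QUOTED_ORDER = ["permit_sasl_authenticated", "reject_sender_login_mismatch", "reject"]
CHECK_FIRST = ["reject_sender_login_mismatch", "permit_sasl_authenticated", "reject"]

if __name__ == "__main__":
    bob_as_alice = {"login": "bob", "sender": "alice@example.com"}
    print(evaluate(QUOTED_ORDER, bob_as_alice))  # OK: the mismatch check never runs
    print(evaluate(CHECK_FIRST, bob_as_alice))   # REJECT
    # With no sender login map at all, every authenticated sender is rejected.
    print(evaluate(CHECK_FIRST, {"login": "alice", "sender": "alice@example.com"}, {}))
```

The last call in the main block reproduces what the second post runs into: with an empty sender login map the check rejects every authenticated sender, which is why the map has to list the allowed logins (and their aliases). The model covers one restriction list only; in Postfix the other lists still apply to the same request.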


[pfx] Re: Best practices?

2024-06-18 Thread Gilgongo via Postfix-users
On Wed, 19 Jun 2024 at 03:57, Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

> On Tue, Jun 18, 2024 at 04:15:33PM -0500, Cody Millard via Postfix-users
> wrote:
>
> > The defaults for those settings, as far as postfix is concerned, are as
> > follows:
> >
> > smtpd_tls_auth_only = no
>
> Why? Surely, "yes" is the better choice...


You need to set this to "yes" if you plan to have accounts sending mail out
through your mail server. Because that's potentially a security risk,
Postfix doesn't set this to "yes" by default.

As to smtpd_tls_security_level, you are right that (for port 25 smtp) it is
better as "may", but the reason the default is none is that you will need
to set up TLS certificate first, which isn't in the scope of what Postfix
does. So that's why it sets none as the default.


[pfx] Re: SPF hostname and domainname

2024-06-20 Thread Gilgongo via Postfix-users
On Thu, 20 Jun 2024, 2:01 pm Emmanuel Seyman via Postfix-users, <
postfix-users@postfix.org> wrote:

>
> So there's a confusion between the hostname of the mailer and the
> domain to be used for the SPF check. Is anybody else seeing this ?
>

Yes, I had to recently add an "a:" record to an SPF (for the sending
hostname) as I was seeing some of these I think.


[pfx] Using postfwd for sasl auth clients only?

2024-06-27 Thread Gilgongo via Postfix-users
I have some simple postfwd rules that count the number of emails being sent
per hour/day  per sasl account (and reject once a limit is reached).

I'm not sure how best to implement that though, Should I just have the
following in master.cf? So if an account sent a CC to [n] addresses, the
rules would be evaluated [n] times?

submission inet  n   -   n   -   -   smtpd
  ... current configs here...
  -o { smtpd_recipient_restrictions =
       check_policy_service inet:127.0.0.1:10040
       permit_sasl_authenticated
     }

Thanks for any help.

Jonathan
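To make the "evaluated [n] times" question concrete, an added example that is neither postfwd's nor Postfix's code: a Python model of the SMTP access policy protocol with a per-SASL-login counter, driven once per RCPT TO (which is what a check_policy_service entry in smtpd_recipient_restrictions receives) and once per message at END-OF-MESSAGE (what the same entry would receive in smtpd_end_of_data_restrictions, where the request carries recipient_count). The requests, login names and limits are constructed.

```python
"""Model of the Postfix SMTP access policy protocol with a per-SASL-login send
counter, added to show what "evaluated [n] times" means: in
smtpd_recipient_restrictions a policy service is asked once per RCPT TO, while
in smtpd_end_of_data_restrictions it is asked once per message and the request
carries recipient_count.  Not postfwd or Postfix code; requests are constructed."""

import time
from collections import defaultdict, deque


def parse_policy_request(raw):
    """A request is a block of 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class SaslSendLimiter:
    """Sliding-window limit on counted units per SASL login.  At RCPT stage one
    request is one recipient; at END-OF-MESSAGE one request is one message."""

    def __init__(self, limit, window_seconds=3600):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)   # login -> timestamps of counted units

    def _prune(self, login, now):
        q = self.events[login]
        while q and now - q[0] >= self.window:
            q.popleft()

    def handle(self, attrs, now=None):
        """Return the response text Postfix expects for one request."""
        now = time.time() if now is None else now
        login = attrs.get("sasl_username", "")
        if not login or attrs.get("protocol_state") not in ("RCPT", "END-OF-MESSAGE"):
            return "action=dunno\n\n"   # not a SASL client or not our stage: no opinion
        self._prune(login, now)
        q = self.events[login]
        if len(q) >= self.limit:
            return "action=reject Sending limit reached for this account\n\n"
        q.append(now)
        return "action=dunno\n\n"

    def units_used(self, login):
        return len(self.events[login])


def submit_message(limiter, login, recipients, now, stage):
    """Feed one message with the given recipients to the limiter the way the
    chosen smtpd stage would: n requests at RCPT, one at END-OF-MESSAGE."""
    base = f"request=smtpd_access_policy\nsasl_username={login}\nsender={login}@example.com\n"
    if stage == "RCPT":
        requests = [base + f"protocol_state=RCPT\nrecipient={r}\n\n" for r in recipients]
    else:
        requests = [base + f"protocol_state=END-OF-MESSAGE\nrecipient_count={len(recipients)}\n\n"]
    return [limiter.handle(parse_policy_request(req), now) for req in requests]


if __name__ == "__main__":
    rcpts = ["a@example.net", "b@example.net", "c@example.net"]
    rcpt_stage = SaslSendLimiter(limit=3)
    print(submit_message(rcpt_stage, "alice", rcpts, 1000, "RCPT"))
    print(rcpt_stage.units_used("alice"))   # 3: one unit per recipient
    eod_stage = SaslSendLimiter(limit=3)
    print(submit_message(eod_stage, "alice", rcpts, 1000, "END-OF-MESSAGE"))
    print(eod_stage.units_used("alice"))    # 1: one unit per message
```

At RCPT stage the limit counts recipients, and a message that crosses the limit mid-envelope is accepted for the first recipients and rejected for the rest; at END-OF-MESSAGE it counts messages and the verdict covers the whole message. Choose the restriction list according to which of the two the limit is meant to express.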


[pfx] Question on DKIM process ordering

2024-07-05 Thread Gilgongo via Postfix-users
I'm setting up a server to handle outbound mail for sasl auth accounts and
would like to scan that mail for spam and malware before DKIM signing
because I assume scanning might potentially add headers that could break
the sig.

Right now I have the following (extract) in my Amavis conf:

$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  notify_method => 'smtp:[127.0.0.1]:10025',
};

With master.cf as:

submission  inet  n   -   n   -   -   smtpd
  ... configs...
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

smtp-amavis unix  -   -   n   -   2   smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20

# For sending notifications about actions
127.0.0.1:10025 inet  n   -   n   -   -   smtpd
  -o syslog_name=notify
  configs...

# For OpenDKIM signing
127.0.0.1:10027 inet  n   -   n   -   -   smtpd
  ... configs...
  -o smtpd_milters=inet:127.0.0.1:8891

So I assume DKIM should come last. But the logs imply the spam/virus check
is done after?

postfix/cleanup[1685]: BB20880330: message-id=<20240705073351.001500@fre.localdomain>
opendkim[700]: BB20880330: DKIM-Signature field added (s=dkim20200516, d=bakerbates.com)
postfix/qmgr[1558]: BB20880330: from=, size=945, nrcpt=1 (queue active)
amavis[1563]: (01563-01) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [192.168.0.241]:51084 [etc.]
postfix/smtp[1686]: 76C0C80266: to=, relay=127.0.0.1[127.0.0.1]:10026, [etc.]
postfix/qmgr[1558]: 76C0C80266: removed

Unfortunately, I can't tell whether the DKIM sig is OK or not in my test
setup, but I'd like to ensure it's the last thing to happen before sending.
How can I do that?

Jonathan


[pfx] Re: Question on DKIM process ordering

2024-07-05 Thread Gilgongo via Postfix-users
On Fri, 5 Jul 2024 at 09:10, Matus UHLAR - fantomas via Postfix-users <
postfix-users@postfix.org> wrote:

> I think in case of amavis it's just the order of logs being written.
> IIUC amavis does not confirm receiving message from postfix until after it's
> scanned and passed further, which is why new scanned message is logged
> before


OK that's what I was hoping.


>
> BTW, amavis can DKIM-sign the message itself.
>

Yes, it's just that we already have OpenDKIM signing for 200+ domains so I
thought I'd leave that alone.


> >Unfortunately, I can't tell whether the DKIM sig is OK or not in my test
> >setup, but I'd like to ensure it's the last thing to happen before sending.
> >How can I do that?
>
> deliver it to mailbox locally and run spamassassin scan, it should tell you
> whether the signature is correct.
>
>
Ah yes, thanks! :-)
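To read the log excerpt in the original post by queue ID rather than by line order, an added example that is not from the thread: a Python grouping of the post's own log lines, reconstructed on single lines with the addresses left redacted as they were. The content-filter port (10026) comes from the master.cf in the post.

```python
"""Group Postfix log lines by queue ID so the two passes of a content-filtered
message (the submission handed to amavis, and the copy amavis re-injects) can be
told apart.  Added example, not from the thread.  The lines are the post's
excerpt reconstructed on single lines; addresses stay redacted as they were."""

import re

SAMPLE_LOG = """\
postfix/cleanup[1685]: BB20880330: message-id=<20240705073351.001500@fre.localdomain>
opendkim[700]: BB20880330: DKIM-Signature field added (s=dkim20200516, d=bakerbates.com)
postfix/qmgr[1558]: BB20880330: from=, size=945, nrcpt=1 (queue active)
amavis[1563]: (01563-01) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [192.168.0.241]:51084 [etc.]
postfix/smtp[1686]: 76C0C80266: to=, relay=127.0.0.1[127.0.0.1]:10026, [etc.]
postfix/qmgr[1558]: 76C0C80266: removed
"""

# program[pid]: QUEUEID: rest   (amavis lines carry their own task id and are skipped)
LINE_RE = re.compile(r"^(?P<prog>[\w./-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]{6,}): (?P<rest>.*)$")
RELAY_RE = re.compile(r"relay=(?P<relay>[^\s,]+)")


def classify(prog, rest):
    """Reduce one log line to a stage label, or None if it is not of interest."""
    daemon = prog.split("/")[-1]
    if daemon == "cleanup":
        return "cleanup"
    if daemon == "opendkim" and "DKIM-Signature field added" in rest:
        return "dkim-signed"
    if daemon == "qmgr":
        if "queue active" in rest:
            return "queued"
        if rest == "removed":
            return "removed"
    if daemon in ("smtp", "lmtp"):
        m = RELAY_RE.search(rest)
        if m:
            return "relayed:" + m.group("relay")
    return None


def stages_by_queue_id(log_text):
    """Map each queue ID to the ordered list of stages it went through."""
    stages = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stage = classify(m.group("prog"), m.group("rest"))
        if stage:
            stages.setdefault(m.group("qid"), []).append(stage)
    return stages


def filter_pass_ids(stages, filter_port):
    """Queue IDs that were handed to the content filter listening on filter_port."""
    return sorted(q for q, s in stages.items()
                  if any(st.startswith("relayed:") and st.endswith(f":{filter_port}") for st in s))


def signed_ids(stages):
    return sorted(q for q, s in stages.items() if "dkim-signed" in s)


def signing_follows_filter(stages, filter_port=10026):
    """True when only re-injected copies were signed: no queue ID that went to
    the content filter also carries a DKIM-Signature added by the milter."""
    signed = set(signed_ids(stages))
    return bool(signed) and not (signed & set(filter_pass_ids(stages, filter_port)))


if __name__ == "__main__":
    stages = stages_by_queue_id(SAMPLE_LOG)
    for qid, s in stages.items():
        print(qid, "->", " > ".join(s))
    print("signing after filter:", signing_follows_filter(stages))
```

On the post's lines this yields two queue IDs: 76C0C80266 was relayed to 127.0.0.1:10026 (the amavis listener) and removed, while BB20880330 is the copy that was cleaned up, DKIM-signed and queued for delivery, so the signature was added on the second pass. On a full log the two passes are tied together by the message-id that cleanup logs on each pass, and a syslog_name on the 10027 listener makes the re-injection path visible directly.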


[pfx] Preventing unauthorised senders

2024-07-09 Thread Gilgongo via Postfix-users
I've set up our mail server (with some help from this list, for which much
thanks) to scan sasl-auth senders for spam and viruses with Amavis.

I'd now like to make sure that rogue processes can't bypass those checks,
particularly web servers (I already have PHP using msmtp to enforce
well-behaved scripts to do that at least).

My first thought was to start by firewalling off mail ports on the local
machine to only allow processes owned by root or postfix. Then make any
non-root sending processes use smtp-auth to send out. But is there a better
way?

Jonathan


[pfx] Re: Preventing unauthorised senders

2024-07-09 Thread Gilgongo via Postfix-users
On Tue, 9 Jul 2024 at 15:39, Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

> On Tue, Jul 09, 2024 at 12:54:38PM +0100, Gilgongo via Postfix-users wrote:
>


> Just configure content inspection on all the submission pathways.
>
> > My first thought was to start by firewalling off mail ports on the local
> > machine to only allow processes owned by root or postfix.
>
> Why?  Just inspect the messages they submit, SASL is not required.
>

Apologies - perhaps I've misunderstood, but if I use (for
example) mail.mailutils to send to u...@yahoo.com from m...@mydomain.com then
I see the client communicate directly with the MX of yahoo.com over port
25. I'd like it to communicate with my mail server instead.

Jonathan


[pfx] Re: Preventing unauthorised senders

2024-07-10 Thread Gilgongo via Postfix-users
On Wed, 10 Jul 2024 at 09:06, Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

>
> When you say "the client", what do you mean?  Do applications do "direct
> to MX" mail transmission?  That seems odd, because they generally lack
> the capability to queue and retry messages if there's a temporary error.
>
> Is "the client" Postfix, or really some application?
>

Yes, I mean clients other than Postfix. So for example, a user has a
Wordpress site which is compromised to send spam, or a user logs in and
sends email out in another way. Here's an example using swaks to send to an
external email address. I'm running this on the mail server itself (but
could be any machine on the LAN):

$ swaks --to u...@protonmail.com --from m...@mydomain.com
=== Trying mail.protonmail.ch:25...
=== Connected to mail.protonmail.ch.
<-  220-mailin054.protonmail.ch ESMTP Postfix
<-  220 mailin054.protonmail.ch ESMTP Postfix
 -> EHLO fre.localdomain
<-  250-mailin054.protonmail.ch
... etc.
<-  250 2.0.0 Ok: queued as 4WJrYr75Phz3f
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

As you can see, it goes straight to the MX of the domain of the recipient.
The same is true if I use mail.mailutils or other clients. So I was
wondering how I might both allow sending but also (reliably) prevent abuse.
Perhaps doing both isn't really possible?

Jonathan


[pfx] Re: Preventing unauthorised senders

2024-07-10 Thread Gilgongo via Postfix-users
On Wed, 10 Jul 2024 at 18:56, Serhii via Postfix-users <
postfix-users@postfix.org> wrote:

> On 7/10/24 08:40, Gilgongo via Postfix-users wrote:
> > As you can see, it goes straight to the MX of the domain of the
> > recipient. The same is true if I use mail.mailutils or other clients. So I
> > was wondering how I might both allow sending but also (reliably) prevent
> > abuse. Perhaps doing both isn't really possible?
>
> You can implement firewall rules preventing access to 25/tcp for other
> users (not postfix and root):
>
> > iptables -A OUTPUT -m owner --gid-owner $postfix_gid_here -p tcp -m tcp --dport 25 -j ACCEPT
> > iptables -A OUTPUT -m owner --uid-owner 0 -p tcp -m tcp --dport 25 -j ACCEPT
> > iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
>
> Similar feature is possible via nftables, the syntax is following:
> > nft 'add rule ip filter OUTPUT skgid $postfix_gid_here tcp dport 25 counter accept'
> > nft 'add rule ip filter OUTPUT skgid 0 tcp dport 25 counter accept'
> > nft 'add rule ip filter OUTPUT tcp dport 25 counter reject'
>

Ah OK, thanks - I'll give that a go. Ideally I'd like to minimise the
disruption for users who want to send out with their own clients, but I
guess that would mean some kind of convoluted local open relay proxy
arrangement that's not worth constructing. I was just checking on the list
that I'd not missed some "standard method" of restricting access :-)

Jonathan
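As a detection-side companion to the owner-based firewall rules quoted above, an added example that is not part of the thread: a Python audit of /proc/net/tcp that lists outbound port-25 connections owned by a uid other than root or the Postfix uid, which is the condition those rules are meant to make impossible. The table, the uid set (106 as the postfix uid) and the little-endian byte order are constructed assumptions for the example.

```python
"""Audit which local users hold outbound SMTP (port 25) connections by reading
/proc/net/tcp, the kernel's IPv4 connection table.  Added as a detection-side
companion to the quoted owner-based firewall rules; not from the thread.  The
table below is constructed, the allowed uid set (0 and 106, the postfix uid on
this assumed host) is an assumption, and the address decoding assumes a
little-endian host, where /proc/net/tcp prints each IPv4 address byte-reversed."""

import socket
import struct

# Constructed excerpt with the real file's column layout.  Rows: a listener on
# :25 (postfix), postfix delivering outbound, www-data (uid 33) talking to a
# remote :25 and to :443, and root in SYN_SENT to another remote :25.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 18000 1 0000000000000000 100 0 0 10 0
   1: 0102A8C0:B2D4 196433C6:0019 01 00000000:00000000 00:00000000 00000000   106        0 18321 1 0000000000000000 20 4 30 10 -1
   2: 0102A8C0:C0F2 077100CB:0019 01 00000000:00000000 00:00000000 00000000    33        0 18400 1 0000000000000000 20 4 30 10 -1
   3: 0102A8C0:C0F3 077100CB:01BB 01 00000000:00000000 00:00000000 00000000    33        0 18401 1 0000000000000000 20 4 30 10 -1
   4: 0102A8C0:9A10 0A0200C0:0019 02 00000000:00000000 00:00000000 00000000     0        0 18450 1 0000000000000000 20 4 30 10 -1
"""

ALLOWED_SMTP_UIDS = {0, 106}   # assumption: root and the postfix uid
TCP_LISTEN = 0x0A              # st column value for a listening socket


def decode_endpoint(hex_endpoint):
    """'0100007F:0019' -> ('127.0.0.1', 25) on a little-endian host."""
    ip_hex, port_hex = hex_endpoint.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket: local/remote endpoints, state, owning uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        laddr, lport = decode_endpoint(fields[1])
        raddr, rport = decode_endpoint(fields[2])
        rows.append({"laddr": laddr, "lport": lport, "raddr": raddr, "rport": rport,
                     "state": int(fields[3], 16), "uid": int(fields[7]),
                     "inode": int(fields[9])})
    return rows


def unauthorised_smtp_connections(text, allowed_uids=ALLOWED_SMTP_UIDS, port=25):
    """Sockets with remote port `port`, not merely listening, owned by a uid
    outside the allowed set: direct-to-MX senders worth investigating."""
    return [r for r in parse_proc_net_tcp(text)
            if r["rport"] == port and r["state"] != TCP_LISTEN
            and r["uid"] not in allowed_uids]


if __name__ == "__main__":
    with open("/proc/net/tcp") as f:
        for r in unauthorised_smtp_connections(f.read()):
            print(f"uid {r['uid']} -> {r['raddr']}:{r['rport']} (inode {r['inode']})")
```

The inode in each hit can be matched against /proc/*/fd to find the owning process. IPv6 sockets live in /proc/net/tcp6 with a different address encoding and are not covered here, so a host that sends over IPv6 needs the same check extended to that file.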


[pfx] Re: RFC logs_check

2024-07-23 Thread Gilgongo via Postfix-users
On Tue, 23 Jul 2024 at 23:06, r.barclay--- via Postfix-users <
postfix-users@postfix.org> wrote:

> Hi,
>
> You could use a custom Fail2Ban regular expression to ban IP addresses
> that cause Postfix log entries containing certain domain names.
>
> See
> https://en.wikipedia.org/wiki/Fail2ban
> https://fail2ban.readthedocs.io/en/latest/filters.html
>
>
Although most if not all of the IP addresses in that log are in blocking
lists - have you tried using some RBLs as an easy solution? For example in
main.cf:

smtpd_recipient_restrictions =
    permit_mynetworks
    ... etc.
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net


[pfx] Do you reject DMARC failures?

2024-07-30 Thread Gilgongo via Postfix-users
I've recently installed and configured openDMARC. I see it marks perhaps
20-30% of domains as "fail" but I've not set it to reject those yet.

I also see Spamassassin doesn't give particularly high scores for SPF/DKIM
failures, and Mail::SpamAssassin::Plugin::DMARC (not that it comes as
standard) seems to have quite low scores by default too. So I'm a bit wary
of false positives if I tell openDMARC to reject.

What do others do with DMARC? I'm inclined to just gradually turn up the SA
scores on  SPF/DKIM failures instead, if only because
Mail::SpamAssassin::Plugin::DMARC isn't included in SA by default - and
presumably for a reason.

Jonathan


[pfx] Re: Do you reject DMARC failures?

2024-07-30 Thread Gilgongo via Postfix-users
Thanks for all the replies on this - food for thought! Seems the general
consensus is that while in theory I should reject for p=reject (since
that's what the sender wants me to do), in practice things like mailing
lists and other forwarding conditions make that unsafe (and to a lesser
extent the same applies to SPF and DKIM). At least in terms of a
binary decision. So I think I'll stick with what I have and perhaps
experiment with some SA scoring tweaks.

I should perhaps mention that I'm more concerned about spam coming out of
our network via forwarding than I am about annoying our local
recipients (and we use SRS).

BTW various RBLs were mentioned - was going to ask a question on that, but
will do so in a different thread.


[pfx] dnsblog question

2024-08-11 Thread Gilgongo via Postfix-users
I have the following in my postscreen_dnsbl_sites:

 wl.mailspike.net=127.0.0.[19;20]*-2

Yet my logs show entries for .17 and .18 as well, eg:

Aug 11 14:14:10 alice postfix/dnsblog[3952116]: addr 211.151.30.122 listed by domain wl.mailspike.net as 127.0.0.17
Aug 11 14:14:59 alice postfix/dnsblog[3960566]: addr 192.30.252.200 listed by domain wl.mailspike.net as 127.0.0.18

What's the reason for this? Perhaps there's something about the way lookups
are being done that I've missed, but I'm not sure what it is.

Jonathan


[pfx] Re: dnsblog question

2024-08-11 Thread Gilgongo via Postfix-users
On Sun, 11 Aug 2024 at 16:16, Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

>
> The dnsblog(8) service is NOT postscreen(8) and does not know which
> values postscreen(8) might, or might not, take into account.  It just
> logs what it finds.  It is up to postscreen(8) to make a decision on
> those findings, and apparently postscreen(8) did nothing, as configured.
>
>
Indeed - and not only did I not consider that, I didn't read mailspike's
docs correctly either.  Looks like I should be using rep.mailspike.net with
those return codes, not wl.mailspike.net, which returns anything listed
between .17 and .20.


[pfx] RBLs at smtp level

2024-09-07 Thread Gilgongo via Postfix-users
I notice Spamhaus say that for smaller hosts, RBL blocking at smtp level is
not recommended, and instead it’s better to use a milter for RBL checking.

https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/PublicMirrors/MTAs/030-Sendmail.html

I can see the logic in that, since a milter gives you much more control. So
for smaller hosts running postscreen, do I take it you just use allow lists
with dnsbl_allowlist_threshold to minimise problems with pregreet tests (if
you use them)? Or do you have some combination (eg to weed out very low
reputation senders before they get to the milter)?

Jonathan


[pfx] Re: RBLs at smtp level

2024-09-07 Thread Gilgongo via Postfix-users
On Sat, 7 Sept 2024 at 10:55, Peter via Postfix-users <
postfix-users@postfix.org> wrote:

> Postscreen has several advantages here in that it allows you to block
> based on a weighted score, so that you can give each individual RBL a
> score based on how reliable you believe it to be and then require a
> certain score in order to actually block.  It's not as comprehensive as
> SpamAssassin but is more tunable than smtpd and a lot lighter weight, so
> if you can eliminate a lot of spam based on postscreen RBL blocking then
> you end up passing way fewer messages through to SpamAssassin and thus
> considerably lessen the load on your system.  SpamAssassin can then do a
> more comprehensive (and decidedly more resource intensive) scan on the
> remaining mail to flag the bulk of the rest.
>

I see, thanks. Assuming for a moment that resources for the SA checks
weren't an issue, if I had this for postscreen to help with
occasional pregreet issues, then rely on Spamassassin for all other checks,
would that work?

postscreen_dnsbl_threshold = 0
postscreen_dnsbl_allowlist_threshold = -1
postscreen_dnsbl_sites =  list.dnswl.org=127.0.[0..255].[2..3]*-2

I take it from what you say though that it's not a common configuration
(and assuming all the pregreet checks are turned on). It's just that I'm
toying with the idea of giving our users (who are mostly pretty savvy)
control over their own Spamassassin user_prefs files :)

Jonathan
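The two postscreen threads above (the dnsblog entries for .17 and .18 that led to no action, and the allow-list-only postscreen configuration) rest on the same scoring mechanism, so one added example serves both; it is not Postfix code. It models postscreen's weighted DNSBL scoring with the postscreen_dnsbl_sites syntax from postconf(5), domain[=d.d.d.d][*weight], where each d is a number, a [lo..hi] range or an [a;b;c] list, and applies the inclusive thresholds as postconf(5) describes them: a score at or above postscreen_dnsbl_threshold blocks, a score at or below a negative postscreen_dnsbl_allowlist_threshold allow-lists, and 0 disables the allow list. The DNSBL replies are constructed, and it is an assumption of the model that each configured entry adds its weight at most once per client however many matching A records come back.

```python
"""Model of postscreen's weighted DNSBL scoring, added to illustrate why dnsblog
can log a listing that postscreen then ignores, and how an allow-list-only
configuration behaves.  Not Postfix code.  Syntax per postconf(5):
domain[=d.d.d.d][*weight], each d a number, a [lo..hi] range or an [a;b;c] list.
Assumption of the model: each configured entry contributes its weight at most
once per client, regardless of how many matching A records are returned."""

import re

SITE_RE = re.compile(r"^(?P<domain>[^=*\s]+)(?:=(?P<pattern>[^*\s]+))?(?:\*(?P<weight>-?\d+))?$")
OCTET_RE = re.compile(r"\[[^\]]*\]|\d+")

# Constructed postscreen_dnsbl_sites list using the entries discussed in the threads.
SITES = [
    "zen.spamhaus.org*3",
    "bl.spamcop.net*2",
    "wl.mailspike.net=127.0.0.[19;20]*-2",
    "list.dnswl.org=127.0.[0..255].[2..3]*-2",
]


def parse_site(entry):
    """'wl.mailspike.net=127.0.0.[19;20]*-2' -> (domain, pattern or None, weight)."""
    m = SITE_RE.match(entry.strip())
    if not m:
        raise ValueError(f"bad postscreen_dnsbl_sites entry: {entry!r}")
    weight = int(m.group("weight")) if m.group("weight") else 1   # default weight is 1
    return m.group("domain"), m.group("pattern"), weight


def octet_matches(spec, value):
    if spec.startswith("["):
        body = spec[1:-1]
        if ".." in body:                     # [lo..hi] range
            lo, hi = body.split("..", 1)
            return int(lo) <= value <= int(hi)
        return value in {int(x) for x in body.split(";") if x}   # [a;b;c] list
    return int(spec) == value


def reply_matches(pattern, reply):
    """No pattern means any reply counts; otherwise all four octets must match."""
    if pattern is None:
        return True
    specs = OCTET_RE.findall(pattern)
    octets = [int(o) for o in reply.split(".")]
    return (len(specs) == 4 and len(octets) == 4
            and all(octet_matches(s, o) for s, o in zip(specs, octets)))


def dnsbl_score(sites, replies):
    """replies: {domain: [A records]} as dnsblog would report them."""
    score = 0
    for entry in sites:
        domain, pattern, weight = parse_site(entry)
        if any(reply_matches(pattern, r) for r in replies.get(domain, [])):
            score += weight
    return score


def postscreen_decision(sites, replies, threshold=1, allowlist_threshold=0):
    """Defaults are the postconf(5) defaults.  Returns (decision, score):
    'reject' when score >= threshold; 'allowlist' when the allow-list threshold
    is negative (0 disables it) and score <= it; otherwise 'pass'."""
    score = dnsbl_score(sites, replies)
    if score >= threshold:
        return "reject", score
    if allowlist_threshold < 0 and score <= allowlist_threshold:
        return "allowlist", score
    return "pass", score


if __name__ == "__main__":
    # The dnsblog thread: .17 is logged by dnsblog but matches no configured pattern.
    print(postscreen_decision(SITES, {"wl.mailspike.net": ["127.0.0.17"]}, 3, -1))  # ('pass', 0)
    print(postscreen_decision(SITES, {"wl.mailspike.net": ["127.0.0.20"]}, 3, -1))  # ('allowlist', -2)
    print(postscreen_decision(SITES, {"zen.spamhaus.org": ["127.0.0.2"],
                                      "bl.spamcop.net": ["127.0.0.2"]}, 3, -1))    # ('reject', 5)
```

dnsblog(8) logs every A record a list returns; only entries whose pattern matches contribute to the score, which is what the .17 and .18 entries show. The threshold-0 setting proposed above is outside what this model was checked against, so it uses a positive blocking threshold throughout.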


[pfx] Re: General feedback on my postfix setup?

2024-10-24 Thread Gilgongo via Postfix-users
On Thu, 24 Oct 2024 at 13:02, Mark via Postfix-users <
postfix-users@postfix.org> wrote:

> Hello Postfix fellows,
>
> Could you please give me your feedback on my postfix (with dovecot
> LMTP and virtual users in MySQL db) setup?
>
> Here's my main.cf and master.cf contents;
>
> https://www.pastebin.cz/en/p/fqcoW8Q
>
> Anything unneeded, excessive, exaggerated, abusive or wrong there, please?
>

I'm always a bit unclear about the utility of specifying things in
helo/sender_restrictions.
I tend to put it all in recipient_restrictions and be done with it.

BTW I take it you're not using postscreen as you have rspamd, is
that correct?

Jonathan


[pfx] Re: General feedback on my postfix setup?

2024-10-25 Thread Gilgongo via Postfix-users
>
> Hi Jonathan, thank you.
> It helped me to eliminate some fake senders and spams, but I see your
> point.
> Yes, I'm not using postscreen as I have rspamd.
> Is there any further suggestion you might have?
>

I had a look at https://ssl-config.mozilla.org when setting up TLS things,
but I think you've got most of that covered. I chose to specify
smtpd_tls_security_level=encrypt for my submission port though (with "may"
for submissions) in master.cf. Also found it useful to label the log
entries with syslog_name, but that's just me.


[pfx] Re: alternative to one.com ?

2024-10-27 Thread Gilgongo via Postfix-users
On Sun, 27 Oct 2024 at 04:37, Wesley via Postfix-users <
postfix-users@postfix.org> wrote:

> On 2024-10-27 02:31, Benny Pedersen via Postfix-users wrote:
> > i like to stop using one.com for several reasons, first they do not
> > support rfc 7505, why ?
> >
>
>
I recently migrated some domains to Cloudflare, partly because of their
support for DNSSEC, but mainly due to their ease of role delegation so we
can have more than one admin able to edit zone files, change billing
methods, transfer in/out etc. Some other providers do this I think, but
Cloudflare seems the most flexible.

Jonathan


[pfx] Re: Sanity check for check_sasl_access

2025-02-05 Thread Gilgongo via Postfix-users
On Wed, 5 Feb 2025 at 09:32, Gilgongo  wrote:

> I just wanted to make sure I've read the docs
>  correctly.
> I'd like to restrict a couple of sasl users by IP4/6 (I can't test this on
> my sandbox setup), so if I have this in my master.cf:
>
-- snip --
> And have the following in my access file:
>
> user1 192.x.x.x PERMIT
> user1 2001:x:x:x::x PERMIT
> user1 REJECT
>
>
I see the above would produce duplicate entries. But looking at
https://www.postfix.org/access.5.html#example would the following be valid?

user-1 192.x.x.1 OK
user-1 2001:x:x:x::AB OK
user-1 2001:x:x:x::   REJECT
user-1 192.x.x REJECT

That is, using a multi-line rule?


[pfx] Sanity check for check_sasl_access

2025-02-05 Thread Gilgongo via Postfix-users
I just wanted to make sure I've read the docs
 correctly. I'd
like to restrict a couple of sasl users by IP4/6 (I can't test this on my
sandbox setup), so if I have this in my master.cf:

submission  inet  n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sender_restrictions=
  -o smtpd_milters=
  -o { smtpd_client_restrictions=
       check_sasl_access hash:/etc/postfix/sasl_access
     }
  -o { smtpd_recipient_restrictions=
       reject_non_fqdn_recipient
       reject_unknown_recipient_domain
       permit_sasl_authenticated
       reject
     }

And have the following in my access file:

user1 192.x.x.x PERMIT
user1 2001:x:x:x::x PERMIT
user1 REJECT

(smtpd_sasl_local_domain is blank)

Will that work OK?


[pfx] Re: Sanity check for check_sasl_access

2025-02-05 Thread Gilgongo via Postfix-users
On Wed, 5 Feb 2025 at 11:06, Allen Coates via Postfix-users <
postfix-users@postfix.org> wrote:

>
> In my access lists I have found that  0.0.0.0/0 matches every IPv4
> address, and ::/0 matches every IPv6 address.
>
> (Unless, of course you are expressly testing for a specific IP address)
>

I see, thanks. Although I should have been clear that I am trying to test
for a specific IP. So essentially trying to say "allow sasl user1 to send
from these IPs, but not from any others"

The example in the docs seems to imply that I could concatenate the rules
to achieve that using leading whitespace for the subsequent lines (and I
see postmap doesn't complain if I do), but I'm not 100% sure.
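To see what postmap actually builds from the two access-file layouts in this thread, an added example that is not Postfix code: a Python reading of an access(5) input file with the postmap(1) logical-line rules (a logical line starts with non-whitespace, a line that starts with whitespace continues the previous logical line, blank and comment lines are skipped, and the key is the first whitespace-delimited word). The two samples are the thread's own lines; the second is written with the leading whitespace the question describes. What Postfix does with the resulting values is not modelled here.

```python
"""Reconstruct the key/value pairs postmap(1) derives from an access(5) input
file, added to show what the two layouts in the thread turn into.  Not Postfix
code.  Whitespace inside values is collapsed for display; what check_sasl_access
then makes of a value such as '192.x.x.1 OK ...' is not modelled."""

# The thread's first layout, one entry per line.
LAYOUT_ONE = """\
user1 192.x.x.x PERMIT
user1 2001:x:x:x::x PERMIT
user1 REJECT
"""

# The thread's second layout as described: subsequent lines indented so that
# they continue the first logical line (constructed from the post's lines).
LAYOUT_TWO = """\
user-1 192.x.x.1 OK
 user-1 2001:x:x:x::AB OK
 user-1 2001:x:x:x::   REJECT
 user-1 192.x.x REJECT
"""


def logical_lines(text):
    """Join continuation lines (leading whitespace) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue                     # blank and comment lines are ignored
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
            continue
        lines.append(raw.strip())
    return lines


def parse_postmap_input(text):
    """Return (entries, duplicate_keys): entries is a list of (key, value) in
    file order; duplicate_keys lists keys that appear more than once, which
    is what postmap warns about."""
    entries, seen, duplicates = [], set(), []
    for line in logical_lines(text):
        parts = line.split(None, 1)
        key = parts[0]
        value = " ".join(parts[1].split()) if len(parts) > 1 else ""
        if key in seen and key not in duplicates:
            duplicates.append(key)
        seen.add(key)
        entries.append((key, value))
    return entries, duplicates


if __name__ == "__main__":
    for name, text in (("one entry per line", LAYOUT_ONE), ("continuation lines", LAYOUT_TWO)):
        entries, duplicates = parse_postmap_input(text)
        print(name, "->", len(entries), "entr(y/ies), duplicates:", duplicates)
        for key, value in entries:
            print("   ", repr(key), "=>", repr(value))
```

The first layout produces three entries that all share the key user1, which is the duplicate warning mentioned above; the second produces a single entry keyed user-1 whose value is the whole concatenated text. A continuation line therefore extends one rule's value rather than adding a second rule for the same key.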