[pfx] tracing smtp submission issues/ server timed out?
a user reported mail client message:
"It hard to sent mail we try 2-3 times then sent."

screengrab from mail client had:
sending failed, couldn't send, connection to outgoing server timed out

I couldn't notice anything, tail maillog, saw emails going, probably looking at wrong things ?

subsequently was told reply email to me took two attempts, the received copy log is like;

what/where to look/check ?

- also, in case this matters: sender has BOTH TLD.com.au as well as same TLD.com (without .au)
the mail server was always TLD.com.au, TLD.com was added as domain alias several years ago, around 2015, 'alias domain' in PFA

# grep "C92564346E5" /var/log/maillog
Sep 8 16:41:25 geko postfix/smtpd[15518]: C92564346E5: client=unknown[111.222.333.444], sasl_method=PLAIN, sasl_username=i...@tld.com.au
Sep 8 16:41:31 geko postfix/cleanup[15407]: C92564346E5: message-id=
Sep 8 16:41:31 geko opendkim[910]: C92564346E5: DKIM-Signature field added (s=default, d=tld.com)
Sep 8 16:41:31 geko postfix/qmgr[1654]: C92564346E5: from=, size=3262, nrcpt=1 (queue active)
Sep 8 16:41:42 geko amavis[31308]: (31308-14) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [111.222.333.444]:52547 [111.222.333.444] -> , Queue-ID: C92564346E5, Message-ID: , mail_id: zj3cR-iB-usR, Hits: -3.069, size: 3681, queued_as: F22794346E8, 10889 ms
Sep 8 16:41:42 geko postfix/smtp[15464]: C92564346E5: to=, relay=127.0.0.1[127.0.0.1]:10026, delay=16, delays=5.4/0/0.01/11, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as F22794346E8)
Sep 8 16:41:42 geko postfix/qmgr[1654]: C92564346E5: removed

# grep "F22794346E8" /var/log/maillog
Sep 8 16:41:41 geko postfix/smtpd[13013]: F22794346E8: client=localhost[127.0.0.1]
Sep 8 16:41:41 geko postfix/cleanup[15407]: F22794346E8: message-id=
Sep 8 16:41:42 geko postfix/qmgr[1654]: F22794346E8: from=, size=4144, nrcpt=1 (queue active)
Sep 8 16:41:42 geko amavis[31308]: (31308-14) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [111.222.333.444]:52547 [111.222.333.444] -> , Queue-ID: C92564346E5, Message-ID: , mail_id: zj3cR-iB-usR, Hits: -3.069, size: 3681, queued_as: F22794346E8, 10889 ms
Sep 8 16:41:42 geko postfix/smtp[15464]: C92564346E5: to=, relay=127.0.0.1[127.0.0.1]:10026, delay=16, delays=5.4/0/0.01/11, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as F22794346E8)
Sep 8 16:41:42 geko postfix/pipe[15414]: F22794346E8: to=, relay=dovecot, delay=0.09, delays=0.02/0/0/0.07, dsn=2.0.0, status=sent (delivered via dovecot service)
Sep 8 16:41:42 geko postfix/qmgr[1654]: F22794346E8: removed

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: tracing smtp submission issues/ server timed out?
On Sat, September 9, 2023 2:42 am, Matus UHLAR - fantomas via Postfix-users wrote:
> On 08.09.23 23:13, lists--- via Postfix-users wrote:

Matus, Viktor, thanks

> logs from unsuccessful attempts are important, not from the one that
> succeeded.

is there some proper way to identify that..?
looking at lines immediately above I see like, I screen scraped lines immediately above:

Sep 8 16:40:34 geko postfix/qmgr[1654]: 708204346EE: removed
Sep 8 16:40:37 geko postfix/postscreen[21264]: CONNECT from [111.222.333.444]:50452 to [103.106.168.106]:25
Sep 8 16:40:37 geko postfix/postscreen[21264]: PASS OLD [111.222.333.444]:50452
Sep 8 16:40:37 geko postfix/smtpd[15732]: connect from unknown[111.222.333.444]
Sep 8 16:40:37 geko postfix/smtpd[15732]: Anonymous TLS connection established from unknown[111.222.333.444]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits
Sep 8 16:40:37 geko postfix/smtpd[15732]: lost connection after STARTTLS from unknown[111.222.333.444]
Sep 8 16:40:37 geko postfix/smtpd[15732]: disconnect from unknown[111.222.333.444] ehlo=1 starttls=1 commands=2
Sep 8 16:40:46 geko postfix/smtpd[15519]: connect from unknown[111.222.333.444]
Sep 8 16:40:46 geko postfix/smtpd[15519]: Anonymous TLS connection established from unknown[111.222.333.444]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128
Sep 8 16:40:47 geko postfix/smtpd[15519]: 2556C4346EC: client=unknown[111.222.333.444], sasl_method=PLAIN, sasl_username=i...@tld.com.au
Sep 8 16:44:24 geko postfix/anvil[1945]: statistics: max connection rate 4/3600s for (smtpd:185.222.58.40) at Sep 8 16:40:22
Sep 8 16:44:24 geko postfix/anvil[1945]: statistics: max connection count 3 for (smtpd:185.222.58.40) at Sep 8 16:40:19
Sep 8 16:41:06 geko postfix/smtpd[15519]: lost connection after DATA (0 bytes) from unknown[111.222.333.444]
Sep 8 16:41:06 geko postfix/smtpd[15519]: disconnect from unknown[111.222.333.444] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=0/1 commands=6/7
Sep 8 16:41:24 geko postfix/smtpd[15518]: connect from unknown[111.222.333.444]
Sep 8 16:41:25 geko postfix/smtpd[15518]: Anonymous TLS connection established from unknown[111.222.333.444]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128
Sep 8 16:41:25 geko postfix/smtpd[15518]: C92564346E5: client=unknown[111.222.333.444], sasl_method=PLAIN, sasl_username=i...@tld.com.au
Sep 8 16:41:31 geko postfix/cleanup[15407]: C92564346E5: message-id=

>
> so, your users send mail on port 25?

hmmm... supposed to be using 587...

>
>> Sep 8 16:41:31 geko postfix/cleanup[15407]: C92564346E5:
>> message-id=
>
> this one took 6 seconds.
>
>> Sep 8 16:41:31 geko opendkim[910]: C92564346E5: DKIM-Signature field
>> added (s=default, d=tld.com)
>
> and you run opendkim (milter) on that? any other milters?

dkim/dmarc
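One way to pull the unsuccessful attempts out of maillog, as asked above. This is an added example, not code from the thread: it groups smtpd lines by process id and reports sessions where no DATA command completed. The sample lines are copied from the post, except the final `disconnect` line, which is constructed.

```python
import re

# Lines copied from the log excerpt in the post above; the last session's
# "disconnect" line is constructed (the post does not show it).
SAMPLE_LOG = """\
Sep 8 16:40:37 geko postfix/smtpd[15732]: connect from unknown[111.222.333.444]
Sep 8 16:40:37 geko postfix/smtpd[15732]: lost connection after STARTTLS from unknown[111.222.333.444]
Sep 8 16:40:37 geko postfix/smtpd[15732]: disconnect from unknown[111.222.333.444] ehlo=1 starttls=1 commands=2
Sep 8 16:40:46 geko postfix/smtpd[15519]: connect from unknown[111.222.333.444]
Sep 8 16:40:47 geko postfix/smtpd[15519]: 2556C4346EC: client=unknown[111.222.333.444], sasl_method=PLAIN, sasl_username=i...@tld.com.au
Sep 8 16:41:06 geko postfix/smtpd[15519]: lost connection after DATA (0 bytes) from unknown[111.222.333.444]
Sep 8 16:41:06 geko postfix/smtpd[15519]: disconnect from unknown[111.222.333.444] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=0/1 commands=6/7
Sep 8 16:41:24 geko postfix/smtpd[15518]: connect from unknown[111.222.333.444]
Sep 8 16:41:25 geko postfix/smtpd[15518]: C92564346E5: client=unknown[111.222.333.444], sasl_method=PLAIN, sasl_username=i...@tld.com.au
Sep 8 16:41:31 geko postfix/smtpd[15518]: disconnect from unknown[111.222.333.444] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

# Matches postfix/smtpd[pid] as well as postfix/submission/smtpd[pid].
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+"
    r"postfix/(?:[\w-]+/)?smtpd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from \S*\[(?P<ip>[^\]]+)\]")
LOST_RE = re.compile(r"^lost connection after (?P<stage>\S+)")
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]+): client=")
DISCONNECT_RE = re.compile(r"^disconnect from \S*\[[^\]]+\](?P<stats>.*)$")
# "data=0/1" means 0 of 1 DATA commands succeeded; "ehlo=2" means all 2 did.
STAT_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_sessions(log_text):
    """Group smtpd log lines into sessions, keyed by smtpd process id."""
    open_sessions, finished = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # qmgr, anvil, amavis, postscreen ... are not sessions
        pid, msg = m["pid"], m["msg"]
        hit = CONNECT_RE.match(msg)
        if hit:
            open_sessions[pid] = {
                "pid": pid, "start": m["ts"], "end": None, "client": hit["ip"],
                "lost_after": None, "queue_ids": [], "stats": {},
            }
            continue
        sess = open_sessions.get(pid)
        if sess is None:
            continue  # session started before the excerpt begins
        hit = LOST_RE.match(msg)
        if hit:
            sess["lost_after"] = hit["stage"]
            continue
        hit = QUEUE_RE.match(msg)
        if hit:
            sess["queue_ids"].append(hit["qid"])
            continue
        hit = DISCONNECT_RE.match(msg)
        if hit:
            for cmd, ok, total in STAT_RE.findall(hit["stats"]):
                sess["stats"][cmd] = (int(ok), int(total or ok))
            sess["end"] = m["ts"]
            finished.append(open_sessions.pop(pid))
    return finished


def message_accepted(session):
    """True if the client completed DATA (or BDAT) at least once."""
    return any(session["stats"].get(cmd, (0, 0))[0] > 0 for cmd in ("data", "bdat"))


def failed_attempts(sessions, client_ip=None):
    """Sessions that ended without a message being handed over."""
    return [
        s for s in sessions
        if not message_accepted(s) and (client_ip is None or s["client"] == client_ip)
    ]


if __name__ == "__main__":
    for s in failed_attempts(parse_sessions(SAMPLE_LOG), "111.222.333.444"):
        print(s["start"], "pid", s["pid"], "lost after", s["lost_after"],
              "queue ids", s["queue_ids"], "stats", s["stats"])
```

A queue ID in a failed session (2556C4346EC here) only means smtpd opened a queue file after RCPT; grepping for that ID alone finds nothing further because the message body never arrived.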
[pfx] Re: tracing smtp submission issues/ server timed out?
On Sat, September 9, 2023 3:52 am, Viktor Dukhovni via Postfix-users wrote:
> On Fri, Sep 08, 2023 at 11:13:02PM +1000, lists--- via Postfix-users
> wrote:
>
> Your amavis content filter has a non-trivial backlog of mail, probably
> because each message takes a long time to process. Here the message sat
> 5.4 seconds in the incoming queue and then took 11 seconds to deliver
> to amavis. This bottleneck suggests that the amavis filter is doing remote
> DNS lookups that are quite slow.
>
> You need to review your amavis configuration and disable or tune the
> actions that lead to the processing delays.

Viktor, thank you

hmmm, noticed that system has quite high load average, reaching 1.5/1.6 when I was checking... is that my problem ? or part of it ?

have I overloaded/underresourced ?

Tasks: 114, 98 thr; 2 running 2 Load average: 1.18 0.92 0.69
[pfx] Re: tracing smtp submission issues/ server timed out?
On Sat, September 9, 2023 9:00 pm, Matus UHLAR - fantomas via Postfix-users wrote:
>> On Sat, September 9, 2023 2:42 am, Matus UHLAR - fantomas via
>> Postfix-users wrote:

Matus, Michel, thanks

> did you reorder those lines? look at timestamps.

didn't intend to, but maybe stuffed up when I've tried to get out of maillog like:
grep "Sep 8"' followed by grep "16:40:" and grep "16:41:"
was trying to get entries between 16:40

On Sat, September 9, 2023 8:45 pm, Michel Verdier via Postfix-users wrote:
> How many cores do you have on that system ?

2 cores 4gb
[pfx] Re: tracing smtp submission issues/ server timed out?
On Sun, September 10, 2023 2:03 am, Viktor Dukhovni via Postfix-users wrote:
> Hard to say, you're not well prepared to isolate the issue, and
> the symptoms are diverse.

Viktor, Matus, many thanks!!

Viktor, I think and I'm afraid you've hit the nail on the head... that's certainly large if not major part of my problem... thank you for pointing it out! I hope you woke me up...!

> Your amavis content filter has a non-trivial backlog of mail, probably
> because each message takes a long time to process. Here the message sat
> 5.4 seconds in the incoming queue and then took 11 seconds to deliver
> to amavis. This bottleneck suggests that the amavis filter is doing remote
> DNS lookups that are quite slow.

> You need to review your amavis configuration and disable or tune the
> actions that lead to the processing delays.

OK, took out amavis from main.cf

#content_filter = smtp-amavis:[127.0.0.1]:10024

BIG reduction in Load average, still problem persists

took out amavis line from master.cf submission block

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#  -o content_filter=smtp-amavis:[127.0.0.1]:10026

user still reports problems...

wait... shouldn't main.cf mynetworks = INCLUDE user's fixed IP...?? I thought it always did...?

add IP to mynetwork - I think it's working OK now..

so, it seems my issue was (partially?) not having sender's fixed IP in mynetworks ?

(I'm still aiming to look at today's logs, earlier today, timeouts, after editing mynetworks, seems OK)

>> hmmm... supposed to be using 587...
>
> if you properly uncommented submission service in master.cf, the smtp
> should log as postfix/smtps/smtpd or postfix/submission/smtpd
> or your user used port 25 which is used for server-server mail transfer
> and may have different setup.
>
> I e.g. use postscreen (which sometimes adds 6-seconds delay) and also
> spam and virus checking milters (like amavisd-milter) on 25. This takes
> much time.
>
> on port 587/465 I tend to use amavis as content_filter, which means mail
> is received from user and filtered afterwards. This makes apparent
> receiving mail from client much faster.

does this look OK, that's what I had:

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps => ["virusalert\@$mydomain"],
  warnbadhsender => 1,
  # forward to a smtpd service providing DKIM signing service
  # forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};
[pfx] printer ip SMTP AUTH / mynetworks question
I have a user with an 'old' printer/scanner who wants to scan/email scans from the home located device

printer offers:
machine email address:
SMTP server:
SMTP server port:
send authentication: PoPb4SMTP/SMTP AUTH: Plain/Login/CRAM-MD5/Auto
login name:
passwd:

tried 587 with each of the 4 AUTH options, keeps failing

added printer IP to mynetworks, changed to port 25, working

any suggestion what it might need to use port 587 / AUTH ?

any undesired side effects of allowing printer IP in main.cf mynetworks ?

Dec 13 17:52:13 geko postfix/submission/smtpd[22180]: connect from 111-222-333-444.tpgi.com.au[111.222.333.444]
Dec 13 17:52:13 geko postfix/submission/smtpd[22180]: lost connection after EHLO from 111-222-333-444.tpgi.com.au[111.222.333.444]
Dec 13 17:52:13 geko postfix/submission/smtpd[22180]: disconnect from 111-222-333-444.tpgi.com.au[111.222.333.444] ehlo=1 commands=1

Dec 13 17:47:20 geko postfix/submission/smtpd[15098]: disconnect from 111-222-333-444.tpgi.com.au[111.222.333.444] ehlo=1 commands=1
Dec 13 17:48:12 geko postfix/anvil[15001]: statistics: max connection rate 6/3600s for (submission:111.222.333.444) at Dec 13 17:47:20
Dec 13 17:48:26 geko postfix/postscreen[14984]: CONNECT from [111.222.333.444]:50694 to [103.106.168.106]:25
Dec 13 17:48:26 geko postfix/postscreen[14984]: WHITELISTED [111.222.333.444]:50694
Dec 13 17:48:26 geko postfix/smtpd[15061]: connect from 111-222-333-444.tpgi.com.au[111.222.333.444]
Dec 13 17:48:26 geko postfix/smtpd[15061]: CB67D20BBA9: client=111-222-333-444.tpgi.com.au[111.222.333.444], sasl_method=LOGIN, sasl_username=u...@tld.com.au
Dec 13 17:48:30 geko amavis[15129]: (15129-15) Checking: P4rpqg2X2xgz [111.222.333.444] ->
Dec 13 17:48:31 geko postfix/smtpd[15061]: disconnect from 111-222-333-444.tpgi.com.au[111.222.333.444] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Dec 13 17:48:31 geko amavis[15129]: (15129-15) Passed CLEAN {RelayedInbound}, [111.222.333.444]:50694 [111.222.333.444] ESMTP/ESMTP -> , (ESMTPA://[111.222.333.444]:50694), Queue-ID: CB67D20BBA9, mail_id: P4rpqg2X2xgz, b: cNaGQKTr-, Hits: 0.436, size: 525554, queued_as: C064E20A5CB, Subject: "ScanFrom Printer (raw: =?utf-8?B?U2NhbkZy2NhbkZyb20gW50ZXI=?=)", From: , helo=iptarget, Tests: [ALL_TRUSTED=-1,BAYES_00=-1.9,DATE_IN_PAST_06_12=1.543,DKIM_INVALID=0.1,DKIM_SIGNED=0.1,INVALID_DATE=1.096,MISSING_MID=0.497], autolearn=no autolearn_force=no, autolearnscore=1.875, 1715 ms
[pfx] migrating server to new host
I have postfix/dovecot/mysql with virtual domains on centos; I would like to migrate working server setup to new host on rocky 8

installed new rocky with postfix as is available for rocky

what's the best way to do such ?

do I install ghettoforge repo on rocky, get version pf 3.8.5 then copy main/master .cf , start it and check for errors ?

existing centos server:
# postconf mail_version
mail_version = 3.8.5
# postconf -m
btree cidr environ fail hash inline internal ldap memcache mysql nis pcre pipemap proxy randmap regexp socketmap static tcp texthash unionmap unix

rocky:
# postconf mail_version
mail_version = 3.5.8
# postconf -m
btree cidr environ fail hash inline internal ldap memcache mysql nis pcre pipemap proxy randmap regexp socketmap static tcp texthash unionmap unix
[pfx] rbl override doesn't work perhaps due to sender using relay
I have set up rbl_override for the sender's domain. However it occasionally gets blocked by spamcop. The user owns a domain but relays the mail from outlook.

Here is the bounce message the user received:

**
Remote server returned '550 5.7.514 Decision Engine classified the mail item was rejected because of IP Block (from outbound normal IP pools) -> 554 5.7.1 Service unavailable; Client host [40.107.93.98] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.93.98'
**

Here is the related area from maillog with minimal sanitizing due to google reading these posts.

**
Feb 22 18:25:18 MYDOMAIN postfix/smtpd[12010]: connect from mail-dm6nam10on2098.outbound.protection.outlook.com[40.107.93.98]
Feb 22 18:25:18 MYDOMAIN postfix/smtpd[12010]: Anonymous TLS connection established from mail-dm6nam10on2098.outbound.protection.outlook.com[40.107.93.98]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 22 18:25:19 MYDOMAIN postfix/smtpd[12010]: NOQUEUE: reject: RCPT from mail-dm6nam10on2098.outbound.protection.outlook.com[40.107.93.98]: 554 5.7.1 Service unavailable; Client host [40.107.93.98] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.93.98; from= to= proto=ESMTP helo=
Feb 22 18:25:19 MYDOMAIN postfix/smtpd[12010]: using backwards-compatible default setting smtpd_relay_before_recipient_restrictions=no to reject recipient "m...@mydomain.com" from client "mail-dm6nam10on2098.outbound.protection.outlook.com[40.107.93.98]"
Feb 22 18:25:19 MYDOMAIN postfix/smtpd[12010]: disconnect from mail-dm6nam10on2098.outbound.protection.outlook.com[40.107.93.98] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
Feb 22 18:28:39 MYDOMAIN postfix/anvil[12013]: statistics: max connection rate 1/60s for (smtp:40.107.93.98) at Feb 22 18:25:18

This is the relevant part of my postfix main.cf. I am only showing the spamcop rbl.

smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_client_access hash:/etc/postfix/rbl_override,
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:private/policy
*
[pfx] Re: rbl override doesn't work perhaps due to sender using relay
Sorry for the top post but I am using my phone.

The rbl_override file only contains domain names with "space OK". If I whitelisted that IP address, I would be whitelisting a Microsoft address that I assume has multiple users. Also that relay IP address isn't static.

Feb 24, 2024 6:03:54 AM Matus UHLAR - fantomas via Postfix-users :

> On 24.02.24 00:49, lists--- via Postfix-users wrote:
>> I have set up rbl_override for the sender's domain. However it
>> occasionally gets blocked by spamcop. The user owns a domain but relays
>> the mail from outlook.
>>
>> Here is the bounce message the user received:
>
>> Remote server returned '550 5.7.514 Decision Engine classified the mail
>> item was rejected because of IP Block (from outbound normal IP pools)
>> -> 554 5.7.1 Service unavailable; Client host [40.107.93.98] blocked
>> using bl.spamcop.net; Blocked - see
>> https://www.spamcop.net/bl.shtml?40.107.93.98'
>
>> This is the relevant part of my postfix main.cf. I am only showing the
>> spamcop rbl.
>
>> smtpd_recipient_restrictions =
> [...]
>> check_client_access hash:/etc/postfix/rbl_override,
>> reject_rbl_client bl.spamcop.net,
>> check_policy_service unix:private/policy
>
> What's in /etc/postfix/rbl_override ? It obviously does not match 40.107.93.98
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> One OS to rule them all, One OS to find them,
> One OS to bring them all and into darkness bind them
[pfx] Re: rbl override doesn't work perhaps due to sender using relay
https://www.dnswl.org/?page_id=15

I get your point but this is for a different blocking list. That is spamcop and spamassassin have different blocking lists.

What I really need is a way to make the rbl_override work for the domain name that has been related.

I am going to review my logs and see how much spam spamcop stops that isn't coming from Microsoft. Maybe I could whitelist the Microsoft IP space in rbl_override.

Feb 24, 2024 6:15:10 AM Benny Pedersen via Postfix-users :

> lists--- via Postfix-users skrev den 2024-02-24 09:49:
>
>> check_client_access hash:/etc/postfix/client_checks,
>> check_sender_access hash:/etc/postfix/sender_checks,
>> check_client_access hash:/etc/postfix/rbl_override,
>> reject_rbl_client bl.spamcop.net,
>> check_policy_service unix:private/policy
>
> https://hetrixtools.com/blacklist-check/40.107.93.98
>
> not listed, suggest dnswl in postfix, google it :)
>
> other than that don't use hash for ip checks
>
> cidr is more perfect for this
>
> on the other side https://multirbl.valli.org/lookup/40.107.93.98.html
>
> https://dnswl.org/s/?s=1357
[pfx] Re: rbl override doesn't work perhaps due to sender using relay
That should work. Thanks

https://www.postfix.org/access.5.html

Feb 24, 2024 8:05:00 AM Matus UHLAR - fantomas via Postfix-users :

>>> On 24.02.24 00:49, lists--- via Postfix-users wrote:
>>>> I have set up rbl_override for the sender's domain.
> [...]
>>>> smtpd_recipient_restrictions =
>>> [...]
>>>> check_client_access hash:/etc/postfix/rbl_override,
>>>> reject_rbl_client bl.spamcop.net,
>>>> check_policy_service unix:private/policy
>
>> Feb 24, 2024 6:03:54 AM Matus UHLAR - fantomas via Postfix-users
>> :
>>> What's in /etc/postfix/rbl_override ? It obviously does not match
>>> 40.107.93.98
>
> On 24.02.24 06:12, lists--- via Postfix-users wrote:
>> The rbl_override file only contains domain names with "space OK". If I
>> whitelisted that IP address, I would be whitelisting a Microsoft address
>> that I assume has multiple users. Also that relay IP address isn't static.
>
> I see it now.
>
> If you are trying to whitelist sender domain, you must use
> check_sender_access, since check_client_access checks sending IP address or
> hostname that IP maps to, which is in this case
> mail-dm6nam10on2098.outbound.protection.outlook.com.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> He who laughs last thinks slowest.
[pfx] rbl bounces email that has both rbl_override and client_checks whitelisting
I still have that problem with the sender that used a spammy microsoft server that gets rejected by IP for using spamcop. I put the domain in the client_checks file but the sender gets bounced.

postconf mail_version
mail_version = 3.8.1

compatibility_level = 2

The client_checks line was added.

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_client_access hash:/etc/postfix/rbl_override,
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:private/policy

This is the contents of client_checks:

cat client_checks
idontspam.com OK

A simple check to verify the postmap worked:

sh-4.2# ls -l client_check*
-rw-r--r-- 1 root root    19 Feb 25 03:03 client_checks
-rw-r--r-- 1 root root 12288 Feb 25 03:06 client_checks.db

**
This is an actual spammer being rejected:

Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: connect from mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]
Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: Anonymous TLS connection established from mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: NOQUEUE: reject: RCPT from mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]: 554 5.7.1 Service unavailable; Client host [40.107.220.108] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.220.108; from= to= proto=ESMTP helo=
Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: using backwards-compatible default setting smtpd_relay_before_recipient_restrictions=no to reject recipient "m...@mydomain.com" from client "mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]"
Feb 25 23:10:04 MYDOMAIN postfix/smtpd[19121]: disconnect from mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
**

**
This is email from the sender that appears on the client_check file

Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: connect from mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: Anonymous TLS connection established from mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: NOQUEUE: reject: RCPT from mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]: 554 5.7.1 Service unavailable; Client host [40.107.93.125] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.93.125; from= to= proto=ESMTP helo=
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: using backwards-compatible default setting smtpd_relay_before_recipient_restrictions=no to reject recipient "m...@mydomain.com" from client "mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]"
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: disconnect from mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
Feb 27 03:57:47
[pfx] Re: rbl bounces email that has both rbl_override and client_checks whitelisting
Well do I put the domain in sender_access or sender_checks? It looks like sender_access with an OK since it acts on the FROM field.

https://www.postfix.org/postconf.5.html

I have a sender_checks file but I don't see that on the postfix.org website. Is that a deprecated parameter?

Feb 27, 2024 1:09:02 PM Wietse Venema :

> Your mistake: you are trying to match a SENDER ADDRESS with
> check_CLIENT_access.
>
> Wietse
[pfx] question regarding postmap -q test
My sender_access file contains

charity.donation.jp REJECT

postmap -q charity.donation.jp hash:sender_access
REJECT

So it returns REJECT as expected. However testing some random users at the domain:

postmap -q m...@charity.donation.jp hash:sender_access

returns nothing. Is the domain being rejected in actual use even though postmap -q testing with a specific user at the domain name doesn't return anything?

This test has similar results with OK instead of REJECT.
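Why the two queries above behave differently, as an added example (not from the thread and not Postfix source code): `postmap -q` performs one exact-key lookup, while `check_sender_access` on an indexed table tries several keys derived from the address, in the order documented in access(5). The sketch models that search order in Python; the address `someone@...` is constructed, and address extensions and the null sender are not modeled.

```python
# Table content from the post above.
SENDER_ACCESS = """\
# pattern              action
charity.donation.jp    REJECT
"""


def parse_access_table(text):
    """Parse 'pattern action' lines of an access(5) source file into a dict."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, action = line.partition(" ")
        table[pattern.lower()] = action.strip()
    return table


def postmap_q(table, key):
    """Model of `postmap -q key hash:table`: a single exact-key lookup."""
    return table.get(key.lower())


def sender_lookup_keys(address, parent_matches_subdomains=True):
    """Keys tried, in order, when smtpd checks a sender against an indexed table.

    parent_matches_subdomains models whether smtpd_access_maps is listed in
    parent_domain_matches_subdomains (it is in the default setting). When it
    is not, parent domains only match through '.domain.tld' patterns.
    """
    address = address.lower()
    local, _, domain = address.rpartition("@")
    keys = [address, domain]                 # user@domain, then domain.tld
    labels = domain.split(".")
    for i in range(1, len(labels)):          # then each parent domain
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(local + "@")                 # finally user@
    return keys


def check_sender_access(table, address, parent_matches_subdomains=True):
    """Return (matching_key, action) for the first key found, else (None, None)."""
    for key in sender_lookup_keys(address, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, None


if __name__ == "__main__":
    table = parse_access_table(SENDER_ACCESS)
    addr = "someone@charity.donation.jp"     # constructed address
    print("postmap -q domain  :", postmap_q(table, "charity.donation.jp"))
    print("postmap -q address :", postmap_q(table, addr))
    print("keys smtpd tries   :", sender_lookup_keys(addr))
    print("check_sender_access:", check_sender_access(table, addr))
```

To test an address the way smtpd sees it, query each derived key with `postmap -q` in turn, or send a test message and read the reject line in the log.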
[pfx] postfix check_sender_access and subdomain test
I can tell you there is significant spam from that Microsoft IP space. That spamcop doesn't have false positives, but rather due to the sharing of IP space, senders that aren't spammers get tarred with the same brush as the spammers. I did a grep on the maillog files and that is a firehose of spam. Up to you of course. I have a few posts on the list trying to whitelist just one sender.
[pfx] Restrict Sender Domain for Relay
I have a small email relay server that is used to allow IOT devices to send email. Some of those devices do not do authentication. I'd like to restrict the sender domain based on the IP.

I'm looking for something like smtpd_sender_login_maps, but for client IPs.

Example of a smtpd_sender_login_maps:
/@domain.tld/ account # Only 'account' can send email from @domain.tld

Example of what I'm looking for:
/@domain.tld/1.2.3.4,5.6.7.8 # Only list IPs can send email as @domain.tld.

Bonus point if the solution can take CIDR notation in addition to IPs

I've been re-reading the documents, but I don't see how to do this. Does anyone know how to do this?
[pfx] Re: Restrict Sender Domain for Relay
On Fri, Sep 13, 2024 at 10:50 AM Wietse Venema via Postfix-users <postfix-users@postfix.org> wrote:

> Dan Lists via Postfix-users:
> > I have a small email relay server that is used to allow IOT devices to send
> > email. Some of those devices do not do authentication. I'd like to
> > restrict the sender domain based on the IP.
> >
> > I'm looking for something like smtpd_sender_login_maps, but for client IPs.
>
> There is no IP-based analogon for smtpd_sender_login_maps,
> due to lack of demand.
>
> If you don't have a huge number of such IP addresses, perhaps a
> plugin with https://www.postfwd.org/ can do this.
>
> main.cf:
>     smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:12345
>
> Make sure that this will not affect the services for submission
> (port 587) and submissions (port 465) in master.cf. They should
> look like:
>
> master.cf:
>     submission inet n - n - - smtpd
>         ...
>         -o smtpd_sender_restrictions=
>         ...
>     submissions inet n - n - - smtpd
>         ...
>         -o smtpd_sender_restrictions=
>         ...
>
> Alternatively, milter-regex may be able to do this.
>
> Wietse
>

Thanks for the information. I was hoping to avoid using a policy daemon. I'll have a look at postfwd and milter-regex.
[pfx] Re: Restrict Sender Domain for Relay
On Fri, Sep 13, 2024 at 10:22 PM Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:

> On Fri, Sep 13, 2024 at 10:29:21AM -0500, Dan Lists via Postfix-users
> wrote:
>
> > I have a small email relay server that is used to allow IOT devices to send
> > email. Some of those devices do not do authentication. I'd like to
> > restrict the sender domain based on the IP.
>
> How many distinct sender domains are in scope? If it is just a small
> handful, you can restriction classes:
>
> main.cf:
>     smtpd_restriction_classes =
>         require_sender_domain_a,
>         require_sender_domain_b,
>         require_sender_domain_c
>
>     smtpd_client_restrictions =
>         check_client_access cidr:{
>             {192.0.2.1/32 require_sender_domain_a}
>             {192.0.2.2/32 require_sender_domain_b}
>             {192.0.2.3/32 require_sender_domain_c}
>             ...
>         }
>
>     # Be meticulous with the PCRE syntax, ensuring the trailing '$'
>     # anchor, leading '@' domain prefix, and escaping literal '.'
>     # with '\'. You can use "regexp" rather than "pcre" if that's
>     # more convenient. The syntax below is common to both.
>     #
>     require_sender_domain_a =
>         check_sender_access pcre:{
>             {if !/@a\.example$/}
>             {/^/ REJECT for some reason}
>             {endif}
>         }
>     require_sender_domain_b =
>         check_sender_access pcre:{
>             {if !/@b\.example$/}
>             {/^/ REJECT for some reason}
>             {endif}
>         }
>     require_sender_domain_c =
>         check_sender_access pcre:{
>             {if !/@c\.example$/}
>             {/^/ REJECT for some reason}
>             {endif}
>         }
>
> > /@domain.tld/1.2.3.4,5.6.7.8 # Only list IPs can send email as
> > @domain.tld.
>
> You probably have more IPs than sender domains, and the latter are
> typically less volatile than the IPs, so with restriction classes, it
> makes more sense to map IPs to allowed domains, than domains to allowed
> IPs.
>
> --
> Viktor.
>

Thanks, that is some cool voodoo!

We have 8 domains currently and about 25 IPs and CIDR blocks. The inline tables would make this fairly manageable.

It looks like if an IP isn't in check_client_access but is allowed to relay then that IP could send as whoever they like. All IPs that relay would have to be in check_client_access. Could this be reversed?

smtpd_client_restrictions =
    check_sender_access: pcre:{
        /@a\.example$/ check_client_access_a
    }

check_client_access_a =
    check_client_access cidr: {
        192.168.1.0/24 DUNNO
        192.168.2.0/24 DUNNO
        0.0.0.0/0 REJECT Relay access denied
    }
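The policy-service route mentioned earlier in this thread, sketched as an added example (not code from postfwd, Postfix, or any poster): a decision routine that maps client networks to permitted sender domains, picks the most specific matching network, and rejects relay clients that are not listed, which addresses the gap raised in the last message. The rule table, addresses and domains are constructed; running it as a stdin/stdout service under spawn(8) is an assumption.

```python
import ipaddress
import sys

# Constructed rules using documentation address ranges and example domains:
# client network -> sender domains that network may use.
RULES = {
    "192.0.2.1/32": {"a.example"},
    "192.0.2.0/24": {"b.example"},
    "198.51.100.0/24": {"a.example", "c.example"},
}


def compile_rules(rules):
    """Parse networks once and order them most-specific first."""
    compiled = [
        (ipaddress.ip_network(net), {d.lower() for d in domains})
        for net, domains in rules.items()
    ]
    compiled.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return compiled


def parse_request(text):
    """Parse one policy delegation request: name=value lines."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, compiled, unlisted_action="REJECT Relay access denied"):
    """Return the access(5) action for one request.

    Unlisted clients get unlisted_action, so a relay client that was never
    added to the table cannot send as an arbitrary domain.
    """
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return unlisted_action
    sender = attrs.get("sender", "").lower()
    for net, domains in compiled:
        if client in net:
            if not sender:
                return "DUNNO"      # null sender carries no domain to check
            if sender.rpartition("@")[2] in domains:
                return "DUNNO"      # let the remaining restrictions decide
            return "REJECT Sender domain not permitted for this client"
    return unlisted_action


def handle_request(text, compiled):
    """Build the reply Postfix expects: one action line and an empty line."""
    return "action=%s\n\n" % decide(parse_request(text), compiled)


def main():
    # Requests arrive as blocks of name=value lines ended by an empty line.
    compiled = compile_rules(RULES)
    block = []
    for line in sys.stdin:
        if line.strip():
            block.append(line)
            continue
        if block:
            sys.stdout.write(handle_request("".join(block), compiled))
            sys.stdout.flush()
            block = []


if __name__ == "__main__":
    main()
```

The default-reject for unlisted clients only makes sense on a listener that serves relay devices exclusively; on a listener that also accepts inbound mail, pass `unlisted_action="DUNNO"`.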
[pfx] Re: 25 years today
On 14-12-2023 14:20, Wietse Venema via Postfix-users wrote:

> As a few on this list may recall, it is 25 years ago today that the
> "IBM secure mailer" had its public beta release. This was accompanied
> by a nice article in the New York Times business section.
> ...
> That was a long time ago. Postfix has evolved as the Internet has
> changed. I am continuing the overhaul of this software, motivated
> by people like you on this mailing list.
>
> Wietse

Back in 2001 or so, I needed an MTA at the place I worked, and I wasn't too experienced. So I tried Sendmail because it was the default, didn't understand it, so that didn't work out. Next I somehow found Qmail (it's too long ago to remember how that happened), and found it even worse to handle. Then I found Postfix, and immediately got it to work for what I needed it to do. Since then, I've been using Postfix for all mail servers I've ever built, never looked back.

A big thank you for this excellent piece of software and all the support we're still getting!

-- Rob
[pfx] SASL_README correction
Hi,

I was reading the SASL_README, "The ldapdb plugin" at:
https://www.postfix.org/SASL_README.html#auxprop_ldapdb

[quote]
Tip: [...snip...] Instead, you can use "saslauthd -a ldap" to query the LDAP database directly, with appropriate configuration in saslauthd.conf, as described here. [...snip...]
[/quote]

The link for "as described here" points to:
http://git.cyrusimap.org/cyrus-sasl/tree/saslauthd/LDAP_SASLAUTHD

Which returns a "No page found" message.

I guess it is currently hosted at:
https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD

-- Rob