how to build a (enterprise) postfix system
Hello List, we are planing to set up a new E-Mail (Cluster) system with postfix. Our goal is that this is all ldap based and that our customers can manage their own: - E-Mail Addresses - Passwords - Black/White lists - Spamasassin reports - Autoreply/vacatation - Filter rules - etc.. Ldap is the choise because we need it for other systems too. Since postfix supports ldap out of the box this is not such a big problem. The tricky part is the autoresponder and filter rules. I could use mimedefang along with postfix to cover this, but i would like to know your opinion first. Maybe there is already such a projekt out there? It would also be okay to spend some money on it. Ok, so basically I/we want a (enterprise) postfix system that covers all those features so that a customer can manage their own e-mail business (all based on ldap). I am thankful for any thoughts or hints. Cheers, Mario
LDAP based auto reply in virtual hosting environment
Hello List, i would like to have a ldap based auto reply feature in a virtual hosting environment. I had a look at gnarwl, but it was removed from Debian lenny due to some security issues: http://www.downloadpipe.com/forums/linux/Bug-457279-remove-gnarwl-lenny-ftopict57832.html Is there any other way/project/tool to set up a auto reply or vacation messaged based on ldap? Cheers, Mario
Whats the LDAP variable for Source IP Address?
Hello List, there are such LDAP variables such as %s and %d to do ldap based queries. I am looking for the varibale which is the ip adress. I want to check my ldap for IP-Addresses that i allow relay for. I did have a look at http://www.postfix.org/ldap_table.5.html, but was unlucky. Cheers, Mario
submit locally-generated mail via SMTP
Hello List, is it possible to submit locally-generated mail via SMTP somehow?! If yes, how?! I am asking because i would like to use stream_by_receipient from mimedefang and i ran into this problem here: http://lists.roaringpenguin.com/pipermail/mimedefang/2010-June/035844.html (...)Convince Wietse Venema to add a flag to Postfix that makes it submit locally-generated mail via SMTP on the loopback address the same way Sendmail 8.12 and newer do. (Or maybe you can already configure Postfix to do this? I do not know.) (...) Cheers, Mario
smtpd saslauthd wont work
Hello List,
i cant get postfix with smtpd saslauthd working and its driving me crazy!
warning: SASL authentication problem: unknown password verifier
warning: unknown[192.168.10.30]: SASL LOGIN authentication failed: no
mechanism available
Basically i followed the howto from http://wiki.debian.org/PostfixAndSASLb
Saslauthd seems to work:
/usr/sbin/testsaslauthd -u admin -p
0: OK "Success."
~# postconf -n
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:/usr/local/foo-admin/cyrus/var/socket/lmtp
message_size_limit = 31457280
milter_default_action = accept
mydestination =
myhostname = example.foo.net
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
192.168.106.0/24 192.168.107.0/24 192.168.108.0/24
myorigin =
readme_directory = no
recipient_delimiter = +
relay_domains = ldap:/usr/local/foo-admin/postfix/etc/relaydomains.cf
relayhost = [smtp.foo.net]
setgid_group = postdrop
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
smtpd_milters = unix:/usr/local/foo-admin/var/spool/MIMEDefang/mimedefang.sock
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = no
transport_maps = ldap:/usr/local/foo-admin/postfix/etc/transportmaps.cf
virtual_alias_maps = ldap:/usr/local/foo-admin/postfix/etc/virtusertable.cf
virtual_mailbox_domains = ldap:/usr/local/foo-admin/postfix/etc/mydestination.cf
virtual_mailbox_maps = ldap:/usr/local/foo-admin/postfix/etc/virtusertable.cf
virtual_transport = lmtp:unix:/usr/local/foo-admin/cyrus/var/socket/lmtp
cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
~# grep ^smtp /etc/postfix/master.cf
smtp inet n - - - - smtpd
smtp unix - - - - - smt
What does "unknown password verifier" mean and who creates the error and why?
How can i verify if postfix smtpd and sasl are set up with the correct
permissions, links and chroot?
Thanks,
Mario
Re: smtpd saslauthd wont work
I just ran saslauthd with -d. I can see the auth requests if u run "/usr/sbin/testsaslauthd -u admin -p -s smtp -f /var/run/saslauthd/mux" as postfix user. But i DO NOT see any auth requests if I connect with my thunderbird client. So i guess postfix somehow can`t or won't connect to my saslauthd for some reason. I am not using chroot now. I guess (debian) postfix reads /etc/postfix/sasl/smtpd.conf: saslauthd_path: /var/run/saslauthd/mux pwcheck_method: saslauthd mech_list: PLAIN log_level: 3 and then tries to connect via unix socket to saslauthd_path: /var/run/saslauthd/mux ? Since saslauthd does not show any auth requests there must be something wrong with my unix socket and its permissions, right? >> warning: SASL authentication problem: unknown password verifier >> warning: unknown[192.168.10.30]: SASL LOGIN authentication failed: >> no mechanism available > > When posting logs here, do not trim. That should have been preceded > by a "$DATE postfix/smtpd[$PID]". If it was NOT smtpd, read no > further. Also, the entire logging related to this connection might > have been useful. Sorry. Yes it was smtpd. > > Why are you using LOGIN authentication? PLAIN is the standard. Ok, i changed it to plain now: smtpd: SASL PLAIN authentication failed: no mechanism available > >> Basically i followed the howto from >> http://wiki.debian.org/PostfixAndSASLb > > See also the Cyrus SASL portions of the Postfix SASL_README. To be > precise, you should only view third party HOWTO documents as an > addition to the Postfix documentation. I did also have a look at SASL_README, however if you use Debian you also need to read their Documentation, too. > > You'll also need to see your distributor's documentation of their > non-standard Cyrus SASL package. Specifically they use non-standard > paths. > >> Saslauthd seems to work: >> /usr/sbin/testsaslauthd -u admin -p >> 0: OK "Success." > > I think you'll need to specify "-s smtpd" to ensure you're testing > your smtpd.conf file. No manual entry for testsaslauthd here, > unfortunately. This actually works too (non chroot here): su - postfix /usr/sbin/testsaslauthd -u admin -p -s smtp -f /var/run/saslauthd/mux 0: OK "Success." > >> ~# postconf -n I removed the obsolete lines. I will have a closer look at the virutal and transport stuff later since i am stuck with sasl smtpd now. >> cat /etc/postfix/sasl/smtpd.conf >> pwcheck_method: saslauthd >> mech_list: PLAIN LOGIN >> >> >> ~# grep ^smtp /etc/postfix/master.cf >> smtp inet n - - - - smtpd >> smtp unix - - - - - smt > > Take it out of the chroot if you do not know how to maintain the > chroot. This is an ongoing issue with Debian. You probably do not > need chroot anyway. I also did that, still the same error. > >> What does "unknown password verifier" mean and who creates the >> error and why? > > It was created by the daemon process whose name you snipped from the > log line above. It looks like your Cyrus SASL does not support LOGIN > mechanism. The answer to that might be found in the distributor's > Cyrus SASL documentation. > >> How can i verify if postfix smtpd and sasl are set up with the >> correct permissions, links and chroot? > > If by "links" you mean symbolic links, those don't work in a chroot > environment unless they are relative to the chroot (links pointing > within the chroot.) The Postfix DEBUG_README covers how to take it > out of chroot, and chroot examples are provided with the source code > package. Thanks, Mario
smtpd_recipient_restrictions with empty from=<> envelope
Hello List,
why does postfix use a empty from=<> envelope when it tried to verify the
recioient?:
Aug 14 17:59:35 mailout9 postfix/smtpd[26204]: NOQUEUE: reject: RCPT from
smtp.example.net[212.87.132.35]: 450 4.1.1 : Recipient address
rejected: unverified address: Address verification in progress; from=<> to=<
f...@bar.com> proto=ESMTP helo=
Can i also set/pass the original from address somehow?
root@mailout9:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination =
myhostname = mailout9.example.net
mynetworks = 127.0.0.0/8 123.123.123.123 123.123.123.85
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = reject_unknown_client_hostname
reject_unknown_reverse_client_hostname
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions = reject_unverified_recipient
permit_mynetworks reject_unauth_destination
smtpd_sender_restrictions = reject_non_fqdn_sender
reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = no
transport_maps = hash:/etc/postfix/transport
unverified_recipient_reject_code = 550
Thanks,
Mario
Re: smtpd_recipient_restrictions with empty from=<> envelope
Hello Robert, thanks for your reply. Can i also set the original sender address as the address_verify_sender? I wasnt able to find anything in the manual :-/ Thanks, Mario On Fri, Aug 15, 2014 at 11:12 AM, Robert Schetterer wrote: > Am 15.08.2014 um 10:36 schrieb li...@rhsoft.net: > > > > > > Am 15.08.2014 um 08:22 schrieb ml ml: > >> why does postfix use a empty from=<> envelope when it tried to verify > the recioient? > > > > * because it is the correct way of doing it > > * because an ordianry address may get blocked > > * because the other side knows and has to know > > that this is a bounce or verify call and > > handeled differently (never ever autorespond...) > > > > http://en.wikipedia.org/wiki/Bounce_message > > Bounce messages in SMTP are sent with the envelope sender address <>, > known as the null sender address > > > > ... > address_verify_sender (default: $double_bounce_sender) > > The sender address to use in address verification probes; prior to > Postfix 2.5 the default was "postmaster". To avoid problems with address > probes that are sent in response to address probes, the Postfix SMTP > server excludes the probe sender address from all SMTPD access blocks. > > Specify an empty value (address_verify_sender =) or <> if you want > to use the null sender address. Beware, some sites reject mail from <>, > even though RFCs require that such addresses be accepted. > > Examples: > > address_verify_sender = <> > address_verify_sender = postmaster@my.domain > > > > Best Regards > MfG Robert Schetterer > > -- > [*] sys4 AG > > http://sys4.de, +49 (89) 30 90 46 64 > Franziskanerstraße 15, 81669 München > > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 > Vorstand: Patrick Ben Koetter, Marc Schiffbauer > Aufsichtsratsvorsitzender: Florian Kirstein >
how to protect MTAs from mass mails
Hello list, from time to time i get hit by mass mail with fake sender addresses. By default my postfix accepted those mails until it found out that the recipent does not exists. Then postfix tries to send back that "550 User Unknown" error mail. However, the sender is fake. Therefore the mails get stuck on my postfix mta. I now enabled recipient address verification. In that case my postfix mta will reject the mails already in the rcpt to stream. Which is great. However, i now got blacklisted by backscatterer: --- This IP IS CURRENTLY LISTED in our Database. Please note that this listing does NOT mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques. This kind of abuse is known as BACKSCATTER (Misdirected Bounces or Misdirected Autoresponders or Sender Callouts). Click the links above to get clue how and why to stop that kind of abuse. To track down what happened investigate your smtplogs near 20.08.2014 09:19 CEST +/-1 minute. You will either find that your system tried to send misdirected bounces or misdirected autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time. So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM. Reading your logs carefully it shouldn't be a big deal to figure out what caused or renewed your listing. This IP is temporary listed. The listing will expire automatically and free of charge 4 weeks after the last abuse is seen from that IP. The source of this problem seem to be the emtpy address verify probes/mails. In this case this no spam or mass mails or anything. Just a lot of mails and empty from sender addresses and a lot of mail traffic. I already asked about this in http://archives.neohapsis.com/archives/postfix/2014-08/0282.html But i am not sure if i am doing it right in genereal. Does anyone have the same problem? Is reject_unverified_recipient the wrong way to go? Thanks a lot, Mario
Re: smtpd_recipient_restrictions with empty from=<> envelope
Hi Wietse, may i kindly ask why the original sender address cant be passed for the address_verify_sender feature? Is there a specific reason? Thanks a lot, Mario On Wed, Aug 20, 2014 at 1:07 PM, Wietse Venema wrote: > ml ml: >> Hello Robert, >> >> thanks for your reply. >> >> Can i also set the original sender address as the address_verify_sender? >> >> I wasnt able to find anything in the manual :-/ > > It is not documented, therefore it is not supported. > > Wietse
Re: how to protect MTAs from mass mails
This setup is not very unusual if you have a lager network. Then you
have multiple mailout servers for send/deliver the mails.
How could i possibly control recipients that do not belong to me?!
This is my config:
--
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination =
myhostname = mailout9.example.net
mynetworks = 127.0.0.0/8 xxx.xxx.132.35 xxx.xxx.131.219 195.4.248.13
xxx.xxx.132.51 xxx.xxx.132.36 xxx.xxx.131.181 xxx.xxx.131.201
xxx.xxx.131.205 xxx.xxx.130.99 xxx.xxx.132.56 xxx.xxx.132.73
xxx.xxx.130.98 xxx.xxx.154.100 xxx.xxx.132.57 xxx.xxx.146.241
xxx.xxx.138.85
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = reject_unknown_client_hostname
reject_unknown_reverse_client_hostname
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = no
transport_maps = hash:/etc/postfix/transport
unverified_recipient_reject_code = 550
Looking at it now, mynetwork seems to be the reason my mta accepts all
mails (which it does not by default).
Here is a little ugly diagram:
http://www.sumoware.com/images/temp/xztxkmqojbcmrerp.png
I tried using reject_unverified_recipient to avoid that the mailout
server accept mails it wont be able to deliver.
What am i doing wrong? Or: HOW should i do it?
Thanks,
Mario
On Wed, Aug 20, 2014 at 1:44 PM, Daniele Nicolodi wrote:
> On 20/08/2014 10:56, ml ml wrote:
>> By default my postfix accepted those mails until it found out that the
>> recipent does not exists. Then postfix tries to send back that "550
>> User Unknown" error mail.
>
> I doubt that Postfix by default accepts mail for users it does not know
> about, but anyway...
>
>> However, the sender is fake. Therefore the mails get stuck on my postfix mta.
>>
>> I now enabled recipient address verification. In that case my postfix
>> mta will reject the mails already in the rcpt to stream. Which is
>> great.
>>
>> However, i now got blacklisted by backscatterer:
>
> I'm not surprised.
>
>> The source of this problem seem to be the emtpy address verify
>> probes/mails. In this case this no spam or mass mails or anything.
>> Just a lot of mails and empty from sender addresses and a lot of mail
>> traffic.
>
> The reason why you are blacklisted is the backscatter caused by your
> late rejection of incoming messages, NOT the recipient verify probes.
> And if you need to use recipient verify for domains that are not under
> your control, you are definitely doing something wrong: why do you
> accept mail from external sources directed to domains you do not
> control? This smells like an open relay to me.
>
> Cheers,
> Daniele
>
[pfx] transport_maps : fatal: garbage after "]" in server description...
Hello List, i am running Postfix 3.4.14 and try to set up mailrouting to multiple smtp hosts. transport_maps = hash:/etc/postfix/mailertable example.com smtp:[mx1.foobar.com],smtp:[mx2.foobar.com] However i get: fatal: garbage after "]" in server description: [mx1.foobar.com],smtp:[mx2.foobar.com] Whats the correct syntax? I cant find a hint in the docs :-/ Thanks, Michael ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] reject_unverified_recipient triggers Recipient address rejected
Hello,
i am running 3.4.14 smoothly. However, after adding a virtual ip and
some mailrouting (migration from an old sendmail host) i have the
problem, that if i add "reject_unverified_recipient":
smtpd_recipient_restrictions = permit_mynetworks
reject_unknown_recipient_domain reject_unverified_recipient
then i fail to deliver those mails:
postfix/submission/smtpd[23263]: NOQUEUE: reject: RCPT from
unknown[21.193.143.55]: 450 4.1.1 : Recipient address rejected:
unverified address: unknown mail transport error; from=
to= proto=ESMTP helo=
The reject_unverified_recipient flag worked fine before i did that migration.
The mails get delivered just fine (!) after removing the
reject_unverified_recipient flag. We already deleted the cache files
which temporarily fixed the problem.
I can also deliver the mail with a manual telnet.
Any hints on this verify problem? It looks like a local problem to me.
Here is my config:
-
address_verify_negative_cache = yes
address_verify_negative_expire_time = 24h
address_verify_negative_refresh_time = 15m
alias_database = hash:/etc/aliases hash:/etc/postfix/aliases
alias_maps = hash:/etc/aliases hash:/etc/postfix/aliases
allow_mail_to_commands = alias,forward,include
append_dot_mydomain = no
biff = no
compatibility_level = 2
debug_peer_list = 123.123.131.199
default_process_limit = 150
inet_interfaces = all
inet_protocols = all
local_recipient_maps =
local_transport = lmtp:unix:/run/cyrus/socket/lmtp
mailbox_size_limit = 9000
mailbox_transport = lmtp:unix:/run/cyrus/socket/lmtp
message_size_limit = 9000
mydestination = $myhostname, localhost, foo2.example.net, bar-1.example.net
myhostname = foo.example.net
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
123.123.172.75/32 123.123.130.86/32 123.123.150.195/32
123.123.152.74/32 123.123.160.114/32 123.123.152.105/32
123.123.128.219/32 123.123.131.247/32 123.123.66.12/32
123.123.128.227/32 123.123.150.17/32 123.123.149.243/32
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_domains = hash:/etc/postfix/mailertable
relayhost = mailout.example.net
smtp_tls_CApath = /etc/ssl/certs/
smtp_tls_cert_file = /etc/ssl/certs/wildcard.example.net-fullchain.pem
smtp_tls_key_file = /etc/ssl/private/wildcard.example.net-key.pem
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 20
smtpd_client_event_limit_exceptions =
smtpd_recipient_restrictions = permit_mynetworks reject_unknown_recipient_domain
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = foo.example.net
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_cert_file = /etc/ssl/certs/wildcard.example.net-fullchain.pem
smtpd_tls_key_file = /etc/ssl/private/wildcard.example.net-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/mailertable
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_domains = /etc/postfix/local-host-names
virtual_alias_maps = hash:/etc/postfix/virtusertable hash:/etc/postfix/aliases
virtual_transport = lmtp:unix:/run/cyrus/socket/lmtp
Cheers,
Michael
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] HowTo Migrate from text based mapping/routing to Database based routing
Hello, currently we manually use text files for mapping/routing: # postconf -n |grep -e transport -e alias alias_database = hash:/etc/aliases hash:/etc/postfix/aliases alias_maps = hash:/etc/aliases hash:/etc/postfix/aliases allow_mail_to_commands = alias,forward,include local_transport = lmtp:unix:/run/cyrus/socket/lmtp mailbox_transport = lmtp:unix:/run/cyrus/socket/lmtp transport_maps = hash:/etc/postfix/mailertable (=> sub.example.com smtp:[somerelay.net] virtual_alias_domains = /etc/postfix/local-host-names (=> example.com) virtual_alias_maps = hash:/etc/postfix/virtusertable hash:/etc/postfix/aliases (=> f...@example.com pop-1234-0005) virtual_transport = lmtp:unix:/run/cyrus/socket/lmtp We would like to migrate to a Database in order to manage it with a GUI or something. Any hints on this? Are there existing scripts/projects? Thanks, Michael ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
