chain forward {
    type filter hook forward priority 0; policy accept;
}
chain output {
    type filter hook output priority 0; policy accept;
}
}
Rich Wales
ri...@richw.org
't seem to
match the info I've been posting up till now about my server, that may
be why.
Rich Wales
ri...@richw.org
submission inet n - n - - smtpd -v
  -o smtpd_enforce_tls=yes
  -o soft_bounce=no
  -o cleanup_service_name=msa-cleanup
-
on to "drop". I'm still waiting to
see if I have any more instances of open relay attempts from localhost
after having made this change. If the earlier open relay attempts are
in fact somehow (still unsure how?) being generated as a consequence of
the blacklisted connection, then
Postfix configuration for what this might be worth.
Thanks for any thoughts.
Rich Wales
ri...@richw.org
kind of attack. As a
very last resort, I may consider wiping and rebuilding the system, but
I'm not willing to expend the time and energy to do that without first
having some reasonably specific evidence indicating exactly what has
happened.
Rich Wales
ri...@richw.org
r which this web site is supposed to
recognize and do anything with is a "page=" parameter. Everything else
on the command line / URL should be disregarded.
Rich Wales
ri...@richw.org
none around the dates of interest.
And I have still not seen any further instances of the hacker attack in
the last several days.
Rich Wales
ri...@richw.org
return code.
The HTTP 302 responses to "GET /nette.micro" requests appear, as best I
can tell, to have all been simple redirections from HTTP to HTTPS. The
corresponding HTTPS GET requests were all rejected with 404 codes.
Rich Wales
ri...@richw.org
his wouldn't solve every problem,
but it seems to me like a very useful thing for Postfix to be able to
do. If this option is intentionally not and most likely never will be
part of Postfix, I would be grateful for an explanation of why it is not
actually helpful, even if it might appear to be at first glance.
Rich Wales
ri...@richw.org
mate e-mail passing through milters and such.
But what I want to know is if any such option exists at all.
Rich Wales
ri...@richw.org
be using e-mail or TCP connections
already for its own legitimate purposes, but being co-opted by a hacker
to nefarious ends? Or could *any* PHP script theoretically be infected
in a way that would cause this misbehaviour?
Rich Wales
ri...@richw.org
ame NAT/proxy path as the spam did.
I'll continue searching for any possible security hole on my firewall
appliance, though.
Rich Wales
ri...@richw.org
Sorry, when I said "chronologically last 'Received:' line" in my earlier
e-mail, I meant to say "chronologically first (physically last)". Mea
culpa.
Rich Wales
ri...@richw.org
coming into and delivered via this server retain the
sending host's identity, btw, and are not rewritten to claim they came
from localhost.
Rich Wales
ri...@richw.org
ission would also help.
Thanks. I'll look into this.
Rich Wales
ri...@richw.org
v) for the "smtpd" line in my master.cf,
in hopes that this may capture some additional detail of inbound SMTP
sessions. Any other debugging suggestions would be welcomed.
I'll be back when I have something reasonably useful for you to look at.
Rich Wales
ri...@richw.org
get taken off the GBUDB blacklist site.
The next time I see this happen -- could be tomorrow, could be weeks
from now, I have no idea when -- I'll gladly forward a copy of my
"mailq" output. I deleted my earlier evidence, I'm afraid.
Rich Wales
ri...@richw.org
in question as probably coming via an open
relay, but it still passes them. What confuses me is that I would
expect Postfix to have identified and rejected these messages during the
initial SMTP dialogue with the sender, and they should never reach
amavisd-new.
Any suggestions gratefully w
The best English phrase to use here would be "unnecessary leading zeroes".
Rich Wales
ri...@richw.org
ation parameter to tell the
postscreen server to reject new(ish) clients for a specified minimum
period of time before stepping out of the way and allowing them to pass?
At the moment, it seems to me that requiring a minimum of 5 minutes
after the first soft rejection should be more than sufficient.
see the Postfix configuration docs (www.postfix.org/postconf.5.html)
propose using address_verify_poll_count=1 as "a crude form of
greylisting"; how well do people find this to work in practice?
Any other suggestions?
Rich Wales
ri...@richw.org
is there, I'm afraid I'm misunderstanding the
documentation and am missing the answer.
Rich Wales
ri...@richw.org
Does Postfix support blacklisting / whitelisting for IPv6 addresses?
If so, is there any documentation available to help me with the details?
I'm running Postfix version 2.11.0 on an Ubuntu 14.04.4 LTS system.
--
Rich Wales
ri...@richw.org
your new
"unique ID" info in parentheses so it will look like a comment.
Rich Wales
ri...@richw.org
course, to hear either that I was mistaken, or that
Apple has enabled 587/STARTTLS on current iOS devices.
Rich Wales
ri...@richw.org
eciate my going into detail about it here because it's
not narrowly specific to Postfix.
Rich Wales
ri...@richw.org
g to use p0f, I assume I need to run it on my MX hosts and not
on the mail server itself (since p0f on my mail server would be
fingerprinting my MX hosts and not the actual source of a message).
I would, of course, be using the rewritten p0f (version 3.08b).
Thanks for any suggestions.
Rich Wales
ri...@richw.org
> The reject_non_fqdn_hostname restriction will not block any of these.
How about reject_unknown_reverse_client_hostname instead? This one is
supposed to reject clients with no IP-address-to-name mapping.
Rich Wales
ri...@richw.org
pamhaus or other DNSBLs), would that break
other things in the postscreen logic?
Rich Wales
ri...@richw.org
atus, should I be looking at postscreen_dnsbl_ttl
instead (changing it from the default of 1 hour to something smaller)?
Rich Wales
ri...@richw.org
consider reducing my postscreen_cache_retention_time --
possibly to a few hours? Is that likely to have some unintended and
unwanted side effects?
I'm attaching a gzip'ed copy of the "postconf -n" output from one of my
MX servers.
Rich Wales
ri...@richw.org
ions was
somehow not working.
Now I understand why this is failing. I guess I'm going to need to do
something different with my SMTPD restrictions -- possibly move all my
existing client restrictions to be at the end of my list of recipient
restrictions (after reject_unauth_destination).
Rich Wales
ri...@richw.org
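The fix being considered above (moving client restrictions behind reject_unauth_destination) follows from how Postfix evaluates an smtpd restriction list: restrictions are tried in order, the first one that returns OK or REJECT decides, and falling off the end permits. A permit_* restriction that matches a remote client before reject_unauth_destination therefore short-circuits the relay check. The following Python model is an added illustration, not code from the original thread or from Postfix itself; the network ranges, the DNS-whitelist result (a boolean standing in for the real DNS lookup) and the sessions are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical site values standing in for $mynetworks and $mydestination.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
MYDESTINATION = {"example.org"}


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    dnswl_listed: bool   # stands in for a DNS whitelist hit; real Postfix does a DNS lookup
    rcpt_domain: str


# Each restriction returns "OK", "REJECT", or None (Postfix's DUNNO: try the next one).
def permit_mynetworks(s):
    ip = ipaddress.ip_address(s.client_ip)
    return "OK" if any(ip in net for net in MYNETWORKS) else None


def permit_sasl_authenticated(s):
    return "OK" if s.sasl_authenticated else None


def permit_dnswl_client(s):
    return "OK" if s.dnswl_listed else None


def reject_unauth_destination(s):
    return None if s.rcpt_domain in MYDESTINATION else "REJECT"


def evaluate(restrictions, session):
    """First-match evaluation as in smtpd_recipient_restrictions: the first
    restriction that returns OK or REJECT decides; reaching the end permits."""
    for restriction in restrictions:
        result = restriction(session)
        if result is not None:
            return result, restriction.__name__
    return "OK", "end-of-list"


# Client whitelisting placed before reject_unauth_destination: a whitelisted remote
# client gets OK before the relay check is ever reached (an open relay for that client).
UNSAFE = [permit_mynetworks, permit_sasl_authenticated, permit_dnswl_client, reject_unauth_destination]
# The same checks moved after reject_unauth_destination, as considered in the post above.
SAFE = [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit_dnswl_client]

# Constructed sessions (not from the original thread).
RELAY_ATTEMPT = Session("198.51.100.7", False, True, "victim.test")    # remote, DNSWL-listed, foreign recipient
LOCAL_DELIVERY = Session("198.51.100.7", False, True, "example.org")   # same client, local recipient
UNLISTED_LOCAL = Session("203.0.113.9", False, False, "example.org")   # nothing matches, end-of-list permit

if __name__ == "__main__":
    for name, chain in (("unsafe", UNSAFE), ("safe", SAFE)):
        print(name, evaluate(chain, RELAY_ATTEMPT))
```

Since Postfix 2.10 the relay decision also lives in smtpd_relay_restrictions, which is evaluated on its own, so with that parameter at its default a stray permit in smtpd_recipient_restrictions no longer opens a relay; on the older releases discussed in this thread, order within smtpd_recipient_restrictions is what stands between a whitelist hit and an open relay.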
tions? It seems unnecessary and confusing to
ignore the whitelist operation in this case (unless there is some subtle
cause for concern that I'm overlooking).
Rich Wales
ri...@richw.org
the second time too.
Does this look OK? Or is there some obscure pitfall I need to be
aware of?
Rich Wales
ri...@richw.org
> printf '\000user\000pass' | openssl base64
This appears to work OK in tcsh and sh on Linux (Ubuntu Maverick).
It also works if I write "\0" instead of "\000".
Rich Wales
ri...@richw.org
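The printf pipeline quoted above produces the SASL PLAIN initial response, which is the three NUL-separated fields authzid, authcid and password, base64-encoded; the leading NUL is an empty authorization identity. As an added example (not code from the original post), the Python below builds the same token and also parses one back, which is a handy way to check a credential string from a password map before blaming the server. The user name and password are placeholders.

```python
import base64


def plain_credential(authcid: str, password: str, authzid: str = "") -> str:
    """Base64 SASL PLAIN initial response: authzid NUL authcid NUL password.
    With the default empty authzid this matches printf '\\000user\\000pass'."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def decode_plain(token: str) -> tuple:
    """Inverse of plain_credential; refuses anything that is not exactly three
    NUL-separated fields (a missing leading NUL is the usual mistake)."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(parts)}")
    return tuple(p.decode("utf-8") for p in parts)


def is_wellformed(token: str) -> bool:
    """True when the token decodes to a three-field PLAIN response."""
    try:
        decode_plain(token)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    token = plain_credential("user", "pass")   # placeholder credentials
    print(token, decode_plain(token))
    # A token made from "user\0pass" without the leading NUL has only two fields:
    print(is_wellformed(base64.b64encode(b"user\0pass").decode()))
```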
comfortable trusting zen.spamhaus.org and truncate.gbudb.net
fully, and I am currently using them in reject_rbl_client checks.
Rich Wales
ri...@richw.org
processing of the BCC copies.
There may, I'm sure, be other variations possible here; I'm just
showing this as one way to do it.
Rich Wales
ri...@richw.org
e senders
can report any delivery problems. So far, at least, I have not received
any such communications.
Rich Wales
ri...@richw.org
sed to detect and
block IP addresses which are known spam sources and/or are dynamically
assigned. This particular IP address, for example, is listed in the
Spamhaus ZEN list (zen.spamhaus.org; http://www.spamhaus.org/zen/).
Read the documentation for the "reject_rbl_client" restriction.
Rich Wales
ri...@richw.org
with a "permit", right? (I think
this would have to be the case, otherwise it wouldn't make any sense,
but . . . .)
So, having smtpd_reject_unlisted_recipient = yes is not exactly the
same as having reject_unlisted_recipient at the very end of the list
of smtpd_recipient_restrictions item
here is an smtpd_reject_unlisted_sender parameter (which
is "no" by default). What issues would I want to consider before
deciding to enable this parameter in my configuration?
I'm running Postfix 2.8.1 on an Ubuntu server.
Rich Wales
ri...@richw.org
a thing planned, not
planned, or perhaps intrinsically evil for some reason I'm not thinking of?
Rich Wales
ri...@richw.org
or reject. Do you think there would be any
point in doing this? Or would it just be a meaningless exercise, and
you might as well query everything every time?
Rich Wales
ri...@richw.org
letely) and assigned different scores depending on the returned
value from a given list. (I won't go into the details, they would be
off-topic here, but it's nice to have this capability.)
Rich Wales
ri...@richw.org
If I enable postscreen and specify my choice of blocklists and whitelists
in postscreen_dnsbl_sites, am I correct in assuming that I might as well
remove any reject_rbl_client and permit_dnswl_client clauses from my
smtpd_*_restrictions, since they will now be redundant?
Rich Wales
ri
" and why a
mail server must *NOT* do deep parsing using Spamhaus's PBL block
list (their list of dynamic end-user IP addresses that ought to be
sending out their mail via their ISP's mail server rather than trying
to talk directly to destinations).
Rich Wales
ri...@richw.org
Is your mail server running Postfix? If not, you're probably not
going to find very much useful information from this list.
You should obviously identify which users have weak passwords and
make them change their passwords ASAP.
Rich Wales
ri...@richw.org
do anything but
waste your time and get people even more upset.
Rich Wales
ri...@richw.org
at also
disable the feature? Or do I have to do other things to actually
turn a feature off and make it unavailable even if a client tries to
issue a command (such as ETRN) that was not advertised in my EHLO
response?
Rich Wales
ri...@richw.org
some of the extended features (such
as STARTTLS) are simply not expendable. This fact may or may not
influence a paranoid management type who is making demands based on
a fuzzy advisory from a security tool or a vague warning in a trade
rag, but I'm not at all surprised that Postfix does not appear to
have any way to disable EHLO entirely.
Rich Wales
ri...@richw.org
'm sure someone will correct me if I'm
mistaken), there isn't any way to tell Postfix not to accept EHLO or
other extended commands at all -- nor should there be, in most people's
opinions.
Rich Wales
ri...@richw.org
ash a server by sending huge messages that are
just under the advertised maximum length -- hence the idea of omitting this
item from the EHLO response. I'd certainly be interested in hearing other
thoughts about EHLO-related security concerns.
Rich Wales
Palo Alto, CA
ri...@richw.org
sword
combo -- and thereby stop having to use sender-dependent authentication,
and thus avoid the problems which accompanied the sending of my auth
credentials to random servers, without needing to do anything complex.
For the time being, I'm happy. :-) Thanks to everyone for their help
's no way to tag messages in a single Postfix queue
with some sort of "already processed once -- let the secondary smtp
agent take care of this one" marker? Instead, doing this requires a
separate Postfix instance (with its own separate queue)?
Rich Wales
ri...@richw.org
, Victor.
A followup question, if I may. Briefly, can you help me understand what is
going on in a situation like mine that will require the use of a second,
completely separate Postfix instance (and precludes doing what I want to do
in a separate master.cf entry)?
Rich Wales
ri...@richw.org
ight. If you would
prefer to simply ignore my second message (in which I tried to say
that a possible workaround I had considered doesn't seem to work) and
consider only my original message (perhaps ignoring the paragraph near
the end starting with "I'm starting to ponder"), I won't object.
Rich Wales
ri...@richw.org
doesn't
like my sender-dependent authentication info intended only for my fallback
relay, and I can't selectively give out or withhold my authentication info
because sender-dependent authentication cares *only* about the sender and
apparently can't be told to care about the identity of the destination host.
Any suggestions would be welcome.
Rich Wales
ri...@richw.org
*real*
fallback relay as its relay host, and enable sender-dependent
authentication in the separate service instead of in my standard
SMTP service. But I realize that would be a messy kludge, and I'd
prefer not to do it this way except as a la
ries reply code to a 4xx-series code,
except it will keep the reply unchanged if there is a 5.1.x (address
status error) enhanced status code.
Rich Wales
ri...@richw.org
ming that I can use smtp_reply_filter to mark "block list" rejections
in a distinctive manner (and prevent them from being treated as hard
rejects), is there any way for me to convince Postfix to send these
messages to an alternate smarthost?
Rich Wales
ri...@richw.org
did not contain one of a limited set of extended status codes
(such as the 5.1.x codes). I'm not sure if Postfix has any way of
being told to do this sort of thing or not.
Rich Wales
ri...@richw.org
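The three messages above describe a reply filter that turns a remote server's 5xx rejection into a 4xx (so the message is deferred rather than bounced) unless the reply carries a 5.1.x enhanced status code, and ask whether the filter could key on a limited set of such codes. As an added example, not the poster's table or Postfix code, here is a Python model of how a first-match pcre: smtp_reply_filter table behaves, with constructed patterns and sample replies; Postfix applies the filter one reply line at a time, which is what the function does.

```python
import re

# Ordered like a Postfix pcre: table: the first matching pattern wins and later
# rules are not applied.  A replacement of None means "leave the line unchanged".
# These rules and the codes they keep are this example's choices, not from the thread.
KEEP_AS_HARD = (r"5\.1\.\d+",)          # address status errors stay 5xx
REPLY_FILTER = [
    (re.compile(r"^5\d\d (?:%s) " % "|".join(KEEP_AS_HARD)), None),
    # any other 5xx with an enhanced code: downgrade both the reply and the enhanced code
    (re.compile(r"^5(\d\d) 5\.(\d+\.\d+) (.*)$"), r"4\1 4.\2 \3"),
    # 5xx without an enhanced code: downgrade the reply code only
    (re.compile(r"^5(\d\d) (?!5\.\d+\.\d+ )(.*)$"), r"4\1 \2"),
]


def filter_reply(line: str) -> str:
    """Apply the first matching rule to one reply line, as smtp_reply_filter does."""
    for pattern, repl in REPLY_FILTER:
        if pattern.search(line):
            return line if repl is None else pattern.sub(repl, line, count=1)
    return line


def is_hard_failure(line: str) -> bool:
    """Postfix bounces on a 5xx reply and defers on 4xx."""
    return line.startswith("5")


# Constructed replies, not taken from any real server log.
SAMPLES = [
    "550 5.7.1 Service unavailable; client 203.0.113.9 blocked using zen.spamhaus.org",
    "550 5.1.1 <nobody@example.net>: Recipient address rejected: User unknown",
    "554 Blocked by blocklist",
    "450 4.2.0 Greylisted, try again later",
    "250 2.0.0 Ok: queued as 1234",
]

if __name__ == "__main__":
    for reply in SAMPLES:
        out = filter_reply(reply)
        print(f"{'BOUNCE' if is_hard_failure(out) else 'DEFER ' if out.startswith('4') else 'OK    '} {out}")
```

In a real pcre: table the "keep unchanged" rule has to be written as a pattern whose result reproduces the line, for instance capturing the whole 5.1.x reply in one group and returning that group, and it must come before the downgrade rule, exactly as in the list above.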
, I want Postfix to
automatically try "Plan B".
In general, is there any way to do what I want?
Rich Wales
Palo Alto, CA, USA
ri...@richw.org
nd make sure I don't break anything.
Thanks again.
Rich Wales
ri...@richw.org
o_header_body_checks
from "smtp"?
I'm including a copy (see below) of the "smtp" configuration stanza from
my master.cf file.
Rich Wales
ri...@richw.org
==
smtp inet n -
but I'm not going to hold my
breath, and I can't afford the petty luxury of refusing to look at an
e-mail reply because Google broke the specs.
See below for my "postconf -n" output. Any ideas?
Rich Wales
Palo Alto, CA, USA
ri...@richw.org
==
've managed to clean up my own setup (thanks for your earlier help in
this regard), so this is no longer an immediate need of mine, but I
could imagine some other people might run into this kind of issue, so
it seemed to still be worth bringing up.
Rich Wales
ri...@richw.org
ng to relay
host B -- am I currently out of luck?
Rich Wales
ri...@richw.org
have one username / password for www.richw.org, and no authentication
for sandals.richw.org), or else use per-sender SMTP authentication (and
use different username / password data for each sender, but attempt to
authenticate identically to either server) -- but I apparently can *not*
have authent
ne relay, and
a different username/password when sending to another relay. But for
the moment, I'd be content simply to have authentication for one and
only one of the relays I need to use.
--
Rich Wales
ri...@richw.org