Re: Is this a good smtpd restrictions set?

2019-10-07 Thread Hugo Florentino
On Mon, 07-10-2019 at 01:48 +0200, Gerben Wierda wrote: > permit_mynetworks, > permit_sasl_authenticated, I don't see the need for these two in the data restriction class.

Is this a good smtpd restrictions set?

2019-10-06 Thread Gerben Wierda
I am revisiting my config and my config was made a long time ago (before relay_restrictions). Would this be a good restrictions set? I think it is but I’m not 100% certain if this is efficient for instance. For instance, I am blocking reject_non_fqdn_recipient in smtpd_recipient_restrictions wi

smtpd restrictions

2018-04-21 Thread David Mehler
Hello, I'm running Postfix 3.3. I'm thinking I've got an issue with my smtpd* restrictions, either doing double work or not ordered right, or just not optimized. Can someone take a look and see if anything stands out as being off? Thanks. Dave. master.cf (service excerpt): su

Re: Request for feedback on SMTPD restrictions

2018-01-28 Thread Matus UHLAR - fantomas
https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre check_client_access hash:/etc/postfix/whitelist check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre On Sun, January 28, 2018 7:00 am, Noel Jones wrote: So generally, you can put it anywhere after reject_unauth_destin

Re: Request for feedback on SMTPD restrictions

2018-01-28 Thread Voytek
On Sun, January 28, 2018 7:00 am, Noel Jones wrote: >>> https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre >> check_client_access hash:/etc/postfix/whitelist >> check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre > So generally, you can put it anywhere after > reject_una

Re: Request for feedback on SMTPD restrictions

2018-01-27 Thread Noel Jones
On 1/26/2018 11:47 PM, Voytek wrote: > On Wed, January 24, 2018 3:55 am, Noel Jones wrote: > >> There is no simple regexp, but there is the fqrdns.pcre project. The >> project is a large hand-maintained list of dynamic hostnames with a goal of >> zero false positives. It's not perfect, but it's u

Re: Request for feedback on SMTPD restrictions

2018-01-26 Thread Voytek
On Wed, January 24, 2018 3:55 am, Noel Jones wrote: > There is no simple regexp, but there is the fqrdns.pcre project. The > project is a large hand-maintained list of dynamic hostnames with a goal of > zero false positives. It's not perfect, but it's useful and safe for > general use. > > https:

Re: Request for feedback on SMTPD restrictions

2018-01-25 Thread Matus UHLAR - fantomas
smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:/etc/postfix/helo_acl, reject_unknown_helo_hostname, permit On Jan 22, 2018, at 8:43 AM, Matu

Re: Request for feedback on SMTPD restrictions

2018-01-23 Thread Dominic Raferd
On 23 January 2018 at 16:55, Noel Jones wrote: > On 1/23/2018 1:06 AM, Dominic Raferd wrote: >> On 23 January 2018 at 04:20, Noel Jones > > wrote: >> >> Strong spam indicators for the HELO are >> (note: this is for mail coming from the internet. Authenticated

Re: Request for feedback on SMTPD restrictions

2018-01-23 Thread Andrew Sullivan
On Tue, Jan 23, 2018 at 11:51:37AM -0500, Bill Cole wrote: > > There is imprecise language in RFC1035 (1987) implying that there should be > only one PTR per IP but it depends on the idea of a "primary host name" for > an IP, which is not universally meaningful or useful as a naming concept. We

Re: Request for feedback on SMTPD restrictions

2018-01-23 Thread Noel Jones
On 1/23/2018 1:06 AM, Dominic Raferd wrote: > On 23 January 2018 at 04:20, Noel Jones > wrote: > > Strong spam indicators for the HELO are > (note: this is for mail coming from the internet. Authenticated > submission mail or legit mail from devices on y

Re: Request for feedback on SMTPD restrictions

2018-01-23 Thread Bill Cole
On 22 Jan 2018, at 22:31 (-0500), li...@lazygranch.com wrote: So if I do a reverse DNS lookup on some IP addresses, I will get multiple domains? Yes, as long as you use a DNS resolution tool and not a client of the abstracted name resolver of your OS (which may use a complex federation of na

Re: Request for feedback on SMTPD restrictions

2018-01-23 Thread Dominic Raferd
On 23 January 2018 at 16:12, Andrew Sullivan wrote: > On Tue, Jan 23, 2018 at 10:50:24AM -0500, Kris Deugau wrote: >> >> There is no One True Standard, and even within the more common conventions >> there are quite a few variations. > > And even if people came up with a standard, the operator coul

Re: Request for feedback on SMTPD restrictions

2018-01-23 Thread Andrew Sullivan
On Tue, Jan 23, 2018 at 10:50:24AM -0500, Kris Deugau wrote: > > There is no One True Standard, and even within the more common conventions > there are quite a few variations. And even if people came up with a standard, the operator could lie. After all, it's just DNS. There are no DNS Police to

Re: Request for feedback on SMTPD restrictions

2018-01-23 Thread Kris Deugau
Dominic Raferd wrote: Is there a method (regex?) for reliably identifying dynamic ip addresses? Short answer: No. If you really insist on going down that rabbit hole, look up the RDNS_DYNAMIC rule from Apache SpamAssassin. It's an aggregation of 25 provider-specific probably-dynamic rDNS

Re: Request for feedback on SMTPD restrictions

2018-01-23 Thread Petri Riihikallio
Dominic Raferd wrote on 23.01.2018 at 9:06: > > Is there a method (regex?) for reliably identifying dynamic ip addresses? > Take for instance 199-127-103-235.static.avestadns.com - it looks dynamic to > me but it says it is static. Is it best/safest to rely on '\.dynamic\.' > occurring in th

Re: Request for feedback on SMTPD restrictions

2018-01-22 Thread Dominic Raferd
On 23 January 2018 at 04:20, Noel Jones wrote: > Strong spam indicators for the HELO are > (note: this is for mail coming from the internet. Authenticated > submission mail or legit mail from devices on your network might > break any of these) > - a dynamic hostname (eg. 89-73-46-234.dynamic.chel

Re: Request for feedback on SMTPD restrictions

2018-01-22 Thread Noel Jones
On 1/22/2018 8:36 PM, J Doe wrote: >>> smtpd_helo_required = yes >>> smtpd_helo_restrictions = permit_mynetworks, >>>reject_unauth_pipelining, >>>reject_invalid_helo_hostname, >>>reject_non_fqdn_helo_hostname, >>>check_helo_access hash:/etc/postfix/helo_acl, >>>reject_unknow

Re: Request for feedback on SMTPD restrictions

2018-01-22 Thread li...@lazygranch.com
Replies in the middle of the email for clarity. On Mon, 22 Jan 2018 17:18:42 -0500 "Bill Cole" wrote: > On 21 Jan 2018, at 20:44 (-0500), li...@lazygranch.com wrote: > > > The reverse DNS can only point to one domain > > name. > > Not so. Multiple PTR records for one address may violate some

Re: Request for feedback on SMTPD restrictions

2018-01-22 Thread J Doe
Hi, > On Jan 22, 2018, at 8:43 AM, Matus UHLAR - fantomas wrote: > >> smtpd_helo_required = yes >> smtpd_helo_restrictions = permit_mynetworks, >>reject_unauth_pipelining, >> reject_invalid_helo_hostname, >>reject_non_fqdn_helo_hostname, >>check_helo_access hash:/etc/postfix/he

Re: Request for feedback on SMTPD restrictions

2018-01-22 Thread J Doe
Hi Noel, > On Jan 21, 2018, at 3:35 PM, Noel Jones >> smtpd_client_restrictions = permit_mynetworks, >>reject_unauth_pipelining, >>check_client_access hash:/etc/postfix/client_acl, >>reject_unknown_client_hostname, >>permit > > reject_unknown_client_hostname is likely to rej

Re: Request for feedback on SMTPD restrictions

2018-01-22 Thread Bill Cole
On 21 Jan 2018, at 20:44 (-0500), li...@lazygranch.com wrote: The reverse DNS can only point to one domain name. Not so. Multiple PTR records for one address may violate some people's expectations, but it's not wrong if the address doesn't really have a public name that is more "real" than t

Re: Request for feedback on SMTPD restrictions

2018-01-22 Thread Matus UHLAR - fantomas
On 21.01.18 00:56, J Doe wrote: I have a basic SMTP server set up with what I believe to be good smtpd_*_ restrictions, but I was wondering if anyone could provide any insight on how to improve them or if I have been redundant in the restrictions. Even with reading the man pages, I find some of

Re: Request for feedback on SMTPD restrictions

2018-01-21 Thread li...@lazygranch.com
On Sun, 21 Jan 2018 14:35:42 -0600 Noel Jones wrote: > On 1/20/2018 11:56 PM, J Doe wrote: > > Hi, > > > > I have a basic SMTP server set up with what I believe to be good > > smtpd_*_ restrictions, but I was wondering if anyone could provide > > any insight on how to improve them or if I have b

Re: Request for feedback on SMTPD restrictions

2018-01-21 Thread Noel Jones
On 1/20/2018 11:56 PM, J Doe wrote: > Hi, > > I have a basic SMTP server set up with what I believe to be good smtpd_*_ > restrictions, but I was wondering if anyone could provide any insight on how > to improve them or if I have been redundant in the restrictions. Even with > reading the man

Request for feedback on SMTPD restrictions

2018-01-20 Thread J Doe
Hi, I have a basic SMTP server set up with what I believe to be good smtpd_*_ restrictions, but I was wondering if anyone could provide any insight on how to improve them or if I have been redundant in the restrictions. Even with reading the man pages, I find some of the restrictions tricky.

Re: Getting smtpd restrictions right....

2017-01-20 Thread Noel Jones
You didn't answer the all-important question about what IP postfix sees for mail arriving from the Xeams server, nor did you provide the requested logging. I'll assume postfix sees the Xeams IP. That's bad; it prevents postfix from making any decisions about the source of the mail. The solution

Re: Getting smtpd restrictions right....

2017-01-20 Thread SH Development
Postfix I assumed got its valid users from the same place Dovecot is getting it, the mySQL database. In the postconf -n I posted, it may not have shown the mynetworks as I have gone from trying different things to leaving it at default. It was probably at default when I generated it. I have

Re: Getting smtpd restrictions right....

2017-01-20 Thread Noel Jones
On 1/19/2017 11:49 PM, SH Development wrote: > I have a server running Xeams for spam filtering, and another server running > Postfix 2.6.6. Both servers are on the same network behind a firewall. > Haven’t had any problems until recently when Xeams tech support pointed out > that my Xeams ser

Getting smtpd restrictions right....

2017-01-19 Thread SH Development
I have a server running Xeams for spam filtering, and another server running Postfix 2.6.6. Both servers are on the same network behind a firewall. Haven’t had any problems until recently when Xeams tech support pointed out that my Xeams server is showing as an open relay, but my Postfix serve

Re: smtpd restrictions on mail that comes from certain servers

2016-07-18 Thread Wietse Venema
A record I presume). I am trying to set up > >> an smtpd restrictions for all incoming mail except when it comes > >> from the servers I know about. I'm struggling to figure out how > >> I'd do this. > >> > >> I think the solution is to us

RE: smtpd restrictions on mail that comes from certain servers

2016-07-18 Thread Michael Fox
> Does anyone have any ideas how I'd specify this? Would I have to use a > pcre like the following? > > /[^e][^x][^a][^m][^p][^l][^e][^\.][^c][^o][^m]$/WARN If you choose to use pcre, see: http://www.postfix.com/pcre_table.5.html It includes an example: !// Note that by default, mat

Re: smtpd restrictions on mail that comes from certain servers

2016-07-18 Thread James Reynolds
>> My server's MX records point to some servers that do spam filtering >> then they send it to my server. However, some servers ignore the >> MX record and are connecting directly to my server (using the IP >> returned by the DNS A record I presume). I am

Re: smtpd restrictions on mail that comes from certain servers

2016-07-18 Thread Wietse Venema
James Reynolds: > My server's MX records point to some servers that do spam filtering > then they send it to my server. However, some servers ignore the > MX record and are connecting directly to my server (using the IP > returned by the DNS A record I presume). I am trying to

smtpd restrictions on mail that comes from certain servers

2016-07-18 Thread James Reynolds
My server's MX records point to some servers that do spam filtering then they send it to my server. However, some servers ignore the MX record and are connecting directly to my server (using the IP returned by the DNS A record I presume). I am trying to set up an smtpd restrictions fo

Re: smtpd restrictions flow

2015-03-17 Thread Noel Jones
On 3/17/2015 12:59 PM, Roger Walters wrote: > Hi, > > I've been trying to find some kind of diagram or documentation about > the smtpd_*_restrictions (sender, recipient, client, helo, relay) > flow upon mail sending and receiving, but couldn't find anything. > > Is this defined somewhere in the d

smtpd restrictions flow

2015-03-17 Thread Roger Walters
Hi, I've been trying to find some kind of diagram or documentation about the smtpd_*_restrictions (sender, recipient, client, helo, relay) flow upon mail sending and receiving, but couldn't find anything. Is this defined somewhere in the documentation? If not, could someone illustrate in which or

Re: Question regarding null senders and smtpd restrictions

2015-02-25 Thread Research
On Feb 25, 2015, at 5:56 PM, Noel Jones wrote: > On 2/25/2015 4:53 PM, Research wrote: >> Hello, >> >> I have recently begun deploying Postfix on a web server. >> >> Postfix is configured to handle the e-mail for the web server domain (i.e.: >> receives e-mail for example.com), and then has vi

Re: Question regarding null senders and smtpd restrictions

2015-02-25 Thread Noel Jones
On 2/25/2015 4:53 PM, Research wrote: > Hello, > > I have recently begun deploying Postfix on a web server. > > Postfix is configured to handle the e-mail for the web server domain (i.e.: > receives e-mail for example.com), and then has virtual tables configured to > route that mail to Gmail ac

Question regarding null senders and smtpd restrictions

2015-02-25 Thread Research
Hello, I have recently begun deploying Postfix on a web server. Postfix is configured to handle the e-mail for the web server domain (i.e.: receives e-mail for example.com), and then has virtual tables configured to route that mail to Gmail accounts. I have mappings for all RFC required e-mail

Re: Conditional/soft smtpd restrictions

2015-01-18 Thread Benning, Markus
-Original Message- From: Noel Jones Sent: Saturday, January 17, 2015 12:20 AM You want to conditionally run some extra restrictions based on the outcome of prior restrictions? Some of the existing policy servers do weighted scoring, which gives very similar results. Conditional greyl

Re: Conditional/soft smtpd restrictions

2015-01-17 Thread li...@rhsoft.net
On 18.01.2015 at 00:00, Eugene R wrote: -Original Message- From: li...@rhsoft.net Sent: Saturday, January 17, 2015 7:29 AM > Actually the set I have is surprisingly effective and also surprisingly > good in keeping FPs low -- much, much better than anything I saw from SA > and DSPAM,

Re: Conditional/soft smtpd restrictions

2015-01-17 Thread Eugene R
Hello, -Original Message- From: li...@rhsoft.net Sent: Saturday, January 17, 2015 7:29 AM > Actually the set I have is surprisingly effective and also surprisingly > good in keeping FPs low -- much, much better than anything I saw from SA > and DSPAM, and with virtually no server or m

Re: Conditional/soft smtpd restrictions

2015-01-16 Thread li...@rhsoft.net
On 16.01.2015 at 21:48, Eugene R wrote: If you're rejecting good mail more than "rarely", you should reevaluate your restrictions. In particular, most built-in HELO checks are likely to reject legit mail, and not terribly effective against current spam bots. The "reject_unknown_client" is al

Re: Conditional/soft smtpd restrictions

2015-01-16 Thread Eugene R
Hello Noel, -Original Message- From: Noel Jones Sent: Saturday, January 17, 2015 12:20 AM You want to conditionally run some extra restrictions based on the outcome of prior restrictions? Some of the existing policy servers do weighted scoring, which gives very similar results. Co

Re: Conditional/soft smtpd restrictions

2015-01-16 Thread Noel Jones
On 1/16/2015 2:48 PM, Eugene R wrote: > >> Sounds like you're trying to recreate deep inspection in postfix. >> Use SpamAssassin instead. > > Absolutely no deep inspection, no content inspection at all, just > more flexible / controllable chaining of smtpd restrictio

Re: Conditional/soft smtpd restrictions

2015-01-16 Thread Eugene R
're trying to recreate deep inspection in postfix. Use SpamAssassin instead. Absolutely no deep inspection, no content inspection at all, just more flexible / controllable chaining of smtpd restrictions. Best wishes Eugene

Re: Conditional/soft smtpd restrictions

2015-01-16 Thread Noel Jones
On 1/16/2015 1:36 PM, Eugene R wrote: > Hi all! > > I have a fairly standard set of smtpd restrictions implemented and > generally I’m very happy with them (very low spam traffic and no > headaches associated with SpamAssassin or DSPAM). > However, once in a while a legitimate m

Conditional/soft smtpd restrictions

2015-01-16 Thread Eugene R
Hi all! I have a fairly standard set of smtpd restrictions implemented and generally I’m very happy with them (very low spam traffic and no headaches associated with SpamAssassin or DSPAM). However, once in a while a legitimate message is rejected because the other side has misconfigured HELO

Re: postscreen smtpd restrictions

2014-03-14 Thread Patrick Ben Koetter
* Eduardo Ramos : > I've been reading about the benefits of postscreen and I got a > doubt: Using postscreen turns my smtpd restrictions obsolete? Nope. connection policies Should Postfix accept the connection and forward it to the smtpd SMTP server? -> postscreen,

postscreen smtpd restrictions

2014-03-14 Thread Eduardo Ramos
Hi friends! I've been reading about the benefits of postscreen and I got a doubt: Using postscreen turns my smtpd restrictions obsolete?

Re: adding rbl to smtpd restrictions

2013-12-11 Thread lists
On Thu, December 12, 2013 2:11 am, Wietse Venema wrote: >> is this correct place for rbls, after 'unauth_dest' and before >> 'greylist' ? > Generally, yes, because DNS lookups take time, and check_policy_service > can be the most resource intensive, so they should be done after the quick > reject

Re: adding rbl to smtpd restrictions

2013-12-11 Thread Wietse Venema
li...@sbt.net.au: > is this correct place for rbls, after 'unauth_dest' and before 'greylist' ? Generally, yes, because DNS lookups take time, and check_policy_service can be the most resource intensive, so they should be done after the quick rejects such as reject_unauth_destination. > reject_u

adding rbl to smtpd restrictions

2013-12-11 Thread lists
I have a new Postfix 2.6 server that came pre-configured, I'm trying to 'migrate' various anti UCE settings from the old server: order of some of the params is quite different on new server, hence I'm confused (as always) (so I'm trying to only make 1 or 2 changes at a time) is this correct place

Re: Best practices for smtpd restrictions.

2013-10-31 Thread Noel Jones
On 10/31/2013 12:19 PM, John Allen wrote: > Which is "better", to put the various restrictions with the > appropriate smtpd__restriction stanzas, or to put them all into > the smtpd_recipient_restrictions stanza. I am assuming that > smtpd_delay_reject is yes. There is no "better". Putting ev

Re: Best practices for smtpd restrictions.

2013-10-31 Thread Stan Hoeppner
On 10/31/2013 12:19 PM, John Allen wrote: > Which is "better", to put the various restrictions with the appropriate > smtpd__restriction stanzas, or to put them all into the > smtpd_recipient_restrictions stanza. I am assuming that > smtpd_delay_reject is yes. > > I have always assumed that pu

Best practices for smtpd restrictions.

2013-10-31 Thread John Allen
Which is "better", to put the various restrictions with the appropriate smtpd__restriction stanzas, or to put them all into the smtpd_recipient_restrictions stanza. I am assuming that smtpd_delay_reject is yes. I have always assumed that putting them in one place had the advantage of allo

Re: smtpd Restrictions

2011-12-16 Thread Noel Jones
On 12/16/2011 12:36 PM, Punit Jain wrote: > Hi, > > I want to create restriction where a group of users should not be allowed to > send email among themselves but should be allowed to send to others and on > internet. I tried creating restrictions as below but it does not work : - > > smtpd_send

smtpd Restrictions

2011-12-16 Thread Punit Jain
Hi, I want to create restriction where a group of users should not be allowed to send email among themselves but should be allowed to send to others and on internet. I tried creating restrictions as below but it does not work : - smtpd_sender_restrictions = check_sender_access hash:/etc/postf