Configuration problems

Hi

I'm running a Postfix 2.3.8-2+b1 on a Debian.

My setup is Postfix with virtual-domains and users running on mysql.

I have 3 issues which I have been trying to solve, but not been able to.

The first one is that my mail.log gets filled with lines like this.
Jun 20 06:48:15 localhost postfix/qmgr[19721]: 79988C1607:
to=<[hidden email]>, relay=none, delay=20947,
delays=20947/0.1/0/0, dsn=4.4.1, status=deferred (delivery temporarily
spended:
Jun 20 06:48:15 localhost postfix/qmgr[19721]: 7A0D8C1F30:
from=<[hidden email]>, size=2577, nrcpt=1 (queue active)
Jun 20 06:48:15 localhost postfix/qmgr[19721]: 703CCC24FF:
to=<[hidden email]>, relay=none, delay=33966,
delays=33966/0.09/0/0, dsn=4.4.1, status=deferred (delivery temporarily
suspended: con
Jun 20 06:48:15 localhost postfix/qmgr[19721]: 745A7C04CF:
from=<[hidden email]>, size=1209, nrcpt=1 (queue active)

I seems like my server is a open relay. But if I check my server at
http://www.abuse.net/relay.html is says it is not a open relay. How do I
stop this?

My main.cf looks like this.

command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
queue_directory = /var/spool/postfix
masquerade_exceptions = root
masquerade_classes = envelope_sender, envelope_recipient, header_sender,
header_recipient
smtpd_banner = $myhostname ESMTP
setgid_group = postdrop
transport_maps = mysql:/etc/postfix/mysql/transport.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql/aliases.cf
virtual_alias_maps = mysql:/etc/postfix/mysql/remote_aliases.cf
virtual_uid_maps = mysql:/etc/postfix/mysql/vuids.cf
virtual_gid_maps = mysql:/etc/postfix/mysql/vgids.cf
virtual_mailbox_base = /var/spool/postfix/virtual
virtual_mailbox_limit = 102400000
inet_interfaces = all
append_dot_mydomain = no
home_mailbox = Maildir/
mailbox_size_limit = 0
message_size_limit = 0
recipient_delimiter =
local_destination_concurrency_limit = 1
default_destination_concurrency_limit = 1
myhostname = agile.dk
mydestination = $mydomain, blueled, localhost.localdomain, localhost
relayhost = vip.cybercity.dk
relay_domains = $mydestination
remote_header_rewrite_domain =
mynetworks = 127.0.0.0/8,192.1.1.0/24
smtpd_helo_required          = yes
strict_rfc821_envelopes      = yes
disable_vrfy_command         = yes
smtpd_delay_reject           = yes
unknown_address_reject_code  = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code   = 554
unknown_client_reject_code   = 554
smtpd_helo_restrictions      = permit_mynetworks,
                               reject_non_fqdn_hostname,
                               reject_invalid_hostname,
                               permit
unknown_local_recipient_reject_code = 550
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

The second problem is that I have been trying to set op SASL and TSL, but
unsuccesfully. If I disable chroot it works but if I enable chroot again it
doesn't.
/etc/postfix/sasl/smtpd.conf looks like this
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: ***
sql_passwd: ***
sql_database: ***
sql_select: ***

/etc/pam.d/smtp looks like this
auth required pam_mysql.so user=*** passwd=*** db=*** host=127.0.0.1
table=*** usercolumn=concat(name,'@',domain) passwdcolumn=clearpwd crypt=0

I have even copied the files from /etc to /var/spool/postfix and giving
read-rights to everything without luck.

My third problem is that I get a lot of spam even that i run spamassassin
with bayesian which is set to a score at 3. If I lower this score I get to
many false positive. Is there any good ways to get rid of this spam?

Regards

Jan

Jan Meyland Andersen wrote: what is the output of
# postmap -q [hidden email]
mysql:/etc/postfix/mysql/remote_aliases.cf
# postmap -q @example.com mysql:/etc/postfix/mysql/remote_aliases.cf
# postmap -q [hidden email]
mysql:/etc/postfix/mysql/aliases.cf
# postmap -q @example.com mysql:/etc/postfix/mysql/aliases.cf


> My main.cf looks like this.
>  

Please send the output of 'postconf -n' instead of main.cf. If you still
have the list welcome message, please read it (unlike most lists, the
postfix one contains important information). if you lost it, please read
    http://www.postfix.org/DEBUG_README.html#mail

This will help in the future.

> [snip]

>
> The second problem is that I have been trying to set op SASL and TSL, but
> unsuccesfully. If I disable chroot it works but if I enable chroot again it
> doesn't.
>  

then disable the chroot ;-p
I see no sasl stuff in your claimed main.cf thing. so it is impossible
to help you.

you should use the default threshold of 5. do not play with the
threshold. play with rules instead.

that said, start by tuning your postfix restrictions. use
zen.spamhaus.org and see if it's enoguh for you. if not, you can ask
here but you will need to show a sample spam (full unalatered headers).  
the spamassassin list is also a good place for such questions.

Hi

Thanks for your answer.

On Sun, 22 Jun 2008 20:56:09 +0200, mouss <[hidden email]> wrote:
> what is the output of
> # postmap -q [hidden email]
> mysql:/etc/postfix/mysql/remote_aliases.cf
> # postmap -q @example.com mysql:/etc/postfix/mysql/remote_aliases.cf
> # postmap -q [hidden email]
> mysql:/etc/postfix/mysql/aliases.cf
> # postmap -q @example.com mysql:/etc/postfix/mysql/aliases.cf

All above postmap-commands returns nothing.


> Please send the output of 'postconf -n' instead of main.cf. If you still
> have the list welcome message, please read it (unlike most lists, the
> postfix one contains important information). if you lost it, please read
>     http://www.postfix.org/DEBUG_README.html#mail
>
> This will help in the future.

root@blueled:/ # postconf -n
append_dot_mydomain = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
default_destination_concurrency_limit = 1
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
local_destination_concurrency_limit = 1
mailbox_size_limit = 0
masquerade_classes = envelope_sender, envelope_recipient, header_sender,
header_recipient
masquerade_exceptions = root
message_size_limit = 0
mydestination = $mydomain, blueled, localhost.localdomain, localhost,
agile.ath.cx, bajon.dk
myhostname = agile.dk
mynetworks = 127.0.0.0/8,192.1.1.0/24
queue_directory = /var/spool/postfix
recipient_delimiter =
relay_domains = $mydestination
relayhost = smtp.cybercity.dk
remote_header_rewrite_domain =
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
reject_invalid_hostname,  permit
smtpd_soft_error_limit = 10
strict_rfc821_envelopes = yes
transport_maps = mysql:/etc/postfix/mysql/transport.cf
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql/remote_aliases.cf
virtual_gid_maps = mysql:/etc/postfix/mysql/vgids.cf
virtual_mailbox_base = /var/spool/postfix/virtual
virtual_mailbox_limit = 102400000
virtual_mailbox_maps = mysql:/etc/postfix/mysql/aliases.cf
virtual_uid_maps = mysql:/etc/postfix/mysql/vuids.cf

Postconf returns the main.cf as I can see it.


> then disable the chroot ;-p
Disabling chroot is an option, but I prefer not to, because I think it is
more secure to have it enabled.


> I see no sasl stuff in your claimed main.cf thing. so it is impossible
> to help you.

SASL is disabled right now, thats why it is not showing in the main.cf

but when I enable it I am using the following lines.
smtpd_sasl_path = /etc/postfix/sasl
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
#smtpd_recipient_restrictions = permit_mynetworks, #Enabling this rejects
all mail and I am not able to receive anything.
#                               permit_sasl_authenticated,
#                               reject_unknown_sender_domain,
#                               reject_unauth_pipelining,
#                               reject_unknown_recipient_domain,
#                               reject_non_fqdn_sender,
#                               reject_non_fqdn_recipient,
#                               reject_non_fqdn_hostname,
#                               reject_unauth_destination

smtpd_sasl_local_domain =   $myhostname,
                            reject_rbl_client relays.ordb.org,
                            reject_rbl_client dev.null.dk,
                            reject_rbl_client opm.blitzed.org,
                            reject_rbl_client sbl.spamhaus.org,
                            check_relay_domains,
                            permit
smtpd_tls_cert_file=/etc/postfix/smtpd.cert
smtpd_tls_key_file=/etc/postfix/smtpd.key
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

> you should use the default threshold of 5. do not play with the
> threshold. play with rules instead.

Ok I will look into that.
 
> that said, start by tuning your postfix restrictions. use
> zen.spamhaus.org and see if it's enoguh for you. if not, you can ask
> here but you will need to show a sample spam (full unalatered headers).
> the spamassassin list is also a good place for such questions.

Here is an example of a SPAM-mail

[snip]
Return-Path: <[hidden email]>
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on blueled
X-Spam-Level: **
X-Spam-Status: No, score=2.5 required=3.0 tests=RAZOR2_CF_RANGE_51_100,
        RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK autolearn=disabled version=3.2.3
Delivered-To: [hidden email]
Received: from evto11.nts.nnov.ru (evto11.nts.nnov.ru [217.23.30.11])
        by agile.dk (Postfix) with ESMTP id 9A76BC2554
        for <[hidden email]>; Fri, 20 Jun 2008 08:55:31 +0200 (CEST)
Message-ID: <000701c8d2a2$03ca52a7$7ef162a0@wwslgf>
From: "brody manahil" <[hidden email]>
To: <[hidden email]>
Subject: MSG ID:36047 Luxury Footwear and Leather products blowout sale
Date: Fri, 20 Jun 2008 05:08:20 +0000
MIME-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-Virus: Scanned by agile.dk

The world's largest luxury store for shoes and bags is just one click away.
Recommended by thousands of satisfied customers worldwide, we carry dozens
of famous brands including:

~ Louis Vuitton
~ Armani
~ Gucci
~ Prada
~ Hermes

Here you will find thousands of stunning designs for shoes, and leather
products, at rock bottom pricing.
Prices range from just $39 to $199; quality is assured and satisfaction
absolutely guaranteed.
Sale ends this week, so visit us today and start pampering yourself and
your loved ones!


- Visit our site:   www.nivematel[DOT]com
(copy this link and then replace "[DOT]" to ".")
[snip]

I do not have autolearn enabled but am running sa-learn weekly, based on
both ham and spam.

Regards

Jan

Hi,

I'm running a Postfix 2.4.5 on OpenSuse 10.3.

My setup is Postfix/Amavisd-new (2.5.2) as mailgateway (to an internal network) with several domains.
Up to now I provided same spam-handling to all domains (postfix -> smtpd_proxy_filter -> amavisd-new/sa = working fine).

Now I would like to provide different spam-handling for some domains.

Problem: Using the "policy-bank"-feature of amavisd-new I need multiple smtpd_proxy_filter to address different ports !?

Will this work? (smtpd_*_restrictions / smtpd_restriction_classes !?)
Is there (maybe) even a (better) way?
If possible I'd like to keep the before-queue filter.

I'm looking forward for every proposal or suggestion ;O))

Best regards, Martin

On Mon June 23 2008 03:43:27 Jan Meyland Andersen wrote:
> On Sun, 22 Jun 2008 20:56:09 +0200, mouss <[hidden email]> wrote:
> > then disable the chroot ;-p
>
> Disabling chroot is an option, but I prefer not to, because I think
> it is more secure to have it enabled.

Likewise, it's more secure to disconnect from the network. If you lack
the experience and know-how to maintain the chroot, it's not helping.

11.30.23.217.zen.spamhaus.org. 1800 IN  TXT     "http://www.spamhaus.org/query/bl?ip=217.23.30.11"
11.30.23.217.zen.spamhaus.org. 1800 IN  A       127.0.0.4

This, like most spam, came from a known spam source.

BTW the log lines in your original post were chopped off. I think we
are still lacking a complete problem description here.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Jan Meyland Andersen wrote: Please post full transactions (only one or two) instead of the end result.
As /dev/rob0 pointed out, these lines seem to be truncated as well. What is the result of:
postmap -q [hidden email]
mysql:/etc/postfix/mysql/remote_aliases.cf
postmap -q @agile.dk mysql:/etc/postfix/mysql/remote_aliases.cf
> virtual_gid_maps = mysql:/etc/postfix/mysql/vgids.cf
> virtual_mailbox_base = /var/spool/postfix/virtual
> virtual_mailbox_limit = 102400000
> virtual_mailbox_maps = mysql:/etc/postfix/mysql/aliases.cf
> virtual_uid_maps = mysql:/etc/postfix/mysql/vuids.cf
>  
What is the point of these entries? You don't have
virtual_mailbox_domains defined.
 From `man 5 postconf`:
virtual_mailbox_maps (default: empty)

    Optional lookup tables with all valid addresses in the domains that
match $virtual_mailbox_domains.
>
> SASL is disabled right now, thats why it is not showing in the main.cf
>  
As the SASL_README says:
"To run software chrooted with SASL support is an interesting exercise.
It probably is not worth the trouble." This is not a restriction class.  

It is best to put reject_rbl_client restrictions into
smtpd_recipient_restrictions.
It is best to put reject_unauth_destination as the first reject in
smtpd_recipient_restrictions because it is a very inexpensive check.

Also, inline comments of a main.cf file are not permitted and cause
problems.
All comments must start in column 1 of a main.cf line.

> smtpd_tls_cert_file=/etc/postfix/smtpd.cert
> smtpd_tls_key_file=/etc/postfix/smtpd.key
> smtpd_use_tls=yes
>  
If you ever use TLS again, set 'smtpd_tls_security_level = may' instead
of this.

Brian
> smtpd_tls_auth_only=yes
> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
>  

At 10:43 AM +0200 6/23/08, Jan Meyland Andersen wrote:
>Hi
>
>Thanks for your answer.
>
>On Sun, 22 Jun 2008 20:56:09 +0200, mouss <[hidden email]> wrote:
[...]
>>  Please send the output of 'postconf -n' instead of main.cf. If you still
>>  have the list welcome message, please read it (unlike most lists, the
>>  postfix one contains important information). if you lost it, please read
>>      http://www.postfix.org/DEBUG_README.html#mail
>>
>>  This will help in the future.
>
>root@blueled:/ # postconf -n
[...]
>
>Postconf returns the main.cf as I can see it.

Using postconf -n is preferable over looking at main.cf because it
eliminates some common types of human misperception. What is in
main.cf is what you've put there, and the brain is very good at
auto-correcting typos. Postfix isn't.

In addition, you can only really make use of postconf -n output as a
diagnostic guide when you believe that your main.cf contains the
settings you want but something is not working as expected or
desired. If you comment out a bunch of stuff to make Postfix work
minimally but not as you want, then you've eliminated both the
problem and the problematic config and you have nothing to diagnose.

>>  then disable the chroot ;-p
>Disabling chroot is an option, but I prefer not to, because I think it is
>more secure to have it enabled.

In the sense that you break it, that is true. Unplug the server
completely for maximal security.  :)

It is hard to support a theory of significantly improved safety from
chroot'ing the various parts of Postfix in any concrete way given the
design of Postfix and a reasonably well-secured system. If you can
make it work, you might end up with a more theoretically secure
system or you might do something that makes the chroot worthless.

As Brian Evans has pointed out, your commenting here creates a syntax
problem because lines starting with whitespace are logical
continuations of the previous line in main.cf. In addition, if you
uncomment everything shown then you have a *different* syntax
problem, because you've dropped smtpd_sasl_local_domain in the middle
of what seems to have previously been the list of rules for
smtpd_recipient_restrictions, which is probably why uncommenting
those lines fails.

When you fix this, you should also clean up the DNSBL usage that you
seem to be intending. Both relays.ordb.org and opm.blitzed.org are
obsolete. The SBL is great, but the Spamhaus Zen list is a superset
that is far more effective and quite safe to use. Note as well that
if you are handling enough volume (>100,000 connections per day or
300,000 DNSBL queries/day) Spamhaus requires you to set up a paid
data feed instead of direct queries and they do enforcement of their
volume limits without warning by simply dropping all queries from
sites they identify as over-users. A Spamhaus feed is not very
expensive nor hard to get set up, and it has the added bonus of
giving you faster responses from your local instance than you'd get
across the Internet.

[...]
>>  you should use the default threshold of 5. do not play with the
>>  threshold. play with rules instead.
>
>Ok I will look into that.

You probably want to consider a range of views on that issue.

I've found that tuning both rule scores and the threshold value is
the most effective approach to adapting SA to a particular mail
stream. There's not really any convincing theory or data behind the
number 5 and a lot of people who feed SA a stream of mail that does
not look much like that of a consumer ISP or college find values in
the 3-4 range safe and significantly more effective than 5.

[...]

This is an example of why mouss suggested using the zen.spamhaus.org
DNSBL. It would have blocked that message. It also looks like you've
turned off the DNSBL checks inside SA, which can be helpful as well.
Note that 217.23.30.11 is on the CBL, SpamCop, and SORBS lists
currently and has been on the first two intermittently for some time,
so even without functional reject_rbl_client settings in Postfix, you
might have gotten useful scored application of those DNSBL's from SA.

>I do not have autolearn enabled but am running sa-learn weekly, based on
>both ham and spam.

I suspect that there's a lot of adjustment in SA you could benefit
from once the Postfix-level issues have been fixed, but those are
probably best discussed in other places.

--
Bill Cole
[hidden email]

[hidden email] wrote:
The proxy filter must be opened before the recipient is known,
so no, it's not possible to use different smtpd_proxy_filter
based on recipient.

Typically, one would use different MX records to direct
domains that require different handling to a different IP.

or maybe you can accomplish what you need by using the various
recipient controls in amavisd-new.

--
Noel Jones

Bill Cole wrote, at 06/23/2008 11:33 AM:

> I've found that tuning both rule scores and the threshold value is the
> most effective approach to adapting SA to a particular mail stream.
> There's not really any convincing theory or data behind the number 5 and

The upstream rule developers target the default threshold of 5
(required_score 5.0). Thousands of rules have been tuned to this
threshold, so adjust it at your own risk. I find leaving it alone and
tweaking individual rules to be far more effective (along with running
sa-update daily).

> a lot of people who feed SA a stream of mail that does not look much
> like that of a consumer ISP or college find values in the 3-4 range safe
> and significantly more effective than 5.

I manage mail for a wide variety of sites, including business, academic,
healthcare, nonprofit and international. Lowering the threshold to 3 or
4 would result in many false positives. In some cases, I might even
consider holding mail that scores between 5 and 7 for inspection, but I
usually only do this for a new site until I've tuned to its needs. I
still haven't needed to raise the threshold in those cases, and rarely
need to tweak more than a handful of rules.

Bill Cole wrote:
> [snip]
>
> I've found that tuning both rule scores and the threshold value is the
> most effective approach to adapting SA to a particular mail stream.
> There's not really any convincing theory or data behind the number 5
> and a lot of people who feed SA a stream of mail that does not look
> much like that of a consumer ISP or college find values in the 3-4
> range safe and significantly more effective than 5.

If you run your own mass check, then you're free to use whatever
threshold you want.

if you use the default scores, then you should know that they are
computed by a perceptron that tries to find scores so that
    if spam, score > 5
I don't know who decided to use 5 instead of 0...

SA provides no confidence measure (dspam does). don't tell me that an SA
score of 7 is a lot more than 6, because there is no unit to compare
these. In short, there is no "convicning theory or data behind" anything
but th default threshold.

Jan Meyland Andersen wrote:
where is local_recipient_maps? what is the result of
# postconf local_recipient_maps
> mailbox_size_limit = 0
> masquerade_classes = envelope_sender, envelope_recipient, header_sender,
> header_recipient
> masquerade_exceptions = root
> message_size_limit = 0
> mydestination = $mydomain, blueled, localhost.localdomain, localhost,
> agile.ath.cx, bajon.dk
> myhostname = agile.dk
>  

you'd better set mydomain explictely as well (otherwise, resetting
myhostname in master.cf will result in surprises...)
> mynetworks = 127.0.0.0/8,192.1.1.0/24
> queue_directory = /var/spool/postfix
> recipient_delimiter =
> relay_domains = $mydestination
>  

please set

relay_domain =

or use
# postconf -e relay_domains=



if that makes you happy, it's good :)
we don't want main.cf because we can't trust it (typos, redefined
settings, ...) and we don't have the energy to parse it (too long,
unsorted, ... etc). postconf -n reports what postfix sees. just
recently, a poster had a problem because he used smptd_* instead of
smtpd_*. he was certain the config was in his main.cf... and anyway, we
prefer the sorted output of postconf -n where we know when to jump where.
>
>  
>> then disable the chroot ;-p
>>    
> Disabling chroot is an option, but I prefer not to, because I think it is
> more secure to have it enabled.
>  

then find out what is required to run inside the chroot jail. This
depends on what system you run and what packages you use. make sure any
required socket is inside the jail at the right place. logs may help here.

PS. since you use mysql, you'd better use it in sasl as well (you didn't
show smtpd.conf so I can't tell).
>> I see no sasl stuff in your claimed main.cf thing. so it is impossible
>> to help you.
>>    
>
> SASL is disabled right now, thats why it is not showing in the main.cf
>  

we can't help you fix N different configurations at a time (and even for
you, this is hard). chose one config, implement it, test it and report
the results. trying to chase a moving target is not easy.

> but when I enable it I am using the following lines.
> smtpd_sasl_path = /etc/postfix/sasl
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> broken_sasl_auth_clients = yes
> #smtpd_recipient_restrictions = permit_mynetworks, #Enabling this rejects
> all mail and I am not able to receive anything.
>  

your mailer or cut-past'er is making it wrong ;-p This is one reason why
'postconf -n' is better than arbitrary text.

> #                               permit_sasl_authenticated,
> #                               reject_unknown_sender_domain,
> #                               reject_unauth_pipelining,
> #                               reject_unknown_recipient_domain,
> #                               reject_non_fqdn_sender,
> #                               reject_non_fqdn_recipient,
> #                               reject_non_fqdn_hostname,
> #                               reject_unauth_destination
>  


This is a spam you can't easily block in postfix (and maybe even in SA,
I didn't run it through SA). the client is now listed in cbl (thus in
zen) but it was not at the time you got the message.

you can't stop all spam unless you don't care for FPs. so start by using
"common" checks (zen.spamhaus.org is the one to start with). if you
still get a lot of junk, we can recommend other checks. but again, do
not try to stop all junk.


depending on how many such tricks are used, one can catch the "[DOT]"
there. but if only few messages have this, it is not worth the pain.
followup on the SA list please (it's where this belong).

> Likewise, it's more secure to disconnect from the network. If you lack
> the experience and know-how to maintain the chroot, it's not helping.

I can see that many advise me to disabling this. I just thougt that there
were a reason why it is enabled by default.
But I do not have the experience or the time to make this work, so I will
most likely follow the advise.

> 11.30.23.217.zen.spamhaus.org. 1800 IN  TXT    
> "http://www.spamhaus.org/query/bl?ip=217.23.30.11"
> 11.30.23.217.zen.spamhaus.org. 1800 IN  A       127.0.0.4
>
> This, like most spam, came from a known spam source.
>
> BTW the log lines in your original post were chopped off. I think we
> are still lacking a complete problem description here.

I think you solved the problem with spamhaus. Thanks.

Regards Jan

> Please post full transactions (only one or two) instead of the end
result.
> As /dev/rob0 pointed out, these lines seem to be truncated as well.

I have no idea how to isolate this. But I think that the zen spamhaus
solves the problem.

> What is the result of:
> postmap -q [hidden email]
mysql:/etc/postfix/mysql/remote_aliases.cf
> postmap -q @agile.dk mysql:/etc/postfix/mysql/remote_aliases.cf

Nothing as well.

> What is the point of these entries? You don't have
> virtual_mailbox_domains defined.
>  From `man 5 postconf`:
> virtual_mailbox_maps (default: empty)

I will look at this option. I didn't know there were such an option. The
rest of my configuration is a composite of serveral guides found on the
internet.
 
> As the SASL_README says:
> "To run software chrooted with SASL support is an interesting exercise.
> It probably is not worth the trouble."
I will most like turn off chroot then.

>> but when I enable it I am using the following lines.
>> smtpd_sasl_path = /etc/postfix/sasl
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_security_options = noanonymous
>> broken_sasl_auth_clients = yes
>> #smtpd_recipient_restrictions = permit_mynetworks, #Enabling this
> rejects
>> all mail and I am not able to receive anything.

This was only a comment I put when I pasted it to this list, so you were
knowing why it was uncommented.

> This is not a restriction class.
>
> It is best to put reject_rbl_client restrictions into
> smtpd_recipient_restrictions.
> It is best to put reject_unauth_destination as the first reject in
> smtpd_recipient_restrictions because it is a very inexpensive check.

I have just done that.. and I can still receive mails, which i great, so I
think that this solves a lot.

> If you ever use TLS again, set 'smtpd_tls_security_level = may' instead
> of this.
I will try to see what I can find about smtpd_tls_security_level = may. I
have never seen this before.

Regards Jan

This is from postconf -n now.
[snip]
smtpd_recipient_restrictions = reject_unauth_destination, reject_rbl_client
zen.spamhaus.org, reject_rbl_client dev.null.dk, reject_rbl_client
sbl.spamhaus.org, permit
[snip]

> I've found that tuning both rule scores and the threshold value is
> the most effective approach to adapting SA to a particular mail
> stream. There's not really any convincing theory or data behind the
> number 5 and a lot of people who feed SA a stream of mail that does
> not look much like that of a consumer ISP or college find values in
> the 3-4 range safe and significantly more effective than 5.

I have no idea how to tune rule-score. I just wanted a spam-setup that
worked out of the box, but I how that zen.spamhaus.org does the trick.

Regards

Jan

On Mon, Jun 23, 2008 at 11:05:17PM +0200, Jan Meyland Andersen wrote:

SpamHaus SBL is a subset of ZEN, don't query both.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

> where is local_recipient_maps? what is the result of
> # postconf local_recipient_maps

root@blueled:/etc/postfix # postconf local_recipient_maps
local_recipient_maps = proxy:unix:passwd.byname $alias_maps

> you'd better set mydomain explictely as well (otherwise, resetting
> myhostname in master.cf will result in surprises...)

But how do I then add new domains to my sql-base without reloading postfix?

> please set
>
> relay_domain =
>
> or use
> # postconf -e relay_domains=

I have tried this. Then I am not able to receive any mail at all.

> then find out what is required to run inside the chroot jail. This
> depends on what system you run and what packages you use. make sure any
> required socket is inside the jail at the right place. logs may help
here.

I have been reading a lot of log-files and not been able to solve this so i
give up on this.

> PS. since you use mysql, you'd better use it in sasl as well (you didn't
> show smtpd.conf so I can't tell).

I use mysql in sasl as well;-) I did post the smtpd.conf first time.

> we can't help you fix N different configurations at a time (and even for
> you, this is hard). chose one config, implement it, test it and report
> the results. trying to chase a moving target is not easy.

Ok I will remember.
 
> you can't stop all spam unless you don't care for FPs. so start by using
> "common" checks (zen.spamhaus.org is the one to start with). if you
> still get a lot of junk, we can recommend other checks. but again, do
> not try to stop all junk.

What is FPs? Why not try to stop ALL junk. I prefer to miss a mail than get
5 spam mail daily. If I miss a important mail, I'll find out sooner or
later, when I talk to the person.

Regards

Jan

Jan Meyland Andersen wrote:
>> Likewise, it's more secure to disconnect from the network. If you lack
>> the experience and know-how to maintain the chroot, it's not helping.
>>    
>
> I can see that many advise me to disabling this. I just thougt that there
> were a reason why it is enabled by default.
>  

It is not enabled in the "original" postfix. it is enabled by your
package maintainer.

unfortunately not.  it was listed after you received it (2008-06-24
06:00 GMT). see
    http://cbl.abuseat.org/lookup.cgi?ip=217.23.30.11


> Regards Jan
>
>  

Jan Meyland Andersen wrote:
>> you'd better set mydomain explictely as well (otherwise, resetting
>> myhostname in master.cf will result in surprises...)
>>    
>
> But how do I then add new domains to my sql-base without reloading postfix?
>  


mydomain is not looked up in sql.
Then you'll need to fix your setup. each domain must only appear in one
class (either in mydestination, or in relay_domains or in
virtual_mailbox_domains or in virtual_alias_domains).
indeed. I missed that. not enough coffee:)
it's just that most people prefer to avoid FPs. but even if you can use
an aggressive setup, you should still add "safe" checks first and then
only adding (unsafe) checks when a spam slips. Among other things, this
results in less efforts.

For the sample you showed:

- It has no Received header except the one your postfix adds (while
still claiming that it is sent by outlook). so it should hit
DOS_OE_TO_MX (2.8 points). you may want to setup your internal_networks
explictely and correctly. given that you got a score of 2.5, this would
have pushed the score to 5.3.

- here, JM_SOUGHT_* rules give 8.0 points. I don't know if this would
have worked at reception time, but I recommend that you include Justin
Mason Sought rules in your sa-update.

On Dienstag, 24. Juni 2008 mouss wrote:
> - here, JM_SOUGHT_* rules give 8.0 points. I don't know if this would
> have worked at reception time, but I recommend that you include
> Justin Mason Sought rules in your sa-update.

Do you have the config line at hand how to get his sought rules?

mfg zmi
--
// Michael Monnerie, Ing.BSc    -----      http://it-management.at
// Tel: 0660 / 415 65 31                      .network.your.ideas.
// PGP Key:         "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: www.keyserver.net                   Key-ID: 1C1209B4

On Tue, 24 Jun 2008 09:46:59 +0200, mouss <[hidden email]> wrote:

> Then you'll need to fix your setup. each domain must only appear in one
> class (either in mydestination, or in relay_domains or in
> virtual_mailbox_domains or in virtual_alias_domains).

Ok I will look into this when I have time.

I didn't know that commaind. I am only running sa-learn and not sa-update.
However I found this http://taint.org/2007/08/15/004348a.html
And runned the commands and now the spam from the previos mail scores 16.2,
so this also seems to work very well.

Thanks a lot

Regards

Jan