Hi

I'm running a Postfix 2.3.8-2+b1 on a Debian.

My setup is Postfix with virtual domains and users running on MySQL.

I have 3 issues which I have been trying to solve, but have not been able to.

The first one is that my mail.log gets filled with lines like this.

Jun 20 06:48:15 localhost postfix/qmgr[19721]: 79988C1607: to=<[hidden email]>, relay=none, delay=20947, delays=20947/0.1/0/0, dsn=4.4.1, status=deferred (delivery temporarily spended:
Jun 20 06:48:15 localhost postfix/qmgr[19721]: 7A0D8C1F30: from=<[hidden email]>, size=2577, nrcpt=1 (queue active)
Jun 20 06:48:15 localhost postfix/qmgr[19721]: 703CCC24FF: to=<[hidden email]>, relay=none, delay=33966, delays=33966/0.09/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: con
Jun 20 06:48:15 localhost postfix/qmgr[19721]: 745A7C04CF: from=<[hidden email]>, size=1209, nrcpt=1 (queue active)

It seems like my server is an open relay. But if I check my server at http://www.abuse.net/relay.html it says it is not an open relay. How do I stop this?

My main.cf looks like this.

command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
queue_directory = /var/spool/postfix
masquerade_exceptions = root
masquerade_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
smtpd_banner = $myhostname ESMTP
setgid_group = postdrop
transport_maps = mysql:/etc/postfix/mysql/transport.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql/aliases.cf
virtual_alias_maps = mysql:/etc/postfix/mysql/remote_aliases.cf
virtual_uid_maps = mysql:/etc/postfix/mysql/vuids.cf
virtual_gid_maps = mysql:/etc/postfix/mysql/vgids.cf
virtual_mailbox_base = /var/spool/postfix/virtual
virtual_mailbox_limit = 102400000
inet_interfaces = all
append_dot_mydomain = no
home_mailbox = Maildir/
mailbox_size_limit = 0
message_size_limit = 0
recipient_delimiter =
local_destination_concurrency_limit = 1
default_destination_concurrency_limit = 1
myhostname = agile.dk
mydestination = $mydomain, blueled, localhost.localdomain, localhost
relayhost = vip.cybercity.dk
relay_domains = $mydestination
remote_header_rewrite_domain =
mynetworks = 127.0.0.0/8,192.1.1.0/24
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
smtpd_delay_reject = yes
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
unknown_client_reject_code = 554
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
unknown_local_recipient_reject_code = 550
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

The second problem is that I have been trying to set up SASL and TLS, but unsuccessfully. If I disable chroot it works, but if I enable chroot again it doesn't.

/etc/postfix/sasl/smtpd.conf looks like this

pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: ***
sql_passwd: ***
sql_database: ***
sql_select: ***

/etc/pam.d/smtp looks like this

auth required pam_mysql.so user=*** passwd=*** db=*** host=127.0.0.1 table=*** usercolumn=concat(name,'@',domain) passwdcolumn=clearpwd crypt=0

I have even copied the files from /etc to /var/spool/postfix and given read rights to everything, without luck.

My third problem is that I get a lot of spam even though I run SpamAssassin with Bayesian, which is set to a score of 3. If I lower this score I get too many false positives. Is there any good way to get rid of this spam?

Regards

Jan
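The qmgr lines quoted above are the kind a practitioner wants to join up before deciding whether a queue backlog means relaying. "relay=none" together with "delivery temporarily suspended" means qmgr did not attempt this delivery at all: an earlier delivery to the same destination failed (the dsn=4.4.1 is that earlier failure's code) and the destination is marked dead, so the line only shows a backlog. Who is injecting the mail is told by pairing each queue id's "from=" line with its "to=" line. The Python below, an added example that is not part of the original thread and not Jan's log, does that pairing, pulls out dsn, status and the parenthesised reason, and classifies each deferred message by whether sender and recipients are local. The sample log lines are constructed for the example (example.net/example.org addresses, an invented remote host, and a completed reason text); the local domain list is taken from the mydestination Jan posts later in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the qmgr lines in the post above. Addresses,
# the remote host and the full "suspended" reason are invented for this example.
SAMPLE_LOG = """\
Jun 20 06:48:15 localhost postfix/qmgr[19721]: 79988C1607: from=<>, size=3011, nrcpt=1 (queue active)
Jun 20 06:48:15 localhost postfix/qmgr[19721]: 79988C1607: to=<someone@remote.example.net>, relay=none, delay=20947, delays=20947/0.1/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.remote.example.net[192.0.2.25]:25: Connection timed out)
Jun 20 06:48:15 localhost postfix/qmgr[19721]: 7A0D8C1F30: from=<jan@agile.dk>, size=2577, nrcpt=1 (queue active)
Jun 20 06:48:15 localhost postfix/qmgr[19721]: 7A0D8C1F30: to=<friend@remote.example.net>, relay=none, delay=33966, delays=33966/0.09/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.remote.example.net[192.0.2.25]:25: Connection timed out)
Jun 20 06:48:15 localhost postfix/qmgr[19721]: 703CCC24FF: from=<sales@elsewhere.example.org>, size=1209, nrcpt=1 (queue active)
Jun 20 06:48:15 localhost postfix/qmgr[19721]: 703CCC24FF: to=<victim@remote.example.net>, relay=none, delay=120, delays=120/0/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.remote.example.net[192.0.2.25]:25: Connection timed out)
"""

# queue id, then either from=<addr> or to=<addr> followed by the rest of the line
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): (?P<kind>from|to)=<(?P<addr>[^>]*)>(?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=([^,(]+)")   # key=value pairs before the "(reason)"
REASON_RE = re.compile(r"\((.*)\)\s*$")     # the trailing parenthesised reason


def parse_qmgr(log_text):
    """Join the from= and to= qmgr lines of each queue id into one record."""
    records = defaultdict(lambda: {"from": None, "to": [], "dsn": None,
                                   "status": None, "reason": None})
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if not m:
            continue
        rec = records[m.group("qid")]
        if m.group("kind") == "from":
            rec["from"] = m.group("addr")       # "" for the null sender <>
            continue
        rec["to"].append(m.group("addr"))
        fields = {k: v.strip() for k, v in FIELD_RE.findall(m.group("rest"))}
        rec["dsn"] = fields.get("dsn")
        rec["status"] = fields.get("status")
        reason = REASON_RE.search(m.group("rest"))
        rec["reason"] = reason.group(1) if reason else None
    return dict(records)


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(records, local_domains):
    """Classify each deferred message by where sender and recipients live.

    bounce   - null sender: a DSN this server generated, often backscatter
    outbound - a local user's mail stuck behind a dead destination
    inbound  - remote sender to local recipients
    relayed  - remote sender AND remote recipients: the open-relay signature
    """
    local = {d.lower() for d in local_domains}
    result = {}
    for qid, rec in records.items():
        if rec["status"] != "deferred":
            continue
        sender = rec["from"] or ""
        if sender == "":
            kind = "bounce"
        elif domain_of(sender) in local:
            kind = "outbound"
        elif all(domain_of(r) in local for r in rec["to"]):
            kind = "inbound"
        else:
            kind = "relayed"
        result[qid] = kind
    return result


def summarize(triaged):
    return dict(Counter(triaged.values()))


if __name__ == "__main__":
    recs = parse_qmgr(SAMPLE_LOG)
    # local domains as listed in Jan's mydestination later in the thread
    kinds = triage(recs, ["agile.dk", "bajon.dk", "agile.ath.cx"])
    for qid, kind in kinds.items():
        r = recs[qid]
        print(qid, kind, r["from"] or "<>", "->", ", ".join(r["to"]), r["dsn"], r["reason"])
    print(summarize(kinds))
```

Run against a real mail.log, a "relayed" entry is the one worth chasing; a queue that is all "bounce" and "outbound" is a dead relayhost or destination, not a relay hole.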
Jan Meyland Andersen wrote:
> Hi
>
> I'm running a Postfix 2.3.8-2+b1 on a Debian.
>
> My setup is Postfix with virtual domains and users running on MySQL.
>
> I have 3 issues which I have been trying to solve, but not been able to.
>
> The first one is that my mail.log gets filled with lines like this.
> Jun 20 06:48:15 localhost postfix/qmgr[19721]: 79988C1607:
> to=<[hidden email]>, relay=none, delay=20947,
> delays=20947/0.1/0/0, dsn=4.4.1, status=deferred (delivery temporarily
> spended:
> Jun 20 06:48:15 localhost postfix/qmgr[19721]: 7A0D8C1F30:
> from=<[hidden email]>, size=2577, nrcpt=1 (queue active)
> Jun 20 06:48:15 localhost postfix/qmgr[19721]: 703CCC24FF:
> to=<[hidden email]>, relay=none, delay=33966,
> delays=33966/0.09/0/0, dsn=4.4.1, status=deferred (delivery temporarily
> suspended: con
> Jun 20 06:48:15 localhost postfix/qmgr[19721]: 745A7C04CF:
> from=<[hidden email]>, size=1209, nrcpt=1 (queue active)
>
> It seems like my server is an open relay. But if I check my server at
> http://www.abuse.net/relay.html it says it is not an open relay. How do I
> stop this?

what is the output of

# postmap -q [hidden email] mysql:/etc/postfix/mysql/remote_aliases.cf
# postmap -q @example.com mysql:/etc/postfix/mysql/remote_aliases.cf
# postmap -q [hidden email] mysql:/etc/postfix/mysql/aliases.cf
# postmap -q @example.com mysql:/etc/postfix/mysql/aliases.cf

> My main.cf looks like this.

Please send the output of 'postconf -n' instead of main.cf. If you still have the list welcome message, please read it (unlike most lists, the postfix one contains important information). if you lost it, please read
http://www.postfix.org/DEBUG_README.html#mail

This will help in the future.

> [snip]
>
> The second problem is that I have been trying to set up SASL and TLS, but
> unsuccessfully. If I disable chroot it works but if I enable chroot again it
> doesn't.

then disable the chroot ;-p

I see no SASL stuff in your claimed main.cf thing, so it is impossible to help you.

> /etc/postfix/sasl/smtpd.conf looks like this
> pwcheck_method: auxprop
> auxprop_plugin: sql
> mech_list: plain login cram-md5 digest-md5
> sql_engine: mysql
> sql_hostnames: 127.0.0.1
> sql_user: ***
> sql_passwd: ***
> sql_database: ***
> sql_select: ***
>
> /etc/pam.d/smtp looks like this
> auth required pam_mysql.so user=*** passwd=*** db=*** host=127.0.0.1
> table=*** usercolumn=concat(name,'@',domain) passwdcolumn=clearpwd crypt=0
>
> I have even copied the files from /etc to /var/spool/postfix and given
> read rights to everything without luck.
>
> My third problem is that I get a lot of spam even though I run SpamAssassin
> with Bayesian which is set to a score of 3. If I lower this score I get too
> many false positives. Is there any good way to get rid of this spam?

you should use the default threshold of 5. do not play with the threshold. play with rules instead.

that said, start by tuning your postfix restrictions. use zen.spamhaus.org and see if it's enough for you. if not, you can ask here but you will need to show a sample spam (full unaltered headers). the spamassassin list is also a good place for such questions.
Hi

Thanks for your answer.

On Sun, 22 Jun 2008 20:56:09 +0200, mouss <[hidden email]> wrote:
> what is the output of
> # postmap -q [hidden email] mysql:/etc/postfix/mysql/remote_aliases.cf
> # postmap -q @example.com mysql:/etc/postfix/mysql/remote_aliases.cf
> # postmap -q [hidden email] mysql:/etc/postfix/mysql/aliases.cf
> # postmap -q @example.com mysql:/etc/postfix/mysql/aliases.cf

All the above postmap commands return nothing.

> Please send the output of 'postconf -n' instead of main.cf. If you still
> have the list welcome message, please read it (unlike most lists, the
> postfix one contains important information). if you lost it, please read
> http://www.postfix.org/DEBUG_README.html#mail
>
> This will help in the future.

root@blueled:/ # postconf -n
append_dot_mydomain = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
default_destination_concurrency_limit = 1
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
local_destination_concurrency_limit = 1
mailbox_size_limit = 0
masquerade_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
masquerade_exceptions = root
message_size_limit = 0
mydestination = $mydomain, blueled, localhost.localdomain, localhost, agile.ath.cx, bajon.dk
myhostname = agile.dk
mynetworks = 127.0.0.0/8,192.1.1.0/24
queue_directory = /var/spool/postfix
recipient_delimiter =
relay_domains = $mydestination
relayhost = smtp.cybercity.dk
remote_header_rewrite_domain =
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_soft_error_limit = 10
strict_rfc821_envelopes = yes
transport_maps = mysql:/etc/postfix/mysql/transport.cf
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql/remote_aliases.cf
virtual_gid_maps = mysql:/etc/postfix/mysql/vgids.cf
virtual_mailbox_base = /var/spool/postfix/virtual
virtual_mailbox_limit = 102400000
virtual_mailbox_maps = mysql:/etc/postfix/mysql/aliases.cf
virtual_uid_maps = mysql:/etc/postfix/mysql/vuids.cf

Postconf returns the main.cf as I can see it.

> then disable the chroot ;-p

Disabling chroot is an option, but I prefer not to, because I think it is more secure to have it enabled.

> I see no sasl stuff in your claimed main.cf thing. so it is impossible
> to help you.

SASL is disabled right now, that's why it is not showing in the main.cf

but when I enable it I am using the following lines.

smtpd_sasl_path = /etc/postfix/sasl
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
#smtpd_recipient_restrictions = permit_mynetworks, #Enabling this rejects all mail and I am not able to receive anything.
# permit_sasl_authenticated,
# reject_unknown_sender_domain,
# reject_unauth_pipelining,
# reject_unknown_recipient_domain,
# reject_non_fqdn_sender,
# reject_non_fqdn_recipient,
# reject_non_fqdn_hostname,
# reject_unauth_destination

smtpd_sasl_local_domain = $myhostname,
 reject_rbl_client relays.ordb.org,
 reject_rbl_client dev.null.dk,
 reject_rbl_client opm.blitzed.org,
 reject_rbl_client sbl.spamhaus.org,
 check_relay_domains,
 permit
smtpd_tls_cert_file=/etc/postfix/smtpd.cert
smtpd_tls_key_file=/etc/postfix/smtpd.key
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

> you should use the default threshold of 5. do not play with the
> threshold. play with rules instead.

Ok I will look into that.

> that said, start by tuning your postfix restrictions. use
> zen.spamhaus.org and see if it's enough for you. if not, you can ask
> here but you will need to show a sample spam (full unaltered headers).
> the spamassassin list is also a good place for such questions.

Here is an example of a SPAM mail

[snip]
Return-Path: <[hidden email]>
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on blueled
X-Spam-Level: **
X-Spam-Status: No, score=2.5 required=3.0 tests=RAZOR2_CF_RANGE_51_100,
	RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK autolearn=disabled version=3.2.3
Delivered-To: [hidden email]
Received: from evto11.nts.nnov.ru (evto11.nts.nnov.ru [217.23.30.11])
	by agile.dk (Postfix) with ESMTP id 9A76BC2554
	for <[hidden email]>; Fri, 20 Jun 2008 08:55:31 +0200 (CEST)
Message-ID: <000701c8d2a2$03ca52a7$7ef162a0@wwslgf>
From: "brody manahil" <[hidden email]>
To: <[hidden email]>
Subject: MSG ID:36047 Luxury Footwear and Leather products blowout sale
Date: Fri, 20 Jun 2008 05:08:20 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-Virus: Scanned by agile.dk

The world's largest luxury store for shoes and bags is just one click away.
Recommended by thousands of satisfied customers worldwide, we carry dozens of famous brands including:

~ Louis Vuitton
~ Armani
~ Gucci
~ Prada
~ Hermes

Here you will find thousands of stunning designs for shoes, and leather products, at rock bottom pricing.
Prices range from just $39 to $199; quality is assured and satisfaction absolutely guaranteed.
Sale ends this week, so visit us today and start pampering yourself and your loved ones!

- Visit our site: www.nivematel[DOT]com
(copy this link and then replace "[DOT]" to ".")
[snip]

I do not have autolearn enabled but am running sa-learn weekly, based on both ham and spam.

Regards

Jan
Hi,

I'm running a Postfix 2.4.5 on OpenSuse 10.3.

My setup is Postfix/Amavisd-new (2.5.2) as a mail gateway (to an internal network) with several domains. Up to now I provided the same spam handling to all domains (postfix -> smtpd_proxy_filter -> amavisd-new/sa = working fine).

Now I would like to provide different spam handling for some domains.

Problem: Using the "policy-bank" feature of amavisd-new I need multiple smtpd_proxy_filter to address different ports!? Will this work? (smtpd_*_restrictions / smtpd_restriction_classes!?) Is there (maybe) even a (better) way? If possible I'd like to keep the before-queue filter.

I'm looking forward to every proposal or suggestion ;O))

Best regards, Martin
On Mon June 23 2008 03:43:27 Jan Meyland Andersen wrote:
> On Sun, 22 Jun 2008 20:56:09 +0200, mouss <[hidden email]> wrote:
> > then disable the chroot ;-p
>
> Disabling chroot is an option, but I prefer not to, because I think
> it is more secure to have it enabled.

Likewise, it's more secure to disconnect from the network. If you lack the experience and know-how to maintain the chroot, it's not helping.

> > that said, start by tuning your postfix restrictions. use
> > zen.spamhaus.org and see if it's enough for you. if not, you can
> > ask here but you will need to show a sample spam (full unaltered
> > headers). the spamassassin list is also a good place for such
> > questions.
>
> Here is an example of a SPAM mail
>
> [snip]
> Return-Path: <[hidden email]>
> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on blueled
> X-Spam-Level: **
> X-Spam-Status: No, score=2.5 required=3.0
> tests=RAZOR2_CF_RANGE_51_100, RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK
> autolearn=disabled version=3.2.3
> Delivered-To: [hidden email]
> Received: from evto11.nts.nnov.ru (evto11.nts.nnov.ru [217.23.30.11])
> by agile.dk (Postfix) with ESMTP id 9A76BC2554
> for <[hidden email]>; Fri, 20 Jun 2008 08:55:31 +0200 (CEST)

11.30.23.217.zen.spamhaus.org. 1800 IN TXT "http://www.spamhaus.org/query/bl?ip=217.23.30.11"
11.30.23.217.zen.spamhaus.org. 1800 IN A 127.0.0.4

This, like most spam, came from a known spam source.

BTW the log lines in your original post were chopped off. I think we are still lacking a complete problem description here.

--
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
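The two DNS records above are exactly what "reject_rbl_client zen.spamhaus.org" checks: the client IP's octets reversed under the zone, and an A record in 127.0.0.0/8 whose last octet says which Spamhaus list hit. The Python below is an added example (not from this thread, not Spamhaus or Postfix code): it builds the query name, maps the Zen return codes to their lists, and keeps real listings apart from the 127.255.255.x answers Spamhaus uses to signal a mis-typed zone, a query via an open resolver, or an over-quota querier. DNS itself is replaced by a constructed in-memory table seeded with the one real answer in rob0's dig output (217.23.30.11 -> 127.0.0.4) plus invented 192.0.2.x test addresses.

```python
import ipaddress

# Spamhaus Zen return codes, per the Spamhaus DNSBL documentation.
ZEN_CODES = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS: low-reputation / snowshoe sender",
    "127.0.0.4": "XBL: exploited or infected host (CBL data)",
    "127.0.0.5": "XBL: exploited or infected host",
    "127.0.0.6": "XBL: exploited or infected host",
    "127.0.0.7": "XBL: exploited or infected host",
    "127.0.0.10": "PBL: end-user address space (ISP maintained)",
    "127.0.0.11": "PBL: end-user address space (Spamhaus maintained)",
}

# Answers in 127.255.255.0/24 are error signals, not listings. A server that
# treats them as listings starts rejecting every client.
ZEN_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query sent via a public/open resolver; refused",
    "127.255.255.255": "query volume too high; Spamhaus wants a data feed",
}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """217.23.30.11 -> '11.30.23.217.zen.spamhaus.org' (octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_answers(answers):
    """Split the A records into (listings, error codes, unknown codes)."""
    listings = [(a, ZEN_CODES[a]) for a in answers if a in ZEN_CODES]
    errors = [(a, ZEN_ERRORS[a]) for a in answers if a in ZEN_ERRORS]
    unknown = [a for a in answers if a not in ZEN_CODES and a not in ZEN_ERRORS]
    return listings, errors, unknown


def check_client(ip, resolve, zone="zen.spamhaus.org"):
    """Decide what to do with a connecting client.

    resolve(name) returns the A records for name as strings ([] for NXDOMAIN).
    Listings reject; error or unrecognised codes defer rather than reject, so
    an outage or a typo never turns into a blanket reject.
    """
    name = dnsbl_query_name(ip, zone)
    listings, errors, unknown = classify_answers(resolve(name))
    if listings:
        action = "reject"
    elif errors or unknown:
        action = "defer"
    else:
        action = "accept"
    return {"ip": ip, "query": name, "action": action,
            "listings": listings, "errors": errors, "unknown": unknown}


# Constructed stand-in for DNS: the one real answer from rob0's dig output,
# plus invented test addresses from the 192.0.2.0/24 documentation range.
FAKE_DNS = {
    "11.30.23.217.zen.spamhaus.org": ["127.0.0.4"],
    "1.2.0.192.zen.spamhaus.org": [],                   # 192.0.2.1: not listed
    "2.2.0.192.zen.spamhaus.org": ["127.255.255.254"],  # 192.0.2.2: open-resolver error
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("217.23.30.11", "192.0.2.1", "192.0.2.2"):
        r = check_client(ip, fake_resolve)
        print(ip, r["query"], "->", r["action"], r["listings"] or r["errors"])
```

Postfix's bare "reject_rbl_client zen.spamhaus.org" rejects on any A record, error codes included. The "rbl_domain=d.d.d.d" form restricts the match to one return code (Postfix 2.1+), and "zen.spamhaus.org=127.0.0.[2..11]" does the same for the whole listing range (Postfix 2.8+); either gives the behaviour modelled here, where an error answer is not a listing.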
Jan Meyland Andersen wrote:
> The first one is that my mail.log gets filled with lines like this.
> Jun 20 06:48:15 localhost postfix/qmgr[19721]: 79988C1607:
> to=<[hidden email]>, relay=none, delay=20947,
> delays=20947/0.1/0/0, dsn=4.4.1, status=deferred (delivery temporarily
> spended:
> Jun 20 06:48:15 localhost postfix/qmgr[19721]: 7A0D8C1F30:
> from=<[hidden email]>, size=2577, nrcpt=1 (queue active)
> Jun 20 06:48:15 localhost postfix/qmgr[19721]: 703CCC24FF:
> to=<[hidden email]>, relay=none, delay=33966,
> delays=33966/0.09/0/0, dsn=4.4.1, status=deferred (delivery temporarily
> suspended: con
> Jun 20 06:48:15 localhost postfix/qmgr[19721]: 745A7C04CF:
> from=<[hidden email]>, size=1209, nrcpt=1 (queue active)

As /dev/rob0 pointed out, these lines seem to be truncated as well.

> On Sun, 22 Jun 2008 20:56:09 +0200, mouss <[hidden email]> wrote:
>> what is the output of
>> # postmap -q [hidden email] mysql:/etc/postfix/mysql/remote_aliases.cf
>> # postmap -q @example.com mysql:/etc/postfix/mysql/remote_aliases.cf
>> # postmap -q [hidden email] mysql:/etc/postfix/mysql/aliases.cf
>> # postmap -q @example.com mysql:/etc/postfix/mysql/aliases.cf
>
> All the above postmap commands return nothing.

postmap -q [hidden email] mysql:/etc/postfix/mysql/remote_aliases.cf
postmap -q @agile.dk mysql:/etc/postfix/mysql/remote_aliases.cf

> virtual_gid_maps = mysql:/etc/postfix/mysql/vgids.cf
> virtual_mailbox_base = /var/spool/postfix/virtual
> virtual_mailbox_limit = 102400000
> virtual_mailbox_maps = mysql:/etc/postfix/mysql/aliases.cf
> virtual_uid_maps = mysql:/etc/postfix/mysql/vuids.cf

What is the point of these entries? You don't have virtual_mailbox_domains defined. From `man 5 postconf`:

virtual_mailbox_maps (default: empty)
    Optional lookup tables with all valid addresses in the domains that match $virtual_mailbox_domains.

> SASL is disabled right now, that's why it is not showing in the main.cf

As the SASL_README says: "To run software chrooted with SASL support is an interesting exercise. It probably is not worth the trouble."

> but when I enable it I am using the following lines.
> smtpd_sasl_path = /etc/postfix/sasl
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> broken_sasl_auth_clients = yes
> #smtpd_recipient_restrictions = permit_mynetworks, #Enabling this rejects
> all mail and I am not able to receive anything.
> # permit_sasl_authenticated,
> # reject_unknown_sender_domain,
> # reject_unauth_pipelining,
> # reject_unknown_recipient_domain,
> # reject_non_fqdn_sender,
> # reject_non_fqdn_recipient,
> # reject_non_fqdn_hostname,
> # reject_unauth_destination
>
> smtpd_sasl_local_domain = $myhostname,
>  reject_rbl_client relays.ordb.org,
>  reject_rbl_client dev.null.dk,
>  reject_rbl_client opm.blitzed.org,
>  reject_rbl_client sbl.spamhaus.org,
>  check_relay_domains,
>  permit

It is best to put reject_rbl_client restrictions into smtpd_recipient_restrictions.

It is best to put reject_unauth_destination as the first reject in smtpd_recipient_restrictions because it is a very inexpensive check.

Also, inline comments in a main.cf file are not permitted and cause problems. All comments must start in column 1 of a main.cf line.

> smtpd_tls_cert_file=/etc/postfix/smtpd.cert
> smtpd_tls_key_file=/etc/postfix/smtpd.key
> smtpd_use_tls=yes

If you ever use TLS again, set 'smtpd_tls_security_level = may' instead of this.

Brian

> smtpd_tls_auth_only=yes
> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
At 10:43 AM +0200 6/23/08, Jan Meyland Andersen wrote:
>Hi
>
>Thanks for your answer.
>
>On Sun, 22 Jun 2008 20:56:09 +0200, mouss <[hidden email]> wrote:
[...]
>> Please send the output of 'postconf -n' instead of main.cf. If you still
>> have the list welcome message, please read it (unlike most lists, the
>> postfix one contains important information). if you lost it, please read
>> http://www.postfix.org/DEBUG_README.html#mail
>>
>> This will help in the future.
>
>root@blueled:/ # postconf -n
[...]
>
>Postconf returns the main.cf as I can see it.

Using postconf -n is preferable over looking at main.cf because it eliminates some common types of human misperception. What is in main.cf is what you've put there, and the brain is very good at auto-correcting typos. Postfix isn't.

In addition, you can only really make use of postconf -n output as a diagnostic guide when you believe that your main.cf contains the settings you want but something is not working as expected or desired. If you comment out a bunch of stuff to make Postfix work minimally but not as you want, then you've eliminated both the problem and the problematic config and you have nothing to diagnose.

>> then disable the chroot ;-p
>Disabling chroot is an option, but I prefer not to, because I think it is
>more secure to have it enabled.

In the sense that you break it, that is true. Unplug the server completely for maximal security. :)

It is hard to support a theory of significantly improved safety from chroot'ing the various parts of Postfix in any concrete way given the design of Postfix and a reasonably well-secured system. If you can make it work, you might end up with a more theoretically secure system or you might do something that makes the chroot worthless.

>> I see no sasl stuff in your claimed main.cf thing. so it is impossible
>> to help you.
>
>SASL is disabled right now, that's why it is not showing in the main.cf
>
>but when I enable it I am using the following lines.
>smtpd_sasl_path = /etc/postfix/sasl
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_security_options = noanonymous
>broken_sasl_auth_clients = yes
>#smtpd_recipient_restrictions = permit_mynetworks, #Enabling this rejects
>all mail and I am not able to receive anything.
># permit_sasl_authenticated,
># reject_unknown_sender_domain,
># reject_unauth_pipelining,
># reject_unknown_recipient_domain,
># reject_non_fqdn_sender,
># reject_non_fqdn_recipient,
># reject_non_fqdn_hostname,
># reject_unauth_destination
>
>smtpd_sasl_local_domain = $myhostname,
> reject_rbl_client relays.ordb.org,
> reject_rbl_client dev.null.dk,
> reject_rbl_client opm.blitzed.org,
> reject_rbl_client sbl.spamhaus.org,
> check_relay_domains,
> permit

As Brian Evans has pointed out, your commenting here creates a syntax problem because lines starting with whitespace are logical continuations of the previous line in main.cf. In addition, if you uncomment everything shown then you have a *different* syntax problem, because you've dropped smtpd_sasl_local_domain in the middle of what seems to have previously been the list of rules for smtpd_recipient_restrictions, which is probably why uncommenting those lines fails.

When you fix this, you should also clean up the DNSBL usage that you seem to be intending. Both relays.ordb.org and opm.blitzed.org are obsolete. The SBL is great, but the Spamhaus Zen list is a superset that is far more effective and quite safe to use. Note as well that if you are handling enough volume (>100,000 connections per day or 300,000 DNSBL queries/day) Spamhaus requires you to set up a paid data feed instead of direct queries, and they do enforcement of their volume limits without warning by simply dropping all queries from sites they identify as over-users. A Spamhaus feed is not very expensive nor hard to get set up, and it has the added bonus of giving you faster responses from your local instance than you'd get across the Internet.

[...]
>> you should use the default threshold of 5. do not play with the
>> threshold. play with rules instead.
>
>Ok I will look into that.

You probably want to consider a range of views on that issue. I've found that tuning both rule scores and the threshold value is the most effective approach to adapting SA to a particular mail stream. There's not really any convincing theory or data behind the number 5, and a lot of people who feed SA a stream of mail that does not look much like that of a consumer ISP or college find values in the 3-4 range safe and significantly more effective than 5.

>> that said, start by tuning your postfix restrictions. use
>> zen.spamhaus.org and see if it's enough for you. if not, you can ask
>> here but you will need to show a sample spam (full unaltered headers).
>> the spamassassin list is also a good place for such questions.
>
>Here is an example of a SPAM mail
>
>[snip]
>Return-Path: <[hidden email]>
>X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on blueled
>X-Spam-Level: **
>X-Spam-Status: No, score=2.5 required=3.0 tests=RAZOR2_CF_RANGE_51_100,
> RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK autolearn=disabled version=3.2.3
>Delivered-To: [hidden email]
>Received: from evto11.nts.nnov.ru (evto11.nts.nnov.ru [217.23.30.11])
> by agile.dk (Postfix) with ESMTP id 9A76BC2554
> for <[hidden email]>; Fri, 20 Jun 2008 08:55:31 +0200 (CEST)
[...]

This is an example of why mouss suggested using the zen.spamhaus.org DNSBL. It would have blocked that message. It also looks like you've turned off the DNSBL checks inside SA, which can be helpful as well. Note that 217.23.30.11 is on the CBL, SpamCop, and SORBS lists currently and has been on the first two intermittently for some time, so even without functional reject_rbl_client settings in Postfix, you might have gotten useful scored application of those DNSBLs from SA.

>I do not have autolearn enabled but am running sa-learn weekly, based on
>both ham and spam.

I suspect that there's a lot of adjustment in SA you could benefit from once the Postfix-level issues have been fixed, but those are probably best discussed in other places.

--
Bill Cole
[hidden email]
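Brian and Bill point at the same two main.cf parsing rules: a "#" starts a comment only at the beginning of a line, and a line that begins with whitespace continues the previous logical line, whatever comment or blank lines sit in between. The Python below is an added example, not code from the thread or from Postfix: a small parser that models those rules, run over Jan's SASL snippet exactly as posted and then once more with the leading "#" characters removed (what Jan gets when he "uncomments" the restrictions), plus a lint that flags the two problems Bill describes. The parser is a simplified model of Postfix's reader (indented "#" lines are treated as comments too, and "$variable" expansion is ignored); the indentation of the reject_rbl_client lines is the reading Bill's analysis assumes.

```python
import re


def parse_main_cf(text):
    """Parse main.cf with Postfix's logical-line rules (simplified model).

    - a line whose first non-blank character is '#' is a comment and is skipped
    - a line starting with whitespace continues the previous logical line,
      even when comment or blank lines sit in between
    - everything after the first '=' is the value; a '#' there is NOT a comment
    Later assignments override earlier ones, as in Postfix.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError("continuation line with nothing to continue: %r" % raw)
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected 'name = value': %r" % raw)
        current = name.strip()
        params[current] = value.strip()
    return params


# Keywords that only make sense inside an smtpd_*_restrictions list.
RESTRICTION_RE = re.compile(r"\b(permit|permit_\w+|reject_\w+|check_\w+|defer_\w+|warn_if_reject)\b")


def lint(params):
    """Flag the two mistakes discussed in the thread."""
    problems = []
    for name, value in params.items():
        if "#" in value:
            problems.append("%s: '#' inside the value; comments must start in column 1" % name)
        if not name.endswith("_restrictions") and RESTRICTION_RE.search(value):
            problems.append("%s: restriction keywords in a non-restriction parameter "
                            "(indented lines got glued onto it)" % name)
    return problems


# Jan's snippet as posted in the thread, with the rbl lines indented as
# Bill Cole's reading assumes.
JAN_SNIPPET = """\
smtpd_sasl_path = /etc/postfix/sasl
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
#smtpd_recipient_restrictions = permit_mynetworks, #Enabling this rejects all mail and I am not able to receive anything.
# permit_sasl_authenticated,
# reject_unknown_sender_domain,
# reject_unauth_pipelining,
# reject_unknown_recipient_domain,
# reject_non_fqdn_sender,
# reject_non_fqdn_recipient,
# reject_non_fqdn_hostname,
# reject_unauth_destination

smtpd_sasl_local_domain = $myhostname,
 reject_rbl_client relays.ordb.org,
 reject_rbl_client dev.null.dk,
 reject_rbl_client opm.blitzed.org,
 reject_rbl_client sbl.spamhaus.org,
 check_relay_domains,
 permit
"""

# The same text with the column-1 '#' removed: what Postfix sees once Jan
# "uncomments" the restrictions and mail starts being rejected.
UNCOMMENTED = re.sub(r"^#", "", JAN_SNIPPET, flags=re.M)


if __name__ == "__main__":
    for label, text in (("as posted", JAN_SNIPPET), ("uncommented", UNCOMMENTED)):
        params = parse_main_cf(text)
        print("==", label)
        for key in ("smtpd_recipient_restrictions", "smtpd_sasl_local_domain"):
            print("%s = %s" % (key, params.get(key)))
        for problem in lint(params):
            print("LINT:", problem)
```

As posted, the six indented lines are appended to smtpd_sasl_local_domain and smtpd_recipient_restrictions does not exist at all. Uncommented, the restriction list is correct up to the point where the inline "#Enabling this rejects all mail ..." text becomes part of its value, and smtpd_sasl_local_domain still swallows the rbl lines. Running the real thing through "postconf -n" shows the same glued values, which is why the thread keeps asking for it.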
[hidden email] wrote:
> Hi,
>
> I'm running a Postfix 2.4.5 on OpenSuse 10.3.
>
> My setup is Postfix/Amavisd-new (2.5.2) as a mail gateway (to an internal network) with several domains.
> Up to now I provided the same spam handling to all domains (postfix -> smtpd_proxy_filter -> amavisd-new/sa = working fine).
>
> Now I would like to provide different spam handling for some domains.
>
> Problem: Using the "policy-bank" feature of amavisd-new I need multiple smtpd_proxy_filter to address different ports!?
>
> Will this work? (smtpd_*_restrictions / smtpd_restriction_classes!?)
> Is there (maybe) even a (better) way?
> If possible I'd like to keep the before-queue filter.
>
> I'm looking forward to every proposal or suggestion ;O))
>
> Best regards, Martin

The proxy filter must be opened before the recipient is known, so no, it's not possible to use a different smtpd_proxy_filter based on the recipient.

Typically, one would use different MX records to direct domains that require different handling to a different IP.

Or maybe you can accomplish what you need by using the various recipient controls in amavisd-new.

--
Noel Jones
Bill Cole wrote, at 06/23/2008 11:33 AM:
> I've found that tuning both rule scores and the threshold value is the
> most effective approach to adapting SA to a particular mail stream.
> There's not really any convincing theory or data behind the number 5 and

The upstream rule developers target the default threshold of 5 (required_score 5.0). Thousands of rules have been tuned to this threshold, so adjust it at your own risk. I find leaving it alone and tweaking individual rules to be far more effective (along with running sa-update daily).

> a lot of people who feed SA a stream of mail that does not look much
> like that of a consumer ISP or college find values in the 3-4 range safe
> and significantly more effective than 5.

I manage mail for a wide variety of sites, including business, academic, healthcare, nonprofit and international. Lowering the threshold to 3 or 4 would result in many false positives. In some cases, I might even consider holding mail that scores between 5 and 7 for inspection, but I usually only do this for a new site until I've tuned to its needs. I still haven't needed to raise the threshold in those cases, and rarely need to tweak more than a handful of rules.
Bill Cole wrote:
> [snip]
>
> I've found that tuning both rule scores and the threshold value is the
> most effective approach to adapting SA to a particular mail stream.
> There's not really any convincing theory or data behind the number 5
> and a lot of people who feed SA a stream of mail that does not look
> much like that of a consumer ISP or college find values in the 3-4
> range safe and significantly more effective than 5.

If you run your own mass check, then you're free to use whatever threshold you want. if you use the default scores, then you should know that they are computed by a perceptron that tries to find scores so that

if spam, score > 5

I don't know who decided to use 5 instead of 0... SA provides no confidence measure (dspam does). don't tell me that an SA score of 7 is a lot more than 6, because there is no unit to compare these.

In short, there is no "convincing theory or data behind" anything but the default threshold.
Jan Meyland Andersen wrote:
> Hi
>
> Thanks for your answer.
>
> On Sun, 22 Jun 2008 20:56:09 +0200, mouss <[hidden email]> wrote:
>
>> what is the output of
>> # postmap -q [hidden email] mysql:/etc/postfix/mysql/remote_aliases.cf
>> # postmap -q @example.com mysql:/etc/postfix/mysql/remote_aliases.cf
>> # postmap -q [hidden email] mysql:/etc/postfix/mysql/aliases.cf
>> # postmap -q @example.com mysql:/etc/postfix/mysql/aliases.cf
>
> All the above postmap commands return nothing.
>
>> Please send the output of 'postconf -n' instead of main.cf. If you still
>> have the list welcome message, please read it (unlike most lists, the
>> postfix one contains important information). if you lost it, please read
>> http://www.postfix.org/DEBUG_README.html#mail
>>
>> This will help in the future.
>
> root@blueled:/ # postconf -n
> append_dot_mydomain = no
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/lib/postfix
> default_destination_concurrency_limit = 1
> disable_vrfy_command = yes
> home_mailbox = Maildir/
> inet_interfaces = all
> local_destination_concurrency_limit = 1

where is local_recipient_maps? what is the result of
# postconf local_recipient_maps

> mailbox_size_limit = 0
> masquerade_classes = envelope_sender, envelope_recipient, header_sender,
> header_recipient
> masquerade_exceptions = root
> message_size_limit = 0
> mydestination = $mydomain, blueled, localhost.localdomain, localhost,
> agile.ath.cx, bajon.dk
> myhostname = agile.dk

you'd better set mydomain explicitly as well (otherwise, resetting myhostname in master.cf will result in surprises...)

> mynetworks = 127.0.0.0/8,192.1.1.0/24
> queue_directory = /var/spool/postfix
> recipient_delimiter =
> relay_domains = $mydestination

please set
relay_domains =
or use
# postconf -e relay_domains=

> relayhost = smtp.cybercity.dk
> remote_header_rewrite_domain =
> setgid_group = postdrop
> smtpd_banner = $myhostname ESMTP
> smtpd_delay_reject = yes
> smtpd_error_sleep_time = 1s
> smtpd_hard_error_limit = 20
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
> reject_invalid_hostname, permit
> smtpd_soft_error_limit = 10
> strict_rfc821_envelopes = yes
> transport_maps = mysql:/etc/postfix/mysql/transport.cf
> unknown_address_reject_code = 554
> unknown_client_reject_code = 554
> unknown_hostname_reject_code = 554
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = mysql:/etc/postfix/mysql/remote_aliases.cf
> virtual_gid_maps = mysql:/etc/postfix/mysql/vgids.cf
> virtual_mailbox_base = /var/spool/postfix/virtual
> virtual_mailbox_limit = 102400000
> virtual_mailbox_maps = mysql:/etc/postfix/mysql/aliases.cf
> virtual_uid_maps = mysql:/etc/postfix/mysql/vuids.cf
>
> Postconf returns the main.cf as I can see it.

if that makes you happy, it's good :)

we don't want main.cf because we can't trust it (typos, redefined settings, ...) and we don't have the energy to parse it (too long, unsorted, ... etc). postconf -n reports what postfix sees. just recently, a poster had a problem because he used smptd_* instead of smtpd_*. he was certain the config was in his main.cf... and anyway, we prefer the sorted output of postconf -n where we know when to jump where.

>> then disable the chroot ;-p
>
> Disabling chroot is an option, but I prefer not to, because I think it is
> more secure to have it enabled.

then find out what is required to run inside the chroot jail. This depends on what system you run and what packages you use. make sure any required socket is inside the jail at the right place. logs may help here.

PS. since you use mysql, you'd better use it in sasl as well (you didn't show smtpd.conf so I can't tell).

>> I see no sasl stuff in your claimed main.cf thing. so it is impossible
>> to help you.
>
> SASL is disabled right now, that's why it is not showing in the main.cf

we can't help you fix N different configurations at a time (and even for you, this is hard). choose one config, implement it, test it and report the results. trying to chase a moving target is not easy.

> but when I enable it I am using the following lines.
> smtpd_sasl_path = /etc/postfix/sasl
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> broken_sasl_auth_clients = yes
> #smtpd_recipient_restrictions = permit_mynetworks, #Enabling this rejects
> all mail and I am not able to receive anything.

your mailer or cut-and-paster is getting it wrong ;-p This is one reason why 'postconf -n' is better than arbitrary text.

> # permit_sasl_authenticated,
> # reject_unknown_sender_domain,
> # reject_unauth_pipelining,
> # reject_unknown_recipient_domain,
> # reject_non_fqdn_sender,
> # reject_non_fqdn_recipient,
> # reject_non_fqdn_hostname,
> # reject_unauth_destination
>
> smtpd_sasl_local_domain = $myhostname,
>  reject_rbl_client relays.ordb.org,
>  reject_rbl_client dev.null.dk,
>  reject_rbl_client opm.blitzed.org,
>  reject_rbl_client sbl.spamhaus.org,
>  check_relay_domains,
>  permit
> smtpd_tls_cert_file=/etc/postfix/smtpd.cert
> smtpd_tls_key_file=/etc/postfix/smtpd.key
> smtpd_use_tls=yes
> smtpd_tls_auth_only=yes
> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
>
>> you should use the default threshold of 5. do not play with the
>> threshold. play with rules instead.
>
> Ok I will look into that.
>
>> that said, start by tuning your postfix restrictions. use
>> zen.spamhaus.org and see if it's enough for you. if not, you can ask
>> here but you will need to show a sample spam (full unaltered headers).
>> the spamassassin list is also a good place for such questions.
>
> Here is an example of a SPAM mail

This is a spam you can't easily block in postfix (and maybe even in SA, I didn't run it through SA). the client is now listed in cbl (thus in zen) but it was not at the time you got the message.

you can't stop all spam unless you don't care for FPs. so start by using "common" checks (zen.spamhaus.org is the one to start with). if you still get a lot of junk, we can recommend other checks. but again, do not try to stop all junk.

> [snip]
> Return-Path: <[hidden email]>
> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on blueled
> X-Spam-Level: **
> X-Spam-Status: No, score=2.5 required=3.0 tests=RAZOR2_CF_RANGE_51_100,
> RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK autolearn=disabled version=3.2.3
> Delivered-To: [hidden email]
> Received: from evto11.nts.nnov.ru (evto11.nts.nnov.ru [217.23.30.11])
> by agile.dk (Postfix) with ESMTP id 9A76BC2554
> for <[hidden email]>; Fri, 20 Jun 2008 08:55:31 +0200 (CEST)
> Message-ID: <000701c8d2a2$03ca52a7$7ef162a0@wwslgf>
> From: "brody manahil" <[hidden email]>
> To: <[hidden email]>
> Subject: MSG ID:36047 Luxury Footwear and Leather products blowout sale
> Date: Fri, 20 Jun 2008 05:08:20 +0000
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2900.3138
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
> X-Virus: Scanned by agile.dk
>
> The world's largest luxury store for shoes and bags is just one click away.
> Recommended by thousands of satisfied customers worldwide, we carry dozens
> of famous brands including:
>
> ~ Louis Vuitton
> ~ Armani
> ~ Gucci
> ~ Prada
> ~ Hermes
>
> Here you will find thousands of stunning designs for shoes, and leather
> products, at rock bottom pricing.
> Prices range from just $39 to $199; quality is assured and satisfaction
> absolutely guaranteed.
> Sale ends this week, so visit us today and start pampering yourself and
> your loved ones!
>
>
> - Visit our site: www.nivematel[DOT]com
> (copy this link and then replace "[DOT]" to ".")
> [snip]

depending on how many such tricks are used, one can catch the "[DOT]" there. but if only few messages have this, it is not worth the pain.

followup on the SA list please (it's where this belongs).

> I do not have autolearn enabled but am running sa-learn weekly, based on
> both ham and spam.
>
> Regards
>
> Jan
In reply to this post by /dev/rob0
> Likewise, it's more secure to disconnect from the network. If you lack
> the experience and know-how to maintain the chroot, it's not helping.

I can see that many advise me to disable this. I just thought that there was a reason why it is enabled by default. But I do not have the experience or the time to make this work, so I will most likely follow the advice.

> 11.30.23.217.zen.spamhaus.org. 1800 IN TXT
> "http://www.spamhaus.org/query/bl?ip=217.23.30.11"
> 11.30.23.217.zen.spamhaus.org. 1800 IN A 127.0.0.4
>
> This, like most spam, came from a known spam source.
>
> BTW the log lines in your original post were chopped off. I think we
> are still lacking a complete problem description here.

I think you solved the problem with spamhaus. Thanks.

Regards Jan
In reply to this post by Brian Evans - Postfix List
> Please post full transactions (only one or two) instead of the end result.
> As /dev/rob0 pointed out, these lines seem to be truncated as well.

I have no idea how to isolate this. But I think that the zen spamhaus solves the problem.

> What is the result of:
> postmap -q [hidden email] mysql:/etc/postfix/mysql/remote_aliases.cf
> postmap -q @agile.dk mysql:/etc/postfix/mysql/remote_aliases.cf

Nothing as well.

> What is the point of these entries? You don't have
> virtual_mailbox_domains defined.
> From `man 5 postconf`:
> virtual_mailbox_maps (default: empty)

I will look at this option. I didn't know there was such an option. The rest of my configuration is a composite of several guides found on the internet.

> As the SASL_README says:
> "To run software chrooted with SASL support is an interesting exercise.
> It probably is not worth the trouble."

I will most likely turn off chroot then.

>> but when I enable it I am using the following lines.
>> smtpd_sasl_path = /etc/postfix/sasl
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_security_options = noanonymous
>> broken_sasl_auth_clients = yes
>> #smtpd_recipient_restrictions = permit_mynetworks, #Enabling this
>> rejects all mail and I am not able to receive anything.

This was only a comment I put in when I pasted it to this list, so you would know why it was uncommented.

> This is not a restriction class.
>
> It is best to put reject_rbl_client restrictions into
> smtpd_recipient_restrictions.
> It is best to put reject_unauth_destination as the first reject in
> smtpd_recipient_restrictions because it is a very inexpensive check.

I have just done that, and I can still receive mail, which is great, so I think that this solves a lot.

> If you ever use TLS again, set 'smtpd_tls_security_level = may' instead
> of this.

I will try to see what I can find about smtpd_tls_security_level = may. I have never seen this before.

Regards Jan
In reply to this post by Bill Cole-3
> When you fix this, you should also clean up the DNSBL usage that you
> seem to be intending. Both relays.ordb.org and opm.blitzed.org are
> obsolete. The SBL is great, but the Spamhaus Zen list is a superset
> that is far more effective and quite safe to use. Note as well that
> if you are handling enough volume (>100,000 connections per day or
> 300,000 DNSBL queries/day) Spamhaus requires you to set up a paid
> data feed instead of direct queries and they do enforcement of their
> volume limits without warning by simply dropping all queries from
> sites they identify as over-users. A Spamhaus feed is not very
> expensive nor hard to get set up, and it has the added bonus of
> giving you faster responses from your local instance than you'd get
> across the Internet.

This is from postconf -n now.
[snip]
smtpd_recipient_restrictions = reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client dev.null.dk,
    reject_rbl_client sbl.spamhaus.org, permit
[snip]

> I've found that tuning both rule scores and the threshold value is
> the most effective approach to adapting SA to a particular mail
> stream. There's not really any convincing theory or data behind the
> number 5 and a lot of people who feed SA a stream of mail that does
> not look much like that of a consumer ISP or college find values in
> the 3-4 range safe and significantly more effective than 5.

I have no idea how to tune rule scores. I just wanted a spam setup that worked out of the box, but I hope that zen.spamhaus.org does the trick.

Regards Jan
On Mon, Jun 23, 2008 at 11:05:17PM +0200, Jan Meyland Andersen wrote:
> > When you fix this, you should also clean up the DNSBL usage that you
> > seem to be intending. Both relays.ordb.org and opm.blitzed.org are
> > obsolete. The SBL is great, but the Spamhaus Zen list is a superset
> > that is far more effective and quite safe to use. Note as well that
> > if you are handling enough volume (>100,000 connections per day or
> > 300,000 DNSBL queries/day) Spamhaus requires you to set up a paid
> > data feed instead of direct queries and they do enforcement of their
> > volume limits without warning by simply dropping all queries from
> > sites they identify as over-users. A Spamhaus feed is not very
> > expensive nor hard to get set up, and it has the added bonus of
> > giving you faster responses from your local instance than you'd get
> > across the Internet.
>
> This is from postconf -n now.
> [snip]
> smtpd_recipient_restrictions = reject_unauth_destination, reject_rbl_client
> zen.spamhaus.org, reject_rbl_client dev.null.dk, reject_rbl_client
> sbl.spamhaus.org, permit
> [snip]

SpamHaus SBL is a subset of ZEN, don't query both.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
In reply to this post by mouss-2
> where is local_recipient_maps? what is the result of
> # postconf local_recipient_maps

root@blueled:/etc/postfix # postconf local_recipient_maps
local_recipient_maps = proxy:unix:passwd.byname $alias_maps

> you'd better set mydomain explicitly as well (otherwise, resetting
> myhostname in master.cf will result in surprises...)

But how do I then add new domains to my sql-base without reloading postfix?

> please set
>
> relay_domains =
>
> or use
> # postconf -e relay_domains=

I have tried this. Then I am not able to receive any mail at all.

> then find out what is required to run inside the chroot jail. This
> depends on what system you run and what packages you use. make sure any
> required socket is inside the jail at the right place. logs may help here.

I have been reading a lot of log files and not been able to solve this, so I give up on this.

> PS. since you use mysql, you'd better use it in sasl as well (you didn't
> show smtpd.conf so I can't tell).

I use mysql in sasl as well ;-) I did post the smtpd.conf the first time.

> we can't help you fix N different configurations at a time (and even for
> you, this is hard). choose one config, implement it, test it and report
> the results. trying to chase a moving target is not easy.

Ok I will remember.

> you can't stop all spam unless you don't care for FPs. so start by using
> "common" checks (zen.spamhaus.org is the one to start with). if you
> still get a lot of junk, we can recommend other checks. but again, do
> not try to stop all junk.

What is FPs? Why not try to stop ALL junk? I prefer to miss a mail than get 5 spam mails daily. If I miss an important mail, I'll find out sooner or later, when I talk to the person.

Regards Jan
In reply to this post by Jan Meyland Andersen
Jan Meyland Andersen wrote:
>> Likewise, it's more secure to disconnect from the network. If you lack
>> the experience and know-how to maintain the chroot, it's not helping.
>
> I can see that many advise me to disable this. I just thought that there
> was a reason why it is enabled by default.

It is not enabled in the "original" postfix. it is enabled by your package maintainer.

> But I do not have the experience or the time to make this work, so I will
> most likely follow the advice.
>
>> 11.30.23.217.zen.spamhaus.org. 1800 IN TXT
>> "http://www.spamhaus.org/query/bl?ip=217.23.30.11"
>> 11.30.23.217.zen.spamhaus.org. 1800 IN A 127.0.0.4
>>
>> This, like most spam, came from a known spam source.
>>
>> BTW the log lines in your original post were chopped off. I think we
>> are still lacking a complete problem description here.
>
> I think you solved the problem with spamhaus. Thanks.

unfortunately not. it was listed after you received it (2008-06-24 06:00 GMT). see http://cbl.abuseat.org/lookup.cgi?ip=217.23.30.11

> Regards Jan
In reply to this post by Jan Meyland Andersen
Jan Meyland Andersen wrote:
>> you'd better set mydomain explicitly as well (otherwise, resetting
>> myhostname in master.cf will result in surprises...)
>
> But how do I then add new domains to my sql-base without reloading postfix?

mydomain is not looked up in sql.

>> please set
>>
>> relay_domains =
>>
>> or use
>> # postconf -e relay_domains=
>
> I have tried this. Then I am not able to receive any mail at all.

Then you'll need to fix your setup. each domain must only appear in one class (either in mydestination, or in relay_domains or in virtual_mailbox_domains or in virtual_alias_domains).

>> then find out what is required to run inside the chroot jail. This
>> depends on what system you run and what packages you use. make sure any
>> required socket is inside the jail at the right place. logs may help
>> here.
>
> I have been reading a lot of log files and not been able to solve this, so I
> give up on this.
>
>> PS. since you use mysql, you'd better use it in sasl as well (you didn't
>> show smtpd.conf so I can't tell).
>
> I use mysql in sasl as well ;-) I did post the smtpd.conf the first time.

indeed. I missed that. not enough coffee :)

>> you can't stop all spam unless you don't care for FPs. so start by using
>> "common" checks (zen.spamhaus.org is the one to start with). if you
>> still get a lot of junk, we can recommend other checks. but again, do
>> not try to stop all junk.
>
> What is FPs? Why not try to stop ALL junk? I prefer to miss a mail than get
> 5 spam mails daily. If I miss an important mail, I'll find out sooner or
> later, when I talk to the person.

it's just that most people prefer to avoid FPs. but even if you can use an aggressive setup, you should still add "safe" checks first and then only add (unsafe) checks when a spam slips. Among other things, this results in less effort.

For the sample you showed:

- It has no Received header except the one your postfix adds (while still claiming that it is sent by outlook). so it should hit DOS_OE_TO_MX (2.8 points). you may want to set up your internal_networks explicitly and correctly. given that you got a score of 2.5, this would have pushed the score to 5.3.

- here, JM_SOUGHT_* rules give 8.0 points. I don't know if this would have worked at reception time, but I recommend that you include Justin Mason Sought rules in your sa-update.
On Tuesday, 24 June 2008 mouss wrote:
> - here, JM_SOUGHT_* rules give 8.0 points. I don't know if this would
> have worked at reception time, but I recommend that you include
> Justin Mason Sought rules in your sa-update.

Do you have the config line at hand for how to get his sought rules?

Regards, zmi
-- 
// Michael Monnerie, Ing.BSc ----- http://it-management.at
// Tel: 0660 / 415 65 31 .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4
// Keyserver: www.keyserver.net Key-ID: 1C1209B4
In reply to this post by mouss-2
On Tue, 24 Jun 2008 09:46:59 +0200, mouss <[hidden email]> wrote:

> Then you'll need to fix your setup. each domain must only appear in one
> class (either in mydestination, or in relay_domains or in
> virtual_mailbox_domains or in virtual_alias_domains).

Ok I will look into this when I have time.

> it's just that most people prefer to avoid FPs. but even if you can use
> an aggressive setup, you should still add "safe" checks first and then
> only add (unsafe) checks when a spam slips. Among other things, this
> results in less effort.
>
> For the sample you showed:
>
> - It has no Received header except the one your postfix adds (while
> still claiming that it is sent by outlook). so it should hit
> DOS_OE_TO_MX (2.8 points). you may want to set up your internal_networks
> explicitly and correctly. given that you got a score of 2.5, this would
> have pushed the score to 5.3.
>
> - here, JM_SOUGHT_* rules give 8.0 points. I don't know if this would
> have worked at reception time, but I recommend that you include Justin
> Mason Sought rules in your sa-update.

I didn't know that command. I am only running sa-learn and not sa-update. However I found this http://taint.org/2007/08/15/004348a.html and ran the commands, and now the spam from the previous mail scores 16.2, so this also seems to work very well.

Thanks a lot

Regards Jan
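mouss's reasoning above about why the posted sample should hit DOS_OE_TO_MX, and his remark that the "[DOT]" trick can be caught, are both simple header and body heuristics. The script below is an added example written for this page, not SpamAssassin's rule code and not anything posted in the thread: it reimplements the two ideas over a constructed message whose layout copies the quoted spam (a single Received line, stamped by our own MX, plus an Outlook Express X-Mailer) while the hosts and addresses are placeholders. The `our_mx` argument stands in for the role SpamAssassin's trusted/internal networks play in deciding which Received lines are ours.

```python
"""Header triage for the spam sample in this thread (added example, not SpamAssassin
code). Re-implements two of the heuristics discussed: a message that reaches our MX
directly while claiming to come from Outlook Express (the DOS_OE_TO_MX idea) and a
"[DOT]"-obfuscated URL in the body."""
import email
import re
from email.message import Message
from typing import List, Set

_OE = re.compile(r"Microsoft Outlook Express", re.I)
_DOT_TRICK = re.compile(r"\w\[\s*dot\s*\]\w", re.I)

# Constructed sample modelled on the quoted message: hosts and addresses are
# placeholders; the point is that the only Received line is the one our MX added.
SAMPLE = """\
Return-Path: <brody@example.net>
Delivered-To: jan@example.com
Received: from client.example.org (client.example.org [192.0.2.10])
\tby agile.dk (Postfix) with ESMTP id 9A76BC2554
\tfor <jan@example.com>; Fri, 20 Jun 2008 08:55:31 +0200 (CEST)
Message-ID: <000701c8d2a2$03ca52a7$7ef162a0@wwslgf>
From: "brody manahil" <brody@example.net>
To: <jan@example.com>
Subject: MSG ID:36047 Luxury Footwear and Leather products blowout sale
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Mailer: Microsoft Outlook Express 6.00.2900.3138

The world's largest luxury store for shoes and bags is just one click away.
- Visit our site: www.nivematel[DOT]com
(copy this link and then replace "[DOT]" to ".")
"""

# The same message handed to us by an ISP smarthost, the way a genuine Outlook
# Express user's mail arrives: one more Received line that is not ours.
_ISP_HOP = ("Received: from [192.0.2.10] (client.example.org [192.0.2.10])\n"
            "\tby smtp.example-isp.net (Postfix) with ESMTP id 0B1C2D3E4F\n"
            "\tfor <jan@example.com>; Fri, 20 Jun 2008 08:55:20 +0200 (CEST)\n")
SAMPLE_RELAYED = SAMPLE.replace("Message-ID:", _ISP_HOP + "Message-ID:", 1)


def external_hops(msg: Message, our_mx: str) -> List[str]:
    """Received headers that were not stamped by our own MX."""
    ours = re.compile(r"\bby\s+" + re.escape(our_mx) + r"\b", re.I)
    return [r for r in msg.get_all("Received", []) if not ours.search(r)]


def triage(raw: str, our_mx: str) -> Set[str]:
    """Return the set of heuristics the message trips."""
    msg = email.message_from_string(raw)
    tags: Set[str] = set()
    # A desktop MUA submits through a smarthost, which adds its own Received line.
    # No hop before ours, plus an Outlook Express X-Mailer, means the sending host
    # spoke SMTP to our MX itself: the pattern DOS_OE_TO_MX scores.
    if not external_hops(msg, our_mx) and _OE.search(msg.get("X-Mailer", "")):
        tags.add("DIRECT_TO_MX_CLAIMS_OE")
    body = msg.get_payload(decode=True) or b""   # None for multipart; kept single-part here
    if _DOT_TRICK.search(body.decode("latin-1", "replace")):
        tags.add("DOT_OBFUSCATED_URL")
    return tags


if __name__ == "__main__":
    print(sorted(triage(SAMPLE, "agile.dk")))           # both heuristics fire
    print(sorted(triage(SAMPLE_RELAYED, "agile.dk")))   # only the [DOT] trick
```

The relayed variant shows why the direct-to-MX check is safe for real Outlook Express users: their ISP's submission server leaves a Received line that is not ours, and the heuristic stays quiet. That is also the reason mouss says to set SpamAssassin's internal_networks correctly; if your own MX is not recognised as yours, its Received line counts as an external hop and the rule never fires.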