Is a late header check possible?


Is a late header check possible?

Titanus Eramius
I'm running SpamAssassin as a content_filter on incoming mail which adds
4 spam headers, one of them being "X-Spam-Level:". The precise
header varies, depending on the spam score. SpamAssassin adds one "*" for
each spam point, so an example header could be:

X-Spam-Level: ********************

I would like to have the ability to redirect mails with that header to
an account where I can store them.

So basically I *think* I'm asking if Postfix has a header_checks
feature that runs after the content filters?

Thanks

titanus@ntdata:/etc/postfix$ sudo postconf -n
 (mail_version = 2.7.1)
alias_maps = hash:/etc/aliases
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4
disable_vrfy_command = yes
inet_interfaces = all
maximal_queue_lifetime = 15
myhostname = ntdata.nt-data.dk
mynetworks = 127.0.0.0/8
recipient_canonical_classes = envelope_recipient
recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10002
relay_domains = proxy:mysql:/etc/postfix/relay_domains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/relay_recipient_maps.cf
sender_canonical_classes = envelope_sender
sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10001
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_data_restrictions =
  reject_unauth_pipelining
  reject_multi_recipient_bounce
  permit
smtpd_helo_required = yes
smtpd_recipient_restrictions =
  reject_unauth_destination
  reject_non_fqdn_sender
  reject_non_fqdn_recipient
  reject_unknown_sender_domain
  reject_unknown_recipient_domain
  reject_rbl_client truncate.gbudb.net
  permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt
smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = dovecot
virtual_uid_maps = static:5000

Re: Is a late header check possible?

Noel Jones-2
On 2/7/2013 8:58 AM, Titanus Eramius wrote:

> I'm running SpamAssassin as a content_filter on incoming mail which adds
> 4 spam headers, one of them being "X-Spam-Level:". The precise
> header varies, depending on the spam score. SpamAssassin adds one "*" for
> each spam point, so an example header could be:
>
> X-Spam-Level: ********************
>
> I would like to have the ability to redirect mails with that header to
> an account where I can store them.
>
> So basically I *think* I'm asking if Postfix has a header_checks
> feature that runs after the content filters?

I'll assume your content_filter reinjects mail to localhost:10025
after processing.

Note: make sure your post-filter header checks don't ever reject
mail.  That would make you a backscatter source and get you blacklisted.

The cleanest way to do this is a separate postfix instance (not just
a master.cf listener service) that listens on 10025, with its own
header_checks.  This also gives the very nice benefit of separation
between pre-filter and post-filter mail.
http://www.postfix.org/MULTI_INSTANCE_README.html



Alternately, you can do some master.cf gyrations. This is likely
easier to set up, but more confusing long-term.  Something like:

# master.cf
# existing reinjection listener
127.0.0.1:10025 inet n - n - - smtpd
  ... existing stuff ...
  -o cleanup_service_name=cleanup_filter

# copy of the existing cleanup service
cleanup_filter unix n - n - 0 cleanup
  -o header_checks=pcre:/etc/postfix/header_checks_filter
  -o body_checks=

and then put your after-filter checks in header_checks_filter.




  -- Noel Jones
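To make Noel's post-filter table concrete, here is an added example (not code from the thread or from Postfix itself) that parses a pcre header_checks table in pcre_table(5) syntax and applies it to headers the way cleanup(8) does: rules are tried in file order, the first match decides, and no match means DUNNO. The table text, the quarantine address spam-quarantine@example.invalid and the ten-star threshold are assumptions for the example; in Noel's master.cf snippet the real table is /etc/postfix/header_checks_filter, and, for the backscatter reason he gives, it only REDIRECTs and never REJECTs.

```python
"""Mini evaluator for a Postfix pcre header_checks table.

Added example, not from the thread or from Postfix. It reads rules of the
form `/pattern/flags ACTION text` (pcre_table(5)) and applies them to
header lines in order, first match wins, as cleanup(8) does.
"""
import re

# Constructed post-filter table. It only REDIRECTs or passes; it never
# REJECTs, because after the content filter the SMTP "client" is our own
# reinjection, and a reject there becomes a bounce to a possibly forged
# sender (backscatter). Address and threshold are assumptions.
HEADER_CHECKS_FILTER = r"""
# Ten or more stars: SpamAssassin score of 10 or higher.
/^X-Spam-Level:\s*\*{10,}/    REDIRECT spam-quarantine@example.invalid
# Any other spam level passes untouched.
/^X-Spam-Level:/              DUNNO
"""

# /pattern/flags ACTION [text]; the pattern may contain escaped slashes.
RULE_RE = re.compile(
    r"^/(?P<pattern>(?:\\.|[^/\\])*)/(?P<flags>[ix]*)\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$")


def parse_table(text):
    """Return [(compiled_regex, ACTION, text_or_None), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable header_checks rule: %r" % line)
        # pcre_table(5): matching is case-insensitive by default and the
        # "i" flag toggles that off; "x" toggles extended syntax on.
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        if "x" in m.group("flags"):
            flags |= re.VERBOSE
        rules.append((re.compile(m.group("pattern"), flags),
                      m.group("action").upper(), m.group("text")))
    return rules


def check_header(rules, header):
    """Apply the table to one (unfolded) header line; first match wins."""
    for pattern, action, text in rules:
        if pattern.search(header):
            return action, text
    return "DUNNO", None


def spam_level_header(score):
    """Build the header SpamAssassin adds: one '*' per whole spam point."""
    return "X-Spam-Level: " + "*" * max(0, int(score))


if __name__ == "__main__":
    table = parse_table(HEADER_CHECKS_FILTER)
    for score in (4.2, 9.9, 10.0, 11.6):
        print(score, check_header(table, spam_level_header(score)))
```

On the real server the equivalent check is `postmap -q "X-Spam-Level: **********" pcre:/etc/postfix/header_checks_filter`, which prints the action the table returns for that header, followed by `postfix reload` after editing master.cf or the table.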

Re: Is a late header check possible?

Titanus Eramius
Thu, 07 Feb 2013 10:03:32 -0600 skrev Noel Jones
<[hidden email]>:

> On 2/7/2013 8:58 AM, Titanus Eramius wrote:
> > I'm running SpamAssassin as a content_filter on incoming mail which
> > adds 4 spam headers, one of them being "X-Spam-Level:". The precise
> > header varies, depending on the spam score. SpamAssassin adds one "*"
> > for each spam point, so an example header could be:
> >
> > X-Spam-Level: ********************
> >
> > I would like to have the ability to redirect mails with that header
> > to an account where I can store them.
> >
> > So basically I *think* I'm asking if Postfix has a header_checks
> > feature that runs after the content filters?
>
> I'll assume your content_filter reinjects mail to localhost:10025
> after processing.
>
> Note: make sure your post-filter header checks don't ever reject
> mail.  That would make you a backscatter source and get you
> blacklisted.
>
> The cleanest way to do this is a separate postfix instance (not just
> a master.cf listener service) that listens on 10025, with its own
> header_checks.  This also gives the very nice benefit of separation
> between pre-filter and post-filter mail.
> http://www.postfix.org/MULTI_INSTANCE_README.html

Thank you for the reply Noel, it's very helpful as usual.

The multi instance seems like the best solution, so I'll most likely go
with that.
And thanks for the warning.

Trouble configuring backup MX to reject unauth destination

Titanus Eramius
In reply to this post by Noel Jones-2
Hi all

Please note that the last time I asked about the behavior of Postfix it
turned out I had misunderstood the concept of relaying mail. It might
be the case again.

I'm running the mailserver that serves this domain + a few others,
the mailserver at ubuntudanmark.dk and the mailservers at nt-data.dk.

So I'm running these servers, with this relation:
mx01.aptget.dk         <-- Not a backup MX
mx01.ubuntudanmark.dk  <-- Not a backup MX
mx01.nt-data.dk        <-- Backup MX for mx01.aptget.dk and
                              mx01.ubuntudanmark.dk
mx02.nt-data.dk        <-- Backup MX for mx01.nt-data.dk

The setup is entirely virtual, using MySQL to store aliases, addresses
etc. The problem is that *I think* the backup MXes can be used to
spread backscatter. I routinely look at the Postfix logs, and found
these entries yesterday from mx01.nt-data.dk:

---
titanus@ntdata:/var/log$ grep "048341743609" mail.log.1

Feb  7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005
from=<SRS0=3u76=L7=gmail.com=[hidden email]>

Feb  7 22:12:48 ntdata postfix/cleanup[30176]: 048341743609:
message-id=<[hidden email]>

Feb 7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609:
from=<SRS0=3u76=L7=gmail.com=[hidden email]>, size=5268,
nrcpt=1 (queue active)

Feb  7 22:12:48 ntdata postfix/smtp[30181]: 048341743609:
to=<[hidden email]>,
relay=mx01.ubuntudanmark.dk[31.192.231.5]:25, delay=0.71,
delays=0/0.04/0.17/0.5, dsn=5.1.1, status=bounced (host
mx01.ubuntudanmark.dk[31.192.231.5] said: 550 5.1.1
<[hidden email]>: Recipient address rejected: User unknown in
virtual mailbox table (in reply to RCPT TO command))

Feb  7 22:12:48 ntdata postfix/bounce[30182]: 048341743609: sender
non-delivery notification: B201D1743608

Feb  7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609: removed
---

Then mx01.nt-data.dk tries to send a bounce to gmail:

---
Feb  7 22:12:52 ntdata postfix/smtp[30183]: B201D1743608:
to=<[hidden email]>,
orig_to=<SRS0=3u76=L7=gmail.com=[hidden email]>,
relay=gmail-smtp-in.l.google.com[173.194.71.26]:25, delay=3.4,
delays=0.01/0.01/0.29/3, dsn=5.1.1, status=bounced (host
gmail-smtp-in.l.google.com[173.194.71.26] said: 550-5.1.1 The email
account that you tried to reach does not exist. Please try 550-5.1.1
double-checking the recipient's email address for typos or 550-5.1.1
unnecessary spaces. Learn more at 550 5.1.1
http://support.google.com/mail/bin/answer.py?answer=6596
bc7si9536557lbb.184 - gsmtp (in reply to RCPT TO command))
---

The address [hidden email] does not exist, neither at
mx01.nt-data.dk nor at mx01.ubuntudanmark.dk, so I would like
mx01.nt-data.dk to reject messages to it. I've tried with other
non-existent addresses through telnet, and mx01.nt-data.dk accepts them,
as long as they are to one of the backup domains, and then bounces them
(so currently they are disabled in the database).

Following is postconf -n, the content of the 2 relay_* MySQL-files, and
the structure of their database. If more is needed, then please let me
know and I'll include it.

Any pointers, examples or explanations will be appreciated. I've read
the documentation for virtual hosting and backup MXes, but the answer
seems to evade me.

Thanks


ntdata:/etc/postfix# postconf -n
alias_maps = hash:/etc/aliases
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4
disable_vrfy_command = yes
inet_interfaces = all
maximal_queue_lifetime = 15
myhostname = ntdata.nt-data.dk
mynetworks = 127.0.0.0/8
recipient_canonical_classes = envelope_recipient
recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10002
relay_domains = proxy:mysql:/etc/postfix/relay_domains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/relay_recipient_maps.cf
sender_canonical_classes = envelope_sender
sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10001
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_data_restrictions =
  reject_unauth_pipelining,
  reject_multi_recipient_bounce,
  permit
smtpd_helo_required = yes
smtpd_recipient_restrictions =
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_rbl_client truncate.gbudb.net,
  reject_unauth_destination,
  permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt
smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = dovecot
virtual_uid_maps = static:5000


ntdata:/etc/postfix# cat relay_domains.cf
user       = postfix
password   =
dbname     = postfix
query      = SELECT description FROM domain WHERE domain='%s' AND
backupmx='1' AND active='1';

ntdata:/etc/postfix# cat relay_recipient_maps.cf
user       = postfix
password   =
dbname     = postfix
query      = SELECT goto FROM alias WHERE address='%s' AND active='1';


mysql> use postfix;
mysql> desc domain;
+-------------+--------------+------+-----+---------------------+-------+
| Field       | Type         | Null | Key | Default             | Extra |
+-------------+--------------+------+-----+---------------------+-------+
| domain      | varchar(255) | NO   | PRI | NULL                |       |
| description | varchar(255) | NO   |     | NULL                |       |
| aliases     | int(10)      | NO   |     | 0                   |       |
| mailboxes   | int(10)      | NO   |     | 0                   |       |
| maxquota    | bigint(20)   | NO   |     | 0                   |       |
| quota       | bigint(20)   | NO   |     | 0                   |       |
| transport   | varchar(255) | NO   |     | NULL                |       |
| backupmx    | tinyint(1)   | NO   |     | 0                   |       |
| created     | datetime     | NO   |     | 0000-00-00 00:00:00 |       |
| modified    | datetime     | NO   |     | 0000-00-00 00:00:00 |       |
| active      | tinyint(1)   | NO   |     | 1                   |       |
+-------------+--------------+------+-----+---------------------+-------+

mysql> desc alias;
+----------+--------------+------+-----+---------------------+-------+
| Field    | Type         | Null | Key | Default             | Extra |
+----------+--------------+------+-----+---------------------+-------+
| address  | varchar(255) | NO   | PRI | NULL                |       |
| goto     | text         | NO   |     | NULL                |       |
| domain   | varchar(255) | NO   | MUL | NULL                |       |
| created  | datetime     | NO   |     | 0000-00-00 00:00:00 |       |
| modified | datetime     | NO   |     | 0000-00-00 00:00:00 |       |
| active   | tinyint(1)   | NO   |     | 1                   |       |
+----------+--------------+------+-----+---------------------+-------+

Re: Trouble configuring backup MX to reject unauth destination

/dev/rob0
On Fri, Feb 08, 2013 at 04:06:57PM +0100, Titanus Eramius wrote:

> Please note that the last time I asked about the behavior of Postfix it
> turned out I had misunderstood the concept of relaying mail. It might
> be the case again.
>
> I'm running the mailserver that serves this domain + a few others,
> the mailserver at ubuntudanmark.dk and the mailservers at nt-data.dk.
>
> So I'm running these servers, with this relation:
> mx01.aptget.dk         <-- Not a backup MX
> mx01.ubuntudanmark.dk  <-- Not a backup MX
> mx01.nt-data.dk        <-- Backup MX for mx01.aptget.dk and
>                               mx01.ubuntudanmark.dk
> mx02.nt-data.dk        <-- Backup MX for mx01.nt-data.dk
>
> The setup is entirely virtual, using MySQL to store aliases, addresses
> etc. The problem is that *I think* the backup MXes can be used to
> spread backscatter. I routinely look at the Postfix logs, and found
> these entries yesterday from mx01.nt-data.dk:
>
> ---
> titanus@ntdata:/var/log$ grep "048341743609" mail.log.1
>
> Feb  7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005
> from=<SRS0=3u76=L7=gmail.com=[hidden email]>

pickup(8) picks up mail which was sent via sendmail(1). This is a
local/system user's process (UID 5005, specifically) sending the
mail. Your misunderstanding this time seems to be that you think it
came from the network and could thus be rejected.

If this seems to be some kind of abuse, it could be that something
you're running on the server has been compromised; web/php scripts
being the most common vector.

> Feb  7 22:12:48 ntdata postfix/cleanup[30176]: 048341743609:
> message-id=<[hidden email]>
>
> Feb 7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609:
> from=<SRS0=3u76=L7=gmail.com=[hidden email]>, size=5268,
> nrcpt=1 (queue active)
>
> Feb  7 22:12:48 ntdata postfix/smtp[30181]: 048341743609:
> to=<[hidden email]>,
> relay=mx01.ubuntudanmark.dk[31.192.231.5]:25, delay=0.71,
> delays=0/0.04/0.17/0.5, dsn=5.1.1, status=bounced (host
> mx01.ubuntudanmark.dk[31.192.231.5] said: 550 5.1.1
> <[hidden email]>: Recipient address rejected: User unknown in
> virtual mailbox table (in reply to RCPT TO command))
>
> Feb  7 22:12:48 ntdata postfix/bounce[30182]: 048341743609: sender
> non-delivery notification: B201D1743608
>
> Feb  7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609: removed
> ---
>
> Then mx01.nt-data.dk tries to send a bounce to gmail:
>
> ---
> Feb  7 22:12:52 ntdata postfix/smtp[30183]: B201D1743608:
> to=<[hidden email]>,
> orig_to=<SRS0=3u76=L7=gmail.com=[hidden email]>,

Here you have virtually aliased this sender (now a bounce recipient)
address to [hidden email].

> relay=gmail-smtp-in.l.google.com[173.194.71.26]:25, delay=3.4,
> delays=0.01/0.01/0.29/3, dsn=5.1.1, status=bounced (host
> gmail-smtp-in.l.google.com[173.194.71.26] said: 550-5.1.1 The email
> account that you tried to reach does not exist. Please try 550-5.1.1
> double-checking the recipient's email address for typos or 550-5.1.1
> unnecessary spaces. Learn more at 550 5.1.1
> http://support.google.com/mail/bin/answer.py?answer=6596
> bc7si9536557lbb.184 - gsmtp (in reply to RCPT TO command))
> ---
>
> The address [hidden email] does not exist, neither at
> mx01.nt-data.dk nor at mx01.ubuntudanmark.dk, so I would like
> mx01.nt-data.dk to reject messages to it. I've tried with other
> non-existent addresses through telnet, and mx01.nt-data.dk accepts them,
> as long as they are to one of the backup domains, and then bounces them
> (so currently they are disabled in the database).

There is no possible mechanism within Postfix to reject mail
submitted via the sendmail command.

> Following is postconf -n, the content of the 2 relay_* MySQL-files, and
> the structure of their database. If more is needed, then please let me
> know and I'll include it.
>
> Any pointers, examples or explanations will be appreciated. I've read
> the documentation for virtual hosting and backup MXes, but the answer
> seems to evade me.

FWIW, generally a backup MX is a bad idea. Why did you want it?

[snip]
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: Trouble configuring backup MX to reject unauth destination

Titanus Eramius
Fri, 8 Feb 2013 09:45:07 -0600 skrev /dev/rob0 <[hidden email]>:

snip

> > ---
> > titanus@ntdata:/var/log$ grep "048341743609" mail.log.1
> >
> > Feb  7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005
> > from=<SRS0=3u76=L7=gmail.com=[hidden email]>
>
> pickup(8) picks up mail which was sent via sendmail(1). This is a
> local/system user's process (UID 5005, specifically) sending the
> mail. Your misunderstanding this time seems to be that you think it
> came from the network and could thus be rejected.
>
> If this seems to be some kind of abuse, it could be that something
> you're running on the server has been compromised; web/php scripts
> being the most common vector.

I'm sorry, UID 5005 is SpamAssassin. The grep command didn't get all
the lines, so here they are:
---
Feb  7 22:12:46 ntdata postfix/smtpd[30171]: connect from
c-50-151-186-224.hsd1.in.comcast.net[50.151.186.224]

Feb  7 22:12:47 ntdata postfix/smtpd[30171]: 39E441743607:
client=c-50-151-186-224.hsd1.in.comcast.net[50.151.186.224]

Feb  7 22:12:47 ntdata postfix/cleanup[30176]: 39E441743607:
message-id=<[hidden email]>

Feb 7 22:12:47 ntdata postfix/qmgr[20252]: 39E441743607:
from=<SRS0=3u76=L7=gmail.com=[hidden email]>, size=2182,
nrcpt=1 (queue active)

Feb  7 22:12:47 ntdata spamd[6887]: spamd: connection from
localhost.localdomain [127.0.0.1] at port 58896

Feb  7 22:12:47 ntdata spamd[6887]: spamd: processing message
<[hidden email]> for
[hidden email]:5005

Feb  7 22:12:47 ntdata postfix/smtpd[30171]:
disconnect from c-50-151-186-224.hsd1.in.comcast.net[50.151.186.224]

Feb  7 22:12:48 ntdata spamd[6887]: spamd: identified spam (11.6/5.0)
for [hidden email]:5005 in 0.4 seconds, 2200 bytes.

Feb  7 22:12:48 ntdata spamd[6887]: spamd: result: Y 11 -
FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_IPADDR,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_DYNAMIC,SPF_FAIL
scantime=0.4,size=2200,user=[hidden email],uid=5005,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=58896,mid=<[hidden email]>,autolearn=no

Feb  7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005
from=<SRS0=3u76=L7=gmail.com=[hidden email]>

Feb  7 22:12:48 ntdata postfix/pipe[30177]: 39E441743607:
to=<[hidden email]>, relay=spamassassin, delay=0.95,
delays=0.53/0/0/0.41, dsn=2.0.0, status=sent (delivered via
spamassassin service)

Feb  7 22:12:48 ntdata postfix/qmgr[20252]: 39E441743607: removed

Feb 7 22:12:48 ntdata postfix/cleanup[30176]: 048341743609:
message-id=<[hidden email]>

Feb 7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609:
from=<SRS0=3u76=L7=gmail.com=[hidden email]>, size=5268,
nrcpt=1 (queue active)

Feb  7 22:12:48 ntdata spamd[6886]: prefork: child states: II

Feb  7 22:12:48 ntdata postfix/smtp[30181]: certificate verification
failed for mx01.ubuntudanmark.dk[31.192.231.5]:25: self-signed
certificate

Feb  7 22:12:48 ntdata postfix/smtp[30181]: 048341743609:
to=<[hidden email]>,
relay=mx01.ubuntudanmark.dk[31.192.231.5]:25, delay=0.71,
delays=0/0.04/0.17/0.5, dsn=5.1.1, status=bounced (host
mx01.ubuntudanmark.dk[31.192.231.5] said: 550 5.1.1
<[hidden email]>: Recipient address rejected: User unknown in
virtual mailbox table (in reply to RCPT TO command))

Feb  7 22:12:48 ntdata postfix/cleanup[30176]: B201D1743608:
message-id=<[hidden email]>

Feb  7 22:12:48 ntdata postfix/bounce[30182]: 048341743609: sender
non-delivery notification: B201D1743608

Feb  7 22:12:48 ntdata postfix/qmgr[20252]: B201D1743608: from=<>,
size=7699, nrcpt=1 (queue active)

Feb  7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609: removed

Feb 7 22:12:49 ntdata postfix/smtp[30183]: certificate verification
failed for gmail-smtp-in.l.google.com[173.194.71.26]:25: untrusted
issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

Feb  7 22:12:52 ntdata postfix/smtp[30183]: B201D1743608:
to=<[hidden email]>,
orig_to=<SRS0=3u76=L7=gmail.com=[hidden email]>,
relay=gmail-smtp-in.l.google.com[173.194.71.26]:25, delay=3.4,
delays=0.01/0.01/0.29/3, dsn=5.1.1, status=bounced (host
gmail-smtp-in.l.google.com[173.194.71.26] said: 550-5.1.1 The email
account that you tried to reach does not exist. Please try 550-5.1.1
double-checking the recipient's email address for typos or 550-5.1.1
unnecessary spaces. Learn more at 550 5.1.1
http://support.google.com/mail/bin/answer.py?answer=6596
bc7si9536557lbb.184 - gsmtp (in reply to RCPT TO command))

Feb  7 22:12:52 ntdata postfix/qmgr[20252]: B201D1743608: removed
---

snip

>
> FWIW, generally a backup MX is a bad idea. Why did you want it?
>
> [snip]

Yeah, I start to see why. nt-data is my (soon to be) hosting company,
and when handling other people's mail, I think it's wise to have some
sort of a backup system in place.

I've been searching high and low for alternatives, but short of setting
something fancy up there doesn't seem to be any.

Thank you for the reply.
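rob0's point is that the pickup(8) line marks a sendmail(1) resubmission, so smtpd_recipient_restrictions never saw queue ID 048341743609; the smtpd transaction that accepted the message from the comcast client is 39E441743607, and the DSN B201D1743608 to gmail.com is the backscatter. The following is an added example (not from the thread) that does this correlation over a constructed copy of the log above, with the hidden addresses replaced by placeholders. It groups events by queue ID, joins the resubmitted message back to the accepting smtpd transaction by Message-ID (the cleanup lines carry the same Message-ID before and after SpamAssassin), and flags any DSN we generate whose recipient is outside the domains we host. OUR_DOMAINS, the placeholder addresses and the shortened Google reply text are assumptions.

```python
"""Correlate Postfix queue IDs in mail.log and flag outgoing backscatter.

Added example, not from the thread. SAMPLE_LOG is constructed after the
chain Titanus posted: smtpd accepts 39E441743607 from the network, pipe
hands it to spamc, sendmail(1) resubmits it as 048341743609 via pickup,
the primary MX rejects the recipient, and Postfix mails DSN B201D1743608
to the (SRS-rewritten) sender at gmail.com.
"""
import re
from collections import defaultdict

OUR_DOMAINS = {"nt-data.dk", "ubuntudanmark.dk", "aptget.dk"}  # assumption: domains we host

SAMPLE_LOG = """\
Feb  7 22:12:47 ntdata postfix/smtpd[30171]: 39E441743607: client=c-50-151-186-224.hsd1.in.comcast.net[50.151.186.224]
Feb  7 22:12:47 ntdata postfix/cleanup[30176]: 39E441743607: message-id=<constructed-1@example.invalid>
Feb  7 22:12:47 ntdata postfix/qmgr[20252]: 39E441743607: from=<SRS0=3u76=L7=gmail.com=someone@nt-data.dk>, size=2182, nrcpt=1 (queue active)
Feb  7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005 from=<SRS0=3u76=L7=gmail.com=someone@nt-data.dk>
Feb  7 22:12:48 ntdata postfix/pipe[30177]: 39E441743607: to=<nobody@ubuntudanmark.dk>, relay=spamassassin, delay=0.95, delays=0.53/0/0/0.41, dsn=2.0.0, status=sent (delivered via spamassassin service)
Feb  7 22:12:48 ntdata postfix/cleanup[30176]: 048341743609: message-id=<constructed-1@example.invalid>
Feb  7 22:12:48 ntdata postfix/smtp[30181]: 048341743609: to=<nobody@ubuntudanmark.dk>, relay=mx01.ubuntudanmark.dk[31.192.231.5]:25, delay=0.71, delays=0/0.04/0.17/0.5, dsn=5.1.1, status=bounced (host mx01.ubuntudanmark.dk[31.192.231.5] said: 550 5.1.1 <nobody@ubuntudanmark.dk>: Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command))
Feb  7 22:12:48 ntdata postfix/bounce[30182]: 048341743609: sender non-delivery notification: B201D1743608
Feb  7 22:12:48 ntdata postfix/qmgr[20252]: B201D1743608: from=<>, size=7699, nrcpt=1 (queue active)
Feb  7 22:12:52 ntdata postfix/smtp[30183]: B201D1743608: to=<someone@gmail.com>, orig_to=<SRS0=3u76=L7=gmail.com=someone@nt-data.dk>, relay=gmail-smtp-in.l.google.com[173.194.71.26]:25, delay=3.4, delays=0.01/0.01/0.29/3, dsn=5.1.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.71.26] said: 550-5.1.1 The email account that you tried to reach does not exist. (in reply to RCPT TO command))
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"^client=(?P<client>\S+)")
PICKUP_RE = re.compile(r"^uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
MSGID_RE = re.compile(r"^message-id=<(?P<msgid>[^>]*)>")
SENDER_RE = re.compile(r"^from=<(?P<sender>[^>]*)>")
DSN_RE = re.compile(r"^sender non-delivery notification: (?P<dsn_qid>[0-9A-F]+)")
DELIVERY_RE = re.compile(r"^to=<(?P<to>[^>]*)>,(?: orig_to=<[^>]*>,)? relay=(?P<relay>[^,]+),.*?status=(?P<status>\w+)")


def new_record():
    return {"entry": None, "client": None, "uid": None, "sender": None,
            "msgid": None, "deliveries": [], "dsn_qid": None}


def parse_log(text):
    """Group the per-queue-ID events of a mail.log into one record each."""
    records = defaultdict(new_record)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/disconnect, TLS chatter, spamd: no queue ID
        prog, rest, rec = m.group("prog"), m.group("rest"), records[m.group("qid")]
        if prog == "smtpd" and (c := CLIENT_RE.match(rest)):
            rec["entry"], rec["client"] = "smtpd", c.group("client")   # came in over SMTP
        elif prog == "pickup" and (p := PICKUP_RE.match(rest)):
            rec["entry"], rec["uid"], rec["sender"] = "pickup", int(p.group("uid")), p.group("sender")
        elif prog == "cleanup" and (i := MSGID_RE.match(rest)):
            rec["msgid"] = i.group("msgid")
        elif prog == "qmgr" and (s := SENDER_RE.match(rest)):
            rec["sender"] = s.group("sender")          # "" is the null sender of a DSN
        elif prog == "bounce" and (b := DSN_RE.match(rest)):
            rec["dsn_qid"] = b.group("dsn_qid")        # this message produced a bounce
        elif (d := DELIVERY_RE.match(rest)):
            rec["deliveries"].append((d.group("to"), d.group("relay"), d.group("status")))
    return dict(records)


def find_backscatter(records):
    """One finding per DSN we generated that is addressed outside OUR_DOMAINS."""
    findings = []
    for qid, rec in records.items():
        dsn = records.get(rec["dsn_qid"]) if rec["dsn_qid"] else None
        if dsn is None:
            continue
        for to, relay, status in dsn["deliveries"]:
            if to.rpartition("@")[2].lower() in OUR_DOMAINS:
                continue  # a DSN to one of our own users is not backscatter
            # A pickup entry is a sendmail(1) resubmission: smtpd restrictions
            # never saw it. Find the smtpd transaction that accepted the same
            # Message-ID from the network; that is where the recipient check belonged.
            accepted_by, client = None, rec["client"]
            if rec["entry"] == "pickup" and rec["msgid"]:
                for oqid, orec in records.items():
                    if orec["entry"] == "smtpd" and orec["msgid"] == rec["msgid"]:
                        accepted_by, client = oqid, orec["client"]
            findings.append({
                "dsn_qid": rec["dsn_qid"], "bounced_qid": qid, "dsn_to": to,
                "dsn_relay": relay, "dsn_status": status, "entry": rec["entry"],
                "uid": rec["uid"], "original_sender": rec["sender"],
                "accepted_by": accepted_by, "client": client,
            })
    return findings


if __name__ == "__main__":
    for f in find_backscatter(parse_log(SAMPLE_LOG)):
        print("backscatter: DSN %(dsn_qid)s to <%(dsn_to)s> (%(dsn_status)s) for %(bounced_qid)s, "
              "entered via %(entry)s uid=%(uid)s, accepted from the network as %(accepted_by)s "
              "client=%(client)s" % f)
```

Run against a real mail.log, the hits are exactly the messages whose recipient should have been refused at RCPT TO on the accepting smtpd (here the backup MX accepting a recipient its relay_recipient_maps should have known was invalid); a DSN whose status is "sent" rather than "bounced" is the worse case, since the junk then reached a third party.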

Re: Trouble configuring backup MX to reject unauth destination

Jeroen Geilman
On 02/08/2013 06:02 PM, Titanus Eramius wrote:

> Feb  7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005
> from=<SRS0=3u76=L7=gmail.com=[hidden email]>

So you are...not re-injecting spamassassin traffic, but instead
re-submitting it via sendmail ?
That's weird.

> Feb  7 22:12:48 ntdata postfix/pipe[30177]: 39E441743607:
> to=<[hidden email]>, relay=spamassassin, delay=0.95,
> delays=0.53/0/0/0.41, dsn=2.0.0, status=sent (delivered via
> spamassassin service)

THIS is a send to spamassassin, but delayed in logging for almost a second.

It looks very much as if you're doing in-line spamassassin checks, but
then not re-injecting it via SMTP.

Why are you doing such a strange thing ?


--
J.


Re: Trouble configuring backup MX to reject unauth destination

Titanus Eramius
Fri, 08 Feb 2013 21:54:02 +0100 skrev Jeroen Geilman <[hidden email]>:

> On 02/08/2013 06:02 PM, Titanus Eramius wrote:
>
> > Feb  7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005
> > from=<SRS0=3u76=L7=gmail.com=[hidden email]>
>
> So you are...not re-injecting spamassassin traffic, but instead
> re-submitting it via sendmail ?
> That's weird.
>
> > Feb  7 22:12:48 ntdata postfix/pipe[30177]: 39E441743607:
> > to=<[hidden email]>, relay=spamassassin, delay=0.95,
> > delays=0.53/0/0/0.41, dsn=2.0.0, status=sent (delivered via
> > spamassassin service)
>
> THIS is a send to spamassassin, but delayed in logging for almost a
> second.
>
> It looks very much as if you're doing in-line spamassassin checks,
> but then not re-injecting it via SMTP.
>
> Why are you doing such a strange thing ?
>

To be honest I've read quite a lot about Postfix, Dovecot, SA ..., but
my experience is very limited, about 3 months of running time.

So SA is integrated as I found best after reading docs and guides, and
it's more than likely it can be done in a better way. Normally though,
the running time of SA is around ~200ms per text mail.

It's integrated as a content_filter on smtp like so:
smtp inet n - - - - smtpd -o content_filter=spamassassin

And then on its own lines:
spamassassin unix -     n       n       -       -       pipe
   flags=Rq user=spamd argv=/usr/bin/spamc -u ${user}@${domain}
   -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

The sendmail-method seems to be preferred by the SA-folks
https://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix

All of those examples use sendmail. But again, in relation to Postfix,
it might very well be possible to integrate SA in a better way. Maybe
the method suggested by the docs on content_filters?
http://www.postfix.org/FILTER_README.html#advanced_filter

Re: Trouble configuring backup MX to reject unauth destination

James Griffin
--> Titanus Eramius <[hidden email]> [2013-02-09 12:23:38 +0100]:

> All of those examples uses sendmail. But again, in relation to Postfix,
> it might very well be possible to integrate SA in a better way. Maybe
> the method suggested by the docs on content_filters?
> http://www.postfix.org/FILTER_README.html#advanced_filter

Integrating SA with amavisd-new is a better approach IMO. You might
consider that in your setup?

--
Primary Key: 4096R/1D31DC38 2011-12-03
Key Fingerprint: A4B9 E875 A18C 6E11 F46D  B788 BEE6 1251 1D31 DC38

Re: Trouble configuring backup MX to reject unauth destination

Noel Jones-2
In reply to this post by Titanus Eramius
On 2/9/2013 5:23 AM, Titanus Eramius wrote:

> Fri, 08 Feb 2013 21:54:02 +0100 skrev Jeroen Geilman <[hidden email]>:
>
>> On 02/08/2013 06:02 PM, Titanus Eramius wrote:
>>
>>> Feb  7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005
>>> from=<SRS0=3u76=L7=gmail.com=[hidden email]>
>>
>> So you are...not re-injecting spamassassin traffic, but instead
>> re-submitting it via sendmail ?
>> That's weird.
>>
>>> Feb  7 22:12:48 ntdata postfix/pipe[30177]: 39E441743607:
>>> to=<[hidden email]>, relay=spamassassin, delay=0.95,
>>> delays=0.53/0/0/0.41, dsn=2.0.0, status=sent (delivered via
>>> spamassassin service)
>>
>> THIS is a send to spamassassin, but delayed in logging for almost a
>> second.
>>
>> It looks very much as if you're doing in-line spamassassin checks,
>> but then not re-injecting it via SMTP.
>>
>> Why are you doing such a strange thing ?
>>
>
> To be honest I've read quite a lot about Postfix, Dovecot, SA ..., but
> my experience is very limited, about 3 months of running time.
>
> So SA is integrated as I found best after reading docs and guides, and
> it's more than likely it can be done in a better way. Normally though,
> the running time of SA is around ~200ms per text-mail.
>
> It's integrated as a content_filter on smtp like so:
> smtp inet n - - - - smtpd -o content_filter=spamassassin
>
> And then on its own lines:
> spamassassin unix -     n       n       -       -       pipe
>    flags=Rq user=spamd argv=/usr/bin/spamc -u ${user}@${domain}
>    -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
>
> The sendmail-method seems to be preferred by the SA-folks
> https://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix
>
> All of those examples use sendmail. But again, in relation to Postfix,
> it might very well be possible to integrate SA in a better way.

Nothing wrong with this setup.  It's very easy to configure,
requires no third-party software or additional packages, and it's
easy to understand where your mail goes.  I expect that's why it's
used as an example on the spamassassin wiki, and doesn't necessarily
mean it's the recommended or preferred method.

It's not necessarily the highest performance or the most flexible,
but if it suits your needs, no need to change.

Folks who need more usually pick some third-party filtering software
that can run pre-queue as an smtpd_proxy_filter or milter. These
are, without exception, more complicated than the setup you
currently have.  The big advantage of a pre-queue filter is you can
safely REJECT unwanted mail.

Amavisd-new is a popular choice for pre-queue filtering since it's
fast, reliable, flexible, and can integrate both SpamAssassin and
antivirus.


  -- Noel Jones

Re: Trouble configuring backup MX to reject unauth destination

Titanus Eramius
Sat, 09 Feb 2013 10:25:31 -0600 skrev Noel Jones
<[hidden email]>:

...
 

> Nothing wrong with this setup.  It's very easy to configure,
> requires no third-party software or additional packages, and it's
> easy to understand where your mail goes.  I expect that's why it's
> used as an example on the spamassassin wiki, and doesn't necessarily
> mean it's the recommended or preferred method.
>
> It's not necessarily the highest performance or the most flexible,
> but if it suits your needs, no need to change.
>
> Folks who need more usually pick some third-party filtering software
> that can run pre-queue as an smtpd_proxy_filter or milter. These
> are, without exception, more complicated than the setup you
> currently have.  The big advantage of a pre-queue filter is you can
> safely REJECT unwanted mail.
>
> Amavisd-new is a popular choice for pre-queue filtering since it's
> fast, reliable, flexible, and can integrate both SpamAssassin and
> antivirus.
>
>
>   -- Noel Jones

Sorry for the late response, it took some time to dig through all the
information. The use of pre-queue filtering would solve another problem
I've been working on: What to do with mail from (user)blacklisted
senders.

I plan on upgrading Debian's stable Postfix to the current stable
version of 2.10 so I may benefit from postscreen, and that will
probably be a good time to install amavisd-new as a pre-queue filter.

Thank you for the help once again.

Re: Trouble configuring backup MX to reject unauth destination

DTNX Postmaster
On Feb 16, 2013, at 12:18, Titanus Eramius <[hidden email]> wrote:

> I plan on upgrading Debians stable Postfix to the current stable
> version of 2.10 so I may benefit from postscreen, and that will
> probably be a good time to install amavisd-new as a pre-queue filter.
>
> Thank you for the help once again.

A possible shortcut to getting postscreen is using the 2.9.3 version
available in the Debian backports repository. That's what we currently
use, instead of building custom packages.

HTH,
Jona


Re: Trouble configuring backup MX to reject unauth destination

Titanus Eramius
Sat, 16 Feb 2013 12:39:24 +0100 skrev DTNX Postmaster
<[hidden email]>:

> On Feb 16, 2013, at 12:18, Titanus Eramius <[hidden email]> wrote:
>
> > I plan on upgrading Debian's stable Postfix to the current stable
> > version of 2.10 so I may benefit from postscreen, and that will
> > probably be a good time to install amavisd-new as a pre-queue
> > filter.
> >
> > Thank you for the help once again.
>
> A possible shortcut to getting postscreen is using the 2.9.3 version
> available in the Debian backports repository. That's what we
> currently use, instead of building custom packages.
>
> HTH,
> Jona
>

Thank you for pointing out the obvious.
I don't know why I didn't think of backports, but I will surely be
using 2.9.3 from there instead of building from source.

Re: Trouble configuring backup MX to reject unauth destination

Titanus Eramius
In reply to this post by Titanus Eramius
Thinking about this, I might have been too specific in my question.

At the fundamental level I would like to have 2 or more Postfix servers
capable of receiving virtual mail for multiple domains, where one of
the servers also handles relaying and local delivery. The rest should
function as backup MX.

I've tried with relay_domains, but it matches on domain level, which is
too much. I then applied relay_recipient_maps, but it doesn't seem to
have any effect, which means that addresses are still matched on a domain
basis.

Every Postfix will have access to a complete list of recipients
through MySQL.

So the question becomes two-part:
Why can't I get relay_recipient_maps to work?

How would you recommend setting up a backup MX?
One obvious way is not to do it, but some of the mail is not mine,
which is why I at least would like the option to run a backup MX.

Re: Trouble configuring backup MX to reject unauth destination

Viktor Dukhovni
On Tue, Feb 19, 2013 at 12:21:35PM +0100, Titanus Eramius wrote:

> I've tried with relay_domains, but it matches on domain level, which is
> too much. I then applied relay_recipient_maps, but it doesn't seem to
> have any effect, which means that addresses are still matched on a domain
> basis.
>
> Every Postfix will have access to a complete list of recipients
> through MySQL.
>
> So the question becomes two-part:
> Why can't I get relay_recipient_maps to work?

        http://www.postfix.org/DEBUG_README.html#mail
        http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup

Wildcard entries in canonical_maps and virtual_alias_maps are the
most common reason for recipient validation failing to distinguish
between valid and invalid recipients.

--
        Viktor.

Re: Trouble configuring backup MX to reject unauth destination

Titanus Eramius
On Tue, 19 Feb 2013 16:31:05 +0000, Viktor Dukhovni <[hidden email]> wrote:

> On Tue, Feb 19, 2013 at 12:21:35PM +0100, Titanus Eramius wrote:
>
> > I've tried with relay_domains, but it matches on domain level, which
> > is too much. I then applied relay_recipient_maps, but it doesn't seem
> > to have any effect, which means that addresses are still matched on a
> > domain basis.
> >
> > Every Postfix will have access to a complete list of recipients
> > through MySQL.
> >
> > So the question becomes two-part:
> > Why can't I get relay_recipient_maps to work?
>
> http://www.postfix.org/DEBUG_README.html#mail
> http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
>
> Wildcard entries in canonical_maps and virtual_alias_maps are the
> most common reason for recipient validation failing to distinguish
> between valid and invalid recipients.
>

Thank you for the response and sorry for the slow reply.

The problem seems to be related to the virtual setup, but I'm not
sure how to best describe and document it.

Besides aptget.dk this server also hosts cogky.dk (among others), and
while unknown recipients are being correctly rejected with a 550 when
sent to aptget.dk, they are not when sent to the other virtual domains.
Instead they are accepted and then returned by the MAILER-DAEMON, which
in turn opens the server to backscatter.

I have tried setting "local_recipient_maps = $virtual_mailbox_maps"
in main.cf, but without any apparent effect. To be honest, I'm unsure if
I have set "virtual_mailbox_maps" correctly, but when testing it with
postalias it seems to work:

titanus@aptget:/etc/postfix$ sudo postalias -q [hidden email]
mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
aptget.dk/titanus/

When I test mysql_virtual_mailbox_maps.cf with a non-existent address,
nothing is returned and the exit status is 1.

What I would like to achieve is that Postfix rejects mail to
non-existent recipients before accepting it.

Thanks again, Titanus


postconf -n
alias_maps = hash:/etc/aliases

bounce_template_file = /etc/postfix/bounce.cf

broken_sasl_auth_clients = yes

config_directory = /etc/postfix

delay_warning_time = 4

disable_vrfy_command = yes

dovecot_destination_recipient_limit = 1

inet_interfaces = 46.21.105.38

local_recipient_maps = $virtual_mailbox_maps

mailman_destination_recipient_limit = 1

maximal_queue_lifetime = 15

message_size_limit = 26214400

mydestination = localhost

mydomain = aptget.dk

myhostname = aptget.aptget.dk

mynetworks = 127.0.0.0/8

postscreen_dnsbl_action = enforce

postscreen_dnsbl_sites = truncate.gbudb.net*2 b.barracudacentral.org*1
zen.spamhaus.org*1 bl.spamcop.net*1

postscreen_dnsbl_threshold = 2

postscreen_greet_action = enforce

recipient_canonical_classes = envelope_recipient

recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
tcp:127.0.0.1:10002

sender_canonical_classes = envelope_sender

sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
tcp:127.0.0.1:10001

smtp_tls_security_level = may

smtp_tls_session_cache_database =
btree:$data_directory/smtp_tls_session_cache

smtpd_data_restrictions = reject_unauth_pipelining,
reject_multi_recipient_bounce,

smtpd_helo_required = yes

smtpd_recipient_restrictions = reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_unauth_destination,

smtpd_sasl_auth_enable = yes

smtpd_sasl_exceptions_networks = $mynetworks

smtpd_sasl_path = private/auth

smtpd_sasl_security_options = noanonymous

smtpd_sasl_type = dovecot

smtpd_tls_ask_ccert = yes

smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt

smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_tls_security_level = may

smtpd_tls_session_cache_database =
btree:$data_directory/smtpd_tls_session_cache

spamassassin_destination_recipient_limit = 1

tls_random_source = dev:/dev/urandom

transport_maps = hash:/etc/postfix/transport.cf

virtual_alias_maps =
proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf

virtual_gid_maps = static:5000

virtual_mailbox_base = /home/vmail

virtual_mailbox_domains =
proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf

virtual_mailbox_maps =
proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf

virtual_transport = dovecot

virtual_uid_maps = static:5000

Re: Trouble configuring backup MX to reject unauth destination

Wietse Venema
Titanus Eramius:
> Besides aptget.dk this server also hosts cogky.dk (among others), and
> while unknown recipients are being correctly rejected with a 550 when
> sent to aptget.dk, they are not when sent to the other virtual domains.
> Instead they are accepted and then returned by the MAILER-DAEMON, which
> in turn opens the server to backscatter.

Where is cogky.dk defined: mydestination, virtual_alias_domains,
virtual_mailbox_domains, relay_domains? It must be only one.

This answer determines where the "known" recipients must be listed:
local_recipient_maps, virtual_alias_maps, virtual_mailbox_maps,
relay_recipients. If you list the domain or recipients in the wrong
place then mail will be rejected.

See http://www.postfix.org/ADDRESS_CLASS_README.html

        Wietse

Re: Trouble configuring backup MX to reject unauth destination

Titanus Eramius
On Fri, 22 Mar 2013 16:55:21 -0400 (EDT), Wietse Venema <[hidden email]> wrote:

> Titanus Eramius:
> > Besides aptget.dk this server also hosts cogky.dk (among others),
> > and while unknown recipients are being correctly rejected with a 550
> > when sent to aptget.dk, they are not when sent to the other virtual
> > domains. Instead they are accepted and then returned by the
> > MAILER-DAEMON, which in turn opens the server to backscatter.
>
> Where is cogky.dk defined: mydestination, virtual_alias_domains,
> virtual_mailbox_domains, relay_domains? It must be only one.
>
> This answer determines where the "known" recipients must be listed:
> local_recipient_maps, virtual_alias_maps, virtual_mailbox_maps,
> relay_recipients. If you list the domain or recipients in the wrong
> place then mail will be rejected.
>
> See http://www.postfix.org/ADDRESS_CLASS_README.html
>
> Wietse

The goal is a "virtual only" mail server, so the domains are stored
in MySQL and fetched through virtual_mailbox_domains. Besides
virtual_mailbox_domains, I use virtual_mailbox_maps and
virtual_alias_maps.

The documentation is among the best documentation I have seen, but I
can't seem to find the solution, even though I have read most of what I
could find in relation to virtual handling.

One more "clue" is the error messages when sending to non-existent
users. When sending to aptget.dk Postfix responds with
"550 5.1.1 <[hidden email]>: Recipient address rejected: User
unknown in virtual mailbox table".

When sending to cogky.dk the response is only "<[hidden email]>:
user unknown".

Thank you for your time, Titanus

Re: Trouble configuring backup MX to reject unauth destination

Wietse Venema
Titanus Eramius:

> On Fri, 22 Mar 2013 16:55:21 -0400 (EDT), Wietse Venema wrote:
> > Where is cogky.dk defined: mydestination, virtual_alias_domains,
> > virtual_mailbox_domains, relay_domains? It must be only one.
> >
> > This answer determines where the "known" recipients must be listed:
> > local_recipient_maps, virtual_alias_maps, virtual_mailbox_maps,
> > relay_recipients. If you list the domain or recipients in the wrong
> > place then mail will be rejected.
> >
> > See http://www.postfix.org/ADDRESS_CLASS_README.html
>
> The goal is a "virtual only" mail server, so the domains are stored
> in MySQL and fetched through virtual_mailbox_domains. Besides
> virtual_mailbox_domains, I use virtual_mailbox_maps and
> virtual_alias_maps.

With the domain defined in virtual_mailbox_domains, mail will fail
with "user unknown in virtual mailbox table" when the recipient is
not found in virtual_mailbox_maps.  This is described in agonizing
detail in ADDRESS_CLASS_README.

Test your lookups:

postmap -q cogky.dk the-virtual_mailbox_domains-table
This should return a result (the value does not matter).

postmap -q [hidden email] the-virtual_mailbox_maps-table
This should return a result (the mailbox file name).

postmap -q [hidden email] the-virtual_mailbox_maps-table
This should return no result (Postfix treats this as "user unknown
in virtual mailbox table").

        Wietse

Re: Trouble configuring backup MX to reject unauth destination

mouss-4
In reply to this post by Titanus Eramius
On 23/03/2013 00:02, Titanus Eramius wrote:

> [snip]
> The goal is a "virtual only" mail server, so the domains are stored
> in MySQL and fetched through virtual_mailbox_domains. Besides
> virtual_mailbox_domains, I use virtual_mailbox_maps and
> virtual_alias_maps.
>
> The documentation is among the best documentation I have seen, but I
> can't seem to find the solution, even though I have read most of what I
> could find in relation to virtual handling.
>
> One more "clue" is the error messages when sending to non-existent
> users. When sending to aptget.dk Postfix responds with
> "550 5.1.1 <[hidden email]>: Recipient address rejected: User
> unknown in virtual mailbox table".
>
> When sending to cogky.dk the response is only "<[hidden email]>:
> user unknown".
>

One possible reason is that you configured a wildcard alias:
  @cogky.dk ==> @aptget.dk
(that is, anything at cogky.dk maps to the same address at aptget.dk).

If so, that's your problem. You need to configure mappings only for
existing users.
Since you use MySQL, this should be easy to do.
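A simplified model of the failure mode Viktor and mouss-4 describe, added here as an illustration and not Postfix's own code: it walks Postfix's lookup order (virtual_alias_maps first, then virtual_mailbox_maps for a virtual mailbox domain) and shows how a wildcard alias turns the SMTP-time 550 into accept-then-bounce. The domains and the titanus mailbox come from the thread; the nobody@ and postmaster@ addresses are constructed samples.

```python
# Added model, not Postfix's own code: how smtpd validates a recipient in a
# virtual mailbox domain, and why a wildcard virtual_alias_maps entry turns an
# SMTP-time 550 into accept-then-bounce (backscatter). Domains come from the
# thread; the nobody@ and postmaster@ addresses are constructed samples.

REJECT = "550 5.1.1 Recipient address rejected: User unknown in virtual mailbox table"
ACCEPT = "250 2.1.5 Ok"

def alias_lookup(rcpt, virtual_alias_maps):
    """Lookup order for virtual_alias_maps: user@domain first, then @domain."""
    user, domain = rcpt.split("@", 1)
    if rcpt in virtual_alias_maps:
        return virtual_alias_maps[rcpt]
    wildcard = virtual_alias_maps.get("@" + domain)
    if wildcard is None:
        return None
    # A bare "@other.domain" result keeps the original local part.
    return user + wildcard if wildcard.startswith("@") else wildcard

def smtpd_rcpt_check(rcpt, cfg):
    """SMTP-time decision for RCPT TO; returns the reply the client sees."""
    domain = rcpt.split("@", 1)[1]
    # Any address matched by virtual_alias_maps (wildcard included) is "known".
    if alias_lookup(rcpt, cfg["virtual_alias_maps"]) is not None:
        return ACCEPT
    if domain in cfg["virtual_mailbox_domains"]:
        return ACCEPT if rcpt in cfg["virtual_mailbox_maps"] else REJECT
    return "554 5.7.1 Relay access denied"

def deliver(rcpt, cfg):
    """Post-queue outcome: mailbox path, or the bounce text that becomes backscatter."""
    target = alias_lookup(rcpt, cfg["virtual_alias_maps"]) or rcpt
    mailbox = cfg["virtual_mailbox_maps"].get(target)
    return mailbox or f"<{target}>: user unknown (bounced to the envelope sender)"

BASE = {
    "virtual_mailbox_domains": {"aptget.dk", "cogky.dk"},
    "virtual_mailbox_maps": {"titanus@aptget.dk": "aptget.dk/titanus/"},
    "virtual_alias_maps": {"postmaster@cogky.dk": "titanus@aptget.dk"},
}
# Same setup plus the wildcard alias mouss-4 describes: @cogky.dk ==> @aptget.dk
WILDCARD = dict(BASE, virtual_alias_maps={**BASE["virtual_alias_maps"], "@cogky.dk": "@aptget.dk"})

if __name__ == "__main__":
    for name, cfg in (("no wildcard", BASE), ("wildcard alias", WILDCARD)):
        reply = smtpd_rcpt_check("nobody@cogky.dk", cfg)
        print(name, "->", reply, "|", deliver("nobody@cogky.dk", cfg) if reply == ACCEPT else "")
```

With the wildcard in place the unknown cogky.dk recipient is accepted and only fails at delivery, which is exactly the "user unknown" bounce the thread reports; without it the same recipient gets the 550 at RCPT time.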