Postfix header_checks and Lsoft listserv


Postfix header_checks and Lsoft listserv

Jim McIver
I have postfix 2.1.5 on Freebsd 4.10 and am passing info through vams
virus scanner.

Far as I can tell everything is working ok (has been for couple of
years) with the exception of email from the Washington State
Police's (wsp) new listserv. WSP is using Lsoft on Windows 2003 and
the guy says we are the only one not receiving the messages from his
listserv????.

WSP adds the [hidden email] to his listserv, he says message
gets rejected and Lsoft automatically unsubscribes the email address.

The odd part is that I get a message from his listserv saying we have
been unsubscribed, but don't get messages submitted on his end to the
listserv for outgoing email. Not sure why I get the unsubscribe
message and not the real message and the guy doesn't seem too
interested in helping fix the problem.

When I get the unsubscribe message, here is a snippet from the
maillog.
"Aug 26 00:00:05 mail postfix/smtpd[94745]: 178F8585: client=wspvmolylist1.wsp.wa.gov[167.72.2.45]
Aug 26 00:00:05 mail postfix/cleanup[95166]: warning: unknown command in header_checks map: 550 Sender-specified routing rejected
Aug 26 00:00:05 mail postfix/cleanup[95166]: 178F8585: message-id=<LISTSERV%[hidden email].WA.GOV>
Aug 26 00:00:05 mail postfix/cleanup[95166]: warning: unknown command in header_checks map: 550 Sender-specified routing rejected
Aug 26 00:00:05 mail postfix/qmgr[176]: 178F8585: from=<owner-D4-ALL-[hidden email]>, size=2671, nrcpt=1 (queue active)
Aug 26 00:00:05 mail postfix/smtp[95279]: 178F8585: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 A07447D2511 queued for delivery)
Aug 26 00:00:05 mail postfix/qmgr[176]: 178F8585: removed
Aug 26 00:00:05 mail postfix/smtpd[94745]: disconnect from wspvmolylist1.wsp.wa.gov[167.72.2.45]"

I don't have a message of anything sent from listserv other than
unsubscribe message. I've asked for a test message, but because it's
official and goes to others he doesn't want to send one so I can track
it in the maillog.

Me and guy can email back and forth, but it comes from
"wspapolymailb.wsp.wa.gov" and not "wspvmolylist1.wsp.wa.gov"

My header_checks file contains:
# Disallow sender-specified routing. This is a must if you relay mail
#for other domains.
/[%!@].*[%!@]/              550 Sender-specified routing rejected

# Postmaster is OK, that way they can talk to us about how
#  to fix their problem.
/^postmaster@/                          OK

# Protect your outgoing majordomo exploders
# /^(.*)-outgoing@(.*)$/!/^owner-.*/    550 Use ${1}@${2} instead

#Restrictions
/approved/      REJECT approved
/debt/          REJECT debt
etc....

Do I have the correct syntax in my header_checks, or is this causing
the problem? I do relay for two domains, so I think I want to leave
the command intact.

postconf -n output:
alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
html_directory = no
mail_name = TPC Holdings, We report spam
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 5000000
mydestination = lt.lmtribune.com mail.lmtribune.com
mydomain = lmtribune.com
myhostname = mail.lmtribune.com
mynetworks = 1xx.xx.xxx.0/24 192.168.0.0/16 127.0.0.0/8
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = lmtribune.com dnews.com
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = check_client_access hash:/usr/local/etc/postfix/client_access permit
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks
    reject_unauth_destination
    reject_invalid_hostname
    warn_if_reject reject_unknown_hostname
    reject_unauth_pipelining
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    warn_if_reject reject_unknown_client
    reject_non_fqdn_hostname
    check_client_access hash:/usr/local/etc/postfix/access_client
    check_helo_access hash:/usr/local/etc/postfix/helo_access
    check_sender_access hash:/usr/local/etc/postfix/sender_access
    check_recipient_access hash:/usr/local/etc/postfix/recipient_access
smtpd_restriction_classes = restrictive, permissive
smtpd_sender_restrictions = check_sender_access hash:/usr/local/etc/postfix/sender_access
smtpd_soft_error_limit = 10
strict_rfc821_envelopes = yes
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual

From what I can tell, their A records and mx records for wsp seem to
be ok. I can telnet to the box port 25, but can't get past the mail
from: for oblivious reasons.

Any ideas on how I can further test?

thx,

-Jim McIver


Re: Postfix header_checks and Lsoft listserv

Ralf Hildebrandt
* Jim McIver <[hidden email]>:

> "Aug 26 00:00:05 mail postfix/smtpd[94745]: 178F8585: client=wspvmolylist1.wsp.wa.gov[167.72.2.45]
> Aug 26 00:00:05 mail postfix/cleanup[95166]: warning: unknown command in header_checks map: 550 Sender-specified routing rejected

Show your header_checks file

> My header_checks file contains:
> # Disallow sender-specified routing. This is a must if you relay mail
> #for other domains.
> /[%!@].*[%!@]/              550 Sender-specified routing rejected

Wrong. Must be "REJECT Sender-specified routing rejected"
see "man header_checks"

> # Postmaster is OK, that way they can talk to us about how
> #  to fix their problem.
> /^postmaster@/                          OK
>
> # Protect your outgoing majordomo exploders
> # /^(.*)-outgoing@(.*)$/!/^owner-.*/    550 Use ${1}@${2} instead

Wrong. Must be "REJECT Use ${1}@${2} instead"
see "man header_checks"

> Do I have the correct syntax in my header_checks,

No

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de                              I'm looking for a job
Fear leads to anger.  Anger leads to hate.  Hate leads to using
Windows NT for mission-critical applications.

Re: Postfix header_checks and Lsoft listserv

MrC-7
In reply to this post by Jim McIver
Jim McIver wrote:

> My header_checks file contains:
> # Disallow sender-specified routing. This is a must if you relay mail
> #for other domains.
> /[%!@].*[%!@]/              550 Sender-specified routing rejected
>

This seems prone to many false positives.  Many headers have such
patterns.  Eg:

X-Amavis-OS-Fingerprint: Linux 2.4-2.6 (NAT!) (firewall!) (up: 815 hrs),
From: "[hidden email]" <[hidden email]>
To: "[hidden email]" <[hidden email]>

Perhaps you need to be more restrictive, matching only a particular
header, and allow for valid email addresses as above.

Re: Postfix header_checks and Lsoft listserv

Noel Jones-2
In reply to this post by Jim McIver
Jim McIver wrote:

> I have postfix 2.1.5 on Freebsd 4.10 and am passing info through vams
> virus scanner.
>
> Far as I can tell everything is working ok(has been for couple of
> years) with the exception of email from the Washington State
> Police's(wsp) new listserv. WSP is using Lsoft on Windows 2003 and
> the guy says we are the only one not receiving the messages from his
> listserv????.
>
> WSP adds the [hidden email] to his listserv, he says message
> gets rejected and Lsoft automatically unsubscribes the email address.
>
> The odd part is that I get a message from his listserv saying we have
> been unsubscribed, but don't get messages submitted on his end to the
> listserv for outgoing email. Not sure why I get the unsubscribe
> message and not the real message and the guy doesn't seem too
> interested in helping fix the problem.
>
> When I get the unsubscribe message, here is a snippet from the
> maillog.
> "Aug 26 00:00:05 mail postfix/smtpd[94745]: 178F8585:
> client=wspvmolylist1.wsp.wa.gov[167.72.2.45]
> Aug 26 00:00:05 mail postfix/cleanup[95166]: warning: unknown command
> in header_checks map: 550 Sender-specified
> routing rejected
> Aug 26 00:00:05 mail postfix/cleanup[95166]: 178F8585: message-
> id=<LISTSERV%[hidden email].
> WA.GOV>
> Aug 26 00:00:05 mail postfix/cleanup[95166]: warning: unknown command
> in header_checks map: 550 Sender-specified
> routing rejected
> Aug 26 00:00:05 mail postfix/qmgr[176]: 178F8585: from=<owner-D4-ALL-
> [hidden email]>, size=2671, nrcpt
> =1 (queue active)
> Aug 26 00:00:05 mail postfix/smtp[95279]: 178F8585:
> to=<[hidden email]>, relay=127.0.0.1[127.0.0.1], delay=1,
>  status=sent (250 A07447D2511 queued for delivery)
> Aug 26 00:00:05 mail postfix/qmgr[176]: 178F8585: removed
> Aug 26 00:00:05 mail postfix/smtpd[94745]: disconnect from
> wspvmolylist1.wsp.wa.gov[167.72.2.45]"
>
> I don't have a message of anything sent from listserv other than
> unsubscribe message. I've asked for a test message, but because it's
> official and goes to others he doesn't want to send one so I can track
> it in the maillog.
>
> Me and guy can email back and forth, but it comes from
> "wspapolymailb.wsp.wa.gov" and not "wspvmolylist1.wsp.wa.gov"
>
> My header_checks file contains:
> # Disallow sender-specified routing. This is a must if you relay mail
> #for other domains.
> /[%!@].*[%!@]/              550 Sender-specified routing rejected
>
> # Postmaster is OK, that way they can talk to us about how
> #  to fix their problem.
> /^postmaster@/                          OK
>
> # Protect your outgoing majordomo exploders
> # /^(.*)-outgoing@(.*)$/!/^owner-.*/    550 Use ${1}@${2} instead

Where did the above crap come from?  Looks like a
check_sender_access map that someone stuck in header_checks.

"550 ..." is not valid for header_checks, but is OK for
check_sender_access.  All the above checks will cause lots of
false positives in header_checks, but are probably OK for a
check_sender_access table.

I suggest removing them all.

>
> #Restrictions
> /approved/      REJECT approved
> /debt/          REJECT debt
> etc....

Single word rejects are (almost)? always a mistake.
Will you even get this reply?

You should remove them all.

>
> Do I have the correct syntax in my header_checks, or is this causing
> the problem? I do relay for two domains, so I think I want to leave
> the command intact.

I think you should completely remove your header_checks file
and start over again.

>
> postconf -n output:
> alias_database = hash:/etc/mail/aliases
> alias_maps = hash:/etc/mail/aliases
> command_directory = /usr/local/sbin
> config_directory = /usr/local/etc/postfix
> content_filter = smtp:[127.0.0.1]:10024
> daemon_directory = /usr/local/libexec/postfix
> debug_peer_level = 2
> disable_vrfy_command = yes
> header_checks = regexp:/usr/local/etc/postfix/header_checks
> html_directory = no
> mail_name = TPC Holdings, We report spam

This is usually "Postfix". Maybe you really wanted to add this
text to smtpd_banner?

> mail_owner = postfix
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 5000000
> mydestination = lt.lmtribune.com mail.lmtribune.com
> mydomain = lmtribune.com
> myhostname = mail.lmtribune.com
> mynetworks = 1xx.xx.xxx.0/24 192.168.0.0/16 127.0.0.0/8
> mynetworks_style = subnet
> myorigin = $mydomain
> newaliases_path = /usr/local/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = no
> relay_domains = lmtribune.com dnews.com
> relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_client_restrictions = check_client_access
> hash:/usr/local/etc/postfix/client_access       permit
> smtpd_error_sleep_time = 1s
> smtpd_hard_error_limit = 20
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = permit_mynetworks        
> reject_unauth_destination       reject_invalid_hostname
> warn_if_reject reject_unknown_hostname   reject_unauth_pipelining    
>    reject_non_fqdn_sender  reject_unknown_sender_domain    
> reject_non_fqdn_recipient      

There won't ever be any non-fqdn recipients after
permit_mynetworks and reject_unauth_destination.
remove this.

> reject_unknown_recipient_domain

The only possible unknown recipient domain after
reject_unauth_destination is your own, in case your DNS
hiccups.  remove this.

> warn_if_reject reject_unknown_client     reject_non_fqdn_hostname    
>    check_client_access hash:/usr/local/etc/postfix/access_client  
> check_helo_access hash:/usr/local/etc/postfix/helo_access        
> check_sender_access hash:/usr/local/etc/postfix/sender_access    
> check_recipient_access hash:/usr/local/etc/postfix/recipient_access
> smtpd_restriction_classes = restrictive, permissive
> smtpd_sender_restrictions = check_sender_access
> hash:/usr/local/etc/postfix/sender_access
> smtpd_soft_error_limit = 10
> strict_rfc821_envelopes = yes
> transport_maps = hash:/usr/local/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
>
> From what I can tell, their A records and mx records for wsp seem to
> be ok. I can telnet to the box port 25, but can't get past the mail
> from: for oblivious reasons.
>
> Any ideas on how I can further test?

Resubscribe and then watch your logs carefully.  My assumption
is that one of your header_checks is rejecting the mail.

>
> thx,
>
> -Jim McIver
>


--
Noel Jones

Re: Postfix header_checks and Lsoft listserv

mouss-2
In reply to this post by MrC-7
MrC wrote:

> Jim McIver wrote:
>
>> My header_checks file contains:
>> # Disallow sender-specified routing. This is a must if you relay mail
>> #for other domains.
>> /[%!@].*[%!@]/              550 Sender-specified routing rejected
>>
>
> This seems prone to many false positives.  Many headers have such
> patterns.  Eg:
>
> X-Amavis-OS-Fingerprint: Linux 2.4-2.6 (NAT!) (firewall!) (up: 815 hrs),
> From: "[hidden email]" <[hidden email]>
> To: "[hidden email]" <[hidden email]>
>

note that it also matches the message-id of the rejected message.

Message-Id: <LISTSERV%[hidden email]>


it looks like he copied Jim's cheat sheet but put the rules in
header_checks instead of smtpd restrictions.

now, I wouldn't even use these in smtpd restrictions. I'm not seeing any
spam with such patterns. so why reject valid characters if it doesn't
even reduce spam?

> Perhaps you need to be more restrictive, matching only a particular
> header, and allow for valid email addresses as above.

he needs to put the checks in a check_sender_access instead.

Re: Postfix header_checks and Lsoft listserv

Wietse Venema
In reply to this post by Jim McIver
Jim McIver:

> My header_checks file contains:
> # Disallow sender-specified routing. This is a must if you relay mail
> #for other domains.
> /[%!@].*[%!@]/              550 Sender-specified routing rejected
>
> # Postmaster is OK, that way they can talk to us about how
> #  to fix their problem.
> /^postmaster@/                          OK
>
> # Protect your outgoing majordomo exploders
> # /^(.*)-outgoing@(.*)$/!/^owner-.*/    550 Use ${1}@${2} instead

Those are to be used as SMTPD_RECIPIENT_RESTRICTIONS
(check_recipient_access) not as HEADER_CHECKS.

        Wietse
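
Added example (not part of any post in this thread): a small audit that runs the header_checks rules quoted above over sample header lines, to show which legitimate headers each pattern matches and which rules use a numeric reply code as the action. The header values are constructed, and Python's `re` with case-insensitive matching is an assumption standing in for the Postfix `regexp:` table.

```python
import re

# Rules copied from the header_checks file quoted in the thread.
RULES = """\
/[%!@].*[%!@]/              550 Sender-specified routing rejected
/^postmaster@/                          OK
/approved/      REJECT approved
/debt/          REJECT debt
"""

# Constructed sample headers; addresses and the Message-Id value are invented.
HEADERS = [
    'From: "alice@example.com" <alice@example.com>',
    'To: "bob@example.org" <bob@example.org>',
    'Message-Id: <LISTSERV%2008082600000512@LIST.EXAMPLE.GOV>',
    'X-Amavis-OS-Fingerprint: Linux 2.4-2.6 (NAT!) (firewall!) (up: 815 hrs),',
    'Subject: Budget and debt report approved',
    'Subject: Weekly bulletin',
]

def parse_rules(text):
    """Return (pattern, action, text) for each /pattern/ action line."""
    rules = []
    for line in text.splitlines():
        m = re.match(r'\s*/(.*)/\s+(\S+)\s*(.*)$', line)
        if m and not line.lstrip().startswith('#'):
            rules.append(m.groups())
    return rules

def audit(rules_text, headers):
    """For each rule, flag numeric-code actions and list the headers it matches."""
    report = []
    for pattern, action, _text in parse_rules(rules_text):
        # Assumption: re + IGNORECASE approximates the regexp: table matching.
        rx = re.compile(pattern, re.IGNORECASE)
        report.append({
            "pattern": pattern,
            "action": action,
            # A bare SMTP code such as "550" is an access-map result; in
            # header_checks it produces the "unknown command" warning logged above.
            "numeric_action": action.isdigit(),
            "hits": [h for h in headers if rx.search(h)],
        })
    return report

if __name__ == "__main__":
    for r in audit(RULES, HEADERS):
        flag = "INVALID ACTION" if r["numeric_action"] else "ok"
        print(f'{r["pattern"]!r:20} {r["action"]:7} {flag:15} hits={len(r["hits"])}')
```

The `^postmaster@` rule matches none of the sample lines because every header line begins with the header name, which fits the replies saying these rules were written for an SMTP access table.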