Quantcast

Re: postfix-to-mailman / possible backscatter

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: postfix-to-mailman / possible backscatter

Zbigniew Szalbot-9
Hello,

Ralf Hildebrandt pisze:

> * Zbigniew Szalbot <[hidden email]>:
>
>> I am writing with the hope that some of you are using  
>> postfix-to-mailman.py utility and would like to share how you have solved
>> the problem of possible backscatter. I have installed mailman a couple of
>> days ago and I am using postfix-tomailman.py script (I followed
>> instructions from http://www.purplehat.org/?page_id=18).
>>
>> When doing tests, I have noticed that with such setup, if I fake email  
>> address and send to a non-existent address at lists.domain.tld, then  
>> instead of rejecting postfix will bounce the mail. I believe this opens  
>> door for backscatter. Has anyone implemented this script and took  
>> measures to prevent such backscatter? If so, could you share how? If not,
>> I guess I will go the usuall route of generating necessary mailman  
>> aliases. The advantage of the postfix-to-mailman.py script is that the  
>> aliases are handled automatically (no need to generate them).
>
> relay_domains = proxy:mysql:/usr/local/etc/postfix/mysql_relay_domains_maps.cf
> lacks a corresponding
> relay_recipient_maps entry in main.cf which lists VALID addresses that
> may be relayed to mailman

Thank you Ralf - I just want to make sure:


1/ relay_recipient_maps should list mailman aliases and names for
existing lists? (like list_name, list_name-subscribe, etc.)? If so,
should it list them as complete addresses? ([hidden email])?

2/ According to Postfix documentation:
relay_recipient_maps are "Optional lookup tables with all valid
addresses in the domains that match $relay_domains."

My relay_domains looks currently like this:
relay_domains =
proxy:mysql:/usr/local/etc/postfix/mysql_relay_domains_maps.cf
lists.domain.tld
where lists.domain.tld is a domain for mailman lists. Other domains are
looked up in a database.

Does such setup mean that in relay_recipient_maps I need to specify
valid recipients not only for lists.domain.tld but for all (virtual)
domains I use? If so, that would actually beat the purpose of
mysql-based solution. In that case I would really need to go back to a
something else than postfix-to-mailman.py solution.

Many thanks for further help. I really want to eliminate the possibility
of becoming a backscatter source.

 


--
Zbigniew Szalbot
www.lc-words.com

smime.p7s (3K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: postfix-to-mailman / possible backscatter

mouss-2
Zbigniew Szalbot wrote:

> Hello,
>
> Ralf Hildebrandt pisze:
>
>> * Zbigniew Szalbot <[hidden email]>:
>>
>>> I am writing with the hope that some of you are using  
>>> postfix-to-mailman.py utility and would like to share how you have
>>> solved the problem of possible backscatter. I have installed mailman
>>> a couple of days ago and I am using postfix-tomailman.py script (I
>>> followed instructions from http://www.purplehat.org/?page_id=18).
>>>
>>> When doing tests, I have noticed that with such setup, if I fake
>>> email  address and send to a non-existent address at
>>> lists.domain.tld, then  instead of rejecting postfix will bounce the
>>> mail. I believe this opens  door for backscatter. Has anyone
>>> implemented this script and took  measures to prevent such
>>> backscatter? If so, could you share how? If not, I guess I will go
>>> the usuall route of generating necessary mailman  aliases. The
>>> advantage of the postfix-to-mailman.py script is that the  aliases
>>> are handled automatically (no need to generate them).
>>
>> relay_domains =
>> proxy:mysql:/usr/local/etc/postfix/mysql_relay_domains_maps.cf
>> lacks a corresponding
>> relay_recipient_maps entry in main.cf which lists VALID addresses that
>> may be relayed to mailman
>
>
> Thank you Ralf - I just want to make sure:
>
>
> 1/ relay_recipient_maps should list mailman aliases and names for
> existing lists? (like list_name, list_name-subscribe, etc.)? If so,
> should it list them as complete addresses? ([hidden email])?

yes

>
> 2/ According to Postfix documentation:
> relay_recipient_maps are "Optional lookup tables with all valid
> addresses in the domains that match $relay_domains."
>
> My relay_domains looks currently like this:
> relay_domains =
> proxy:mysql:/usr/local/etc/postfix/mysql_relay_domains_maps.cf
> lists.domain.tld
> where lists.domain.tld is a domain for mailman lists. Other domains
> are looked up in a database.
>
> Does such setup mean that in relay_recipient_maps I need to specify
> valid recipients not only for lists.domain.tld but for all (virtual)
> domains I use?

for all _relay_ domains. virtual mailboxes are to be declared for
virtual_mailbox_domains using virtual_mailbox_maps. you want to read the
ADDRESS CLASSES README...

> If so, that would actually beat the purpose of mysql-based solution.
> In that case I would really need to go back to a something else than
> postfix-to-mailman.py solution.
>
> Many thanks for further help. I really want to eliminate the
> possibility of becoming a backscatter source.
>
>
>
>

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: postfix-to-mailman / possible backscatter

Ralf Hildebrandt
In reply to this post by Zbigniew Szalbot-9
* Zbigniew Szalbot <[hidden email]>:

>> relay_domains = proxy:mysql:/usr/local/etc/postfix/mysql_relay_domains_maps.cf
>> lacks a corresponding
>> relay_recipient_maps entry in main.cf which lists VALID addresses that
>> may be relayed to mailman


> 1/ relay_recipient_maps should list mailman aliases and names for  
> existing lists? (like list_name, list_name-subscribe, etc.)? If so,  
> should it list them as complete addresses? ([hidden email])?

Yes.

> 2/ According to Postfix documentation:
> relay_recipient_maps are "Optional lookup tables with all valid addresses
> in the domains that match $relay_domains."
>
> My relay_domains looks currently like this:
> relay_domains =  proxy:mysql:/usr/local/etc/postfix/mysql_relay_domains_maps.cf lists.domain.tld
> where lists.domain.tld is a domain for mailman lists. Other domains are  
> looked up in a database.

Sounds good.

> Does such setup mean that in relay_recipient_maps I need to specify valid
> recipients not only for lists.domain.tld but for all (virtual) domains I
> use?

Yes. You need to do this, because otherwise you'll be generating
backscatter (when mail goes to non-existing addresses), which will
lead to blacklisting of your server (spamcop & backscatterers.org)

> If so, that would actually beat the purpose of mysql-based solution.

Why not fetch the recipients from mysql AND a file?

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
Signatures cause cancer.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: postfix-to-mailman / possible backscatter

Zbigniew Szalbot-9
Hello,

 > Yes. You need to do this, because otherwise you'll be generating

> backscatter (when mail goes to non-existing addresses), which will
> lead to blacklisting of your server (spamcop & backscatterers.org)


I do not want to be part of the problem, that's why I feel uneasy about
the default postfix-to-mailman.py solution :)!

>> If so, that would actually beat the purpose of mysql-based solution.
>
> Why not fetch the recipients from mysql AND a file?


Thanks for your idea Ralf!

Would this do the trick:

relay_recipient_maps =
proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf,
hash:/usr/local/etc/postfix/relay_recipients
where relay_recipients would contain a list of mailman addresses in the
format of:
[hidden email] OK
[hidden email] OK

and
where mysql_virtual_mailbox_maps.cf contains such a query:

SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

Or does it need another query?

Thank you very much for your assistance! I appreciate your patience with me.

Kind regards,

--
Zbigniew Szalbot
www.lc-words.com

smime.p7s (3K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: postfix-to-mailman / possible backscatter

Zbigniew Szalbot-9
In reply to this post by Ralf Hildebrandt
Hello,

Ralf Hildebrandt pisze:

> Why not fetch the recipients from mysql AND a file?


Can hardly believe it but I made it! :) What I day!

relay_domains =
proxy:mysql:/usr/local/etc/postfix/mysql_relay_domains_maps.cf
mailman.szalbot.homedns.org
relay_recipient_maps =
proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf,
hash:/usr/local/etc/postfix/relay_recipients

 

Thank you once again for your assistance!

--
Zbigniew Szalbot
www.lc-words.com

smime.p7s (3K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: postfix-to-mailman / possible backscatter

Wietse Venema
In reply to this post by Ralf Hildebrandt
Ralf Hildebrandt:

> > Does such setup mean that in relay_recipient_maps I need to specify valid
> > recipients not only for lists.domain.tld but for all (virtual) domains I
> > use?
>
> Yes. You need to do this, because otherwise you'll be generating
> backscatter (when mail goes to non-existing addresses), which will
> lead to blacklisting of your server (spamcop & backscatterers.org)
>
> > If so, that would actually beat the purpose of mysql-based solution.
>
> Why not fetch the recipients from mysql AND a file?

Indeed. Use a hash: file that is owned and maintained by mailman,
and use MySQL for things that you maintain.

relay_recipient_maps = mysql:/file/name hash:/some/where/mailmain/file

        Wietse
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: postfix-to-mailman / possible backscatter

Zbigniew Szalbot-9
Hello,

Wietse Venema pisze:

> Indeed. Use a hash: file that is owned and maintained by mailman,
> and use MySQL for things that you maintain.
>
> relay_recipient_maps = mysql:/file/name hash:/some/where/mailmain/file

Yes - thank you, it has solved my problem and I do not have to change
the setup for which I am grateful. It is interesting though - the file
is not owned by mailman (I forgot to chown it!) but it works nonetheless.

Thanks!
--
Zbigniew Szalbot
www.lc-words.com

smime.p7s (3K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: postfix-to-mailman / possible backscatter

Wietse Venema
Zbigniew Szalbot:

> Hello,
>
> Wietse Venema pisze:
>
> > Indeed. Use a hash: file that is owned and maintained by mailman,
> > and use MySQL for things that you maintain.
> >
> > relay_recipient_maps = mysql:/file/name hash:/some/where/mailmain/file
>
> Yes - thank you, it has solved my problem and I do not have to change
> the setup for which I am grateful. It is interesting though - the file
> is not owned by mailman (I forgot to chown it!) but it works nonetheless.

The ownership matters only when you want to add another mailing list.
Then, it is nice if mailman can update and postmap the file with
mailing list addresses.

        Wietse
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: postfix-to-mailman / possible backscatter

Zbigniew Szalbot-9

>> Yes - thank you, it has solved my problem and I do not have to change
>> the setup for which I am grateful. It is interesting though - the file
>> is not owned by mailman (I forgot to chown it!) but it works nonetheless.
>
> The ownership matters only when you want to add another mailing list.
> Then, it is nice if mailman can update and postmap the file with
> mailing list addresses.

I had no idea Mailman could do it. I have looked at Defaults.py in
Mailman. Setting these options will not be enough, will it?

MTA = 'Postfix'
POSTFIX_STYLE_VIRTUAL_DOMAINS = [] (??? I am not sure what to put in
here...)
POSTFIX_ALIAS_CMD = '/usr/local/sbin/postalias'
POSTFIX_MAP_CMD = '/usr/local/sbin/postmap'

But then how will Mailman know the path to relay_recipients file
(/usr/local/etc/postfix)? Also the way Mailman generates aliases will
not be compatible with relay_recipients syntax?
email_address OK

Thanks a lot! I really appreciate all the help I am getting here.


--
Zbigniew Szalbot
www.lc-words.com

smime.p7s (3K) Download Attachment
Loading...