Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Postfix - antispam and relay package

    Scheduled Pinned Locked Moved pfSense Packages
    855 Posts 136 Posters 1.1m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • marcellocM
      marcelloc
      last edited by

      at docs.pfsense.com has some info but not so detailed.

      the basic setup is:

      • remove nat from port 25

      • create a wan rule to permit smtp traffic to wan address

      • check enable postfix option

      • choose at least wan loopback interfaces

      • fill your domain/internal smtp info

      Many options has recommend, default and link option to postfix documentation.

      I recommend enable all antispam settings too.

      att,
      Marcello Coutinho

      Treinamentos de Elite: http://sys-squad.com

      Help a community developer! ;D

      1 Reply Last reply Reply Quote 0
      • D
        darklogic
        last edited by

        Hey thanks very much for the info. I will give a try. I really like the concept of this package and have waited a while to see something like this come out for pfsense, so thanks for all your hard work.

        I do have one question for your response. When you say WAN loopback interface, do you mean select the WAN interface only, the loopback interface only, or both?

        Thanks Again,

        1 Reply Last reply Reply Quote 0
        • D
          darklogic
          last edited by

          So I have e-mails forwarding ok now and thanks for the basic info for that. Just curious, as I seen in early to mid last month a post you made about mailscanner, and was wondering if this will become part of the base install of the postfix forwarder package?

          Currently I am unsure how to implement this ability and not really sure on what the ACLs/Filter maps tab does.

          If you made this package an all inclusive install with all the components needed for a full SMTP filter, that would be sweet.

          Thanks

          1 Reply Last reply Reply Quote 0
          • marcellocM
            marcelloc
            last edited by

            Mailscanner + spamassassin will be released soon as a new package with more then 500 options to filter spam. As I told in other posts, I'm waiting Mailscanner package compilation by core team. But if you know how mailscanner works you can add freebsd package and configure it.

            Can you feedback in % how postfix + all antispam settings reduced spam messages on mailboxes?

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            1 Reply Last reply Reply Quote 0
            • D
              darklogic
              last edited by

              Yeah, I will post some stats in a about a week. I will compare report files from our other filtering system and see what a rough % in reduction maybe. I can say that I have noticed a difference already just from last night when I enabled it. I am seeing a lot of RBLS blocks and invalide host address blocks. Normally this would get cought by our other filter, but not always for some reason.

              For the most part, it seems to be working very well and I am excited for the Mailscanner package.

              I have been playing around with the ACLs/Filter Maps section and was wondering if a manual blacklist block and whitelist allow will be added?

              Thanks,

              1 Reply Last reply Reply Quote 0
              • marcellocM
                marcelloc
                last edited by

                The ACLs allow you to block or permit ips, subjects, atachments and Also filter message body.

                Take a look at samples below each field.

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                1 Reply Last reply Reply Quote 0
                • D
                  darklogic
                  last edited by

                  Ahhh yes, I am starting to understand how you are laying this out. This all makes sense now. I guess I have just been getting to use to check boxes and enable buttons way to much LOL.

                  Thanks again for the info.

                  Take Care

                  MDP

                  1 Reply Last reply Reply Quote 0
                  • M
                    mauricioniñoavella
                    last edited by

                    hello

                    marcelloc

                    I can confirm you this module can function as a relay host, thatis I work as an SMTP forwarder to an external mail Server using STARTTLS

                    I congratulate you for your great support for this great pauqete, Proxies and redirects mail, I'm new in this package I would like know if there is some configuration information, as a forwarder (SMTP) mail to an external Server "Outbound Relay Hosts"

                    Could anyone help me with the basic configuration to work as mail forwarder to an external server authentication through a little priest specified. It's a bit difficult to understand the configuration without documentation or configuration give some tics.

                    thanks for your collaboration

                    1 Reply Last reply Reply Quote 0
                    • marcellocM
                      marcelloc
                      last edited by

                      mauricioniñoavella,

                      The basic setup is already in this topic.
                      http://forum.pfsense.org/index.php/topic,40622.msg217539.html#msg217539

                      All features in postfix forwarder package was include after many hours reading official postfix documentation.

                      Many features in this packages, has samples or direct links to postfix website, take a look.

                      Also you have the options to see the result of gui setup in View confi files tab.

                      Some docs about SASL say that are many implementations for it in postfix, now I'm trying to find one compatible with pfsense.

                      see considerations on enabling TLS
                      http://www.postfix.org/TLS_README.html

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      1 Reply Last reply Reply Quote 0
                      • D
                        darklogic
                        last edited by

                        marcelloc

                        I have a e-mail that seems to be getting blocked, which I think is a false positive. Here is the log I get back. Note that I removed the actual domain name and IP.

                        postfix/smtpd[32719]: NOQUEUE: reject: RCPT from mail.example.org[XXX.XXX.XXX.XXX]: 450 4.7.1 <ex02.example.local>: Helo command rejected: Host not found; from= someone@example.orgto= someone@mydomain.comproto=ESMTP helo= <ex02.example.local>I added this filter rule in the header to allow. This did not seem to work, but when I added a different rule to REJECT a different domain name, it worked.

                        /^From:.*@example.org/ OK

                        Any idea on this?

                        Thanks,

                        MDP</ex02.example.local>/someone@mydomain.com/someone@example.org</ex02.example.local>

                        1 Reply Last reply Reply Quote 0
                        • marcellocM
                          marcelloc
                          last edited by

                          The host that remote server announce on Helo smtp command Does not exist.

                          This is one of the header verification tests.

                          Treinamentos de Elite: http://sys-squad.com

                          Help a community developer! ;D

                          1 Reply Last reply Reply Quote 0
                          • marcellocM
                            marcelloc
                            last edited by

                            Hi all,

                            Postfix compilation on x64 now includes cyrus-SASL2 and TLS.

                            who need or want to test it, reinstall or remove/install postfix package.

                            No changes in gui for this option. Include all your SASL and/or TLS config in custom main.cf options

                            att,
                            Marcello Coutinho

                            Treinamentos de Elite: http://sys-squad.com

                            Help a community developer! ;D

                            1 Reply Last reply Reply Quote 0
                            • D
                              darklogic
                              last edited by

                              marcelloc,

                              I am getting a lot of these messages and I have seen a lot of them that are from domains and users I know. What can I do to stop these false positives. Here is the message I recieve minus real IP and domain names.

                              postfix/smtpd[61721]: NOQUEUE: reject: RCPT from mail.someonesdomain.com[xxx.xxx.xxx.xxx]: 450 4.7.1 <cnasrv.cna.local>: Helo command rejected: Host not found; from= someone@someonesdomain.comto= user@mydomain.comproto=ESMTP helo=<cnasrv.cna.local></cnasrv.cna.local>/user@mydomain.com/someone@someonesdomain.com</cnasrv.cna.local>

                              Here is my configuration. I have messed around trying to find out what is causing it and had no luck.

                              ACL Filter MIME:
                              /^name=[^>]*.(com|vbs|js|jse|exe|bat|cmd|vxd|scr|hlp|pif|shs|ini|dll)/ REJECT W do not allow files of type "$3" because of security concerns - "$2" caused the block.
                              /^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?.(386|ad[ept]|drv|em(ai)?l|ex[_e]|xms|{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}})\b/ REJECT ".$2" file attachment types not allowed

                              **ACL Filter CIDR:**My Internal Subnet xxx.xxx.xxx.xxx/24

                              Antispam:
                              Header Verification = strong

                              Zombie Blocker = Enabled with enforce

                              After greetins Test= all selected

                              Softbounce= enabled

                              RBL with = dnsbl.sorbs.net, bl.spamcop.net2, dnslb.local-5, cbl.abuseat.org, b.barracudacentral.org

                              RBL threshold = 1

                              SPF Check = Recomended setting

                              I have tried litteraly disabling everything and setting head check to basic to see if the messages would pass. I even added rules to the ACL filter list such as /^From:.*@someonesdomain.com OK

                              Is there something I can do? Do you have any suggestions?

                              Thanks,

                              MDP

                              1 Reply Last reply Reply Quote 0
                              • marcellocM
                                marcelloc
                                last edited by

                                As I told you last post, postfix is very judicious in header checks, so check your DNS server to see if this host announced by remote SMTP does exist or not.

                                You can also try to white-list this host in your local RBL and CIDR ACL.

                                I have many of these alerts too, but all of them are really spam or 'misconfigured' hosts.

                                Treinamentos de Elite: http://sys-squad.com

                                Help a community developer! ;D

                                1 Reply Last reply Reply Quote 0
                                • D
                                  darklogic
                                  last edited by

                                  marcelloc,

                                  I am going to assume that they are misconfigured host because I know they are not spam emails.

                                  I did state I added the /^From:.*@someonesdomain.com OK in the ACL's Filter in the header section. Does this not whitelist the e-mail or is it just whitelisting only one of the spam checks?

                                  Also, if I add their domain address to the CIDR allow, wouldn't that allow their mail server to relay off ours according to the text I am reading at the bottom of that form field?

                                  Thanks,

                                  MDP

                                  1 Reply Last reply Reply Quote 0
                                  • D
                                    darklogic
                                    last edited by

                                    Sorry, I meant relay off the pfsense box. My mail server would not act as an open relay.

                                    1 Reply Last reply Reply Quote 0
                                    • marcellocM
                                      marcelloc
                                      last edited by

                                      @darklogic:

                                      I am going to assume that they are misconfigured host because I know they are not spam emails.

                                      Did you tested name resolution oh the remote host header info?

                                      @darklogic:

                                      Also, if I add their domain address to the CIDR allow, wouldn't that allow their mail server to relay off ours according to the text I am reading at the bottom of that form field?

                                      When using postscreen, the documentations says(correct me if I'm wrong) that this only prevents blocking.
                                      When postscreen is disabled, any ip on CIDR allows relay on your server.

                                      Can you test this with any other external ip?

                                      Treinamentos de Elite: http://sys-squad.com

                                      Help a community developer! ;D

                                      1 Reply Last reply Reply Quote 0
                                      • D
                                        darklogic
                                        last edited by

                                        I have been using mxtoolbox.com for testing. One of the domains I am trying to figure out why it is getting blocked is clemansnelson.com

                                        When I do a test on mxtoolbox.com for mail.clemansnelson.com I get the following.

                                        220 CNASRV.CNA.local Microsoft ESMTP MAIL Service ready at Fri, 21 Oct 2011 12:59:31 -0400

                                        OK - 24.123.130.226 resolves to mail.clemansnelson.com
                                        Warning - Reverse DNS does not match SMTP Banner
                                        0 seconds - Good on Connection time
                                        Not an open relay.
                                        5.335 seconds - Warning on Transaction time

                                        Thanks,

                                        MDP

                                        1 Reply Last reply Reply Quote 0
                                        • D
                                          darklogic
                                          last edited by

                                          How would I go about disabling postscreen just to see if the mails start to come through. I thought I did disable once by simply unselecting the after greeting checks and disabling Zombie Blocker?

                                          1 Reply Last reply Reply Quote 0
                                          • marcellocM
                                            marcelloc
                                            last edited by

                                            Can you see that there is a warning for this domain on your test?

                                            I've made some tests here and  mail.clemansnelson.com has a valid dns entry and it's related as SPF for clemansnelson.com.

                                            check if your dns has same info and if postfix erros say that worng hostname is mail.clemansnelson.com or something else.

                                            If you disable postscreen, the error will remain as it is done in header check.

                                            Treinamentos de Elite: http://sys-squad.com

                                            Help a community developer! ;D

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.