Postfix - antispam and relay package

darklogic

marcelloc,

I removed the list from my post.

Also, I am having no luck with those domains that are getting rejected that I know are ok e-mails, but maybe misconfigured servers. I am getting a lot of this and I have had about 5 employees ask if something was wrong with the e-mail system. If I can't figure a way to allow these e-mails, I may have to back away from the postfix package. I really don't want to do that… This is the same issue I have been previously posting about.

Thanks,

MDP

marcelloc

First of all, it's not a issue with postfix. It's a issue with remote smtp admin.

Try to include remote server in cidr or call remote admin.

Here is the link for poscreen documentation about whitelist:

http://www.postfix.org/postconf.5.html#postscreen_access_list
PERMANENT WHITE/BLACKLIST TEST
      This test is executed  immediately  after  a  remote  SMTP
      client  connects.  If a client is permanently whitelisted,
      the client will be handed off  immediately  to  a  Postfix
      SMTP server process.

postscreen_access_list (permit_mynetworks)
              Permanent white/blacklist for remote SMTP client IP
              addresses.

darklogic

I'm sorry, I didnt mean to sound like I was saying something is wrong with your package. I just don't have any clear way to resolve this issue with so many misconfigured e-mail servers.

There is little documentation for your package and the docs that are being provided are for a project other than a package for pfsense. If I knew all the ends and outs of this package, I guess I would know the answer, and if I knew the answer on how to configure this mod with little documentation to follow, I guess I might even be able to develope it, but I don't know.

Even you main.cf file states in it, not to modify?

I like this package, I really want to use it, but the documentation being provided is not for the pfsense package.

Thanks For All You Help,

MDP

marcelloc

the link was for postscreen documentation to show you that putting the remote smtp ip in CIDR while using postscreen does not open your server to relay.

You just step over postscreen and connect direct to postfix daemon where there are other tests.

Sorry if it seemed offensive, was not my intention.

darklogic

marcelloc,

I was not taking it offensive, I was trying to clear up the fact that I am no developer or coder. It takes me some time to understand what's going on in the guts of the program. Basically I don't have your knowledge and therefore I don't understand some of the lingo or even the documentation that is being provided. I understand that this package is still new and in RC1 stage right now and some things should not be exspected. In all reality, I have no reason to complain as this package is free and you are spending your free time to develope it, and I thank you for that truely.

So what I got from your last post is if you add the public IP of the sender in the Client Access List in the CIDR form box. It will pass the message from that domain address that is getting blocked or any address coming from that domain IP? Is that correct?

Thanks for your time,

MDP

darklogic

OK, so I added some of the IP's xxx.xxx.xxx.xxx OK to the CIDR list. In the logs I see where is starts the connection, states the IP is whitelisted in postscreen and then I get the same reject message? Does something else need to be done?

Any ideas?

Thanks,

marcelloc

No ideas.

I will try to find a way to reduce security checks for specific domains.

darklogic

Sounds good, thanks.

MDP

marcelloc

Try to include the wrong hello host from remote domain in /etc/hosts file.

mauricioniñoavella

I'm trying to colleagues include, relay host that I may just mail forwarder to an external server with me autenticaion and generates this error if anyone can help me

postfix/smtpd[5191]: unable to dlopen /usr/local/lib/sasl2/libgssapiv2.so.2: Shared object "libgssapi.so.10" not found, required by "libgssapiv2.so.2"

thanks for the help

mauricioniñoavella

hello

marcelloc

You had confirmed that the package already endured STARTTLS and is filing this prolem please collaborate or me to do

postfix/smtpd[21954]: unable to dlopen /usr/local/lib/sasl2/libgssapiv2.so.2: Shared object "libgssapi.so.10" not found, required by "libgssapiv2.so.2"

ldd /usr/local/sbin/saslpasswd2
/usr/local/sbin/saslpasswd2:
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x800647000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x800761000)
libgssapi.so.10 => not found (0x0)
libheimntlm.so.10 => not found (0x0)
libkrb5.so.10 => not found (0x0)
libhx509.so.10 => not found (0x0)
libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8009fb000)
libasn1.so.10 => not found (0x0)
libroken.so.10 => not found (0x0)
libcrypt.so.5 => /lib/libcrypt.so.5 (0x800afd000)
libopie.so.6 => /usr/lib/libopie.so.6 (0x800c16000)
libc.so.7 => /lib/libc.so.7 (0x800d1f000)
libmd.so.5 => /lib/libmd.so.5 (0x800f5b000)

eri--

That's missing dependency of the package i think or missing libraries in base of pfSense.
It is not a missing compile flag of the package itself.

Just general comment here while i saw this though.

mauricioniñoavella

This is for
Forum and BSD developers pfSense
I do not understand why people who work in this great project, such as pfSense, stop the publication of a package, which is not compatible with pfSense.
Please do not degrade this great software such as pfSense without offending anyone, first of all congratulate marcelloc and Postfix antispam and relay package has problems.
But I do recommend working to improve, and we who belong to the family of pfSense, are the ones who try and give them guidelines for improving pfSense.
PfSense do not compare with other systems or software firewalls, for there is but I have reviewed (ClearOs Linux), and has a very simple setup SMTP Relay with Authentication. (relay host)
I hope this is taken into account
regards

Mauricio

marcelloc

This is for
Forum and BSD developers pfSense

I'm not a pfsense developer, I'm a pfSense user just like you. I've decided to stop waiting for packages that do what I need and started writing features to improve them.

The first version of postfix forwarder was just a forwarder, with no options, including SASL.

I've spent many hours in postfix documentation to write a gui that helps administrators on configuring this great mail server and also looking for a better compilation to include features such as PCRE, SPF and SASL.

I do not understand why people who work in this great project, such as pfSense, stop the publication of a package, which is not compatible with pfSense.

Sorry but i did not understood your post. Postfix is compatible with pfsense.

But I do recommend working to improve, and we who belong to the family of pfSense, are the ones who try and give them guidelines for improving pfSense.

You are using a huge free open source firewall and do you really think you are doing a favor to pfSense's team? Unbelievable!

I have reviewed (ClearOs Linux), and has a very simple setup SMTP Relay with Authentication. (relay host)

What are you waiting for? Config and internal machine with it and put your mail system on.

I suggest you to read the section Helping out in pfsense website
Here is the link if you are waiting somebody to look it for you.
http://www.pfsense.org/index.php?option=com_content&task=view&id=47&Itemid=77

darklogic

mauricioniñoavella

I'm not sure if I understand the nature of your e-mail either. Postfix is somthing new to pfsense. marcelloc has done a wonderful job on this package. The only thing I am struggling with is the limited documentation that explains how to configure this package with pfsense. marcelloc has help me a lot with that and I much appreciate his time and efforts to creat a package that I feel should be yet another great package that is part of the base pfsense system. As I have posted before in the past, there are many sistuation that people just need a fast processing router/firewall such as ISP or large internal networks and then there is the rest of us that need a lot more such as a UTM (Unified Threat Management System).

I personally have used ClearOS AKA ClarkConnect for years. Yes it is a great product, but it is a Server, Firewall, and Proxy UTM. You are comparing apples to oranges. I will agree that ClearOS has a great and easy to use mail forwarder feature, but it is very leaky with SPAM even with spamassasin and clamav attached to it. A few other good products I have used that have mail forwarding with filtering is Astatro, Endian, IPCop, Zentyal, Vyatta, and SME Server. So far the best non leaky SPAM forwarder/SPAM filter systems I have came across has been Endian and this new Postfix package marcelloc has made. The funny thing is that the pfsense package does not even have any spamassisin or clamav intergrated into it, and it does a better job than other projects that do. Once marcelloc gets all this added into the package, I am sure it will be one of the best. But, it is in RC1 status right now, so for the love of GOD, give the man some time and don't bite the hand that feeds.

I personaly use multiple firewalls for different uses. So far, I have came to the conclusion after years of using these top 3 products for security. Untangle hands down blows almost everyone out of the water. Astaro Home edition could be there with Untangle if they didn't limit to 50 IP's. pfsense, well this software just does everything. I have my use for it and have faith that it will become more UTM like. pfSense has been my answer to solve many problems when others could not. If pfsense had a solid foundation with everything is currently does and then made IDS/IPS, Web proxy filter, Mail Filter, WAF (Web Application Firewall), which I am supprised to see that the package has not been picked up by someone yet for updating to 2.0 version.

pfSense already has many great features, but could really dominate the market if they supported these UTM features in their base system. I believe a lot of people would agree that a basic stateful NAT firewall is not enough security these days if you have users browsing the web, let a lone if you host anything on you internal network.

marcelloc, thanks for this UTM like package

mauricioniñoavella

marcelloc
I apologize but do not misunderstand me, only I want is to congratulate you for great work, and definiately not put in doubt, I am a lover of pfSense is best,

The idea of ​​posting in the forum is not for misunderstanding or disagreement is only because as darklogic is more than documentation,
suddenly I'm a little confused with the package does not work and you bothered sending you personal messages, but I see no light, ie how to solve the relay hosts, again, I apologize and I am hoping that this is a great package.

I apologize to you and the forum, but there are things that improve with your help and with a bit of time is the best

but reiterated that it should have done enough testing before release
with pfSense version 2.0

regards

and a thousand thanks for your charisma and collaboration

marcelloc

Darklogic,

try this setup on your postfix:

First go to on diagnostics -> edit file
type /etc/hosts in 'Save / Load from path:' then press load
WITH CAUTION, include the ip address and the wrong helo info from remote domain you want to receive email.

24.123.130.226 CNASRV.CNA.local

press save button.

Go to postfix configuration and add custom cf options:

disable_dns_lookups = yes

Save config and see what will happen with your server.
If it works, also check if /etc/hosts file keeps the info after a reboot.

I saw no options to relax  reject_unknown_client_hostname.

This is the postfix documentation for this option:

disable_dns_lookups (default: no)
Disable DNS lookups in the Postfix SMTP and LMTP clients. When disabled, hosts are looked up with the getaddrinfo() system library routine which normally also looks in /etc/hosts.

DNS lookups are enabled by default.

darklogic

marcelloc,

It looks like it works. I have not had a chance to reboot yet. I will keep an eye on this and see how it pans out. Also, I like the new pfblocker you and tommyboy are working on.

Thanks for the detailed configuration info.

MDP

darklogic

marcelloc,

I added a couple more into the /etc/hosts and then saved the config. For some reason it is removing the entries. They will just randomly drop off the list, but I can see where dynamic dhcp client on the internal network are getting added to this list? The only entry that is not getting removed is the example one I used and you used in your post?

Not sure what I am doing wrong. It corrected the issue with only the first manually added host and IP.

Thanks,

MDP

marcelloc

For internal clients, the best way is to include their hostnames on your local dns.

Setup your pfSense box to use your internal dns.

But, if you are using dns Forwarder on pfsense, you can also include these host info on it.

And don't forget to save postfix config after any host change.