Postfix - antispam and relay package
-
This is for
Forum and BSD developers pfSenseI'm not a pfsense developer, I'm a pfSense user just like you. I've decided to stop waiting for packages that do what I need and started writing features to improve them.
The first version of postfix forwarder was just a forwarder, with no options, including SASL.
I've spent many hours in postfix documentation to write a gui that helps administrators on configuring this great mail server and also looking for a better compilation to include features such as PCRE, SPF and SASL.
I do not understand why people who work in this great project, such as pfSense, stop the publication of a package, which is not compatible with pfSense.
Sorry but i did not understood your post. Postfix is compatible with pfsense.
But I do recommend working to improve, and we who belong to the family of pfSense, are the ones who try and give them guidelines for improving pfSense.
You are using a huge free open source firewall and do you really think you are doing a favor to pfSense's team? Unbelievable!
I have reviewed (ClearOs Linux), and has a very simple setup SMTP Relay with Authentication. (relay host)
What are you waiting for? Config and internal machine with it and put your mail system on.
I suggest you to read the section Helping out in pfsense website
Here is the link if you are waiting somebody to look it for you.
http://www.pfsense.org/index.php?option=com_content&task=view&id=47&Itemid=77 -
mauricioniñoavella
I'm not sure if I understand the nature of your e-mail either. Postfix is somthing new to pfsense. marcelloc has done a wonderful job on this package. The only thing I am struggling with is the limited documentation that explains how to configure this package with pfsense. marcelloc has help me a lot with that and I much appreciate his time and efforts to creat a package that I feel should be yet another great package that is part of the base pfsense system. As I have posted before in the past, there are many sistuation that people just need a fast processing router/firewall such as ISP or large internal networks and then there is the rest of us that need a lot more such as a UTM (Unified Threat Management System).
I personally have used ClearOS AKA ClarkConnect for years. Yes it is a great product, but it is a Server, Firewall, and Proxy UTM. You are comparing apples to oranges. I will agree that ClearOS has a great and easy to use mail forwarder feature, but it is very leaky with SPAM even with spamassasin and clamav attached to it. A few other good products I have used that have mail forwarding with filtering is Astatro, Endian, IPCop, Zentyal, Vyatta, and SME Server. So far the best non leaky SPAM forwarder/SPAM filter systems I have came across has been Endian and this new Postfix package marcelloc has made. The funny thing is that the pfsense package does not even have any spamassisin or clamav intergrated into it, and it does a better job than other projects that do. Once marcelloc gets all this added into the package, I am sure it will be one of the best. But, it is in RC1 status right now, so for the love of GOD, give the man some time and don't bite the hand that feeds.
I personaly use multiple firewalls for different uses. So far, I have came to the conclusion after years of using these top 3 products for security. Untangle hands down blows almost everyone out of the water. Astaro Home edition could be there with Untangle if they didn't limit to 50 IP's. pfsense, well this software just does everything. I have my use for it and have faith that it will become more UTM like. pfSense has been my answer to solve many problems when others could not. If pfsense had a solid foundation with everything is currently does and then made IDS/IPS, Web proxy filter, Mail Filter, WAF (Web Application Firewall), which I am supprised to see that the package has not been picked up by someone yet for updating to 2.0 version.
pfSense already has many great features, but could really dominate the market if they supported these UTM features in their base system. I believe a lot of people would agree that a basic stateful NAT firewall is not enough security these days if you have users browsing the web, let a lone if you host anything on you internal network.
marcelloc, thanks for this UTM like package
-
marcelloc
I apologize but do not misunderstand me, only I want is to congratulate you for great work, and definiately not put in doubt, I am a lover of pfSense is best,The idea of posting in the forum is not for misunderstanding or disagreement is only because as darklogic is more than documentation,
suddenly I'm a little confused with the package does not work and you bothered sending you personal messages, but I see no light, ie how to solve the relay hosts, again, I apologize and I am hoping that this is a great package.I apologize to you and the forum, but there are things that improve with your help and with a bit of time is the best
but reiterated that it should have done enough testing before release
with pfSense version 2.0regards
and a thousand thanks for your charisma and collaboration
-
Darklogic,
try this setup on your postfix:
First go to on diagnostics -> edit file
type /etc/hosts in 'Save / Load from path:' then press load
WITH CAUTION, include the ip address and the wrong helo info from remote domain you want to receive email.24.123.130.226 CNASRV.CNA.local
press save button.
Go to postfix configuration and add custom cf options:
disable_dns_lookups = yes
Save config and see what will happen with your server.
If it works, also check if /etc/hosts file keeps the info after a reboot.I saw no options to relax reject_unknown_client_hostname.
This is the postfix documentation for this option:
disable_dns_lookups (default: no) Disable DNS lookups in the Postfix SMTP and LMTP clients. When disabled, hosts are looked up with the getaddrinfo() system library routine which normally also looks in /etc/hosts. DNS lookups are enabled by default.
-
marcelloc,
It looks like it works. I have not had a chance to reboot yet. I will keep an eye on this and see how it pans out. Also, I like the new pfblocker you and tommyboy are working on.
Thanks for the detailed configuration info.
MDP
-
marcelloc,
I added a couple more into the /etc/hosts and then saved the config. For some reason it is removing the entries. They will just randomly drop off the list, but I can see where dynamic dhcp client on the internal network are getting added to this list? The only entry that is not getting removed is the example one I used and you used in your post?
Not sure what I am doing wrong. It corrected the issue with only the first manually added host and IP.
Thanks,
MDP
-
For internal clients, the best way is to include their hostnames on your local dns.
Setup your pfSense box to use your internal dns.
But, if you are using dns Forwarder on pfsense, you can also include these host info on it.
And don't forget to save postfix config after any host change.
-
marcelloc
regards
what a pity to disturb, look I'm working and making changes to the cfg and Services: Postfix relay and spam, but not working.
not to do just what I want is a postfix relay host, that I may have a serviodor forwarder external mail, which is in zimbra
using a generic account with authentication and security is, with STARTTLS
as I have written before I had the problems that no longer do.
thanks
for your collaboration -
mauricioniñoavella,
As we saw in ermal post, package cyrrus has a missing dependencie in pfsense. Its not a missing compile arg, so there is nothing I can do to Fix it.
For now, postfix Forwarder Does not has SASL option.
If you want a quick solution for that, buy some commercial support hours as ask pfsense team to Fix it.
If you google for you problem, you will find that openldap client requires cyrrus too.
good luck on your trouble shooting.
-
marcelloc
then you confirm that the problem is not yours, rom problems pfSense team, then you spor angry about this that you wroteI see you work for us.
many thanks for your collaboration
-
marcelloc
then you confirm that the problem is not yours, rom problems pfSense team, then you spor angry about this that you wroteI see you work for us.
many thanks for your collaboration
mauricioniñoavella,
you must understand one thing.
pfsense's team released version 2.0 with no need of cyrrus-sasl library, so the problem is not with pfsense's team.
Packages are contributions and almost created and maintained by community, so when a package has a problem, the problem is not on pfsense2.0.
When somebody builds a package, all ports compilation is done by pfsense team BUT it does not means that is fully supported by them.
Pfsense is one thing, packages is another thing completely apart of base project.
if you don't like the way libraries are missing on pfsense, try installing freebsd packages on labs.
I'm not angry about anything in pfsense's project, its perfect to me.
-
marcelloc
To my pfSense also is an excellent project.
In fact I think it is good to realize this problem, as I have experienced that served to improve your package. And that the community forum to find out.
It is very important to account for other versions as I could incorporate cyrrus-sasl library, I hope you will contribute to have been able to let you know this,
Thank you very much for your input.
To think this forum, to share and we want this project. As is pfSense, and do not take as a destructive criticism but a constructive criticism.
I hope you take it in practice because it is a benefit to all who participated in this forum, showing the possible problems that arise in the project, to improve it.
The Free BSD Project was born to be a complete Unix-like operating system free software, software that respects your freedom. and best of all and for all.I will be working to bring you the package for continuous improvement in your work is excellent, because I think an excellent system, and wait when you merge with relay host including cyrrus-sasl.
thanks
Mauricio
-
HI all,
I've just released package version 2.2 with:
-
Sqlite database log support
-
Widget for dashboard with mail stats
-
Search email tool for diagnostics
-
checkbox to enable or not smtp_valid_hostname_check
-
few more help info for easier setup
-
-
Awsome news. I hope this corrects my issue. I will post something here in a bit that I have encountered.
-
OK, so the rejects that I have been getting seems to occure when the remote host excepts e-mail on a different public IP than the one it sends from. I discovered this by talking with some IT people that I have been getting all these legitamite e-mail rejects on the helo host not found. They have something like an ironport or barracuda acting as a mail gateway behind a firewall in bound SMTP on a particular IP and then their mail server has a statis 1-to-1 NAT rule that translates outbound sending of mail on a different IP.
I have not idea how to even resolve this since it tries the verify back to an IP that does not listen or forward mail back to the internal mail server.
Please let me know if this is not a clear enough write up on what I am saying.
Thanks for all you do marcelloc
-
The helo smtp info can be easily configured by email admins, including Micro$oft. The default option is something internal like hostname.local if you do not use any server for relay to internet.
Unckeck this option and see how postfix deals with your spammers.
On my clients networks, I do only accept mail from server that are not misconfigured.
-
on your check box for helo check. I see it says checked for default. So if I check it, I am assuming it will check helo and if it is unchecked it will not check helo?
Thanks,
-
ahhh, I think your updated package has worked. I am starting to recieve these e-mails now. I just recieved the ones from earlier today.
This makes me feel so much better.
Thanks marcelloc
-
Great news. In few days you will have many logs on Database. Take a look on dashboard postfix widget and on search mail.
-
I am currently looking into it. Great work marcelloc.