Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Postfix - antispam and relay package

    Scheduled Pinned Locked Moved pfSense Packages
    855 Posts 136 Posters 1.1m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      LinuxTracker
      last edited by

      Finally set this up today and have read through the thread.

      I seem to be missing something in the basic configuration.

      Notes: I disabled the port 25 NAT and associated rule.
      A new rule to allow port 25 to WAN Address is in place and is logged.
      I let it run for 15+min.

      My Port 25 Rules block 1k spam connects/hour.  I find I've grown attached to them. /notes

      Problem:
      If I bind to Postfix to WAN, Postfix receives and passes mail correctly; but Port 25 Rules are ignored.
      When I bind to loopback-only, I don't see any indication that any mail is reaching Postfix.

      In both cases, the Rule Logs show traffic being passed to the WAN address.

      What am I missing?

      1 Reply Last reply Reply Quote 0
      • marcellocM
        marcelloc
        last edited by

        Hi linuxtracker,

        When you listen postfix on loopback only, you need a Nat rule to forward traffic from wan address to localhost.

        In both cases, you need to put block rules before allow rules on firewall tab.

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

        1 Reply Last reply Reply Quote 0
        • L
          LinuxTracker
          last edited by

          @marcelloc:

          In both cases, you need to put block rules before allow rules on firewall tab.

          Crap.  That is exactly what I did.  I know better too.

          Now I have to go wear the hat for the rest of the day.

          1 Reply Last reply Reply Quote 0
          • marcellocM
            marcelloc
            last edited by

            No intention to call you dunce, I was just posting full info to solve your problem.
            Sorry.  :(

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            1 Reply Last reply Reply Quote 0
            • L
              LinuxTracker
              last edited by

              @marcelloc:

              No intention to call you dunce, I was just posting full info to solve your problem.
              Sorry.

              I wasn't irritated with you.  I was poking fun at myself for making a rookie mistake.

              If you hadn't set me straight, I'd probably still be banging my head against it.

              So - Thank you.

              1 Reply Last reply Reply Quote 0
              • D
                digdug3
                last edited by

                Is it possible to forward all incoming domains to another mail server after the email address had been checked?
                So * to ip x.x.x.x

                1 Reply Last reply Reply Quote 0
                • marcellocM
                  marcelloc
                  last edited by

                  You can configure smart relay options, but I think it's not a good idea as postfix will accept any email, including relay atempts and your internal server will miss the external IP address to do spam checks.

                  Treinamentos de Elite: http://sys-squad.com

                  Help a community developer! ;D

                  1 Reply Last reply Reply Quote 0
                  • D
                    digdug3
                    last edited by

                    @marcelloc:

                    You can configure smart relay options, but I think it's not a good idea as postfix will accept any email, including relay atempts and your internal server will miss the external IP address to do spam checks.

                    Ok, but is it possible to add the domains just like the valid recipients? e.g. a txt file from an external url?

                    1 Reply Last reply Reply Quote 0
                    • marcellocM
                      marcelloc
                      last edited by

                      @digdug3:

                      Ok, but is it possible to add the domains just like the valid recipients? e.g. a txt file from an external url?

                      I think it's not a good idea as this setup may forward many open relay attempts to your internal server and it will not be able to test external ip as you  'proxied' connection with postifx ip.

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      1 Reply Last reply Reply Quote 0
                      • M
                        miken32
                        last edited by

                        Sorry if this has been covered in the many pages before; I took a skim through and didn't find anything. I want to intercept all SMTP traffic (port 25) from the LAN side and redirect it to my own remote mail server, which requires SMTP authentication.

                        So I guess two parts here; doing a redirect from the actual SMTP server to my local Postfix which is installed via this package, and then getting Postfix to talk to the remote server and send the mail on.

                        I guess part one can be done with outbound NAT? For part two everything I see online for a relayhost with SMTP authentication requires additional files and encryption libraries. Is it possible with this package?

                        Thanks a lot if anyone can help.

                        1 Reply Last reply Reply Quote 0
                        • Z
                          zlyzwy
                          last edited by

                          @marcelloc:

                          Hi all,

                          Postfix compilation on x64 now includes cyrus-SASL2 and TLS.

                          who need or want to test it, reinstall or remove/install postfix package.

                          No changes in gui for this option. Include all your SASL and/or TLS config in custom main.cf options

                          att,
                          Marcello Coutinho

                          Hi marcelloc,

                          First, thanks for your great work.

                          Do you have any guide or sample what should I include in main.cf to support TLS?

                          I am sorry I can't find any reference in these posts.

                          Thanks!

                          Zlyzwy

                          1 Reply Last reply Reply Quote 0
                          • I
                            ics
                            last edited by

                            Hi all,

                            All emails appears in status "hold" in the search mail option.
                            Is it normal ?
                            Yet I receive all emails…

                            Does it mean that a copy of all emails is kept in postfix ?
                            If yes, the disk might be full soon...

                            In the "third party antispam settings" of postfix, the message hold mode is "auto mode".
                            Is it a recommended configuration ?
                            What the advantage of manual mode ? And what should we put in ACL headers in such a mode (I'm a newbie)?

                            Thanks

                            1 Reply Last reply Reply Quote 0
                            • marcellocM
                              marcelloc
                              last edited by

                              @zlyzwy:

                              Do you have any guide or sample what should I include in main.cf to support TLS?

                              Paste postfix config for TLS on custom options at gui.

                              As I did not implemented SASL/TLS yet, I don't know how to help you, but google does  ;)

                              Treinamentos de Elite: http://sys-squad.com

                              Help a community developer! ;D

                              1 Reply Last reply Reply Quote 0
                              • marcellocM
                                marcelloc
                                last edited by

                                @ics:

                                All emails appears in status "hold" in the search mail option.
                                Is it normal ?

                                It should only happens when you have select mailscanner integration but did not configured,installed or started mailscanner daemon

                                @ics:

                                Does it mean that a copy of all emails is kept in postfix ?

                                No, it means that messages will stay on disk until mailscanner finishes his job on these messages.

                                @ics:

                                In the "third party antispam settings" of postfix, the message hold mode is "auto mode".
                                Is it a recommended configuration ?
                                What the advantage of manual mode ? And what should we put in ACL headers in such a mode (I'm a newbie)?

                                I use manual mode as I can do some tests or choose the way I hold messages to mailscanner

                                Treinamentos de Elite: http://sys-squad.com

                                Help a community developer! ;D

                                1 Reply Last reply Reply Quote 0
                                • marcellocM
                                  marcelloc
                                  last edited by

                                  @miken32:

                                  Sorry if this has been covered in the many pages before; I took a skim through and didn't find anything. I want to intercept all SMTP traffic (port 25) from the LAN side and redirect it to my own remote mail server, which requires SMTP authentication.

                                  Not implemented on this package. All features were included to act as an inbound smtp server to protect your exchange/internal server.

                                  Treinamentos de Elite: http://sys-squad.com

                                  Help a community developer! ;D

                                  1 Reply Last reply Reply Quote 0
                                  • E
                                    expert_az
                                    last edited by

                                    hello,

                                    i entered some sender restritions like

                                    ymail.com REJECT
                                    dengediksiyon_seti@yahoo.com REJECT
                                    best_tanitim_sektorel@rocketmail.com REJECT

                                    in access lits>>sender  section of the postfix package.

                                    But can't see these settings on main.cf ?any sync problem between this section of the postfix package and main.cf?

                                    here is part of my main.cf

                                    local_recipient_maps =
                                    mydestination =
                                    mynetworks_style = host
                                    message_size_limit = 15728640
                                    default_process_limit = 100
                                    #Just reject after helo,sender,client,recipient tests
                                    smtpd_delay_reject = yes

                                    Don't talk to mail systems that don't know their own hostname.

                                    smtpd_helo_required = yes
                                    smtpd_helo_restrictions =

                                    smtpd_sender_restrictions = reject_unknown_sender_domain,
                                    permit

                                    1 Reply Last reply Reply Quote 0
                                    • marcellocM
                                      marcelloc
                                      last edited by

                                      On current config, sender restrictions are applied on sender_access

                                      smtpd_recipient_restrictions = permit_mynetworks,
                                                                      check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
                                                                      check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
                                                                      reject_invalid_helo_hostname,
                                                                      reject_unknown_recipient_domain,
                                                                      reject_non_fqdn_helo_hostname,
                                                                      reject_non_fqdn_recipient,
                                                                      reject_unauth_destination,
                                                                      reject_unauth_pipelining,
                                                                      reject_multi_recipient_bounce,
                                                                      check_sender_access hash:/usr/local/etc/postfix/sender_access,
                                                                      reject_spf_invalid_sender,
                                                                      permit

                                      Treinamentos de Elite: http://sys-squad.com

                                      Help a community developer! ;D

                                      1 Reply Last reply Reply Quote 0
                                      • E
                                        expert_az
                                        last edited by

                                        marcelloc i don't see in my main.cf sender_access ,any mistake in my config?

                                        here is my cf.

                                        Allow connections from specified local clients and rbl check everybody else if rbl check are set.

                                        smtpd_client_restrictions = check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
                                        check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
                                        permit

                                        Whitelisting: local clients may specify any destination domain.

                                        #,
                                        smtpd_recipient_restrictions = permit_mynetworks,
                                        reject_unauth_destination,
                                        permit

                                        postscreen_disable_vrfy_command = yes
                                        postscreen_non_smtp_command_enable = yes
                                        postscreen_non_smtp_command_action = enforce
                                        postscreen_pipelining_enable = yes
                                        postscreen_pipelining_action = enforce
                                        postscreen_bare_newline_enable = yes
                                        postscreen_bare_newline_action = enforce
                                        postscreen_greet_action = enforce
                                        postscreen_access_list = permit_mynetworks,
                                        cidr:/usr/local/etc/postfix/cal_cidr
                                        postscreen_dnsbl_action= enforce
                                        postscreen_blacklist_action= enforce
                                        postscreen_dnsbl_sites=b.barracudacentral.org,zen.spamhaus.org,bl.spamcop.net
                                        postscreen_dnsbl_threshold=1

                                        1 Reply Last reply Reply Quote 0
                                        • marcellocM
                                          marcelloc
                                          last edited by

                                          Did you checked antipam settings on postfix gui? Your config looks short

                                          Treinamentos de Elite: http://sys-squad.com

                                          Help a community developer! ;D

                                          1 Reply Last reply Reply Quote 0
                                          • E
                                            expert_az
                                            last edited by

                                            i'm using Header verification in basic mode,

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.