Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Postfix - antispam and relay package

    Scheduled Pinned Locked Moved pfSense Packages
    855 Posts 136 Posters 1.1m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Z
      zlyzwy
      last edited by

      @marcelloc:

      Hi all,

      Postfix compilation on x64 now includes cyrus-SASL2 and TLS.

      who need or want to test it, reinstall or remove/install postfix package.

      No changes in gui for this option. Include all your SASL and/or TLS config in custom main.cf options

      att,
      Marcello Coutinho

      Hi marcelloc,

      First, thanks for your great work.

      Do you have any guide or sample what should I include in main.cf to support TLS?

      I am sorry I can't find any reference in these posts.

      Thanks!

      Zlyzwy

      1 Reply Last reply Reply Quote 0
      • I
        ics
        last edited by

        Hi all,

        All emails appears in status "hold" in the search mail option.
        Is it normal ?
        Yet I receive all emails…

        Does it mean that a copy of all emails is kept in postfix ?
        If yes, the disk might be full soon...

        In the "third party antispam settings" of postfix, the message hold mode is "auto mode".
        Is it a recommended configuration ?
        What the advantage of manual mode ? And what should we put in ACL headers in such a mode (I'm a newbie)?

        Thanks

        1 Reply Last reply Reply Quote 0
        • marcellocM
          marcelloc
          last edited by

          @zlyzwy:

          Do you have any guide or sample what should I include in main.cf to support TLS?

          Paste postfix config for TLS on custom options at gui.

          As I did not implemented SASL/TLS yet, I don't know how to help you, but google does  ;)

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

          1 Reply Last reply Reply Quote 0
          • marcellocM
            marcelloc
            last edited by

            @ics:

            All emails appears in status "hold" in the search mail option.
            Is it normal ?

            It should only happens when you have select mailscanner integration but did not configured,installed or started mailscanner daemon

            @ics:

            Does it mean that a copy of all emails is kept in postfix ?

            No, it means that messages will stay on disk until mailscanner finishes his job on these messages.

            @ics:

            In the "third party antispam settings" of postfix, the message hold mode is "auto mode".
            Is it a recommended configuration ?
            What the advantage of manual mode ? And what should we put in ACL headers in such a mode (I'm a newbie)?

            I use manual mode as I can do some tests or choose the way I hold messages to mailscanner

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            1 Reply Last reply Reply Quote 0
            • marcellocM
              marcelloc
              last edited by

              @miken32:

              Sorry if this has been covered in the many pages before; I took a skim through and didn't find anything. I want to intercept all SMTP traffic (port 25) from the LAN side and redirect it to my own remote mail server, which requires SMTP authentication.

              Not implemented on this package. All features were included to act as an inbound smtp server to protect your exchange/internal server.

              Treinamentos de Elite: http://sys-squad.com

              Help a community developer! ;D

              1 Reply Last reply Reply Quote 0
              • E
                expert_az
                last edited by

                hello,

                i entered some sender restritions like

                ymail.com REJECT
                dengediksiyon_seti@yahoo.com REJECT
                best_tanitim_sektorel@rocketmail.com REJECT

                in access lits>>sender  section of the postfix package.

                But can't see these settings on main.cf ?any sync problem between this section of the postfix package and main.cf?

                here is part of my main.cf

                local_recipient_maps =
                mydestination =
                mynetworks_style = host
                message_size_limit = 15728640
                default_process_limit = 100
                #Just reject after helo,sender,client,recipient tests
                smtpd_delay_reject = yes

                Don't talk to mail systems that don't know their own hostname.

                smtpd_helo_required = yes
                smtpd_helo_restrictions =

                smtpd_sender_restrictions = reject_unknown_sender_domain,
                permit

                1 Reply Last reply Reply Quote 0
                • marcellocM
                  marcelloc
                  last edited by

                  On current config, sender restrictions are applied on sender_access

                  smtpd_recipient_restrictions = permit_mynetworks,
                                                  check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
                                                  check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
                                                  reject_invalid_helo_hostname,
                                                  reject_unknown_recipient_domain,
                                                  reject_non_fqdn_helo_hostname,
                                                  reject_non_fqdn_recipient,
                                                  reject_unauth_destination,
                                                  reject_unauth_pipelining,
                                                  reject_multi_recipient_bounce,
                                                  check_sender_access hash:/usr/local/etc/postfix/sender_access,
                                                  reject_spf_invalid_sender,
                                                  permit

                  Treinamentos de Elite: http://sys-squad.com

                  Help a community developer! ;D

                  1 Reply Last reply Reply Quote 0
                  • E
                    expert_az
                    last edited by

                    marcelloc i don't see in my main.cf sender_access ,any mistake in my config?

                    here is my cf.

                    Allow connections from specified local clients and rbl check everybody else if rbl check are set.

                    smtpd_client_restrictions = check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
                    check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
                    permit

                    Whitelisting: local clients may specify any destination domain.

                    #,
                    smtpd_recipient_restrictions = permit_mynetworks,
                    reject_unauth_destination,
                    permit

                    postscreen_disable_vrfy_command = yes
                    postscreen_non_smtp_command_enable = yes
                    postscreen_non_smtp_command_action = enforce
                    postscreen_pipelining_enable = yes
                    postscreen_pipelining_action = enforce
                    postscreen_bare_newline_enable = yes
                    postscreen_bare_newline_action = enforce
                    postscreen_greet_action = enforce
                    postscreen_access_list = permit_mynetworks,
                    cidr:/usr/local/etc/postfix/cal_cidr
                    postscreen_dnsbl_action= enforce
                    postscreen_blacklist_action= enforce
                    postscreen_dnsbl_sites=b.barracudacentral.org,zen.spamhaus.org,bl.spamcop.net
                    postscreen_dnsbl_threshold=1

                    1 Reply Last reply Reply Quote 0
                    • marcellocM
                      marcelloc
                      last edited by

                      Did you checked antipam settings on postfix gui? Your config looks short

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      1 Reply Last reply Reply Quote 0
                      • E
                        expert_az
                        last edited by

                        i'm using Header verification in basic mode,

                        1 Reply Last reply Reply Quote 0
                        • E
                          expert_az
                          last edited by

                          marcelloc any way to change position of the lines ?

                          smtpd_recipient_restrictions = permit_mynetworks,
                                                          check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
                                                          check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
                                                          reject_invalid_helo_hostname,
                                                          reject_unknown_recipient_domain,
                                                          reject_non_fqdn_helo_hostname,
                                                          reject_non_fqdn_recipient,
                                                          reject_unauth_destination,
                                                          reject_unauth_pipelining,
                                                          reject_multi_recipient_bounce,
                                                          check_sender_access hash:/usr/local/etc/postfix/sender_access,
                                                          reject_spf_invalid_sender,
                                                          permit

                          smtpd_recipient_restrictions = permit_mynetworks,
                                                          check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
                                                          check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
                                                          check_sender_access hash:/usr/local/etc/postfix/sender_access,
                                                          reject_invalid_helo_hostname,
                                                          reject_unknown_recipient_domain,
                                                          reject_non_fqdn_helo_hostname,
                                                          reject_non_fqdn_recipient,
                                                          reject_unauth_destination,
                                                          reject_unauth_pipelining,
                                                          reject_multi_recipient_bounce,
                                                          reject_spf_invalid_sender,
                                                          permit

                          1 Reply Last reply Reply Quote 0
                          • marcellocM
                            marcelloc
                            last edited by

                            Yes, it could be done but don't you think it will reduce security if you config for example @hotmail.com on sender_access?

                            All forged emails from @hotmail.com will be accepted.

                            Maybe two fields, one to be on top, with no sender restrictions and another after header spam checks.

                            Treinamentos de Elite: http://sys-squad.com

                            Help a community developer! ;D

                            1 Reply Last reply Reply Quote 0
                            • marcellocM
                              marcelloc
                              last edited by

                              I've pushed an update without version change putting sender_check above other tests.

                              Postfix docs says:
                              Be sure to specify check_sender_access and check_policy_service AFTER reject_unauth_destination or else your system could become an open mail relay., so I did configure reject_unauth_destination on top to prevent open relay configs.

                              Treinamentos de Elite: http://sys-squad.com

                              Help a community developer! ;D

                              1 Reply Last reply Reply Quote 0
                              • E
                                expert_az
                                last edited by

                                marcelloc,i'm going fetch recipients  from zimbra ldap,but as described on web gui to enable ldap fetch  p5-perl-ldap package must be installed.
                                when i tried install p5-perl-ldap package from console i'm getting this error:

                                Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.1-release/Latest/p5-perl-ldap.tbz: File unavailable (e.g., file not found, no access)
                                pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.1-release/Latest/p5-perl-ldap.tbz' by URL

                                any idea?

                                1 Reply Last reply Reply Quote 0
                                • marcellocM
                                  marcelloc
                                  last edited by

                                  @expert_az:

                                  any idea?

                                  try from my repo:

                                  pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-perl-ldap-0.4300.tbz

                                  Treinamentos de Elite: http://sys-squad.com

                                  Help a community developer! ;D

                                  1 Reply Last reply Reply Quote 0
                                  • E
                                    expert_az
                                    last edited by

                                    i get this output ,is this normal?

                                    Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-perl-ldap-0.4300.tbz… Done.
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-XML-NamespaceSupport-1.11.tbz... Done.
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-XML-SAX-0.96.tbz... Done.
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-XML-Filter-BufferText-1.01.tbz... Done.
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-XML-SAX-Writer-0.53.tbz... Done.
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-GSSAPI-0.28.tbz... Done.
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-Net-SSLeay-1.42.tbz... Done.
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-IO-Socket-SSL-1.53.tbz... Done.
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-URI-1.59.tbz... Done.
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-Digest-HMAC-1.03.tbz... Done.
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-Authen-SASL-2.15.tbz... Done.
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-Convert-ASN1-0.22.tbz... Done.
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
                                    pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt

                                    1 Reply Last reply Reply Quote 0
                                    • marcellocM
                                      marcelloc
                                      last edited by

                                      are you on amd64 or i386?

                                      Treinamentos de Elite: http://sys-squad.com

                                      Help a community developer! ;D

                                      1 Reply Last reply Reply Quote 0
                                      • E
                                        expert_az
                                        last edited by

                                        2.0.1-RELEASE (amd64)
                                        built on Mon Dec 12 18:43:51 EST 2011
                                        FreeBSD 8.1-RELEASE-p6

                                        1 Reply Last reply Reply Quote 0
                                        • marcellocM
                                          marcelloc
                                          last edited by

                                          I've never seen this error during package install.

                                          check if pkg_info return two postfix installs or something.

                                          EDIT:

                                          Let me know if this feature works with zimbra ldap.
                                          It's written for Active directory ldap search.

                                          att,
                                          Marcello Coutinho

                                          Treinamentos de Elite: http://sys-squad.com

                                          Help a community developer! ;D

                                          1 Reply Last reply Reply Quote 0
                                          • E
                                            expert_az
                                            last edited by

                                            by the way i can't see postfix package describtion propoerly,see attached screeshot

                                            bsdinstaller-2.0.2011.0913 BSD Installer mega-package
                                            cyrus-sasl-2.1.25_1 RFC 2222 SASL (Simple Authentication and Security Layer)
                                            daq-0.6.2          Data Acquisition abstraction library for snort 2.9+
                                            gettext-0.18.1.1    GNU gettext package
                                            libdnet-1.11_3      A simple interface to low level networking routines
                                            libiconv-1.13.1_1  A character set conversion library
                                            libnet11-1.1.2.1_3,1 A C library for creating IP packets
                                            libpcap-1.1.1_1    Ubiquitous network traffic capture library
                                            libspf2-1.2.9_1    Sender Rewriting Scheme 2 C Implementation
                                            mysql-client-5.1.53 Multithreaded SQL database (client)
                                            p5-Authen-SASL-2.15 Perl5 module for SASL authentication
                                            p5-Convert-ASN1-0.22 Perl5 module to encode and decode ASN.1 data structures
                                            p5-Digest-HMAC-1.03 Perl5 interface to HMAC Message-Digest Algorithms
                                            p5-GSSAPI-0.28      Perl extension providing access to the GSSAPIv2 library
                                            p5-IO-Socket-SSL-1.53 Perl5 interface to SSL sockets
                                            p5-Net-SSLeay-1.42  Perl5 interface to SSL
                                            p5-URI-1.59        Perl5 interface to Uniform Resource Identifier (URI) refere
                                            p5-XML-Filter-BufferText-1.01 Filter to put all characters() in one event
                                            p5-XML-NamespaceSupport-1.11 A simple generic namespace support class
                                            p5-XML-SAX-0.96    Simple API for XML
                                            p5-XML-SAX-Writer-0.53 SAX2 XML Writer
                                            p5-perl-ldap-0.4300 A Client interface to LDAP (includes Net::LDAP)
                                            pcre-8.21_1        Perl Compatible Regular Expressions library
                                            perl-5.12.4_3      Practical Extraction and Report Language
                                            perl-threaded-5.10.1_3 Practical Extraction and Report Language
                                            pkg_info: the package info for package 'postfix-2.8.7,1' is corrupt
                                            snort-2.9.0.5      Lightweight network intrusion detection system

                                            postfix_status.JPG
                                            postfix_status.JPG_thumb

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.