Postfix - antispam and relay package

marcelloc

Sorry if this has been covered in the many pages before; I took a skim through and didn't find anything. I want to intercept all SMTP traffic (port 25) from the LAN side and redirect it to my own remote mail server, which requires SMTP authentication.

Not implemented on this package. All features were included to act as an inbound smtp server to protect your exchange/internal server.

expert_az

hello,

i entered some sender restritions like

ymail.com REJECT
dengediksiyon_seti@yahoo.com REJECT
best_tanitim_sektorel@rocketmail.com REJECT

in access lits>>sender section of the postfix package.

But can't see these settings on main.cf ?any sync problem between this section of the postfix package and main.cf?

here is part of my main.cf

local_recipient_maps =
mydestination =
mynetworks_style = host
message_size_limit = 15728640
default_process_limit = 100
#Just reject after helo,sender,client,recipient tests
smtpd_delay_reject = yes

Don't talk to mail systems that don't know their own hostname.

smtpd_helo_required = yes
smtpd_helo_restrictions =

smtpd_sender_restrictions = reject_unknown_sender_domain,
permit

marcelloc

On current config, sender restrictions are applied on sender_access

smtpd_recipient_restrictions = permit_mynetworks,
check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
reject_invalid_helo_hostname,
reject_unknown_recipient_domain,
reject_non_fqdn_helo_hostname,
reject_non_fqdn_recipient,
reject_unauth_destination,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
check_sender_access hash:/usr/local/etc/postfix/sender_access,
reject_spf_invalid_sender,
permit

expert_az

marcelloc i don't see in my main.cf sender_access ,any mistake in my config?

here is my cf.

Allow connections from specified local clients and rbl check everybody else if rbl check are set.

smtpd_client_restrictions = check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
permit

Whitelisting: local clients may specify any destination domain.

#,
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination,
permit

postscreen_disable_vrfy_command = yes
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce
postscreen_greet_action = enforce
postscreen_access_list = permit_mynetworks,
cidr:/usr/local/etc/postfix/cal_cidr
postscreen_dnsbl_action= enforce
postscreen_blacklist_action= enforce
postscreen_dnsbl_sites=b.barracudacentral.org,zen.spamhaus.org,bl.spamcop.net
postscreen_dnsbl_threshold=1

marcelloc

Did you checked antipam settings on postfix gui? Your config looks short

expert_az

i'm using Header verification in basic mode,

expert_az

marcelloc any way to change position of the lines ?

smtpd_recipient_restrictions = permit_mynetworks,
check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
reject_invalid_helo_hostname,
reject_unknown_recipient_domain,
reject_non_fqdn_helo_hostname,
reject_non_fqdn_recipient,
reject_unauth_destination,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
check_sender_access hash:/usr/local/etc/postfix/sender_access,
reject_spf_invalid_sender,
permit

smtpd_recipient_restrictions = permit_mynetworks,
check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
check_sender_access hash:/usr/local/etc/postfix/sender_access,
reject_invalid_helo_hostname,
reject_unknown_recipient_domain,
reject_non_fqdn_helo_hostname,
reject_non_fqdn_recipient,
reject_unauth_destination,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
reject_spf_invalid_sender,
permit

marcelloc

Yes, it could be done but don't you think it will reduce security if you config for example @hotmail.com on sender_access?

All forged emails from @hotmail.com will be accepted.

Maybe two fields, one to be on top, with no sender restrictions and another after header spam checks.

marcelloc

I've pushed an update without version change putting sender_check above other tests.

Postfix docs says:
Be sure to specify check_sender_access and check_policy_service AFTER reject_unauth_destination or else your system could become an open mail relay., so I did configure reject_unauth_destination on top to prevent open relay configs.

expert_az

marcelloc,i'm going fetch recipients from zimbra ldap,but as described on web gui to enable ldap fetch p5-perl-ldap package must be installed.
when i tried install p5-perl-ldap package from console i'm getting this error:

Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.1-release/Latest/p5-perl-ldap.tbz: File unavailable (e.g., file not found, no access)
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.1-release/Latest/p5-perl-ldap.tbz' by URL

any idea?

marcelloc

@expert_az:

any idea?

try from my repo:

pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-perl-ldap-0.4300.tbz

expert_az

i get this output ,is this normal?

Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-perl-ldap-0.4300.tbz… Done.
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-XML-NamespaceSupport-1.11.tbz... Done.
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-XML-SAX-0.96.tbz... Done.
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-XML-Filter-BufferText-1.01.tbz... Done.
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-XML-SAX-Writer-0.53.tbz... Done.
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-GSSAPI-0.28.tbz... Done.
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-Net-SSLeay-1.42.tbz... Done.
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-IO-Socket-SSL-1.53.tbz... Done.
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-URI-1.59.tbz... Done.
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-Digest-HMAC-1.03.tbz... Done.
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-Authen-SASL-2.15.tbz... Done.
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-Convert-ASN1-0.22.tbz... Done.
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt
pkg_add: the package info for package 'postfix-2.8.7,1' is corrupt

marcelloc

are you on amd64 or i386?

expert_az

2.0.1-RELEASE (amd64)
built on Mon Dec 12 18:43:51 EST 2011
FreeBSD 8.1-RELEASE-p6

marcelloc

I've never seen this error during package install.

check if pkg_info return two postfix installs or something.

EDIT:

Let me know if this feature works with zimbra ldap.
It's written for Active directory ldap search.

att,
Marcello Coutinho

expert_az

by the way i can't see postfix package describtion propoerly,see attached screeshot

bsdinstaller-2.0.2011.0913 BSD Installer mega-package
cyrus-sasl-2.1.25_1 RFC 2222 SASL (Simple Authentication and Security Layer)
daq-0.6.2 Data Acquisition abstraction library for snort 2.9+
gettext-0.18.1.1 GNU gettext package
libdnet-1.11_3 A simple interface to low level networking routines
libiconv-1.13.1_1 A character set conversion library
libnet11-1.1.2.1_3,1 A C library for creating IP packets
libpcap-1.1.1_1 Ubiquitous network traffic capture library
libspf2-1.2.9_1 Sender Rewriting Scheme 2 C Implementation
mysql-client-5.1.53 Multithreaded SQL database (client)
p5-Authen-SASL-2.15 Perl5 module for SASL authentication
p5-Convert-ASN1-0.22 Perl5 module to encode and decode ASN.1 data structures
p5-Digest-HMAC-1.03 Perl5 interface to HMAC Message-Digest Algorithms
p5-GSSAPI-0.28 Perl extension providing access to the GSSAPIv2 library
p5-IO-Socket-SSL-1.53 Perl5 interface to SSL sockets
p5-Net-SSLeay-1.42 Perl5 interface to SSL
p5-URI-1.59 Perl5 interface to Uniform Resource Identifier (URI) refere
p5-XML-Filter-BufferText-1.01 Filter to put all characters() in one event
p5-XML-NamespaceSupport-1.11 A simple generic namespace support class
p5-XML-SAX-0.96 Simple API for XML
p5-XML-SAX-Writer-0.53 SAX2 XML Writer
p5-perl-ldap-0.4300 A Client interface to LDAP (includes Net::LDAP)
pcre-8.21_1 Perl Compatible Regular Expressions library
perl-5.12.4_3 Practical Extraction and Report Language
perl-threaded-5.10.1_3 Practical Extraction and Report Language
pkg_info: the package info for package 'postfix-2.8.7,1' is corrupt
snort-2.9.0.5 Lightweight network intrusion detection system

postfix_status.JPG_thumb

marcelloc

That's the corrupt info you see on pkg_add.

if you want to try, this is the cmd to force postfix package reinstall

pkg_add -rf http://files.pfsense.org/packages/amd64/8/All/postfix-2.8.7%2c1.tbz

expert_az

thank you marcelloc,
i will try it after operational hours.

expert_az

but it seems perl ldap installed?am i right?

marcelloc

@expert_az:

but it seems perl ldap installed?am i right?

yes.

p5-perl-ldap-0.4300 A Client interface to LDAP (includes Net::LDAP)

I saw you have two perl versions installed
perl-5.12.4_3 Practical Extraction and Report Language
perl-threaded-5.10.1_3 Practical Extraction and Report Language

If you have missing modules messages on this function, you will need to force a perl version on first line of the script.