Postfix - antispam and relay package

biggsy

Hi Marcello,

I have an IronPort box that's been trying to bounce the same mail to my mail server, on the hour for nearly three days.

The sender address is being rejected for obvious reasons:

NOQUEUE: reject: RCPT from ironport2-out.teksavvy.com[206.248.154.182]: 450 4.1.8 mailman-bounces@localhost.localdomain: Sender address rejected: Domain not found; from= mailman-bounces@localhost.localdomain…

I tried to whitelist the server, blacklist it and a bunch of other things but the reject_unknown_sender_domain still kicks in and, becasue it's only a 450 response, they try again an hour later.

I thought I'd try "soft_bounce=no" but the GUI won't allow me to set that.

I can get soft_bounce=yes by setting soft bounce to "enabled" in the GUI but selecting either "Only in PostScreen" or "Disabled" just clears soft_bounce from main.cf.

I thought Disabled should set soft_bounce=no but wanted to ask what you think?/mailman-bounces@localhost.localdomain /mailman-bounces@localhost.localdomain

marcelloc

The best way to receive this bounce is to send an email to remote site sysadmin explaining his server misconfiguration.
To workaround for this misconfigured server, enable dns forwarder service and add missing domain/host as a Host Override.

I thought Disabled should set soft_bounce=no but wanted to ask what you think?

postfix documentation says that soft_bounce default value is no, so if it's not declared, then soft_bounce=no.

soft_bounce (default: no)
Safety net to keep mail queued that would otherwise be returned to the sender. This parameter disables locally-generated bounces, and prevents the Postfix SMTP server from rejecting mail permanently, by changing 5xx reply codes into 4xx. However, soft_bounce is no cure for address rewriting mistakes or mail routing mistakes.

Example:

soft_bounce = yes

att,
Marcello Coutinho

ics

Hi,

My Postfix rejects emails from a server with the error : "Client host rejected: cannot find your hostname"
However, the IP address is perfectly resolvable.
And in maillog :
"warning: ...: hostname domain.net verification failed: hostname nor servname provided, or not known"

I tried to add the IP address in MyNetworks, no change.

Do you know what is misconfigured ?

Thanks

marcelloc

The ip address is resolvable, but hostname that server sent on smtp header is?

Sometimes this wrong hostname is sent on servername or helo info.

ics

postfix says :
RCPT from unknown[IP_Address]: 450 4.7.1 Client host rejected: cannot find your hostname
The helo is correct and correspond to the IP address when resolved.

The hostname in smtp header is the HELO ?
If not where can I find it in the log ?

Anyway, why is it still rejected while the IP is in MyNetworks ?

marcelloc

@ics:

Anyway, why is it still rejected while the IP is in MyNetworks ?

even on MyNetworks, the email must be correct.
The mynetworks will allow this ip to relay to any domain.

Add this ipname on dns forwarder host override list and check if it pass the resolv test.

att,
Marcello Coutinho

ics

@marcelloc:

Add this ipname on dns forwarder host override list and check if it pass the resolv test.

It works.

Thank you

arosenau

Has anyone been able to get this to work using Gmail as a relay? I get the following errors when I try and relay through gmail using this package

Jul 12 23:50:51
postfix/smtp[17005]: unable to dlopen /usr/local/lib/sasl2/libgssapiv2.so.2: Shared object "libgssapi.so.10" not found, required by "libgssapiv2.so.2"

Jul 12 23:50:51
postfix/smtp[17005]: cannot load Certificate Authority data: disabling TLS support

Jul 12 23:50:51
postfix/smtp[17005]: warning: TLS library problem: 17005:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:126:fopen('/etc/pki/tls/certs/ca-bundle.crt','r'):

Jul 12 23:50:51
postfix/smtp[17005]: warning: TLS library problem: 17005:error:2006D080:BIO routines:BIO_new_file:no such file:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:129:

Jul 12 23:50:51
postfix/smtp[17005]: warning: TLS library problem: 17005:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/by_file.c:274:

I think the most important error is this one
postfix/smtp[17005]: cannot load Certificate Authority data: disabling TLS support

and I would assume that is because it can't find the smtp_tls_CAfile which I also can't find anywhere on the pfsense box, so I can't specify the correct path in my main.cf file.

Any ideas? I'm sure its something simple i missed. :P

marcelloc

@arosenau:

Any ideas? I'm sure its something simple i missed. :P

you will need some libs from freebsd to get it working.

take a look on my repo.
i386
http://e-sac.siteseguro.ws/pfsense/8/All/ldd/

amd64
http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

arosenau

@marcelloc:

@arosenau:

Any ideas? I'm sure its something simple i missed. :P

you will need some libs from freebsd to get it working.

take a look on my repo.
i386
http://e-sac.siteseguro.ws/pfsense/8/All/ldd/

amd64
http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

Can you point me in the right direction on how to get these installed? I am familiar with apt and yum in the Linux world, but I don't know how package management works in the freebsd/pfsense world.

marcelloc

@arosenau:

Can you point me in the right direction on how to get these installed?

Just download the missing libs to /usr/local/lib using fetch cmd on console/ssh and try again.

att,
Marcello Coutinho

arosenau

@marcelloc:

Just download the missing libs to /usr/local/lib using fetch cmd on console/ssh and try again.

att,
Marcello Coutinho

So I got those packages downloaded and stopped and started post fix but I'm still having the same errors. Also I didn't mention in my first post that I also get an error that says " Must issue a STARTTLS command first. y5sm20759670igb.11 (in reply to MAIL FROM command))" I would assume I"m getting this error because it can't load the Certificate Authority data and it disabled TLS support.

marcelloc

@arosenau:

Jul 12 23:50:51
postfix/smtp[17005]: unable to dlopen /usr/local/lib/sasl2/libgssapiv2.so.2: Shared object "libgssapi.so.10" not found, required by "libgssapiv2.so.2"

The postfix message looks for libs on /usr/local/lib/sasl2/ instead of /usr/local/lib like I've posted.

can you try to copy these libs to /usr/local/lib/sasl2/ and teste again?

att,
Marcello Coutinho

arosenau

@marcelloc:

The postfix message looks for libs on /usr/local/lib/sasl2/ instead of /usr/local/lib like I've posted.

can you try to copy these libs to /usr/local/lib/sasl2/ and teste again?

att,
Marcello Coutinho

Still doesn't work, although the error now looks slightly different "unsupported file layout"

Jul 16 22:12:40 postfix/smtp[9495]: unable to dlopen /usr/local/lib/sasl2/libgssapiv2.so.2: /usr/local/lib/libgssapi.so.10: unsupported file layout 
Jul 16 22:12:40 postfix/smtp[9495]: unable to dlopen /usr/local/lib/sasl2/libgssapiv2.so.2: /usr/local/lib/libgssapi.so.10: unsupported file layout 
Jul 16 22:12:40 postfix/smtp[9495]: cannot load Certificate Authority data: disabling TLS support 
Jul 16 22:12:40 postfix/smtp[9495]: warning: TLS library problem: 9495:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:126:fopen('/etc/pki/tls/certs/ca-bundle.crt','r'): 
Jul 16 22:12:40 postfix/smtp[9495]: warning: TLS library problem: 9495:error:2006D080:BIO routines:BIO_new_file:no such file:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:129: 
Jul 16 22:12:40 postfix/smtp[9495]: warning: TLS library problem: 9495:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/by_file.c:274: 
Jul 16 22:12:40 postfix/smtp[9495]: 0EE7440B28F: to=<armyreciepent@gmail.com>, relay=smtp.gmail.com[209.85.225.108]:587, delay=0.64, delays=0.37/0.02/0.21/0.04, dsn=5.7.0, status=bounced (host smtp.gmail.com[209.85.225.108] said: 530 5.7.0 Must issue a STARTTLS command first. ud8sm20864816igb.4 (in reply to MAIL FROM command)) 
Jul 16 22:12:40 postfix/cleanup[9348]: A5BBD40B298: message-id=<20120716221240.A5BBD40B298@relay> 
Jul 16 22:12:40 postfix/bounce[9782]: 0EE7440B28F: sender non-delivery notification: A5BBD40B298 
Jul 16 22:12:40 postfix/qmgr[53688]: A5BBD40B298: from=<>, size=2493, nrcpt=1 (queue active) 
Jul 16 22:12:40 postfix/qmgr[53688]: 0EE7440B28F: removed 
Jul 16 22:12:40 postfix/smtp[9495]: A5BBD40B298: to=<xxx@mydomain.com>, relay=smtp.gmail.com[209.85.225.109]:587, delay=0.16, delays=0.01/0/0.12/0.04, dsn=5.7.0, status=bounced (host smtp.gmail.com[209.85.225.109] said: 530 5.7.0 Must issue a STARTTLS command first. k5sm9875094igq.12 (in reply to MAIL FROM command)) 
Jul 16 22:12:40 postfix/qmgr[53688]: A5BBD40B298: removed</xxx@mydomain.com></armyreciepent@gmail.com>

marcelloc

@arosenau:

Still doesn't work, although the error now looks slightly different "unsupported file layout"

It normally means you have copied files from a different arch. (i386 files on amd64 for example)

arosenau

@marcelloc:

It normally means you have copied files from a different arch. (i386 files on amd64 for example)

Yep that was the issue there. I didn't build this box and just assumed it was 64 bit and turns out it is only 32 bit. So that solved those errors although it still doesn't work and I have the below errors, all concerning TLS.

Jul 17 00:47:50 postfix/smtp[11692]: cannot load Certificate Authority data: disabling TLS support 
Jul 17 00:47:50 postfix/smtp[11692]: warning: TLS library problem: 11692:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:126:fopen('/etc/pki/tls/certs/ca-bundle.crt','r'): 
Jul 17 00:47:50 postfix/smtp[11692]: warning: TLS library problem: 11692:error:2006D080:BIO routines:BIO_new_file:no such file:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:129: 
Jul 17 00:47:50 postfix/smtp[11692]: warning: TLS library problem: 11692:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/by_file.c:274: 
Jul 17 00:47:50 postfix/smtp[11692]: DDAE740B293: to=<myrecipient@gmail.com>, relay=smtp.gmail.com[209.85.225.109]:587, delay=0.65, delays=0.37/0.08/0.17/0.04, dsn=5.7.0, status=bounced (host smtp.gmail.com[209.85.225.109] said: 530 5.7.0 Must issue a STARTTLS command first. g5sm10214882ign.4 (in reply to MAIL FROM command)) 
Jul 17 00:47:50 postfix/cleanup[11555]: 841B240B29D: message-id=<20120717004750.841B240B29D@relay> 
Jul 17 00:47:50 postfix/bounce[11894]: DDAE740B293: sender non-delivery notification: 841B240B29D 
Jul 17 00:47:50 postfix/qmgr[56809]: 841B240B29D: from=<>, size=2491, nrcpt=1 (queue active) 
Jul 17 00:47:50 postfix/qmgr[56809]: DDAE740B293: removed 
Jul 17 00:47:50 postfix/smtp[11692]: 841B240B29D: to=<myuser@mydomain.com>, relay=smtp.gmail.com[209.85.225.108]:587, delay=0.17, delays=0.01/0/0.12/0.04, dsn=5.7.0, status=bounced (host smtp.gmail.com[209.85.225.108] said: 530 5.7.0 Must issue a STARTTLS command first. pp4sm21477529igb.5 (in reply to MAIL FROM command)) 
Jul 17 00:47:50 postfix/qmgr[56809]: 841B240B29D: removed</myuser@mydomain.com></myrecipient@gmail.com>

arosenau

So I ended up solving the TLS errors by downloading the following cert bundle. Is this the correct bundle? It is working now but is this the long term solution?

http://curl.haxx.se/ca/cacert.pem

marcelloc

I think this TLS ca missing cert is from remote site certificate.

the ca_root certificate package on freebsd ports is ca_root_nss-3.13.5

Mailscanner package installs it, but the way you did(if you trust http://curl.haxx.se site) also installed the ca bundle certs file.

schedule from time to time an ca_bundle file update.

Unubtanium

So if i am not way leftfield, would i go about stopping backscatter coming in with something like this:
OR have i blown a logic fuse :P

By put this in header check under ACL

/^(From|Return-Path):.*\b(user@domain.tld)\b/
reject forged sender address in $1: header: $2

And putting this in body checks

/^[> ](From|Return-Path):.\b(user@domain.tld)\b/
reject forged sender address in $1: header: $2

I am a bit confused after reading this: http://www.postfix.org/BACKSCATTER_README.html
DO i have to manually have to change the user@domain to my local domain users so it would be user@mydomain.com and or will
it check my Valid recipients and block ALL external emails that comes from the internet with my Valid recipients as from field?
???

And would this also help stopping me from being a source for backscatter? or again have i blown a fuse??

marcelloc

@Unubtanium:

I am a bit confused after reading this: http://www.postfix.org/BACKSCATTER_README.html
DO i have to manually have to change the user@domain to my local domain users so it would be user@mydomain.com and or will
it check my Valid recipients and block ALL external emails that comes from the internet with my Valid recipients as from field?
???

All postfix antispam settings(spf checks, helo checks, etc..) and valid recipients can do a really good job on rejecting junk/misconfigured mail servers.
If you want to apply these backscatter rules, you need to change user@domain to your domain.

@Unubtanium:

And would this also help stopping me from being a source for backscatter? or again have i blown a fuse??

Do you have any postfix log with these backscatter on your domain?

att,
Marcello Coutinho