PostFix forwarder - LDAP lookup
-
Dear all,
I have configured the Postfix Forwarder to export account from AD (Windows 2003) on following:
hostname: server01.abc.com
domain: dc=abc,dc=com
username: cn=antispam,cn=abc (abc is OU which antispam account is placed)But when I run command to test, I did not get any account from AD, pls see the error below:
extracting from server01.abc.com…(0)
Total ldap recipients:0 unique:0Any advise to great with Postfix Forwarder?
Many thanks,
DQM -
@DQM:
Any advise to great with Postfix Forwarder?
It looks fine, can you try with a user at cn Users?
-
@DQM:
Any advise to great with Postfix Forwarder?
It looks fine, can you try with a user at cn Users?
Same result, marcelloc ! >:( Any advise?
Thanks,
DQM -
I've just had a bash at this with pfsense 2.1_x64 and windows 2008 r2 and it works fine. wouldn't work with some username though eg Administrator etc
Slightly off topic but is there any advantage to using this apart from the mail not hitting the exchange server at all?
-
Slightly off topic but is there any advantage to using this apart from the mail not hitting the exchange server at all?
It's reduces exchange server load and external link bandwidth as it rejects the email on header checks.
-
@DQM:
Same result, marcelloc ! Any advise?
Are you sure your password is correct? Is there special characters on it?
-
@DQM:
Same result, marcelloc ! Any advise?
Are you sure your password is correct? Is there special characters on it?
Dear marcelloc,
I am sure password is correct. Doest it require Exchange server must be installed already in the Actice Directory org?
Thanks,
-
@DQM:
I am sure password is correct. Doest it require Exchange server must be installed already in the Actice Directory org?
The script extracts email public information from users at AD. if email address is included by exchange server, then it requires Exchange server.
att,
Marcello Coutinho -
Having the same issues binding to LDAP. Any ideas guys? 2008 R2 Domain Controller
Thanks
-
@DQM:
I am sure password is correct. Doest it require Exchange server must be installed already in the Actice Directory org?
The script extracts email public information from users at AD. if email address is included by exchange server, then it requires Exchange server.
att,
Marcello CoutinhoHi Marcello,
After installing Exchange server, it is working well now. But another issue is SPF feature does not work.
I have created TXT record for abc.com(PfSense was able to resolve TXT record of abc.com). After that, I telnet to send mail by smtp command (user1@abc.com send to user1@abc.com), and I can push phishing emails to Postfix Forwarder.Any advise?
Thanks,
DQM -
Dear Marcello,
I'd like to mention the list of task that I did on the Postfix Forwarder on following:
- I cannot insert the customise "smtpd_banner" into main.cf. It seens does not allow saving after reboot the Pfsense box. It only allow saving if don't reboot the box. Right?
- SPF doesn't work once selected "Strong" at Header verification, only work if select "Basic"
- Any changes in the Antispam tab wouldn't send mail to it and got an error message like "501 5.1.7 Bad sender address syntax". After change to "Basic" at Header verification, everything will be ok again.
Could you please help to explain in more details?
Thank you,
DQM -
ive tried and tried to get this to ldap scrape from my DC and it doesnt work. I can connect from 50 ldap clients with the same username as password and it works 100%
can anyone share their configs etc - 2008 R2 Domain Controller.
Is the a guide or document to set this up?
Thanks
-
ive tried and tried to get this to ldap scrape from my DC and it doesnt work. I can connect from 50 ldap clients with the same username as password and it works 100%
can anyone share their configs etc - 2008 R2 Domain Controller.
Is the a guide or document to set this up?
Thanks
Hi voona,
Please follow up the guide below:
Step 1: Install p5-perl-ldap by run command below
i386
pkg_add -r http://e-sac.siteseguro.ws/packages/8/All/p5-perl-ldap-0.4300.tbzamd64
pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/p5-perl-ldap-0.4300.tbzStep 2: Modify adexport.pl file at /usr/local/etc/postfix/adexport.pl
Change the first line of this file to #!/usr/local/bin/perl5.12.4 -w
Step 3: Run command below for testing result
/usr/local/bin/php -q /usr/local/www/postfix_recipients.phpIf you get number of recipient from LDAP, then it is working well
P/S: Make sure that Exchange server or any Mail server which is able to public email address attribute of users to LDAP server was installed on your system.
GL,
DQM -
Ok LDAP is working now i had a space in the username and it didn't like it.
Still seem to be errors when installing the mailscanner package.. clamav doesnt install properly can someone point me in the right direction
Cheers
-
Slightly off topic but is there any advantage to using this apart from the mail not hitting the exchange server at all?
It's reduces exchange server load and external link bandwidth as it rejects the email on header checks.
In addition this feature is very valuable as it prevents backscatter.
Backscatter is when a spammer sends emails to an invalid address at your domain with a spoofed sender address. The intended result of this is to spam the intended recipient i.e the spoofed sender with NDR's from your mail server.
If postfix is configured without this check, it will relay every email it receives that passes other enabled checks to your mail server. When your mail server realises it does not know of a valid recipient/mailbox to deliver the mail to, it should send an NDR to the spoofed sender.
NDR's can be disabled, but this is against RFC2821.
-
@DQM:
I'd like to mention the list of task that I did on the Postfix Forwarder on following:
- I cannot insert the customise "smtpd_banner" into main.cf. It seens does not allow saving after reboot the Pfsense box. It only allow saving if don't reboot the box. Right?
Did you tried to include this option on postfix custom options field on gui?
@DQM:
- SPF doesn't work once selected "Strong" at Header verification, only work if select "Basic"
- Any changes in the Antispam tab wouldn't send mail to it and got an error message like "501 5.1.7 Bad sender address syntax". After change to "Basic" at Header verification, everything will be ok again.
I have strong header set and it looks like spf is working, do you have any error message or log you detected it.
If it's a bug during package save settings, I can fix next week. -
@DQM:
I'd like to mention the list of task that I did on the Postfix Forwarder on following:
- I cannot insert the customise "smtpd_banner" into main.cf. It seens does not allow saving after reboot the Pfsense box. It only allow saving if don't reboot the box. Right?
Did you tried to include this option on postfix custom options field on gui?
@DQM:
- SPF doesn't work once selected "Strong" at Header verification, only work if select "Basic"
- Any changes in the Antispam tab wouldn't send mail to it and got an error message like "501 5.1.7 Bad sender address syntax". After change to "Basic" at Header verification, everything will be ok again.
I have strong header set and it looks like spf is working, do you have any error message or log you detected it.
If it's a bug during package save settings, I can fix next week.Dear Marcello,
I have tried to insert the customise "smtpd_banner" by GUI and it is well now. But SPF and any change in the Antispam tab still did not work when "Strong" was selected (I perform testing by SMTP command - telnet to send mail, I did not test by other SMTP server). Does has problem with sending email by command?
Thanks,
DQM -
check config files with basic and strong header check enabled to see if spf options are included or not.
-
Dear Marcello,
Now I have one more problem. It is RBL feature on the PF, it does not work. Below is content of my config file:
/usr/local/etc/postfix/main.cf
#main.cf
#Part of the Postfix package for pfSense
#Copyright (C) 2010 Erik Fonnesbeck
#Copyright (C) 2011 Marcello Coutinho
#All rights reserved.
#DO NOT EDIT THIS FILEmynetworks = /usr/local/etc/postfix/mynetwork_table
mynetworks_style = host
smtpd_banner = mail-gw-01.abc.com ESMTP
relay_domains = abc.com
transport_maps = hash:/usr/local/etc/postfix/transport
local_recipient_maps =
mydestination =
mynetworks_style = host
message_size_limit = 10240000
default_process_limit = 100
#Just reject after helo,sender,client,recipient tests
smtpd_delay_reject = yesDon't talk to mail systems that don't know their own hostname.
smtpd_helo_required = yes
smtpd_helo_restrictions =smtpd_sender_restrictions = reject_unknown_sender_domain,
permitAllow connections from specified local clients and rbl check everybody else if rbl check are set.
smtpd_client_restrictions = permit_mynetworks,
reject_unauth_destination,
check_sender_access hash:/usr/local/etc/postfix/sender_access,
check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
check_client_access cidr:/usr/local/etc/postfix/cal_cidr
permitWhitelisting: local clients may specify any destination domain.
#,
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination,
check_sender_access hash:/usr/local/etc/postfix/sender_access,
check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
reject_spf_invalid_sender,
permitsoft_bounce = yes
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_greet_action = enforce
postscreen_access_list = permit_mynetworks,
cidr:/usr/local/etc/postfix/cal_cidr
postscreen_dnsbl_action= enforce
postscreen_blacklist_action= enforce
postscreen_dnsbl_sites=zen.spamhaus.org, bl.spamcop.net
postscreen_dnsbl_threshold=2Does my config file has any issues? Could you please help to solve it?
Thank you for your support,
DQM -
Are you sure it's not working?
the setup is fine and rbl lists are applied on postscreen daemon
postscreen_greet_wait = ${stress?2}${stress:6}s postscreen_greet_action = enforce postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/cal_cidr postscreen_dnsbl_action= enforce postscreen_blacklist_action= enforce postscreen_dnsbl_sites=zen.spamhaus.org, bl.spamcop.net postscreen_dnsbl_threshold=2This last arg says that a hostname must be on both lists to get blocked
