Postfix - antispam and relay package

dsy

Hello

I would like to disable all anti-spam in postfix because I use a custom Milter plugin.
How can I disable reject_unknown_sender_domain or smtpd_helo_required ?

Thank you.

Parameters in "custom mail.cf" field are not applied because of precedence as you can see:

mynetworks = /usr/pbi/postfix-i386/etc/postfix/mynetwork_table
mynetworks_style = host
access_map_reject_code= 554
access_map_defer_code = 451
unverified_recipient_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
smtpd_sender_restrictions = permit # not applied!
smtpd_milters = inet:<milter ip="">:7830
milter_default_action = reject
show_user_unknown_table_name = no
smtpd_helo_required = no # not applied!
bounce_queue_lifetime = 0d
relay_domains = mydomain.com
transport_maps = hash:/usr/pbi/postfix-i386/etc/postfix/transport
local_recipient_maps =
relay_recipient_maps = hash:/usr/pbi/postfix-i386/etc/postfix/relay_recipients
mydestination =
mynetworks_style = host
message_size_limit = 10240000
default_process_limit = 100
#Just reject after helo,sender,client,recipient tests
smtpd_delay_reject = yes

# Don't talk to mail systems that don't know their own hostname.
smtpd_helo_required = yes

smtpd_sender_restrictions = reject_unknown_sender_domain,
				permit</milter>

yaboc

@Bismarck:

@biggsy:

postfix 2.11 was released in January and, among other things, it contains the following enhancement:

• A new postscreen_dnsbl_whitelist_threshold feature to allow
      clients to skip postscreen tests based on their DNSBL score.
      This can eliminate email delays due to "after 220 greeting"
      protocol tests, which otherwise require that a client reconnects
      before it can deliver mail. Some providers such as Google don't
      retry from the same IP address, and that can result in large
      email delivery delays.

Any chance of an updated package based on postfix 2.11?

Oh yes please!

second that!

biggsy

Sorry, yaboc, Bismarck is second.  You'll have to go third  :)

If Google is your main problem and you missed this post, give it a try.

It is a bit of a "broad brush" but it's been working well for me.

wawawawa

Hi All

I have the postfix package all set up and working, forwarding all incoming mail to a next hop internal MTA.

I would also like to BCC all mail to an address used by an external mail scanning system.

As far as I understand, this should be as easy as adding the following line to the custom main.cf section in the pfSense WebUI:

always_bcc = archive@ <internal ip="" of="" mta="">However… It's not working.

Does anyone have any suggestions to troubleshoot this or an alternate way to achieve the same end-result.

Many thanks for your time!

Cheers</internal>

malteG

Hi Guys,

i am just new here although i am using pfsense since a while for different purposes in a vmware environment.
So far i am really happy.

But i have one concern & problem i discovered today around the postfix-forwarder package :

Domains added in the "forward" tab shouldn't be added to relay_domains in main.cf per default.
Since transports and relay_domains are two totally different things.

I'd suggest to run a regex over the aggregated relay_recipients and filter out the domain parts and include those automatically
or make a checkbox next to each domain to include it in relay_domains.
But still this doesn't make much sense and i cannot see the reason in defining a specific transport - and then delivery to these domains fails since the recipients in that domain are not listed in relay_recipients…

And yes it makes sense, to separate, just think about having several vpn connections - so you want to send mail from i.e. branch offices to main offices to the internal mail server via vpn, without knowing who is a valid recipient there.
Otherwise callback verify should be enabled, so on delivery attempts to domains in the transport section postfix runs a test against the defined mail server to check if that one is accepting mail for that recipient.

Anyway some might say this should be properly solved with DNS - but i tend to disagree since this is rendering the transports useless.

What do you guys think ?
For now, i fixed it by putting my actual relay_domains into postfix.inc and commented out the part where it adds the transport domains to relay_domains.

wawawawa

@wawawawa:

Hi All

I have the postfix package all set up and working, forwarding all incoming mail to a next hop internal MTA.

I would also like to BCC all mail to an address used by an external mail scanning system.

As far as I understand, this should be as easy as adding the following line to the custom main.cf section in the pfSense WebUI:

always_bcc = archive@ <internal ip="" of="" mta="">However… It's not working.

Does anyone have any suggestions to troubleshoot this or an alternate way to achieve the same end-result.

Many thanks for your time!

Cheers</internal>

Hi All,

Maybe I can give a little more information here!

The config I add in the custom area in the WebUI is not seen when I use```
postconf

I have restarted postfix so it should be generating new config.

Any ideas?

Thanks

yaboc

@biggsy:

Sorry, yaboc, Bismarck is second.  You'll have to go third  :)

If Google is your main problem and you missed this post, give it a try.

It is a bit of a "broad brush" but it's been working well for me.

ha as long as it gets implemented i can wait ;) thanks for the google list biggsy, but there are other emails that we get from same domain / multiple MTAs and it's annoying. sometimes it can take hours for the mail to finally come through.

also i noticed 'permit' is used per line whereas the HINT says to use OK / REJECT
i put OK and see if it works for google servers.

Thanks

Bismarck

@biggsy:

Sorry, yaboc, Bismarck is second.  You'll have to go third  :)

If Google is your main problem and you missed this post, give it a try.

It is a bit of a "broad brush" but it's been working well for me.

Thanks biggsy, but unfortunately google is not the only problem, I'm tweaking my whitelist (yahoo, hotmail etc…) since few days but its a demanding job over time, so postscreen_dnsbl_whitelist_threshold would be a great help here.

jaredadams

Hi, I'm looking for some clarification on settings.  Currently I have a good amount of legit email bouncing off the Helo tests

Jun 24 09:16:51 pfsense postfix/smtpd[47197]: NOQUEUE: reject: RCPT from outbound1.notrealdomain.com[12.xx.xxx.82]: 550 5.7.1 <ironport1.notrealdomain.com>: Helo command rejected: Host not found</ironport1.notrealdomain.com>

I think our problem is the mismatch in hostnames.  I dont want to turn off the helo tests completely as they serve a good function for when no helo at all is recieved back, but I'd like to be able to ignore these mismatches.

Bismarck

@jaredadams:

Hi, I'm looking for some clarification on settings.  Currently I have a good amount of legit email bouncing off the Helo tests

Jun 24 09:16:51 pfsense postfix/smtpd[47197]: NOQUEUE: reject: RCPT from outbound1.notrealdomain.com[12.xx.xxx.82]: 550 5.7.1 <ironport1.notrealdomain.com>: Helo command rejected: Host not found</ironport1.notrealdomain.com>

I think our problem is the mismatch in hostnames.  I dont want to turn off the helo tests completely as they serve a good function for when no helo at all is recieved back, but I'd like to be able to ignore these mismatches.

https://forum.pfsense.org/index.php?topic=63343.0

Try in helo acl field:

/ironport1.notrealdomain.com/ OK (this is for HELO)

and in CIDR field:

12.xx.xxx.82 OK (this is for legitimate clients without or wrong rDNS)

gnordli

I am using the postfix forwarder on pfsense.

Outbound email sent to google is getting tagged as spam and ending up in people's spam folder.

I have done some testing using http://www.allaboutspam.com/email-server-test/ and it passes everything except for BATV and DKIM.

From what I have read the lack of DKIM can cause google to mark it as spam.

Any ideas on setting DKIM up on pfsense?

thanks,

Geoff

toddh

Hello,

I am new to pfSense and am looking at using it to replace some postfix - spamassassin - clam gateways.  We have a mail server behind and we want to forward several domains.

For the Recipients we are exporting the user list to Postfix via clean text url and that is working perfectly.

Does anyone have a way to automate/read the Forwarding Domains rather than enter them manually?

In our current system we export the transport file to the gateways.  The transport file is used for both the transport_map and the relay_domains.  I started working on this then realizes someone else probably has come across the same issue.

Thanks!

Todd

yaboc

Hi,

I've been using postfix forwarder for about a year now which listens on loopback and delivers mail to internal exchange. However i can't telnet either the main WAN on 25 that postfix forwarder listens on on exchange (on it's own separate IP).

We must allow one host to be able to relay the mail. How would i set this up ?

Also not sure if this will make things easier or more complicated but we have the ability to connect with the host with IPSEC and relay directly to exchange however I can't telnet to exchange even via the IPSEC via the local exchange IP.

Would postfix forwarder have any say in it as well ? Catching mail on 25 that goes through VPN? Anything i have to set up to get this working?

Thanks

yaboc

biggsy

Toddh,

The list of relay domains and their corresponding destination IPs is held in /usr/pbi/postfix-amd64/etc/postfix/transport

I think this is just used to build /usr/pbi/postfix-amd64/etc/postfix/transport**.db** using the command

postmap  /usr/pbi/postfix-amd64/etc/postfix/transport

The transport.db file is then used by postfix, rather the plaintext transport file.

You could try creating a new transport file in the right format and run the above command but I suspect both would be overwritten if postfix is restarted.

biggsy

Yaboc,

Are you saying that you want an external host to go directly to your Exchange server, bypassing postfix?

If so, would it not be easier to create a rule on your WAN, above the postfix one, to pass port 25 from that source host to the Exchange server?

yaboc

biggsy,

that is correct, i have one host that i'd like to relay email through our exchange bypassing postfix, because it doesn't seem to work (relaying) with the default postfix forwarder setup.

i'd prefer to make it as secure as possible and have ipsec in place between the host and our exchange but i can't even telnet to exchange using local ip, which is strange because i can do it from through other tunnels i have set up and the rules are any/any among tunnels.

i'll try your suggestion and report back but preferably i'd like to get it to work over ipsec if possible.

thank you!

twaldorf

Is it possible to have StartTLS with PFS on pfSense 2.1.5-RELEASE (i386) / FreeBSD 8.3-RELEASE-p16 with Postfix 2.10.2 pkg v.2.3.7?

If it's possible: What do I have to add to custom main.cf options and with which options I have to create a working self signed certificate/key?

pyrodex

Any chance of getting this to work in 2.2?

FlashPan

Hi all,

Hoping someone can help me out with this type of spam I just cannot figure out how to stop.

Below is the message header for they type of emails I am getting

In outlook I see and email from Louie.Whaley@bt.com but obviously we can see it's not come from there but bondhub.

Is it possible to stop this "type" of email without having to manually enter each domain to be blocked/stopped?

Apologies if this is a rather vague question with little info on my setup as I am not sure what is pertinent to you chaps of what you require and I am the more click, install and depend on gui type to setup this type of stuff.

What I can say is that I am running:

pfsense 2.1.5 32 bit
postfix 2.10.2 pkg v.2.3.7
mailscanner 4.84.6 v.0.2.6

I do have other apps like pfblocker and snort running but would prefer to use mailscanner if possible to block this type of stuff.

Thanks in advance for any replies.  It is most appreciated.

Received: from mail.XXXX.co.uk (192.168.XXX.XXX) by XXXX.XXXX.corp
(192.168.XXX.XXX) with Microsoft SMTP Server id 14.3.210.2; Fri, 26 Sep 2014
14:07:08 +0100
Received: from 106.247.219.88.rev.sfr.net (106.247.219.88.rev.sfr.net
[88.219.247.106]) by mail.XXXX.co.uk (Postfix) with ESMTP id E93C867BB for
xxxx@xxxx.co.uk; Fri, 26 Sep 2014 14:07:01 +0100 (BST)
Message-ID: ck386wzl.3794015@bondhub.comDate: Fri, 26 Sep 2014 15:13:09 +0100
From: Louie Whaley louie.whaley@bt.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: xxxx@xxxx.co.ukSubject: Important - BT Digital File
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-sufu-MailScanner-Information: Please contact the ISP for more information
X-sufu-MailScanner-ID: E93C867BB.A2828
X-sufu-MailScanner: Found to be clean
X-sufu-MailScanner-From: onyxnf@bondhub.com
X-Spam-Status: No
Return-Path: onyxnf@bondhub.com
X-MS-Exchange-Organization-AuthSource: XXXX.XXXX.corp
X-MS-Exchange-Organization-AuthAs: Anonymous/xxxx@xxxx.co.uk/louie.whaley@bt.com/ck386wzl.3794015@bondhub.com/xxxx@xxxx.co.uk

Bismarck

@FlashPan:

Hoping someone can help me out with this type of spam I just cannot figure out how to stop.

Hi FlashPan, this can be done easily with postfix:

1. Setup a proper RBL server List, you can combine as many as you wish if you set a higher RBL threshold. Which could block dynamic ips by default also = 106.247.219.88.rev.sfr.net [88.219.247.106])

2. Postfix > antispam > Header add this:

*/^Received:.rev.sfr.net / REJECT #will reject ALL dynamic ips from *rev.sfr.net

/^From:.*@bt.com/ REJECT #will reject all mail from someone@bt.com

/^Subject:.*(Important - BT Digital File):/ REJECT #will reject all mail with subject Important - BT Digital File

4. Subscribe additional rules for MailScanner/Spamassassin (google it)

https://wiki.apache.org/spamassassin/CustomRulesets

5. You also can write your own rules for MailScanner/Spamassassin:

https://wiki.apache.org/spamassassin/WritingRules

place your custom rules in /var/db/spamassassin/3.004000/70_myrules.cf and restart MailScanner. After adding new rules always check your mail log for errors or false positives! But Postfix is easier to handle, so start there.

Using pfblocker for spam prevention is a BAD idea, because you will miss if a legit email gets blocked etc….

Good luck!