    Postfix - antispam and relay package

    yaboc

      biggsy,

      That is correct, I have one host that I'd like to relay email through our Exchange, bypassing Postfix, because relaying doesn't seem to work with the default Postfix forwarder setup.

      I'd prefer to make it as secure as possible and have IPsec in place between the host and our Exchange, but I can't even telnet to Exchange using the local IP, which is strange because I can do it through other tunnels I have set up and the rules are any/any among the tunnels.

      I'll try your suggestion and report back, but preferably I'd like to get it to work over IPsec if possible.

      thank you!

      twaldorf

        Is it possible to have STARTTLS with PFS on pfSense 2.1.5-RELEASE (i386) / FreeBSD 8.3-RELEASE-p16 with Postfix 2.10.2 pkg v.2.3.7?

        If it's possible: what do I have to add to the custom main.cf options, and with which options do I have to create a working self-signed certificate/key?

        pyrodex

          Any chance of getting this to work in 2.2?

          FlashPan

            Hi all,

            Hoping someone can help me out with this type of spam I just cannot figure out how to stop.

            Below is the message header for the type of emails I am getting.

            In Outlook I see an email from Louie.Whaley@bt.com, but obviously we can see it's not come from there but from bondhub.

            Is it possible to stop this "type" of email without having to manually enter each domain to be blocked/stopped?

            Apologies if this is a rather vague question with little info on my setup, as I am not sure what is pertinent to you chaps or what you require, and I am more the click, install and depend-on-the-GUI type when setting up this type of stuff.

            What I can say is that I am running:

            pfsense 2.1.5 32 bit
            postfix 2.10.2 pkg v.2.3.7
            mailscanner 4.84.6 v.0.2.6

            I do have other apps like pfblocker and snort running but would prefer to use mailscanner if possible to block this type of stuff.

            Thanks in advance for any replies.  It is most appreciated.

            Received: from mail.XXXX.co.uk (192.168.XXX.XXX) by XXXX.XXXX.corp
            (192.168.XXX.XXX) with Microsoft SMTP Server id 14.3.210.2; Fri, 26 Sep 2014
            14:07:08 +0100
            Received: from 106.247.219.88.rev.sfr.net (106.247.219.88.rev.sfr.net
            [88.219.247.106]) by mail.XXXX.co.uk (Postfix) with ESMTP id E93C867BB for
            xxxx@xxxx.co.uk; Fri, 26 Sep 2014 14:07:01 +0100 (BST)
            Message-ID: <ck386wzl.3794015@bondhub.com>
            Date: Fri, 26 Sep 2014 15:13:09 +0100
            From: Louie Whaley <louie.whaley@bt.com>
            User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
            MIME-Version: 1.0
            To: xxxx@xxxx.co.uk
            Subject: Important - BT Digital File
            Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
            Content-Transfer-Encoding: 7bit
            X-sufu-MailScanner-Information: Please contact the ISP for more information
            X-sufu-MailScanner-ID: E93C867BB.A2828
            X-sufu-MailScanner: Found to be clean
            X-sufu-MailScanner-From: onyxnf@bondhub.com
            X-Spam-Status: No
            Return-Path: onyxnf@bondhub.com
            X-MS-Exchange-Organization-AuthSource: XXXX.XXXX.corp
            X-MS-Exchange-Organization-AuthAs: Anonymous

            Bismarck

              @FlashPan:

              Hoping someone can help me out with this type of spam I just cannot figure out how to stop.

              Hi FlashPan, this can be done easily with Postfix:

              1. Set up a proper RBL server list; you can combine as many as you wish if you set a higher RBL threshold. That could also block dynamic IPs by default (= 106.247.219.88.rev.sfr.net [88.219.247.106]).

              2. Postfix > Antispam > Header: add this:

              # will reject ALL dynamic IPs from *.rev.sfr.net
              /^Received:.*rev.sfr.net/ REJECT
              # will reject all mail from someone@bt.com
              /^From:.*@bt.com/ REJECT
              # will reject all mail with subject "Important - BT Digital File"
              /^Subject:.*Important - BT Digital File/ REJECT

              3. Subscribe to additional rules for MailScanner/SpamAssassin (google it):

              https://wiki.apache.org/spamassassin/CustomRulesets

              4. You can also write your own rules for MailScanner/SpamAssassin:

              https://wiki.apache.org/spamassassin/WritingRules

              Place your custom rules in /var/db/spamassassin/3.004000/70_myrules.cf and restart MailScanner. After adding new rules, always check your mail log for errors or false positives! But Postfix is easier to handle, so start there.

              Using pfblocker for spam prevention is a BAD idea, because you will miss if a legit email gets blocked etc….

              Good luck!

              biggsy

                @FlashPan:

                Subject: Important - BT Digital File

                Hmmm, smells like phish.  Hope your users are clued up about that stuff.

                An example of what Bismarck is recommending in point 1.

                Paste this into your Postfix > Antispam > RBL Server list

                zen.spamhaus.org*2, bl.spamcop.net, 0spam.fusionzero.com

                and set your RBL threshold to 2.

                spamhaus catches most of this sort of stuff on my system, hence the *2 to breach the threshold.

                88.219.247.106 is definitely listed.

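To make the `*2` weighting and the threshold concrete, here is an added Python example (not the pfSense package's code) that scores a client against a weighted RBL list the way postscreen's `postscreen_dnsbl_sites` / `postscreen_dnsbl_threshold` do. DNS answers are constructed and injected so it runs offline, and Spamhaus's 127.255.255.x error codes are excluded so a blocked public resolver cannot turn into a blanket reject.

```python
"""Weighted DNSBL scoring as configured in the pfSense Postfix package's
RBL Server List / RBL threshold fields (postscreen_dnsbl_sites syntax,
e.g. "zen.spamhaus.org*2").  The DNS lookup is injected so the example
runs offline against constructed answers."""
import ipaddress

BIGGSY_LIST = "zen.spamhaus.org*2, bl.spamcop.net, 0spam.fusionzero.com"
RBL_THRESHOLD = 2

def parse_rbl_list(text: str) -> list:
    """'zen.spamhaus.org*2, bl.spamcop.net' -> [('zen.spamhaus.org', 2), ('bl.spamcop.net', 1)]"""
    sites = []
    for item in text.split(","):
        item = item.strip()
        if item:
            host, _, weight = item.partition("*")
            sites.append((host.lower(), int(weight) if weight else 1))
    return sites

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets under the zone: 88.219.247.106 -> 106.247.219.88.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

# DNSBLs answer a listing with an address in 127.0.0.0/8.  Spamhaus uses
# 127.255.255.252/254/255 to report query errors (bad zone name, blocked
# public resolver, query volume exceeded); those must not count as listings.
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")

def is_listing(answer) -> bool:
    """True only for a genuine listing answer, never for an error code or NXDOMAIN (None)."""
    if answer is None:
        return False
    a = ipaddress.ip_address(answer)
    return a in LISTING_RANGE and a not in ERROR_RANGE

def rbl_score(ip: str, sites: list, lookup) -> tuple:
    """Sum the weights of every zone listing ip; lookup(name) returns the A answer or None."""
    score, hits = 0, []
    for zone, weight in sites:
        if is_listing(lookup(dnsbl_query_name(ip, zone))):
            score += weight
            hits.append(zone)
    return score, hits

def rbl_decision(ip: str, site_list: str, threshold: int, lookup) -> tuple:
    """Postscreen-style decision: reject once the summed weight reaches the threshold."""
    score, hits = rbl_score(ip, parse_rbl_list(site_list), lookup)
    return ("REJECT" if score >= threshold else "ACCEPT", score, hits)

# Constructed answers standing in for real DNS: the sender from the quoted
# header is listed by Spamhaus only (as biggsy reports), a second client by
# spamcop only, and a third gets Spamhaus's "blocked public resolver" code.
CONSTRUCTED_ANSWERS = {
    "106.247.219.88.zen.spamhaus.org": "127.0.0.4",
    "9.113.0.203.bl.spamcop.net": "127.0.0.2",
    "77.100.51.198.zen.spamhaus.org": "127.255.255.254",
}

def fake_lookup(name: str):
    """Offline stand-in for a DNS A query; returns None when the name is not listed."""
    return CONSTRUCTED_ANSWERS.get(name)

if __name__ == "__main__":
    for ip in ("88.219.247.106", "203.0.113.9", "198.51.100.77"):
        print(ip, rbl_decision(ip, BIGGSY_LIST, RBL_THRESHOLD, fake_lookup))
```

With threshold 2 the Spamhaus-only sender is rejected on the `*2` weight alone, while the spamcop-only client scores 1 and gets through, which is exactly the tuning knob biggsy describes.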
                biggsy

                  @pyrodex:

                  Any chance of getting this to work in 2.2?

                  Are you talking about Postfix forwarder on 2.2?  I have had some problems with that.

                  Installing postfix on 2.2 (with a config restored from 2.1.5) I'm getting the following:

                  postfix/postfix-script[56365]: fatal: no Postfix daemon directory /usr/local/libexec/postfix!

                  and

                  php-fpm[7873]: /pkg_mgr_install.php: The command '/usr/local/sbin/postfix reload' returned exit code '1', the output was 'cd: /usr/local/libexec/postfix: No such file or directory'
                  php-fpm[7873]: /pkg_mgr_install.php: The command '/usr/local/sbin/postfix reload' returned exit code '1', the output was 'cd: /usr/local/libexec/postfix: No such file or directory'

                  Then the following repeats about 5 or 6 times:

                  php-fpm[8074]: /pkg_edit.php: The command '/usr/local/sbin/postfix reload' returned exit code '1', the output was 'cd: /usr/local/libexec/postfix: No such file or directory'
                  php-fpm[8074]: /pkg_edit.php: The command '/usr/local/sbin/postfix reload' returned exit code '1', the output was 'cd: /usr/local/libexec/postfix: No such file or directory'

                  All this could be due to the restored config but I don't know.

                  FlashPan

                    Thanks Bismark and biggsy,

                    I do have zen.spamhaus.org, bl.spamcop.net, dnsbl.sorbs.net set in my RBL list and the threshold is set to 2 already.  These options have been set for months.  On my firewall I have set automatic NAT outbound rule generation, so none of the RBL servers should be blocked from being interrogated.

                    Postfix is set to listen on LAN, WAN and loopback (quite a while back I only had LAN or WAN selected; if I remember correctly, I think a version upgrade stopped mail flowing through and only using all 3 got it working again).

                    Access Lists > Header:

                    /^Subject:/ WARN
                    /^From:/ HOLD
                    /^To:.*@MyDomain.co.uk/ HOLD

                    Antispam > Header verification: set to basic, as when set to string a lot of legit emails do not make it through.

                    Antispam > After greeting tests: all selected

                    In the MailScanner app under AntiSpam > Spamchecks the only element I have selected is "Spam Checks (yes)".  Nothing else is selected or has a value entered.  Could that be causing some sort of clash?

                    Mailscanner > AntiSpam > Spam Assassin > Features:  All is selected except for Include Binary Attachments and Wait during bayes rebuild

                    Am still at a loss :)

                    One other thing I have noticed is that with the Postfix widget I only see values for Sent, nothing for Rejected etc. - actually I have never seen anything except for Sent.

                    Emails are being rejected as when I use the Search mail feature I can see entries like this:

                    Sep 26 10:12:00 wing@cybercatinc.com steve@XXXX.co.uk reject
                    Sep 26 09:22:16 tejedas@embarq.com steve@XXXX.co.uk reject
                    Sep 26 09:22:16 tejedas@embarq.com j6g05dt3po6rorq@XXXX.co.uk reject

                    (the top 2 recipients are valid; the 3rd recipient does not exist)

                    Apologies now, as before I did not give much detail on my setup and now I could be overloading with all the wrong info.  :P

                    Cheers again all and thanks once again for your help.

                    Bismarck

                      First in Search Mail > Message Fields: mark all and search again, this will show you much more information. Or even better you login via putty/ssh and watch the logs live:

                      tail -f /var/log/maillog

                      Access Lists > Header:
                      /^Subject:/ WARN
                      /^From:/ HOLD
                      /^To:.*@MyDomain.co.uk/ HOLD

                      Scratch that, you have just copied and pasted the example stuff there; this would be a valid list:

                      # Remove sensitive information from email headers
                      /^Received: from MTA.LOCAL.*/ IGNORE
                      /^Received:.*with ESMTPS/ IGNORE
                      /^X-Originating-IP:/ IGNORE
                      /^User-Agent:/ IGNORE
                      # SPAM
                      /^Received:.*rev.sfr.net/ REJECT
                      /^From:.*@bt.com/ REJECT
                      /^Subject:.*Important - BT Digital File/ REJECT
                      # HAM
                      /^From:.*@XXXX.co.uk/ OK

                      Antispam > After greeting tests: all selected

                      You may take this into account. (thanks biggsy)

                      Emails are being rejected as when I use the Search mail feature I can see entries like this:
                      Sep 26 10:12:00 wing@cybercatinc.com steve@XXXX.co.uk reject
                      Sep 26 09:22:16 tejedas@embarq.com steve@XXXX.co.uk reject
                      Sep 26 09:22:16 tejedas@embarq.com j6g05dt3po6rorq@XXXX.co.uk reject
                      (the top 2 recipients are valid; the 3rd recipient does not exist)

                      Postfix > Access Lists > MyNetworks

                      Your IPs should be listed here, like:

                      192.168.0.7 # internal mailhost
                      192.168.0.1 # pfs lan
                      127.0.0.1   # pfs loopback

                      and enable Postfix > Recipients > AD etc..

                      Cheers!  ;)

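As an added example (not the package's or Bismarck's code), this Python script reproduces Postfix header_checks matching over the bondhub headers quoted earlier, using the table above with its regex defects fixed. It shows why the copied example list held every message and that an OK rule at the bottom of the table never whitelists a message whose Received: header has already matched REJECT. The table text, the message headers and the XXXX.co.uk placeholder come from the thread; the "Colleague" address is constructed.

```python
"""Simulate Postfix header_checks (pcre table) on captured message headers.

Semantics reproduced: folded continuation lines belong to one logical header
(joined with a space here); rules are tried in table order and the FIRST match
decides that header, so OK only stops the search for that header and never
whitelists a message; matching is case-insensitive like Postfix pcre tables;
REJECT or HOLD on any header decides the whole message.
"""
import re
from dataclasses import dataclass, field

@dataclass
class Verdict:
    action: str                       # REJECT, HOLD or DUNNO (accepted)
    fired: str = ""                   # table line that decided the message
    header: str = ""                  # logical header that triggered it
    warnings: list = field(default_factory=list)
    removed: list = field(default_factory=list)   # headers IGNORE strips

RULE_RE = re.compile(r"^/(.*)/\s+(\S+)(?:\s+.*)?$")

def parse_rules(table: str) -> list:
    """'/pattern/ ACTION' lines -> [(compiled_pattern, ACTION, line)]; '#' lines skipped."""
    rules = []
    for line in (l.strip() for l in table.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"bad header_checks line: {line!r}")
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2).upper(), line))
    return rules

def unfold(raw: str) -> list:
    """Join RFC 5322 continuation lines (leading space/tab) onto their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line.strip():
            headers.append(line.rstrip())
    return headers

def check_headers(rules: list, raw: str) -> Verdict:
    v = Verdict("DUNNO")
    for hdr in unfold(raw):
        for pattern, action, line in rules:
            if not pattern.search(hdr):
                continue
            if action == "REJECT":
                return Verdict("REJECT", line, hdr, v.warnings, v.removed)
            if action == "HOLD" and v.action != "HOLD":
                v.action, v.fired, v.header = "HOLD", line, hdr
            elif action == "WARN":
                v.warnings.append((line, hdr))
            elif action == "IGNORE":
                v.removed.append(hdr)
            break                     # first matching rule decides this header
    return v

# Table from the post with the regex defects fixed (escaped dots, no stray ':').
BISMARCK_TABLE = """
/^Received: from MTA.LOCAL.*/ IGNORE
/^Received:.*with ESMTPS/ IGNORE
/^X-Originating-IP:/ IGNORE
/^User-Agent:/ IGNORE
/^Received:.*rev\\.sfr\\.net/ REJECT
/^From:.*@bt\\.com/ REJECT
/^Subject:.*Important - BT Digital File/ REJECT
/^From:.*@XXXX\\.co\\.uk/ OK
"""
# The copied example list FlashPan had in place: every From: header means HOLD.
PASTED_EXAMPLE_TABLE = "/^Subject:/ WARN\n/^From:/ HOLD\n/^To:.*@MyDomain.co.uk/ HOLD\n"

# Constructed from the bondhub message quoted in the thread (Received: is folded).
SPAM_HEADERS = """\
Received: from 106.247.219.88.rev.sfr.net (106.247.219.88.rev.sfr.net
    [88.219.247.106]) by mail.XXXX.co.uk (Postfix) with ESMTP id E93C867BB for
    xxxx@xxxx.co.uk; Fri, 26 Sep 2014 14:07:01 +0100 (BST)
Message-ID: <ck386wzl.3794015@bondhub.com>
From: Louie Whaley <louie.whaley@bt.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
To: xxxx@xxxx.co.uk
Subject: Important - BT Digital File
"""
# Constructed internal mail: From: matches the OK rule, but the rev.sfr.net
# Received: header is checked first, so the trailing OK rescues nothing.
LEGIT_VIA_SFR = SPAM_HEADERS.replace("Louie Whaley <louie.whaley@bt.com>",
                                     "Colleague <colleague@XXXX.co.uk>")
```

Run `check_headers(parse_rules(BISMARCK_TABLE), SPAM_HEADERS)` to see the Received: rule reject the bondhub message before the From: and Subject: rules are ever consulted, and swap in PASTED_EXAMPLE_TABLE to see the same message land in HOLD with one WARN.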
                      FlashPan

                        Thanks for all the info Bismarck.  At the moment I'm not using the options under #SPAM as I'm still looking to get this stuff generally blocked without manual intervention… great info though for me in the future.

                        I am not sure why I would want to whitelist Google servers?  Surely that is only going to affect email coming in from Google/Gmail and nothing else?

                        I've added my IPs under Postfix > Access Lists > MyNetworks.

                        I have been sending through some test spam/virus emails, but it looks like my logs have now randomly corrupted, I think, as when I search for anything the results are blank or give something starting with: Warning: sqlite_query(): no such column: mail_status.info in /usr/local/www/postfix.php on line 606 Warning:

                        For Postfix > Recipients I've set Custom Valid recipients as I've not installed the p5-perl-ldap package yet.

                        Cheers again  :D

                        yaboc

                          My Postfix service doesn't stop from the services page, and even when I disable the forwarder and reboot pfSense it seems to be running. I'm on the current version (pf + package). Any ideas why? Can I kill it from the CLI?

                          jaredadams

                            Can someone enlighten me as to which setting(s) in the configuration causes this check?

                            NOQUEUE: reject: RCPT from unknown[X.X.X.X]: 550 5.7.1 Client host rejected: cannot find your hostname, [X.X.X.x]; from=<email@domain.com> to=<email@mycompany.com> proto=ESMTP helo=<[X.X.X.X]>

                            Bismarck

                              @jaredadams:

                              Can someone enlighten me as to which setting(s) in the configuration causes this check?

                              NOQUEUE: reject: RCPT from unknown[X.X.X.X]: 550 5.7.1 Client host rejected: cannot find your hostname, [X.X.X.x]; from=<email@domain.com> to=<email@mycompany.com> proto=ESMTP helo=<[X.X.X.X]>

                              Postfix > Antispam

                              Helo Hostname

                              Default: Checked

                              Reject unknown HELO hostname during SMTP communication.

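As an added illustration (not the package's code), the following Python reproduces the forward-confirmed reverse DNS check behind Postfix's "Client host rejected: cannot find your hostname" response (the reject_unknown_client_hostname restriction): the client IP must have a PTR record, and that name must resolve back to the same IP. The resolver functions are injected and the DNS records constructed so the check runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) as Postfix's reject_unknown_client_hostname
applies it: the client address needs a PTR record, and the PTR name must have an
A record pointing back at the client.  Resolver calls are injected so the
example runs offline against constructed records."""
import ipaddress

def ptr_name(ip: str) -> str:
    """198.51.100.25 -> 25.100.51.198.in-addr.arpa (IPv4 only in this example)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"

def client_hostname_status(ip: str, resolve_ptr, resolve_a) -> tuple:
    """Return (status, hostname).  status is 'ok', 'no_ptr' (reverse lookup
    failed) or 'no_fcrdns' (no PTR name resolves back to the client address);
    the last two are the cases Postfix logs as unknown[ip] and rejects."""
    names = resolve_ptr(ptr_name(ip))
    if not names:
        return ("no_ptr", None)
    for name in names:
        if ip in resolve_a(name):
            return ("ok", name)
    return ("no_fcrdns", names[0])

def passes_client_hostname_check(ip: str, resolve_ptr, resolve_a) -> bool:
    """True when the client would get past reject_unknown_client_hostname."""
    return client_hostname_status(ip, resolve_ptr, resolve_a)[0] == "ok"

# Constructed DNS data (documentation ranges): one fully confirmed host, one
# whose PTR points at a name that resolves elsewhere, and one with no PTR at all.
CONSTRUCTED_PTR = {
    "25.100.51.198.in-addr.arpa": ["mail.example.org"],
    "9.113.0.203.in-addr.arpa": ["mx.example.net"],
}
CONSTRUCTED_A = {
    "mail.example.org": ["198.51.100.25"],
    "mx.example.net": ["203.0.113.200"],
}

def fake_ptr(name: str) -> list:
    """Offline stand-in for a PTR query; [] means NXDOMAIN."""
    return CONSTRUCTED_PTR.get(name, [])

def fake_a(name: str) -> list:
    """Offline stand-in for an A query; [] means NXDOMAIN."""
    return CONSTRUCTED_A.get(name, [])

if __name__ == "__main__":
    for ip in ("198.51.100.25", "203.0.113.9", "192.0.2.77"):
        print(ip, client_hostname_status(ip, fake_ptr, fake_a))
```

Only the first address passes; the other two are what produce the log line quoted above, and the fix sits with whoever controls the sending host's reverse DNS, not with the receiving Postfix.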
                              FlashPan

                                Hi,

                                Well after some reinstall (well many) and different configs I think I've mainly got this working to block spam (mainly).

                                I found this website http://www.crynwr.com/spam/ and from here you can send yourself test emails which should trigger a block etc and then this site will email you the conversation/outcome.

                                Sadly though I still seem to have a couple of issues.  My widget still does not show up anything but the Sent stats.  In Search Mail, No Queue, I can see emails being rejected (e.g. sent to a non-existent email address).  Ideas anyone?

                                I think I've found another issue as well.  I read this on another forum, but I think it may have been quite old so I'm not sure if it is still valid, and of course I cannot find the page again as I did not save it.

                                Anyhow, below you will see an email header that came in to me today.  It went through Postfix and MailScanner with no flags.

                                I think I read it correctly, but Postfix cannot block email if it passes through or relays through multiple email servers.

                                Anyone seen or aware of this type of thing?

                                As always I tip my cap to you all and thank you very much for your help past, present and future :)

                                Cheers

                                Received: from xxx.xxx.co.uk (192.168.100.4) by xxx.xxx.corp
                                (192.168.xxx.xxx) with Microsoft SMTP Server id 14.3.210.2; Wed, 1 Oct 2014
                                13:17:22 +0100
                                Received: from ns5.lucidity.ie (ns5.lucidity.ie [69.36.8.164]) by
                                xxx.xxx.co.uk (Postfix) with ESMTP id 0C678696B for xxxx@xxxx.co.uk;
                                Wed,  1 Oct 2014 13:17:10 +0100 (BST)
                                Received: from fieldandstream.ie ([::ffff:109.229.186.118])  (AUTH: LOGIN
                                mick@fieldandstream.ie)  by ns5.lucidity.ie with esmtp; Wed, 01 Oct 2014
                                13:11:58 +0100  id 0017605C.542BEF8E.00006496
                                Received: from rly04.hottestmile.com ([Wed, 01 Oct 2014 16:11:00 +0400]) by
                                smtp.doneohx.com with ESMTP; Wed, 01 Oct 2014 16:11:00 +0400
                                Received: from [42.30.29.127] by mail.webhostings4u.com with SMTP; Wed, 01 Oct
                                2014 16:06:05 +0400
                                Received: from relay.2yahoo.com ([200.137.192.220]) by mtu67.syds.piswix.net
                                with SMTP; Wed, 01 Oct 2014 15:50:57 +0400
                                Received: from relay37.vosimerkam.net ([Wed, 01 Oct 2014 15:43:37 +0400]) by
                                mailout.endmonthnow.com with ASMTP; Wed, 01 Oct 2014 15:43:37 +0400
                                Received: from unknown (HELO public.micromail.com.au) (Wed, 01 Oct 2014
                                15:41:09 +0400) by smtp18.yenddx.com with ESMTP; Wed, 01 Oct 2014 15:41:09
                                +0400
                                Message-ID: 7D9E9F4C.AEEB6E0F@fieldandstream.ie
                                Date: Wed, 1 Oct 2014 15:41:09 +0400
                                Reply-To: "Barclays@email.barclays.co.uk" <mick@fieldandstream.ie>
                                From: "Barclays@email.barclays.co.uk" <mick@fieldandstream.ie>
                                MIME-Version: 1.0
                                To: steve@sueandsteves.co.uk
                                CC: steve@suej.co.uk, steve@suffolk.gov.uk, steve@suffolk.police.uk,
                                steve@suffolkcartlodges.co.uk, steve@suffolkfada.co.uk,
                                xxxx@xxxx.co.uk, steve@sugarhouse.co.uk, steve@sumarts.co.uk,
                                steve@sumlock.co.uk, steve@summe.co.uk, steve@summerbreak.co.uk,
                                steve@summerleaze.co.uk, steve@summerlin.co.uk, steve@summitbikes.co.uk
                                Subject: =?ISO-8859-1?B?VHJhbnNhY3Rpb24gbm90IGNvbXBsZXRl?=
                                Content-Type: text/plain; charset="us-ascii"
                                Content-Transfer-Encoding: 7bit
                                X-sufu-MailScanner-Information: Please contact the ISP for more information
                                X-sufu-MailScanner-ID: 0C678696B.A7F57
                                X-sufu-MailScanner: Found to be clean
                                X-sufu-MailScanner-From: mick@fieldandstream.ie
                                X-Spam-Status: No
                                Return-Path: mick@fieldandstream.ie
                                X-MS-Exchange-Organization-AuthSource: xxx.xxx.corp
                                X-MS-Exchange-Organization-AuthAs: Anonymous

                                Bismarck

                                  @FlashPan:

                                  Anyhow, below you will see an email header that came in to me today.  It went through Postfix and MailScanner with no flags.

                                  I think I read it correctly but postfix cannot block email if it passes through or relays through multiple email servers.

                                  X-sufu-MailScanner-Information: Please contact the ISP for more information
                                  X-sufu-MailScanner-ID: 0C678696B.A7F57
                                  X-sufu-MailScanner: Found to be clean
                                  X-sufu-MailScanner-From: mick@fieldandstream.ie
                                  X-Spam-Status: No

                                  Return-Path: mick@fieldandstream.ie
                                  X-MS-Exchange-Organization-AuthSource: xxx.xxx.corp
                                  X-MS-Exchange-Organization-AuthAs: Anonymous

                                  Looks okay for me, this mail passed postfix and mailscanner.

                                  biggsy

                                    @FlashPan:

                                    I think I read it correctly but postfix cannot block email if it passes through or relays through multiple email servers.

                                    I don't think you read that correctly.  Do you have a reference?

                                    A lot of email will pass through multiple email servers en route - say, for example, from my mail server to my ISP's mail server to my friend's ISP's mail server and then to his mail server.  We both run postfix forwarder on pfSense.

                                    FlashPan

                                      Sadly no I cannot find the webpage again.

                                      My suspicions arose just because of so many relays, and the content was definitely spam (trying to make you think it was from Barclays bank, with a non-Barclays weblink to click on); plus the sender's email address was poorly made to look like it was from the bank as well.

                                      pyrodex

                                        @biggsy:

                                        @pyrodex:

                                        Any chance of getting this to work in 2.2?

                                        Are you talking about Postfix forwarder on 2.2?  I have had some problems with that.


                                        Yup this is the same problem I had and I had the same issue on a fresh install too trying everything to get it to work.

                                        Bismarck

                                          FlashPan, you definitely need to fine-tune your RBL list:

                                          Received: from fieldandstream.ie ([::ffff:109.229.186.118])

                                          Summary information for 109.229.186.118/32
                                          Note: Times shown are for the latest entry only!
                                          Found 2 network entries and 0 host/domain entries.

                                          Problem Entries, (listings will cause email problems.)
                                          1 "Hacked" entries [04:29:20 13 Sep 2011 GMT+00].
                                          6 "Spam" entries [17:17:17 30 Aug 2014 GMT+00].

                                          http://www.anti-abuse.org/multi-rbl-check-results/?host=109.229.186.118

                                          And how often do you update your spamassassin rule subscriptions?

                                          FlashPan

                                            Sigh  ???  this is what I am not understanding ;)

                                            My options under Antispam > RBL Server List all seem correct.

                                            zen.spamhaus.org*2, bl.spamcop.net, dnsbl.sorbs.net

                                            As for SpamAssassin, you just gave me an answer in another thread, but I think I may have borked the package as now it will not start for some reason.

                                            Getting very close to pulling hair out time :)

                                            Thanks Bismark you are going above and beyond here.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.