Netgate Discussion Forum

    Postfix - antispam and relay package

    • V
      vc6SfV8
      last edited by

      I am also experiencing the same problem as hrtraveler after upgrading to 2.2.

      1 Reply Last reply Reply Quote 0
      • marcellocM
        marcelloc
        last edited by

        I've updated database log integration from sqlite2 to sqlite3 but if I send a pull request for it then postfix will not work on 2.1.

        So until we find a way to fix it on the current pfSense 2.2 pbi, I suggest using postfix on 2.1 (as a server, for example on a virtual machine).

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        1 Reply Last reply Reply Quote 0
        • T
          TeeJay
          last edited by

          Having exactly the same problem on a brand new installation. I was looking for a substitute for the Endian Community FW and pfSense certainly looks very promising, but without postfix it will not be very useful to me. Is there any chance this problem will be fixed in the near future?

          1 Reply Last reply Reply Quote 0
          • G
            guyp
            last edited by

            Ran into this today… Really need a quick and dirty fix until it can be fixed fully.

            I can't roll back to the old version, as the FW is 8000 Miles away from me :(

            1 Reply Last reply Reply Quote 0
            • H
              hrtraveler
              last edited by

              @guyp:

              Ran into this today… Really need a quick and dirty fix until it can be fixed fully.

              I can't roll back to the old version, as the FW is 8000 Miles away from me :(

              I was able to get it running by installing the standard FreeBSD package > 'pkg install Postfix' or 'pkg install postfix-tls'.

              Couple things to keep in mind: this places the configuration files in a different location and therefore the webGUI tools for editing the configuration no longer work, nor do the monitoring tools as far as I can tell. In addition, the pfSense pkg has Cyrus SASL compiled in, so if you fix the dependencies and add the missing libraries it will allow you to forward mail through Google (for example), or any server which requires such an encrypted connection. Neither of the standard packages for FreeBSD have this compiled in, so it won't work.

              If you need Cyrus SASL you can download the latest postfix-tls source to a FreeBSD 10.1 development machine and compile it in.

              1 Reply Last reply Reply Quote 0
              • thedaveCAT
                thedaveCA
                last edited by

                Any news for 2.2 support or is this still broken?

                1 Reply Last reply Reply Quote 0
                • marcellocM
                  marcelloc
                  last edited by

                  @The:

                  Any news for 2.2 support or is this still broken?

                  Not yet. Pbi is the worst place to find and fix issues. It needs both the pfSense team's and the package developer's free time to check build options, dependencies, lib dirs, etc…

                  1 Reply Last reply Reply Quote 0
                  • T
                    t.hollenbeck
                    last edited by

                    @The:

                    Any news for 2.2 support or is this still broken?

                    I have the same problem. Is there a plan, where is the bug fixed?

                    1 Reply Last reply Reply Quote 0
                    • S
                      snm777
                      last edited by

                      I just had a co-worker upgrade to 2.2 on a production machine and encountered this issue. I've suggested rolling back to a snapshot, assuming he has one. If this isn't fixed yet, does anyone have a workaround? I assume that the spool NEEDS to be owned by postfix and not root, and that changing permissions on the spool file will just make things worse?

                      1 Reply Last reply Reply Quote 0
                      • C
                        capitangiaco
                        last edited by

                        I was able to get it running by installing the standard FreeBSD package > 'pkg install Postfix' or 'pkg install postfix-tls'.

                        Couple things to keep in mind: this places the configuration files in a different location and therefore the webGUI tools for editing the configuration no longer work, nor do the monitoring tools as far as I can tell. In addition, the pfSense pkg has Cyrus SASL compiled in, so if you fix the dependencies and add the missing libraries it will allow you to forward mail through Google (for example), or any server which requires such an encrypted connection. Neither of the standard packages for FreeBSD have this compiled in, so it won't work.

                        If you need Cyrus SASL you can download the latest postfix-tls source to a FreeBSD 10.1 development machine and compile it in.

                        pkg install Postfix
                        cd /usr/local/etc/postfix
                        ln -fs /usr/pbi/postfix/etc/postfix/ <conf files>

                        It seems to work!

                        I cannot test mailscanner because I have trouble with php after the upgrade:
                        [18-Feb-2015 13:17:51 Europe/Rome] PHP Fatal error:  Cannot redeclare platform_booting() (previously declared in /etc/inc/globals.inc:168) in /etc/inc/globals.inc on line 176

                        function platform_booting($on_console = false) {
                                global $g;

                                if ($g['booting'] || file_exists("{$g['varrun_path']}/booting"))
                                        if ($on_console == false || php_sapi_name() != 'fpm-fcgi')
                                                return true;

                                return false;
                        }

                        The mailscanner pkg installation stops itself with this error.

                        Giaco

                        1 Reply Last reply Reply Quote 0
                        • C
                          capitangiaco
                          last edited by

                          found this:
                          https://github.com/pfsense/pfsense-packages/commit/e8f9ffe9459a922375e43472d13246d3d356e60e
                          I am now able to remove and reinstall mailscanner.

                          Giaco

                          1 Reply Last reply Reply Quote 0
                          • D
                            dreadnought
                            last edited by

                            Argh… upgraded to 2.2, postfix forwarder down in flames along with our email. Not a trivial matter.

                            Tried (trying?) to restore a full 2.1.5 backup and the GUI is a mess and things (including postfix forwarder) still seem broken.

                            Selecting OpenVPN results in:

                            Fatal error: Call-time pass-by-reference has been removed in /usr/local/www/vpn_openvpn_server.php on line 333

                            Selecting postfix forwarder results in:

                            Fatal error: Call-time pass-by-reference has been removed in /usr/local/www/pkg_edit.php on line 143

                            Main page shows 2.1.5-RELEASE (amd64) as well as the "Packages are currently being reinstalled in the background." which doesn't seem to actually mean anything.

                            Has anyone been successful restoring a full backup (2.1.5?) after encountering the borked postfix forwarder on 2.2?

                            1 Reply Last reply Reply Quote 0
                            • D
                              dreadnought
                              last edited by

                              When I try to reboot our Netgate chimes as if it's going to reboot, but then this appears:

                              Fatal error: Call-time pass-by-reference has been removed in /etc/inc/shaper.inc on line 395

                              So it seems as if we can't reboot either.

                              1 Reply Last reply Reply Quote 0
                              • D
                                dreadnought
                                last edited by

                                For the benefit of others running into this issue… rebooting and halting the system did not work, even though they triggered the reboot and halt chimes on our Netgate running pfsense. After a hard reboot (and some praying) our services, including postfix forwarder and OpenVPN, began working again under the restored 2.1.5.

                                1 Reply Last reply Reply Quote 0
                                • R
                                  rbflurry
                                  last edited by

                                  Found out the hard way that this is intended to relay mail to an internal server and not a hosted server (host monster, Bluehost).

                                  Because of SPF and the fact that this package can't do SRS.

                                  1 Reply Last reply Reply Quote 0
                                  • C
                                    chris4916
                                    last edited by

                                    I'm, kind of, discovering pfSense in prod  :-[
                                    Now that I've migrated to pfSense, and although I do understand that from guru's standpoint, pfSense acts as firewall and should only be used as firewall  ;)  I would like to run some additional "embedded" services. I know this is not theoretically correct but this is however the most convenient way to provide services locally.

                                    This said, I'm also facing issues while trying to run Postfix relay on 2.2. So, for the time being and waiting for fix, I'm not relaying but forward packets to mail server on DMZ  :-\

                                    Unless I misunderstand the way it works, once this package is fixed, there is one feature that will still prevent me from using it as a relay. Let me try to explain:

                                    • for fail-over purpose, I'm relying on 2 different ISP, meaning 2 WAN, 2 IP
                                    • I've one single domain managed by third provider. Using this provider's web interface, I'm able to customize public DNS for this domain, including MX, SPF
                                    • each ISP permits to customize PTR

                                    So far so good but… if I want to use pfSense Postfix relay (assuming issues with 2.2 are fixed) it will not work for some senders in case sender performs SMTP Reverse DNS control because this package doesn't permit to customize banner per listening IP from GUI.

                                    I may find a way to customize master.cf and hard-code the right banner here for each interface but it would be nice to have this capability directly from GUI. Or is there something I misunderstand?

                                    PS: I know that state-of-the-art implementation if I need complete fail-over would be to deploy 2 different MTA behind 2 different FW, furthermore having each FW made of highly available pfSense using CARP.... but this is totally over-kill and I will end up with more problems due to complexity than real improved level of service. What I would like to handle is WAN fail-over, with only one single pfSense cluster. Does it make sense?

                                    Jah Olela Wembo: Words turn into ills when they upset, attack or hurt.

                                    1 Reply Last reply Reply Quote 0
                                    • G
                                      guyp
                                      last edited by

                                      Just set the PTR record for both IP address to be the same!

                                      1 Reply Last reply Reply Quote 0
                                      • C
                                        chris4916
                                        last edited by

                                        @guyp:

                                        Just set the PTR record for both IP address to be the same!

                                        This doesn't work, at least for me, and I'll try to explain why  :)

                                        I'm relying on 3 different providers:

                                        • two ISP owning each one of my two public IP
                                        • another (different) provider registering my domain.

                                        In term of DNS management, it means that I'm dealing with PTR records through interfaces provided by each ISP while I manage (public) DNS content from my domain provider's web interface.
                                        So far so good :-) but in order to achieve what you suggest, it would mean that I have to configure 2 different A records (one for each public IP) with same hostname. This can be done, although somewhat strange.
                                        Problem is that when customizing PTR, I'm facing an issue with at least one ISP because interface used to customize PTR checks if PTR you set matches IP address. This does make sense but as my DNS contains 2 different IPs for same hostname, it resolves this hostname (round-robin mode) with different IP thus PTR customization is not allowed.

                                        From my standpoint, such control from ISP makes sense. It helps ensure consistency between PTR and IP/hostnames.
                                        The right approach, unless I'm wrong, is to set up one banner per public IP.
                                        I did it with my previous Postfix implementation using this syntax:

                                        1.1.1.1:smtp  inet  n  - - - -  smtpd -o myhostname=host1.domain.com
                                        2.2.2.2:smtp  inet  n  - - - -  smtpd -o myhostname=host2.domain.com
                                        

                                        This obviously works as expected ;D

                                        Then I do realize that I'm total pfSense noob: I still don't know how to customize master.cf so that content is not erased when configuration is changed using GUI  :-[
                                        On top of that, I need to improve my understanding of postscreen => smtpd is then listening on local port only isn't it?

                                        1 Reply Last reply Reply Quote 0
                                        • C
                                          chris4916
                                          last edited by

                                          Replying to myself  ;D but hoping it may help other users:

                                          For what I understand, having spent some time reading Postfix and postscreen documentation, unless it can be significantly customized, Postfix forwarder package will not fit with what I'm trying to achieve.  It would mean, for each external interface, one postscreen line in master.cf passing to one smtpd defined with its own mailhost and banner.
                                          Nothing really complex from Postfix standpoint but definitely not the way it works for the time being, even aside 2.2 related bugs.

                                          Something like:

                                          
                                          1.1.1.1:smtp    inet  n       -       n       -       1       postscreen
                                                  -o smtpd_service_name=smtpd1
                                                  -o postscreen_greet_banner=whatever......
                                                  -o user=postfix
                                                  -o soft_bounce=yes
                                          smtpd1     pass  -       -       n       -       -       smtpd
                                                  -o myhostname=host1.domain.com
                                                  -o smtpd_banner=host1.domain.com-xxxxxx
                                          2.2.2.2:smtp    inet  n       -       n       -       1       postscreen
                                                  -o smtpd_service_name=smtpd2
                                                  -o postscreen_greet_banner=whatever2......
                                                  -o user=postfix
                                                  -o soft_bounce=yes
                                          smtpd2     pass  -       -       n       -       -       smtpd
                                                  -o myhostname=host2.domain.com
                                                  -o smtpd_banner=host2.domain.com-xxxxxx
                                          
                                          

                                          1 Reply Last reply Reply Quote 0
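
The per-listener layout sketched in the post above, turned into an offline consistency check (an added example, not code from the thread or from the pfSense package): it parses a master.cf fragment, works out which `myhostname` each listening IP announces, and compares that with PTR and A data. The DNS tables, the function names and the rule that a postscreen listener announces the `myhostname` of the smtpd service it hands off to are assumptions made for the illustration.

```python
# Constructed sample: the two-listener layout from the post, banner options omitted.
MASTER_CF = """\
1.1.1.1:smtp    inet  n  -  n  -  1  postscreen
        -o smtpd_service_name=smtpd1
smtpd1     pass  -  -  n  -  -  smtpd
        -o myhostname=host1.domain.com
2.2.2.2:smtp    inet  n  -  n  -  1  postscreen
        -o smtpd_service_name=smtpd2
smtpd2     pass  -  -  n  -  -  smtpd
        -o myhostname=host2.domain.com
"""
# Constructed DNS view (assumption): what PTR and A lookups would return.
PTR = {"1.1.1.1": "host1.domain.com", "2.2.2.2": "host2.domain.com"}
A = {"host1.domain.com": {"1.1.1.1"}, "host2.domain.com": {"2.2.2.2"}}

def parse_master_cf(text):
    """Return {service: {"type", "command", "opts"}}; indented lines continue an entry."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tokens = line.split()
        if line[0].isspace():                 # continuation of the previous entry
            args = tokens
        else:                                 # service type private unpriv chroot wakeup maxproc command
            current = services[tokens[0]] = {
                "type": tokens[1], "command": tokens[7], "opts": {}}
            args = tokens[8:]
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and "=" in value:  # values containing spaces are not handled
                key, val = value.split("=", 1)
                current["opts"][key] = val
    return services

def announced_hostnames(services, default_hostname):
    """Map each listening IP to the myhostname in effect for that listener."""
    result = {}
    for name, svc in services.items():
        if svc["type"] != "inet" or ":" not in name:
            continue                          # skip pass/unix services and wildcard listeners
        target = svc
        if svc["command"] == "postscreen":    # assumption: follow the hand-off to smtpd
            target = services.get(svc["opts"].get("smtpd_service_name", "smtpd"), svc)
        fallback = svc["opts"].get("myhostname", default_hostname)
        result[name.rsplit(":", 1)[0]] = target["opts"].get("myhostname", fallback)
    return result

def check_fcrdns(announced, ptr, a):
    """Return {ip: [problems]}; an empty list means banner host, PTR and A agree."""
    report = {}
    for ip, host in announced.items():
        problems = []
        if ptr.get(ip) != host:
            problems.append(f"PTR is {ptr.get(ip)!r}, announced host is {host!r}")
        if ip not in a.get(host, set()):
            problems.append(f"{host} does not resolve back to {ip}")
        report[ip] = problems
    return report

if __name__ == "__main__":
    names = announced_hostnames(parse_master_cf(MASTER_CF), "host1.domain.com")
    for ip, problems in check_fcrdns(names, PTR, A).items():
        print(ip, names[ip], "OK" if not problems else "; ".join(problems))
```

Run against a configuration with a single global `myhostname` and no per-listener override, the same check flags the second IP, which is the situation the post describes.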
                                          • H
                                            hcoin
                                            last edited by

                                            Two pf machines reverted to 2.1.5 after all + postfix upgraded to 2.2. Postfix failed in exactly the fashion mentioned in #525 this thread. Running in two KVM VMs, 64 bit.

                                            Was this ever tested before the release?  Did it ever work?  What configurations were tested that worked?  I waited to upgrade only a few days ago, thought it would be all good.. but not so much.  No emails forwarded whatever.

                                            1 Reply Last reply Reply Quote 0