Postfix - antispam and relay package
-
Just set the PTR record for both IP address to be the same!
This doesn't work, at least for me, and I'll try to explain why :)
I'm relying on 3 different providers:
- two ISP owing each one of my two public IP
- another (different) provider registering my domain.
In term of DNS management, it means that I'm dealing with PTR records through interfaces provided by each ISP while I manage (public) DNS content from my domain provider's web interface.
So far so good :-) but in order to achieve what you suggest, it would means that I have to configure 2 different A records (one for each public IP) with same hostname. This can be done, although somewhat strange.
Problem is that when customizing PTR, I'm facing an issue with at least one ISP because interface used to customize PTR checks if PTR you set matches IP address. This does make sense but as my DNS contains 2 different IPs for same hostname, it resolves this hostname (round-robin mode) with different IP thus PTR customization is not allowed.From my standpoint, such control from ISP makes sense. It help ensuring consistency between PTR and IP/hostnames.
The right approach, unless I'm wrong, it to set up one banner per public IP.
I did it with my previous Postfix implementation using this syntax:1.1.1.1:smtp inet n - - - - smtpd -o myhostname=host1.domain.com 2.2.2.2:smtp inet n - - - - smtpd -o myhostname=host2.domain.comThis obviously works as expected ;D
Then I do realize that I'm total pfSense noob: I still don't know how to customize master.cf so that content is not erased when configuration is changed using GUI :-[
On top of that, I need to improve my understanding of postscreen => smtpd is then listening on local port only isn't it? -
Replying to myself ;D but hopping it may help other users:
For what I understand, having spent some time reading Postfix and postscreen documentation, unless it can be significantly customized, Postfix forwarder package will not fit with what I'm trying to achieve. It would mean, for each external interface, one postscreen line in master.cf passing to one smtpd defined with its own mailhost and banner.
Nothing really complex from Postfix standpoint but definitely not the way it works for the time being, even aside 2.2 related bugs.Something like:
1.1.1.1:smtp inet n - n - 1 postscreen -o smtpd_service_name=smtpd1 -o postscreen_greet_banner=whatever...... -o user=postfix -o soft_bounce=yes smtpd1 pass - - n - - smtpd -o myhostname=host1.domain.com -o smtpd_banner=host1.domain.com-xxxxxx 2.2.2.2:smtp inet n - n - 1 postscreen -o smtpd_service_name=smtpd2 -o postscreen_greet_banner=whatever2...... -o user=postfix -o soft_bounce=yes smtpd2 pass - - n - - smtpd -o myhostname=host2.domain.com -o smtpd_banner=host2.domain.com-xxxxxx -
Two pf machines reverted to 2.1.5 after all + postfix upgraded to 2.2 Postfix failed in exactly the fashion mentioned in #525 this thread. Running in two KVM VM's 64 bit.
Was this ever tested before the release? Did it ever work? What configurations were tested that worked? I waited to upgrade only a few days ago, thought it would be all good.. but not so much. No emails forwarded whatever.
-
I also faced the postfix issue described after upgrading to 2.2
Mar 13 13:24:12 postfix/master[19564]: warning: process /usr/local/libexec/postfix/qmgr pid 11100 exit status 1 Mar 13 13:24:12 postfix/master[19564]: warning: /usr/local/libexec/postfix/qmgr: bad command startup -- throttling Mar 13 13:24:12 postfix/master[19564]: warning: process /usr/local/libexec/postfix/pickup pid 11315 exit status 1 Mar 13 13:24:12 postfix/master[19564]: warning: /usr/local/libexec/postfix/pickup: bad command startup -- throttlingReason is, pickup can't find libspf2.so.2
76972: 0.012799723 access("/lib/libspf2.so.2",0) ERR#2 'No such file or directory' 76972: 0.012872347 access("/usr/lib/libspf2.so.2",0) ERR#2 'No such file or directory' 19564: 28.015840537 wait4(-1,{ EXITED,val=1 },WNOHANG,0x0) = 77346 (0x12e22) 76972: 0.012977425 write(2,"Shared object "libspf2.so.2" not found, required by "pickup"",60) = 60 (0x3c)The package ships with this library, but the linker does'nt seem to pick it up. In any case since this was not the only issue after the upgrade to 2.2 and I was pretty annoyed, here is just a very bad and ugly hack around that.
Login to the firewall
# cd /usr/local/lib # ln -s /usr/pbi/postfix-amd64/local/lib/libspf2.so.2Hope this helps.
-
<snip>In any case since this was not the only issue after the upgrade to 2.2 and I was pretty annoyed, here is just a very bad and ugly hack around that.</snip>
Does anyone know what the status of a new release is with major issues like the broken postfix forwarder addressed?
-
Does anyone know what the status of a new release is with major issues like the broken postfix forwarder addressed?
Completely orthogonal, I'd say :P
-
Hi. It is possible to save contents message to hard disk ? I have pfsense 2.1.5 and postfix services.
-
Hi. It is possible to save contents message to hard disk ? I have pfsense 2.1.5 and postfix services.
NO! This is a firewall, not a mailserver. And the package is a relay.
-
I am almost a newbie on PFsense. Nice project. Thanks!
My patrorm is an old VMware ESXi. Will the Postfix package be able to install on PFsense 2.2.1 as is and could it route to more than one internal mail host? Can I also use the MailScanner package with Postfix and PFsense 2.2.1? -
Unfortunately it's currently broken. This is one of the ongoing issues with pfSense, while the base/core functionality works well, you really can't rely on packages as packages tend to get abandoned and left in broken states on a moderately frequent basis.
You can work around the issue as discussed in this thread, but if you do, you may find that future updates of the package break due to the workaround, leaving you a larger mess to resolve, so given the amount of time it has been since this package was functional, I'd suggest installing postfix on another server and port-forwarding as needed. Your mileage may vary.
-
@The:
Unfortunately it's currently broken. …/... I'd suggest installing postfix on another server and port-forwarding as needed.
+1
That's pretty clear and obvious.
What is somewhat frustrating is that such comment and conclusion should come from pfSense.
It would be much easier to have pfSense interface not allowing any additional package as package support and reliability is at least questionable rather than having pfSense allowing to install it easily in a way that could make some people thinking that packages are fully part of pfSense :-\ -
I installed postfix and mailscanner and then uninstalled them. Does this cause any problems in the future?
-
I agree that package support is not always the greatest, but you also have to understand that Developers of these packages do it on their own free time and usually without any monetary gain. There are just a handful of Developers that I see maintaining packages at this time.
Its the fact in "Open Source" where a handful code and the balance profit from their work.
Suggestions -
- Support pfSense with a Gold Subscription
- Post bug reports that have enough detail for a Dev to be able to reproduce.
- Take the time to help Test Packages as no Dev can see all possible conditions by himself. Each network is different. So participation is really key.
- Support the Devs in other ways to keep them interested to maintain and upgrade their package(s) at each version change of pfSense.
Also realize that the Devs are planning on changing PHP to Python in v3.0. What does this mean? Well, a lot of work for the Developers to re-code all of their work and/or the work of the previous maintainer.
And I don't mean to say this in any Negative way.. we all love to use pfSense and for myself, I try to contribute in as many ways as I can, as that commitment is returned back to me in other ways. Lets keep pfSense Strong!
My 2 Cents!
-
As I noted elsewhere, the PBI disaster does not help either; no surprise people are not exactly keen to maintain the packages.
-
Could someone give a link or otherwise explain "the PBI disaster" as it relates to pfsense (mentioned upstream)?
The glowing PR of PBI explains that it's 'fully automatic' – except for the custom pre-remove and post-install scripts that are, as it explains, 'sometimes necessary'. So, 'mostly fully automatic' would have been better.
-
The thing is utterly broken. It produces whacky hardlinks to non-existent libraries because it seems to pick up dead symlinks instead (tons of packages after 2.2 was released), it is unable to find the libraries it itself ships with the package (recently sudo with 2.2.1 upgrade), and in general is just a nightmare for packaging. BSD does not exactly excel in the package managers department, but I have never seen such broken packaging format like PBI. Self-contain my ass. In general "works" like the DLL hell on Windows.
-
The only workaround I found for this is
-
install package from pfsense gui
-
go to console, remove pbi packages(not the gui)
-
Install postfix package via pkg ng
The main postfix binary works fine but all other sub process it starts die with missing libs.
I don't know if writing a guide to use pkg ng will help or add a lot of extra problems.
-
-
I agree that package support is not always the greatest, but you also have to understand that Developers of these packages do it on their own free time and usually without any monetary gain. There are just a handful of Developers that I see maintaining packages at this time.
This is crystal clear and I fully share your comment.
I'm not blaming anyone and especially not those trying to develop packages and making it available to the community :-[
However it has tons of negative side effect with potential users not understanding that "package" is not "pfSense", especially, and this is my main point, because communication from pfSense or from NetGate or even from gurus here doesn't state this clearly enough, from my own standpoint ;) -
# cd /usr/local/lib # ln -s /usr/pbi/postfix-amd64/local/lib/libspf2.so.2Also:
ln -s /usr/pbi/postfix-amd64/local/lib/libsasl2.so.3 ln -s /usr/pbi/postfix-amd64/local/lib/libpcre.so.3 -
I have been going a little nuts trying to get a simple mail relay (smart host) up and running for my local subnet, which is just about the easiest thing to do in Postfix. I was getting stuck on error messages such as "no mechanism available" and "No worthy mechs found" trying to authenticate against my ISP's relay.
In addition to linking libspf2, libpcre, and libsasl2 from /usr/pbi/postfix-amd64/local/lib, you also need to link the mechanism libraries found in /usr/pbi/postfix-amd64/local/lib/sasl2. If I knew more about FreeBSD, I would suggest updating ld.so.conf with these paths or setting a LD_LIBRARY_PATH in the environment instead of creating symlinks all over the filesystem. Alternatively, you can just install the required libraries directly from FreeBSD, which is what I did, with the following command:
pkg install libspf2 pcre cyrus-saslRestart Postfix Forwarder in the webConfigurator and you should be good to go. I've been using System > Advanced > Notifications > Test SMTP to test it. Make sure to set your email server to localhost, port to 25, From (e.g. admin@yourhost.example.com), Notification (e.g. your personal email address), and leave everything else blank/default.
Here's my "custom main.cf options" (for the time being, I'm going to try to lock it down and enable TLS now that I've got it working):
relayhost = [smtp.comcast.net]:587 smtp_sasl_auth_enable = yes smtp_sasl_security_options = smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwdUPDATE: TLS was pretty easy to turn on (following the pfSense documentation) after solving the above issues. Here's my final config:
relayhost = [smtp.comcast.net]:587 smtp_sasl_auth_enable = yes smtp_sasl_security_options = noanonymous, noplaintext smtp_sasl_tls_security_options = noanonymous smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd smtp_tls_security_level = secure smtp_tls_CAfile = /etc/ssl/cert.pem smtp_tls_loglevel = 1Apr 11 20:15:06 cerberus postfix/smtp[13917]: Verified TLS connection established to smtp.comcast.net[68.87.20.6]:587: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)See the screenshots for the rest of my "smart host" configuration. The most important part is to set it to "Listen on" loopback and your LAN interface(s), and to set MyNetworks in Access Lists to the loopback subnet and your local subnet(s). I also dumbed down the antispam settings but I'm not sure if is necessary; SMTP clients in MyNetworks might not be subject to antispam rules.
UPDATE 2: The update from 2.2.1 to 2.2.2 blew away my sasl_passwd file (I uninstalled all my packages before the update and reinstalled everything afterwards), but that was easy enough to regenerate. I moved it to /etc/postfix to prevent it from happening in the future. Everything else seems to still work fine (except for the known sqlite2/3 issue).
