Postfix - antispam and relay package

marcelloc

@ccnet:

Two times "smtpd_recipient_restrictions".

Are you sure, the post shows smtpd__clientrestrictions and smtpdrecipient__restrictions

@ccnet:

Pfsense 2.1.5 and last version of package. Something wrong with my setup.

Better using on 2.2 with manual fixes above.

@ccnet:

So i'm a little bit confused the way main.cf is generated from the GUI. Even if I know Postfix can use each list in many restrictions.

Can you explain it better? You mean you know a better config setup to implement on this package?

foetus

Having an issue.

Since I cannot seem to install the LDAP plugin in any way or form (or even find it somewhere..) I can not get a link to Exchange to import a list of valid e-mail accounts.
Is there a way to edit Postfix (used in combination with mailscanner) to allow all e-mail accounts from a domain?

This is not used as an internal relay, just external anti-spam checking.

yes, I know this lowers the security quit a bit. But having everything blocked now with the same recipient error is the other side of the coin.

I really would just like to the the LDAP connection working. But installing the pkg like by the manual gives an error it cannot be found. And I cannot seem to source it anywhere else.
Did anyone manage to install it somehow?

2.1.5 x64 setup.

marcelloc

@foetus:

Having an issue.

Since I cannot seem to install the LDAP plugin in any way or form

Did you tried```
pkg add p5-perl-ldap

foetus

pkg_add pR5-perl-ldap
pkg_add: can't stat package file "pR5-perl-ldap"

that or cannot find package.

Tried your private hosted version from 2012. gives more errors then someone dyslexic quoting Nietzsche.

doktornotor

Yeah, perhaps you could fix your copy/paste skills. Noone told you to install nonsense like pR5-perl-ldap.

mayk

@marcelloc:

Reposting update guide for pfsense 2.2.x only:

Install package via gui
execute code below via console/ssh

fetch -o /usr/local/www/postfix.php http://e-sac.siteseguro.ws/px22/postfix.txt
fetch -o /usr/local/www/widgets/widgets/postfix.widget.php http://e-sac.siteseguro.ws/px22/postfix.widget.txt
pbi_delete postfix-2.11.3_2-amd64
rm -f /usr/pbi/bin/libexec/postfix
rm -f /usr/local/etc/postfix
rm -f /var/spool/postfix
rm -f /var/mail/postfix
rm -f /var/db/postfix
pkg install postfix

fix postfix.inc file with this patch via system patcher package

add this patch via package system patcher

**description:**postfix_inc
patch:

--- postfix.orig.inc 2015-08-18 08:15:00.000000000 +0000
+++ postfix.inc  2015-08-18 08:18:10.000000000 +0000
@@ -36,11 +36,11 @@
 require_once("globals.inc");

 $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pfs_version == "2.1" || $pfs_version == "2.2") {
-       define('POSTFIX_LOCALBASE', '/usr/pbi/postfix-' . php_uname("m"));
-} else {
+//if ($pfs_version == "2.1" || $pfs_version == "2.2") {
+//     define('POSTFIX_LOCALBASE', '/usr/pbi/postfix-' . php_uname("m"));
+//} else {
        define('POSTFIX_LOCALBASE','/usr/local');
-}
+//}

 $uname=posix_uname();
 if ($uname['machine']=='amd64')

directory:/usr/local/pkg/

Hi,

thank you for the manual fix. I have tried several times , believing i screwed up somewhere, but still no white smoke .  The error messages stay the same.
Does anyone have more suggestions in this ?  The setup is a carp unit, with a 2.1.4 install upgraded to 2.1.5 and now jumped to 2.2.4 .

Thank you in advance..

jazzl0ver

Hi.

In case someone needs to specify a port in domain forwarding, here is a patch for /usr/local/pkg/postfix.inc:

--- postfix.inc.org     2015-10-29 13:59:12.000000000 +0300
+++ postfix.inc 2015-10-29 14:19:36.000000000 +0300
@@ -263,10 +263,17 @@
        if (is_array($postfix_domains['row'])) {
                foreach ($postfix_domains['row'] as $postfix_row) {
                        $relay_domains .= ' ' . $postfix_row['domain'];
-                       if (!empty($postfix_row['mailserverip']))
-                               $transport .= $postfix_row['domain'] . " smtp:[" . $postfix_row['mailserverip'] . "]\n";
+                       if (!empty($postfix_row['mailserverip'])) {
+                               if (strrpos($postfix_row['mailserverip'], ":") === false) {
+                                       $transport .= $postfix_row['domain'] . " smtp:[" . $postfix_row['mailserverip'] . "]\n";
+                               }
+                               else {
+                                       list($t_ip, $t_port) = explode(":", $postfix_row['mailserverip']);
+                                       $transport .= $postfix_row['domain'] . " smtp:[" . $t_ip . "]:" . "$t_port\n";
                                }
                        }
+               }
+       }
        #check cron
        check_cron();
        #check logging
@@ -787,8 +794,15 @@
                } else if (substr($key, 0, 12) == "mailserverip" && is_numeric(substr($key, 12))) {
                        if (empty($post['domain' . substr($key, 12)]))
                                $input_errors[] = "Domain for {$value} cannot be blank.";
-                       if (!is_ipaddr($value) && !is_hostname($value))
-                               $input_errors[] = "{$value} is not a valid IP address or host name.";
+                       if (strrpos($value, ":") === false) {
+                               if (!is_ipaddr($value) && !is_hostname($value))
+                                       $input_errors[] = "{$value} is not a valid IP address or host name.";
+                       }
+                       else {
+                               list($t_ip, $t_port) = explode(":", $value);
+                               if (!is_ipaddr($t_ip) && !is_hostname($t_ip))
+                                       $input_errors[] = "{$value} is not a valid IP address or host name.";
+                       }
                }
        }
 }

trinidadrancheria

We are running Postfix with the patches and all seems to be fine… HOWEVER, we seem to be seeing a couple of issues...

1: I see no way of using DNS block lists like dbl.spamhaus.org (which only accept domain names, not IP addresses).
I have tried adding the option smtpd_client_restrictions=reject_rhsbl_client dbl.spamhaus.org on the general page under custom main.cf options. When I add it, I get a lot of log entries about it replacing existing smtpd_client_restrictions=reject_rhsbl_client lines.
Does not seem to work.
Suggestion: I notice you are parsing for the "," when you are saving the list to the reject_rbl_client directive. Can you add something to parse for another character like ":DNS" to put the entry in the reject_rhsbl_client directive?
Or even add a box on the antispam page for DNS Block lists?

2: We have some custom ACL headers that we scan for like /^From:.@.download/ REJECT that seem to work great, but once in a while a couple of the messages get through :P Ideas?

3: On the Access list page Helo box, no matter what we put there it does not reject. Like trying to block the .download domain from even getting past the helo.
It would be REAL nice to be able to drop the connection from a .download domain at the Helo step rather that what is happening now: Its ran through the bloc lists, then finally rejected by the sender address in the from field. A lot of wasted time for messages from a server that will be dropped anyway :P

Thanks in advance!

biggsy

@trinidadrancheria:

1: I see no way of using DNS block lists like dbl.spamhaus.org (which only accept domain names, not IP addresses).
I have tried adding the option smtpd_client_restrictions=reject_rhsbl_client dbl.spamhaus.org on the general page under custom main.cf options. When I add it, I get a lot of log entries about it replacing existing smtpd_client_restrictions=reject_rhsbl_client lines.
Does not seem to work.

Have you tried using zen.spamhaus.org in the RBL server list?  That seems to work well with IP addresses:

postfix/postscreen[83574]: CONNECT from [193.189.117.147]:29103 to [127.0.0.1]:25
postfix/dnsblog[84018]: addr 193.189.117.147 listed by domain zen.spamhaus.org as 127.0.0.4
postfix/dnsblog[84018]: addr 193.189.117.147 listed by domain zen.spamhaus.org as 127.0.0.2
postfix/postscreen[83574]: DNSBL rank 2 for [193.189.117.147]:29103
postfix/postscreen[83574]: HANGUP after 1.1 from [193.189.117.147]:29103 in tests after SMTP handshake
postfix/postscreen[83574]: DISCONNECT [193.189.117.147]:29103

trinidadrancheria

@biggsy:

@trinidadrancheria:

1: I see no way of using DNS block lists like dbl.spamhaus.org (which only accept domain names, not IP addresses).
I have tried adding the option smtpd_client_restrictions=reject_rhsbl_client dbl.spamhaus.org on the general page under custom main.cf options. When I add it, I get a lot of log entries about it replacing existing smtpd_client_restrictions=reject_rhsbl_client lines.
Does not seem to work.

Have you tried using zen.spamhaus.org in the RBL server list?  That seems to work well with IP addresses:

postfix/postscreen[83574]: CONNECT from [193.189.117.147]:29103 to [127.0.0.1]:25
postfix/dnsblog[84018]: addr 193.189.117.147 listed by domain zen.spamhaus.org as 127.0.0.4
postfix/dnsblog[84018]: addr 193.189.117.147 listed by domain zen.spamhaus.org as 127.0.0.2
postfix/postscreen[83574]: DNSBL rank 2 for [193.189.117.147]:29103
postfix/postscreen[83574]: HANGUP after 1.1 from [193.189.117.147]:29103 in tests after SMTP handshake
postfix/postscreen[83574]: DISCONNECT [193.189.117.147]:29103

Yes, I am using Zen. It is an IP address based list. It only accepts IP addresses as it should, and works fine. The Evil Nasty spammers and malware sites like to move around a lot to try and beat the ip based block lists.
The lists that I want to use are based on their domains. They only accept domain names not IP addresses. Many of the best lists are switching to domain based for better blocking.

biggsy

Sorry, I completely misread that first line in your post. :-[

I think you'll have to modify your [i]main.cf and restart postfix manually to make that work.  Unfortunately, the change will be over-written next time you save your config from the GUI.

Bismarck

@trinidadrancheria

1. You need to manually edit /usr/local/pkg/postfix.inc this will keep your changes after a postfix reload but needs to be re edited after a package update. eg.:

…
smtpd_helo_restrictions = check_helo_access pcre:{$pf_dir}/etc/postfix/helo_check,
reject_unknown_helo_hostname,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_rhsbl_helo hostkarma.junkemailfilter.com=127.0.0.2,
**        reject_rhsbl_helo dbl.spamhaus.org,**
permit
…
...
smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
**        reject_rhsbl_sender dbl.spamhaus.org, **
permit
…
...
smtpd_client_restrictions = permit_mynetworks,
reject_unauth_destination,
check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre,
check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr,
reject_unknown_client_hostname,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
reject_rhsbl_reverse_client hostkarma.junkemailfilter.com=127.0.0.2,
reject_rhsbl_reverse_client dbl.spamhaus.org,
permit
…

And I guess this is highly ineffective, since Postscreen and RBL server List already reject almost everything and its safer, because you can combine as many rbl lists you like.

http://www.postfix.org/SMTPD_ACCESS_README.html

http://www.postfix.org/POSTSCREEN_README.html

2. You missing a dot before the asterisk and add always a comment to the REJECT, easier to identify false/positives:

/^From:.@__.__.download/ REJECT Spam Rule #20191

3. see 1. & 2.

Here a few commands to check your postfix rules if they match:

postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/body_check < /root/mail.txt

postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/header_check < /root/mail.txt

postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/mime_check < /root/mail.txt

postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/helo_check < /root/mail.txt

Just copy the full mail with the header etc. into mail.txt file before execute.

Usefull: http://www.regexr.com/

Best practice is a well configurated Postfix + Mailscanner + sa-updater-custom-channels.sh + clamav-unofficial-sigs.sh = Spam > 1%.

Cheers! ;)

trinidadrancheria

I tried your format
/^From:.@..eu/ REJECT Spam Rule #20191
and is KINDA works…

It does block the .eu TLD, but also hits on addresses like From:bill@mail.eugene.ca.gov
This behavior is expected, since we are starting at the front of the screen. When I do it the right way:  /^From:.@..eu$/ (with the $ to match the end for .eu), the PCRE simulators all work fine. It catches only the .eu TLD.
But when I put it in Postfix with the $ in it, it blocks nothing :P
Am I missing something?

And thanks for the other guides. I am looking at them now :)

doktornotor

So, for anyone here who's not given up yet and is having issues with https://redmine.pfsense.org/issues/4420 - there's v2.4.5 out. If someone's wiling to undo the manual hacks (stuff like cyrus-sasl2/libspf2 installed via pkg, symlinks etc.) and report back, it'd be appreciated.

mia

Hi, guys!

I have a problem.

I installed pfsense 2.2.4 x64 with postfix. And of course had issue with sqlite. I reinstall postfix using marcelloc instruction:

fetch -o /usr/local/www/postfix.php http://e-sac.siteseguro.ws/px22/postfix.txt
fetch -o /usr/local/www/widgets/widgets/postfix.widget.php http://e-sac.siteseguro.ws/px22/postfix.widget.txt
pbi_delete postfix-2.11.3_2-amd64
rm -f /usr/pbi/bin/libexec/postfix
rm -f /usr/local/etc/postfix
rm -f /var/spool/postfix
rm -f /var/mail/postfix
rm -f /var/db/postfix
pkg install postfix
etc…

now it work. BUT it reject all mails.
Here is a part of log:

Nov 11 10:35:13 pfSense postfix/postscreen[96424]: CONNECT from [209.85.223.170]:33179 to [127.0.0.1]:25
Nov 11 10:35:19 pfSense postfix/postscreen[96424]: PASS NEW [209.85.223.170]:33179
Nov 11 10:35:19 pfSense postfix/smtpd[48617]: connect from mail-io0-f170.google.com[209.85.223.170]
Nov 11 10:35:19 pfSense postfix/smtpd[48617]: warning: unknown smtpd restriction: "reject_spf_invalid_sender"
Nov 11 10:35:19 pfSense postfix/verify[51147]: cache btree:/var/db/postfix/verify_cache full cleanup: retained=5 dropped=0 entries
Nov 11 10:35:19 pfSense postfix/smtpd[48617]: NOQUEUE: reject: RCPT from mail-io0-f170.google.com[209.85.223.170]: 451 4.3.5 Server configuration error; from= <mymail@gmail.com>to= <mymail@mydomain.ru>proto=ESMTP helo= <mail-io0-f170.google.com>Nov 11 10:35:20 pfSense postfix/cleanup[59443]: 1E0D61138ADC: message-id=<20151111083520.1E0D61138ADC@pfSense.localdomain>
Nov 11 10:35:20 pfSense postfix/smtpd[48617]: disconnect from mail-io0-f170.google.com[209.85.223.170]
Nov 11 10:35:20 pfSense postfix/qmgr[57167]: 1E0D61138ADC: from=<double-bounce@pfsense.localdomain>, size=981, nrcpt=1 (queue active)
Nov 11 10:35:20 pfSense postfix/smtp[60115]: 1E0D61138ADC: to=<postmaster@pfsense.localdomain>, orig_to=<postmaster>, relay=none, delay=0.17, delays=0.01/0.01/0.16/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=pfSense.localdomain type=A: Host not found)
Nov 11 10:35:20 pfSense postfix/bounce[68723]: warning: 1E0D61138ADC: undeliverable postmaster notification discarded
Nov 11 10:35:20 pfSense postfix/qmgr[57167]: 1E0D61138ADC: removed</postmaster></postmaster@pfsense.localdomain></double-bounce@pfsense.localdomain></mail-io0-f170.google.com></mymail@mydomain.ru></mymail@gmail.com>

I added in Access Lists -> MyNetworks:
127.0.0.1
192.168.0.247 Exchange IP
192.168.0.250 Pfsense LAN IP
192.168.0.0/24

I found this advise for Postfix forwarder on 2.1_x64

1. Copied /usr/local/etc/postfix to /usr/pbi/postfix-amd64/etc/postfix
2. Once I put 2,6s into the greet wait time under antispam, it seemed to work

but it doesn't work for me(((

It's seem something wrong with postscreen….

pease help me

mia

I've solved my problem. :)
Thanks for awesome package

trinidadrancheria

Tried this… First time I did only the helo lines, did not work, even after reboot. Nothing changed in main.cf
Did the other lines, rebooted, then it reverted with ownership errors on the database files :P
Ideas?

@Bismarck:

@trinidadrancheria

1. You need to manually edit /usr/local/pkg/postfix.inc this will keep your changes after a postfix reload but needs to be re edited after a package update. eg.:

…
smtpd_helo_restrictions = check_helo_access pcre:{$pf_dir}/etc/postfix/helo_check,
reject_unknown_helo_hostname,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_rhsbl_helo hostkarma.junkemailfilter.com=127.0.0.2,
**        reject_rhsbl_helo dbl.spamhaus.org,**
permit
…
...
smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
**        reject_rhsbl_sender dbl.spamhaus.org, **
permit
…
...
smtpd_client_restrictions = permit_mynetworks,
reject_unauth_destination,
check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre,
check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr,
reject_unknown_client_hostname,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
reject_rhsbl_reverse_client hostkarma.junkemailfilter.com=127.0.0.2,
reject_rhsbl_reverse_client dbl.spamhaus.org,
permit
…

And I guess this is highly ineffective, since Postscreen and RBL server List already reject almost everything and its safer, because you can combine as many rbl lists you like.

http://www.postfix.org/SMTPD_ACCESS_README.html

http://www.postfix.org/POSTSCREEN_README.html

2. You missing a dot before the asterisk and add always a comment to the REJECT, easier to identify false/positives:

/^From:.@__.__.download/ REJECT Spam Rule #20191

3. see 1. & 2.

Here a few commands to check your postfix rules if they match:

postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/body_check < /root/mail.txt

postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/header_check < /root/mail.txt

postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/mime_check < /root/mail.txt

postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/helo_check < /root/mail.txt

Just copy the full mail with the header etc. into mail.txt file before execute.

Usefull: http://www.regexr.com/

Best practice is a well configurated Postfix + Mailscanner + sa-updater-custom-channels.sh + clamav-unofficial-sigs.sh = Spam > 1%.

Cheers! ;)

trinidadrancheria

I ma wondering if I did not have the right section, since I have the header verification box set to basic? After stepping through the PHP should I be putting it here?

Original:

Don't talk to mail systems that don't know their own hostname.

smtpd_helo_required = yes
{$reject_unknown_helo_hostname}

smtpd_sender_restrictions = reject_unknown_sender_domain,
RBLRBLRBL

Allow connections from specified local clients and rbl check everybody else if rbl check are set.

smtpd_client_restrictions = permit_mynetworks,
reject_unauth_destination,
check_sender_access hash:{$pf_dir}/etc/postfix/sender_access,
check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre,
check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr
RBLRBLRBL

Whitelisting: local clients may specify any destination domain.

#,
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination,
check_sender_access hash:{$pf_dir}/etc/postfix/sender_access,
check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre,
check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr,
SPFSPFSPFRBLRBLRBL

Modified:

Don't talk to mail systems that don't know their own hostname.

smtpd_helo_required = yes
{$reject_unknown_helo_hostname}

smtpd_sender_restrictions = reject_unknown_sender_domain,
                                reject_rhsbl_reverse_client dbl.spamhaus.org,
RBLRBLRBL

Allow connections from specified local clients and rbl check everybody else if rbl check are set.

smtpd_client_restrictions = permit_mynetworks,
reject_unauth_destination,
check_sender_access hash:{$pf_dir}/etc/postfix/sender_access,
check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre,
check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr <–------- I see a missing , in the INC, put it in?
RBLRBLRBL

Whitelisting: local clients may specify any destination domain.

#,
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination,
check_sender_access hash:{$pf_dir}/etc/postfix/sender_access,
check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre,
check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr,
                                reject_rhsbl_reverse_client dbl.spamhaus.org,
                                reject_rhsbl_sender dbl.spamhaus.org,
                                reject_rhsbl_client dbl.spamhaus.org,
SPFSPFSPFRBLRBLRBL

I would be using MailScanner, but I am running PFSense 2.2.4 and they say mailscanner does not work, or there is something we need to do to install it right, but my other thread went unanswered to see if it is working :P

trinidadrancheria

@trinidadrancheria:

I tried your format
/^From:.@..eu/ REJECT Spam Rule #20191
and is KINDA works…

It does block the .eu TLD, but also hits on addresses like From:bill@mail.eugene.ca.gov
This behavior is expected, since we are starting at the front of the screen. When I do it the right way:  /^From:.@..eu$/ (with the $ to match the end for .eu), the PCRE simulators all work fine. It catches only the .eu TLD.
But when I put it in Postfix with the $ in it, it blocks nothing :P
Am I missing something?

And thanks for the other guides. I am looking at them now :)

In case someone else was having the same issue, I found a work around for PostFix not recognizing both the ^ (begin) and the $ (end) for an entry in the access list.
Instead of
/^From:.@..eu/ which would hit on things like bill@ci.eureka.ca.gov as well as bill@sample.eu, which is NOT what we want.
New way using word boundary
/^From:.@..eu\b/ only hits on bill.sample.eu
Now we can reject senders from certain TLDs properly :D
(The reason I did not use HELO is A: It never worked for me, and B: (BIG one) spammers are using US servers to spoof .eu in the from address so the HELO does not match).
:)

trinidadrancheria

Marceloc are you the one I talk to about patches for PF sense postfix?
I am working on a patch to implement the DNS blacklist to the package through a patch with its own list section, but it would be nice if we can add it right to the next version.
Once tested, can I send the patch to you to see what you think?

Also is there a official place to get full documentation on how the patchfile syntax?