Postfix - antispam and relay package
-
Mmm… Then I must ask what mail forwarder is pfsense going to replace it with?
I don't believe any replacement is planned for this. https://redmine.pfsense.org/issues/5374
-
Mmm… Then I must ask what mail forwarder is pfsense going to replace it with?
I don't believe any replacement is planned for this. https://redmine.pfsense.org/issues/5374
Does that also mean all the other mail apps like mailscanner, spamassasin, clamav ect will be falling away? Last I checked the Postfix was a MTA that sent all emails to 127.0.0.1 on the pfsense box were they were then scanned and filtered accordingly, PostFix would then send them on there way when they were done. Unless I am understanding wrong, how would I filter my mail now without PostFix?
-
Unless I am understanding wrong, how would I filter my mail now without PostFix?
On your mailserver perhaps? I don't get the idea of running postfix, spam filters and co. on a firewall… Regardless, take this with pfSense developers, I'm not one.
-
Unless I am understanding wrong, how would I filter my mail now without PostFix?
On your mailserver perhaps? I don't get the idea of running postfix, spam filters and co. on a firewall… Regardless, take this with pfSense developers, I'm not one.
Meant how would I filter my mail without PostFix "On pfSense", but I appreciate your honest replies. What a pity I liked pfSense. Cheers.
-
I'm migrating the package for 2.3.
If you use pfsense as an UTM, packages postfix, varnish, squid, mailscanner give it layer 7 ability on these protocols.
For me it's really usefull.
-
I'm migrating the package for 2.3.
If you use pfsense as an UTM, packages postfix, varnish, squid, mailscanner give it layer 7 ability on these protocols.
For me it's really usefull.
Now that is some good news for a change. PostFix "IS" one of the best used packages on pfSense. To scrap it would be going backwards. Happy days :)
-
-
Sadly SPF is broken now:
unused parameter: spf_mark_only=yes
This was a very useful option to fight sender address forgery.
Any idea how to fix?
//Edit
This could be a option?py27-postfix-policyd-spf-python works great and easy to setup! :)$ pkg install py27-postfix-policyd-spf-python Updating FreeBSD repository catalogue... FreeBSD repository is up-to-date. All repositories are up-to-date. The following 6 package(s) will be affected (of 0 checked): New packages to be INSTALLED: py27-postfix-policyd-spf-python: 1.3.2 py27-authres: 0.800 py27-spf: 2.0.12_1 py27-dns: 2.3.6_1 python2: 2_3 py27-ipaddr: 2.1.10_1 The process will require 856 KiB more space. 152 KiB to be downloaded. Proceed with this action? [y/N]: y Fetching py27-postfix-policyd-spf-python-1.3.2.txz: 100% 38 KiB 38.5kB/s 00:01 Fetching py27-authres-0.800.txz: 100% 26 KiB 26.7kB/s 00:01 Fetching py27-spf-2.0.12_1.txz: 100% 34 KiB 35.0kB/s 00:01 Fetching py27-dns-2.3.6_1.txz: 100% 31 KiB 32.0kB/s 00:01 Fetching python2-2_3.txz: 100% 1 KiB 1.1kB/s 00:01 Fetching py27-ipaddr-2.1.10_1.txz: 100% 22 KiB 22.1kB/s 00:01 Checking integrity... done (0 conflicting) [1/6] Installing python2-2_3... [1/6] Extracting python2-2_3: 100% [2/6] Installing py27-dns-2.3.6_1... [2/6] Extracting py27-dns-2.3.6_1: 100% [3/6] Installing py27-authres-0.800... [3/6] Extracting py27-authres-0.800: 100% [4/6] Installing py27-spf-2.0.12_1... [4/6] Extracting py27-spf-2.0.12_1: 100% [5/6] Installing py27-ipaddr-2.1.10_1... [5/6] Extracting py27-ipaddr-2.1.10_1: 100% [6/6] Installing py27-postfix-policyd-spf-python-1.3.2... [6/6] Extracting py27-postfix-policyd-spf-python-1.3.2: 100% Message from py27-postfix-policyd-spf-python-1.3.2: # # To configure Postfix # This package must be integrated with Postfix to be effective: 1\. Add to your postfix master.cf: policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/local/bin/policyd-spf 2\. Configure the Postfix policy service in your main.cf so that the "smtpd_recipient_restrictions" includes a call to the policyd-spf policy filter. If you already have a "smtpd_recipient_restrictions" line, you can add the "check_policy_service" command anywhere *after* the line which reads "reject_unauth_destination" (otherwise you're system can become an open relay). smtpd_recipient_restrictions = ... reject_unauth_destination check_policy_service unix:private/policyd-spf ... policyd-spf_time_limit = 3600 3\. Please consult the postfix documentation for more information on these and other settings you may wish to have in the "smtpd_recipient_restrictions" configuration. 4\. Reload postfix.
-
For me, postfix+friends on pfsense a major administrative convenience. And, it is in keeping with the spirit of what is is a 'firewall' does (if only in an expanded sense). Most of the spam traffic won't even succeed in connecting, the ones that do cause internet 'internet spam service check' requests to leave from the firewall without having to take up bandwidth on the lan, and most of the evil attachments never make it past the firewall either. It also (I hope still will) allow one 'clamav' install to manage scanning web traffic for the squid suite and also the mailscanner/email.
Also, having the 'postfix and associated packages" stack in PF allows me to leverage pf's certificate management, destination email domain routing, failover, load balancing for email. That internal domain routing bit is a security plus as traffic for domain X never travels lan segments used by those on domains A, B and C, an obvious security plus. Also it allows the internal smtp world to be very fast and lean as it needs minimal security and no need for the add-on 'nasty-checking' packages.
Remember one of the main spam defences is having the mail exchanger's reverse dns match the common name in the ssl certificate. Anytime information can be kept in one place and closer to where it's used is an admin win.
Last, the postfix config for the lan side can use the lmtp protocol which is a major overhead saver (no per message setups/teardowns).
It calls for a multiprocessor setup, lots of ram and lots of disk. I know that is not exactly what comes to mind using the word 'embedded', but the above is my $0.02 on why it's worth it.
If it were to be removed, I'd have to create not just port forward to a new subnet but a vlan just to isolate incoming email traffic, then – well, it would result in an economic bonanza for the people who sell those coffee thingys.
-
Sadly SPF is broken now:
Bismarck, have you been able to install from Available Packages? I missed a few days of 2.3 updates but haven't seen the postfix package listed.
-
Hi biggsy,
the packages should still be there:
http://files.pfsense.org/packages/10/All/postfix-2.11.3_2-amd64.pbi
regards
-
The pull request still needs to be aproved first.
-
Hello marcelloc,
since 2.2.x Postfix doesn't write spam logs to the sqlite database, thus you can't search for spam and the widget doesn't display any spam records.
This makes it really hard to track false positives. :'(
Please help!
//edit
when I execute it via putty after I send a spam test, it does write the spam record to the database file!?
[root@pfsense~]$ /usr/local/bin/php -q /usr/local/www/postfix.php 01min /usr/bin/grep '^Jan 15 09:25.*\(MailScanner\|postfix.cleanup\|postfix.smtp\|postfix.error\|postfix.qmgr\)' /var/log/maillog Found logs to 2016-01-15.db ####################################### SPAM:SpamAssassin (nicht zwischen gespeichert, Wertung=1004.701, benoetigt 3, FSL_HELO_NON_FQDN_1 0.00, GTUBE 1000.00, HTML_MESSAGE 0.00, PYZOR_CHECK 1.98, RDNS_NONE 0.00, TVD_RCVD_SINGLE 1.21, ZONK_PHISH_BODY 1.50)5E1EA1C2B99zonk ####################################### ####################################### SPAM:SpamAssassin (nicht zwischen gespeichert, Wertung=1004.701, benoetigt 3, FSL_HELO_NON_FQDN_1 0.00, GTUBE 1000.00, HTML_MESSAGE 0.00, PYZOR_CHECK 1.98, RDNS_NONE 0.00, TVD_RCVD_SINGLE 1.21, ZONK_PHISH_BODY 1.50)4E48D1C2BFBzonk ####################################### writing to database...writing to database... writing to local db 2016-01-15...ok
maybe a timeing problem?
-
The pull request still needs to be aproved first.
Thank you for working on this, Marcello. Is there any news?
-
FYI
I did a fresh install of pfSense 2.2.6 last week and the Postfix package did work out of the box, expect the search mail & widget sqlite bug, wich can be fixed by fetching the postfix.php/postfix.widget.php from:
fetch -o /usr/local/www/postfix.php http://e-sac.siteseguro.ws/px22/postfix.txt fetch -o /usr/local/www/widgets/widgets/postfix.widget.php http://e-sac.siteseguro.ws/px22/postfix.widget.txt
So NO need to delete Postfix and install it via pkgng!
Regards ;)
-
Thank you for working on this, Marcello. Is there any news?
yes, I'll need to change the syslog function that enables /var/log/maillog.
-
So NO need to delete Postfix and install it via pkgng!
It just started up or it's running and filtering email? on 2.2 I got a lot of missing libs erros on postfix subprocesses.
-
So NO need to delete Postfix and install it via pkgng!
It just started up or it's running and filtering email? on 2.2 I got a lot of missing libs erros on postfix subprocesses.
Yes it's filtering email, spam and viruses with MailScanner, I run it as my productive system since 2 weeks now, no lib errors or crashes.
Thank you for your hard work, much appreciated!
-
Hi Marcello, I'm trying pfsense 2.3 beta, and one of the essential
packages for me is postfix, but the same does not appear in the list
of available packages, you had said at the forum, which would sit in
this package postfix for version 2.3 . As it would be possible to
install that version of package postfix in pfsense 2.3 beta. Greetings
and thank you very much for the excellent work he has done. Excuse the
bad English. -
postfix 2.11 was released in January and, among other things, it contains the following enhancement:
- A new postscreen_dnsbl_whitelist_threshold feature to allow
clients to skip postscreen tests based on their DNSBL score.
This can eliminate email delays due to "after 220 greeting"
protocol tests, which otherwise require that a client reconnects
before it can deliver mail. Some providers such as Google don't
retry from the same IP address, and that can result in large
email delivery delays.
Any chance of an updated package based on postfix 2.11?
Hi Biggsy, this is working with the current package Postfix 2.11.3/pfSense 2.2.6.
To enable:
postscreen_dnsbl_whitelist_threshold=-1
edit /usr/local/pkg/postfix.inc around line 629 and add this:
$postfix_main .= "postscreen_dnsbl_whitelist_threshold=-1\n";
and restart the Postfix service.
So no more hardcodeed IPs in Client Access List / CDIR needed, for google outbound mail server etc. ;)
marcelloc, maybe you can make this a option in the Postfix menu?
- A new postscreen_dnsbl_whitelist_threshold feature to allow