Postfix - antispam and relay package
-
When you use Postfix/TLS, you should fix the DROWN Attack vulnerability:
openssl dhparam -out /usr/pbi/postfix-amd64/etc/postfix/dh2048.pem 2048and add this, below your TLS config in the custom main.cf options:
# Whenever the built-in defaults are sufficient, let the built-in # defaults stand by deleting any explicit overrides. # Disable deprecated SSL protocol versions. See: # http://www.postfix.org/postconf.5.html#smtp_tls_protocols # http://www.postfix.org/postconf.5.html#smtpd_tls_protocols # # Default in all supported stable Postfix releases since July 2015. # Defaults for the mandatory variants never allowed SSLv2. # smtpd_tls_protocols = !SSLv2, !SSLv3 smtp_tls_protocols = !SSLv2, !SSLv3 lmtp_tls_protocols = !SSLv2, !SSLv3 tlsproxy_tls_protocols = $smtpd_tls_protocols # smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3 tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols # Disable export and low-grade ciphers. See: # http://www.postfix.org/postconf.5.html#smtpd_tls_ciphers # http://www.postfix.org/postconf.5.html#smtp_tls_ciphers # # Default in all supported stable Postfix releases since July 2015. # smtpd_tls_ciphers = medium smtp_tls_ciphers = medium # Enable forward-secrecy with a 2048-bit prime and the P-256 EC curve. See # http://www.postfix.org/FORWARD_SECRECY_README.html#server_fs # http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file # http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade # # The default DH parameters use a 2048-bit strong prime as of Postfix 3.1.0. # smtpd_tls_dh1024_param_file=${config_directory}/dh2048.pem smtpd_tls_eecdh_grade = strong # Trimmed cipherlist improves interoperability with old Exchange servers # and reduces exposure to obsolete and rarely used crypto. See: # http://www.postfix.org/postconf.5.html#smtp_tls_exclude_ciphers # http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers # smtp_tls_exclude_ciphers = EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2 smtpd_tls_exclude_ciphers = EXPORT, LOW, MD5, SEED, IDEA, RC2Source: https://drownattack.com/postfix.html
DROWN Test: https://test.drownattack.com/
Postfix/TLS: http://www.checktls.com/perl/TestReceiver.pl
SSL Labs Test: https://dev.ssllabs.com/ssltest/Regards
-
Hi - any news for Postfix on 2.3? I see that it's not currently in the package list for the Beta.
-
Perhaps Marcello is very busy but I'm hoping we will hear some news too.
-
I've sent two updates today and one is missing to complete changes requested by renato
https://github.com/pfsense/FreeBSD-ports/pull/23
https://github.com/pfsense/pfsense/pull/2844 -
Many thanks for the update and also your hard work.
-
Postfix Forwarder 2.4.6 on pfSense 2.2.6 (amd64)
Based on my reading of this thread the above combination works without modification… is this correct?
Enable LDAP fetch: Installing the LDAP pkg don't work based on (hint: /usr/sbin/pkg_add -r p5-perl-ldap) as listed on the GUI?
pkg_add -r p5-perl-ldap Results: pkg_add: Command not Found
pkg add -r p5-perl-ldap Results: No Such File: -r
pkg add p5-perl-ldap Results: No Such File: p5-perl-ldap
What is it that I am missing?
-
Postfix Forwarder 2.4.6 on pfSense 2.2.6 (amd64)
Based on my reading of this thread the above combination works without modification… is this correct?
Enable LDAP fetch: Installing the LDAP pkg don't work based on (hint: /usr/sbin/pkg_add -r p5-perl-ldap) as listed on the GUI?
pkg_add -r p5-perl-ldap Results: pkg_add: Command not Found
pkg add -r p5-perl-ldap Results: No Such File: -r
pkg add p5-perl-ldap Results: No Such File: p5-perl-ldap
What is it that I am missing?
pkg install p5-perl-ldap
pkg help
For more information on the different commands see 'pkg help <command></command>'.
https://wiki.freebsd.org/pkgng
Cheers.
-
Bismarck,
Thanks! I am new to FreeBSD, so its a learning curve from Fedora.
-
Tell me it's a mistake….???
-
Tell me it's a mistake….???
Can't believe Postfix + so many other packages were removed. Time to find another solution people…
-
Marcello.
Em ontem foi oficialmente lançado pfsense estável versão 2.3, no entanto eu tenho atualizado e instalado um novo e o pacote postfix não é saídas disponíveis, listados na parcela de repos. Alguém pode me dizer o que acontece, porque se o oficial pfsense veio não sair com o pacote postfix.
In yesterday was released officially pfsense stable version 2.3, however I have updated and installed a new one and the postfix package is not available exits listed on the parcel of repos. Someone can tell me what happens, because if the officer came pfsense not come out with the postfix package.
Thanks.
En el día de ayer fue lanzado oficialmente estable la versión de pfsense 2.3, sin embargo he actualizado e instalado uno nuevo y el paquete postfix no esta disponible ni sale listado en la paquetería de los repos. Alquien me puede decir que pasa, porque si salio oficial el pfsense no salio junto el paquete postfix.
Muchas gracias.
-
I believe that Postfix will eventually appear in 2.3 as a post release addition. If you scroll back a page, Marcelloc has shown that development is still in progress linking to github. For me, this is the only reason I'm holding back from rolling out 2.3 so the sooner the better 8)
-
I believe that Postfix will eventually appear in 2.3 as a post release addition. If you scroll back a page, Marcelloc has shown that development is still in progress linking to github. For me, this is the only reason I'm holding back from rolling out 2.3 so the sooner the better 8)
Postfix will be the reason most people stay away from 2.3, pfSense is no longer a UTM…
-
It also is, but it has taken a long, long time, Macello, he said that he was preparing postfix to 2.3 for the problems that occurred in 2.2, and could not devote himself to both versions at once, that was done much, he has now gone 2.3, and still postfix still waiting.
He was ancioso by this version 2.3, in itself, I taste from RC, leaving here without postfix, something almost impresindible for me and one of the marvelous things that pfSense employment.
-
if you guys are anxious on getting postfix you should install the package, its a bsd system at the end.
-
if you guys are anxious on getting postfix you should install the package, its a bsd system at the end.
Not arguing with that but the GUI does make it easier to get up and running.
Sadly, it seems that the Postfix Forwarder is not one of the mostly widely used packages and doesn't seem to be a priority for the core team.
As dannyboy1121 pointed out, marcelloc has ported the package but he has also suggested some other changes to make life easier for packages to log. The package and the other change haven't been accepted yet. Hoping that will happen before 2.3.1 but I'm not optimistic about that.
-
Thank you for working on this, Marcello. Is there any news?
yes, I'll need to change the syslog function that enables /var/log/maillog.
Dear, Marcello.
I have a problem.
She described https://forum.pfsense.org/index.php?topic=110620.0You are given a solution to the problem. I executed the command
fetch -o /usr/local/www/postfix.php http://e-sac.siteseguro.ws/px22/postfix.txt
fetch -o /usr/local/www/widgets/widgets/postfix.widget.php http://e-sac.siteseguro.ws/px22/postfix.widget.txt
I have not changed. :'(
-
postfix is postfix, if you really need it functional, scp /your/config/files/* root@newserver:/your/new/config/files/
works…
you can check logs with cat /var/log/maillog | grep whatyouwanttosearchherethere is no point on complaining and saying that pfsense is a bad product or is no longer a UTM or all that 'sadness' (for not saying another word) trying to make the developers feel bad for you guys. they will fix it at some point. if you cant live without the graphical interface, set a VM, some forwarding rules and run it from there.
if you are unhappy, get a grip and start coding a patch yourself apply it, test it and share it here. any volunteer? ;)
-
if you guys are anxious on getting postfix you should install the package, its a bsd system at the end.
While indeed it's a bsd system at the end as you say, the 'postfix' pfsense package does more than 'pretty up' the postfix interface. Not least, it provides all the integrated config backup/setup xml config capability, the status/queue monitoring screens, etc. etc.
For those pfsense experts who not doing email managing, here are the key things you need to know:
-
this package is an email router, an email firewall. It is NOT an 'email server' or 'email system'. Think 'branch' not 'leaf'.
-
one of the most powerful things that anti-spam systems use to approve 'legit' email is to check whether the reverse DNS (ip->DNS) matches (DNS->ip) of the system claiming to be the sender of the email. If the system at that IP has a certificate with a CN that matches the DNS, the odds of having outbound email be wrongly marked as spam are less. Way less. PF already supports a cert manager which it needs for its own https purpose that matches the need for a forwarder. The edge router is just 'the right place' for the email router to live as well.
-
any 'real' email install has two or more ISPs or 'WAN' providers. Just think of all the avoidable plumbing necessary to avoid asymmetric routing if the emailer 'store and foreward' point is NATTed downstream of pfsense.
-
internet 'email exchangers' have two or more systems with different IP addresses set up in the DNS. It's a perfect fit for two pf boxes using pfsync. A common admin GUI for both.
I hope this helps motivate those who care mostly about packet routing to comprehend the appropriateness of the postfix package hosted on pfsense.
-
-
https://github.com/pfsense/pfsense/pull/2844
Looks like the Postfix package maybe will arrive with pfSense 2.3.1?
