Postfix - antispam and relay package

biggsy · Dec 31, 2011, 10:34 AM

Hi Marcello,

I have installed this package and it really does look very good but I haven't enabled it yet - just figuring out the configuration. A bit of background:

I run my own mailserver for a couple of domains.
My ISP's mailserver redirects any mail sent to me at ISPdomain.com to me at mydomain.com.
Port 25 outbound is blocked by my ISP (fairly standard), so my mailserver must smarthost outbound emails through their mailserver. 25 inbound is open.

A couple of questions:

Is there any special configuration needed to allow for the smarthosting?
Is outbound email from my mailserver automatically subject to the same Postfix rules as email coming from my ISP or direct to my mailserver? If so, any way to bypass that?
I can't find a way to get entries into smtpd_helo_restrictions - e.g., reject_non_fqdn_hostname. Am I missing something?

Thanks,
Biggsy

marcelloc · Dec 31, 2011, 12:52 PM

Is there any special configuration needed to allow for the smarthosting?

Include this on genereal -> custom main.cf options:
relayhost = your.server.com

Is outbound email from my mailserver automatically subject to the same Postfix rules as email coming from my ISP or direct to my mailserver? If so, any way to bypass that?

configure your internal servers in Access List -> MyNetworks

I can't find a way to get entries into smtpd_helo_restrictions - e.g., reject_non_fqdn_hostname. Am I missing something?

choose strong on Antispam -> Header verification
I also suggest enabling postscreen and all its features

After configuring it, check main.cf file in view config tab

biggsy · Jan 1, 2012, 11:23 PM

Thank you Marcello,

I've enabled it now and it does seem to be doing its job very well. You must have read a lot of documentation to get this going. I spent hours doing that - just trying to figure out what I should have in main.cf as a starting point.

You may have looked at this (and there are already more than enough parameters) but could I suggest a place in the GUI to enter myhostname as a means of overriding the default of using the hostname of the pfSense machine.

Thanks again,
Biggsy

marcelloc · Jan 2, 2012, 1:23 AM

@biggsy:

You must have read a lot of documentation to get this going. I spent hours doing that - just trying to figure out what I should have in main.cf as a starting point.

Yes I did, many many hours. I was on sendmail before :)

@biggsy:

You may have looked at this (and there are already more than enough parameters) but could I suggest a place in the GUI to enter myhostname as a means of overriding the default of using the hostname of the pfSense machine.

I'll take a note on this, for now you can change it on genereal -> custom main.cf options

Thanks for you feedback.

FiSHswe · Jan 8, 2012, 12:13 AM

Hi Marcelloc and everyone else!
First of all, thank you for a great package!
I just installed postfix on my pfsense 2.0 but i got some issues.
When i try to add custom valid recipients it doesn't work.
In the custom list box i add the users e-mail following the hint "user@mycompany.com"

The errorlog:
postfix/postmap[37560]: warning: /usr/local/etc/postfix/relay_recipients, line 2: expected format: key whitespace value
postfix/postmap[37560]: warning: /usr/local/etc/postfix/relay_recipients, line 3: expected format: key whitespace value
postfix/postmap[37560]: warning: /usr/local/etc/postfix/relay_recipients, line 4: expected format: key whitespace value
and so on…

Any ideas?

marcelloc · Jan 8, 2012, 1:25 AM

take a look on custom valid recipients field note:

Paste your valid recipients here, one per line. HINT user@mycompany.com OK

there is a value after each email.

the error says

expected format: key whitespace value
so

key= user@mycompany.com
value= OK

FiSHswe · Jan 8, 2012, 8:13 AM

Aha! :) misunderstood the syntax.
Thanks!

expert_az · Jan 9, 2012, 2:30 PM

marcelloc thank you for your great job,very userfull and helpfull package i ever used on pfsense.
any plans DKIM(opendkim) support for outgoing mails?

marcelloc · Feb 28, 2012, 3:53 PM

@jamesc:

Do you have any updates on SASL authentication and if/when it may be included in this great package?

I would love to migrate our existing SMTP solution over to this but the lack of authentication is the only thing stopping me.

James,

To try sasl auth you need to fix some missing lib from kerberos

ldd /usr/local/sbin/saslpasswd2
/usr/local/sbin/saslpasswd2:
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x800647000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x800761000)
libgssapi.so.10 => not found (0x0)
libheimntlm.so.10 => not found (0x0)
libkrb5.so.10 => not found (0x0)
libhx509.so.10 => not found (0x0)
libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8009fb000)
libasn1.so.10 => not found (0x0)
libroken.so.10 => not found (0x0)
libcrypt.so.5 => /lib/libcrypt.so.5 (0x800afd000)
libopie.so.6 => /usr/lib/libopie.so.6 (0x800c16000)
libc.so.7 => /lib/libc.so.7 (0x800d1f000)
libmd.so.5 => /lib/libmd.so.5 (0x800f5b000)

The missing libs to get sasl working can be fetched from this url

http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

and saved on /usr/local/lib/

On amd64

cd /usr/local/lib
fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libheimntlm.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10

On i386


cd /usr/local/lib
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libasn1.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libgssapi.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libheimntlm.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libhx509.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libkrb5.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libroken.so.10

after this, try to paste your sasl config com custom field at postfix configuration.

Let me know if it works :)

jamesc · Feb 28, 2012, 10:47 AM

Thanks Marcello.

I'm very new to Postfix so I will have to do some reading before I actually attempt this. I'm not so sure on what I use for my authentication backend. Can you give me some pointers?

marcelloc · Feb 28, 2012, 2:17 PM

@jamesc:

Thanks Marcello.

I'm very new to Postfix so I will have to do some reading before I actually attempt this. I'm not so sure on what I use for my authentication backend. Can you give me some pointers?

I did not used sals on pfsense, so I do not know the best way to implement this.

try to follow official postfix how to for cyrrus SASL.

http://www.postfix.org/SASL_README.html

I've also asked mauricioniñoavella to post his successfull cyrrus SASL config here.

att,
Marcello Coutinho

jamesc · Feb 29, 2012, 9:41 AM

Thank you Marcello.

The first thing i'm trying to implement is some simple anti-spoofing checks.

For example, the Postfix server is configured to accept email for mydomain.com and then to forward on to our internal mail server located within the trusted network zone.

I want Postfix to carry out a check on the MAIL FROM and RCPT TO addresses, it should immediately drop any email where both the sender address and recipient is equal to mydomain.com because these emails would never genuinely hit the Postfix gateway.

Any ideas?

marcelloc · Feb 29, 2012, 11:51 AM

This is done on postfix antispam tab.

Set strong header verification, reject when spf fails, etc.

Almost all options has a minihelp on description and default value.

jamesc · Mar 1, 2012, 2:31 PM

Thanks.

I would like to use basic header verification and then build the rest of my config using the custom main.cf options.

Is this possible or not recommended?

If I try adding the below to my custom main.cf (when using basic header verification) I cannot get an SMTP connection into the server

disable_vrfy_command = yes
strict_rfc821_envelopes = yes

smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
permit

Any ideas?

marcelloc · Mar 1, 2012, 2:37 PM

This options are applied to header checks, it could not be alone on configuration.

Check current config file on view configuration postfix tab.

This way you can check what is applied to postfix.

jamesc · Mar 1, 2012, 2:47 PM

This is my main.cf

/usr/local/etc/postfix/main.cf
#main.cf\
#Part of the Postfix package for pfSense
#Copyright (C) 2010 Erik Fonnesbeck
#Copyright (C) 2011 Marcello Coutinho
#All rights reserved.
#DO NOT EDIT THIS FILE

mynetworks = /usr/local/etc/postfix/mynetwork_table
mynetworks_style = host
disable_vrfy_command = yes
strict_rfc821_envelopes = yes

smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
permit

smtpd_client_restrictions = reject_unknown_client_hostname,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
permit
relay_domains = mydomain.com
transport_maps = hash:/usr/local/etc/postfix/transport
local_recipient_maps =
mydestination =
mynetworks_style = host
message_size_limit = 10240000
default_process_limit = 100
#Just reject after helo,sender,client,recipient tests
smtpd_delay_reject = yes

# Don't talk to mail systems that don't know their own hostname.
smtpd_helo_required = yes
smtpd_helo_restrictions = 

smtpd_sender_restrictions = reject_unknown_sender_domain,
				permit

# Allow connections from specified local clients and rbl check everybody else if rbl check are set.
smtpd_client_restrictions = check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
				check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
				permit

# Whitelisting: local clients may specify any destination domain.
#,
smtpd_recipient_restrictions = permit_mynetworks, 
				reject_unauth_destination,
				reject_spf_invalid_sender,
				permit

postscreen_access_list = permit_mynetworks,
			cidr:/usr/local/etc/postfix/cal_cidr
postscreen_dnsbl_action= drop
postscreen_blacklist_action= drop

As you can see, the smtpd_sender_restrictions section appears twice, one is from my custom main.cf and the second is what you get as standard with basic header verification.

Are you saying this is not a valid configuration?

marcelloc · Mar 1, 2012, 3:10 PM

I don't know how postfix handles with two smtpd_sender_restrictions on config file.

Why don't you use strong header check and configure your internal servers on acls?

jamesc · Mar 2, 2012, 4:07 PM

That seems to work, thanks. I just like to do things from scratch because it helps me learn :)

I'm currently logging to /var/log/maillog. I only want to retain 30 days worth of logs, is there a way I can set this up?

Also, how can I manage 'dead messages', is it possible to delete these from the queue?

marcelloc · Mar 2, 2012, 4:49 PM

These extra steps can be done via shell/php scripts

jamesc · Mar 5, 2012, 11:15 AM

Could the .db files just be deleted from /var/db/postfix or would I need to run some SQL to perform the maintenance?