Postfix - antispam and relay package
-
Thank you Marcello,
I've enabled it now and it does seem to be doing its job very well. You must have read a lot of documentation to get this going. I spent hours doing that - just trying to figure out what I should have in main.cf as a starting point.
You may have looked at this (and there are already more than enough parameters) but could I suggest a place in the GUI to enter myhostname as a means of overriding the default of using the hostname of the pfSense machine.
Thanks again,
Biggsy -
You must have read a lot of documentation to get this going. I spent hours doing that - just trying to figure out what I should have in main.cf as a starting point.
Yes I did, many many hours. I was on sendmail before :)
You may have looked at this (and there are already more than enough parameters) but could I suggest a place in the GUI to enter myhostname as a means of overriding the default of using the hostname of the pfSense machine.
I'll take a note on this, for now you can change it on genereal -> custom main.cf options
Thanks for you feedback.
-
Hi Marcelloc and everyone else!
First of all, thank you for a great package!
I just installed postfix on my pfsense 2.0 but i got some issues.
When i try to add custom valid recipients it doesn't work.
In the custom list box i add the users e-mail following the hint "user@mycompany.com"The errorlog:
postfix/postmap[37560]: warning: /usr/local/etc/postfix/relay_recipients, line 2: expected format: key whitespace value
postfix/postmap[37560]: warning: /usr/local/etc/postfix/relay_recipients, line 3: expected format: key whitespace value
postfix/postmap[37560]: warning: /usr/local/etc/postfix/relay_recipients, line 4: expected format: key whitespace value
and so on…Any ideas?
-
take a look on custom valid recipients field note:
Paste your valid recipients here, one per line. HINT user@mycompany.com OK
there is a value after each email.
the error says
expected format: key whitespace value
sokey= user@mycompany.com
value= OK -
Aha! :) misunderstood the syntax.
Thanks! -
marcelloc thank you for your great job,very userfull and helpfull package i ever used on pfsense.
any plans DKIM(opendkim) support for outgoing mails? - about a month later
-
Do you have any updates on SASL authentication and if/when it may be included in this great package?
I would love to migrate our existing SMTP solution over to this but the lack of authentication is the only thing stopping me.
James,
To try sasl auth you need to fix some missing lib from kerberos
ldd /usr/local/sbin/saslpasswd2
/usr/local/sbin/saslpasswd2:
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x800647000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x800761000)
libgssapi.so.10 => not found (0x0)
libheimntlm.so.10 => not found (0x0)
libkrb5.so.10 => not found (0x0)
libhx509.so.10 => not found (0x0)
libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8009fb000)
libasn1.so.10 => not found (0x0)
libroken.so.10 => not found (0x0)
libcrypt.so.5 => /lib/libcrypt.so.5 (0x800afd000)
libopie.so.6 => /usr/lib/libopie.so.6 (0x800c16000)
libc.so.7 => /lib/libc.so.7 (0x800d1f000)
libmd.so.5 => /lib/libmd.so.5 (0x800f5b000)The missing libs to get sasl working can be fetched from this url
http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/
and saved on /usr/local/lib/
On amd64
cd /usr/local/lib fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10 fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10 fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libheimntlm.so.10 fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10 fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10 fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10
On i386
cd /usr/local/lib fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libasn1.so.10 fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libgssapi.so.10 fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libheimntlm.so.10 fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libhx509.so.10 fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libkrb5.so.10 fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libroken.so.10
after this, try to paste your sasl config com custom field at postfix configuration.
Let me know if it works :)
-
Thanks Marcello.
I'm very new to Postfix so I will have to do some reading before I actually attempt this. I'm not so sure on what I use for my authentication backend. Can you give me some pointers?
-
Thanks Marcello.
I'm very new to Postfix so I will have to do some reading before I actually attempt this. I'm not so sure on what I use for my authentication backend. Can you give me some pointers?
I did not used sals on pfsense, so I do not know the best way to implement this.
try to follow official postfix how to for cyrrus SASL.
http://www.postfix.org/SASL_README.html
I've also asked mauricioniñoavella to post his successfull cyrrus SASL config here.
att,
Marcello Coutinho -
Thank you Marcello.
The first thing i'm trying to implement is some simple anti-spoofing checks.
For example, the Postfix server is configured to accept email for mydomain.com and then to forward on to our internal mail server located within the trusted network zone.
I want Postfix to carry out a check on the MAIL FROM and RCPT TO addresses, it should immediately drop any email where both the sender address and recipient is equal to mydomain.com because these emails would never genuinely hit the Postfix gateway.
Any ideas?
-
This is done on postfix antispam tab.
Set strong header verification, reject when spf fails, etc.
Almost all options has a minihelp on description and default value.
-
Thanks.
I would like to use basic header verification and then build the rest of my config using the custom main.cf options.
Is this possible or not recommended?
If I try adding the below to my custom main.cf (when using basic header verification) I cannot get an SMTP connection into the server
disable_vrfy_command = yes strict_rfc821_envelopes = yes smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
Any ideas?
-
This options are applied to header checks, it could not be alone on configuration.
Check current config file on view configuration postfix tab.
This way you can check what is applied to postfix.
-
This is my main.cf
/usr/local/etc/postfix/main.cf #main.cf\ #Part of the Postfix package for pfSense #Copyright (C) 2010 Erik Fonnesbeck #Copyright (C) 2011 Marcello Coutinho #All rights reserved. #DO NOT EDIT THIS FILE mynetworks = /usr/local/etc/postfix/mynetwork_table mynetworks_style = host disable_vrfy_command = yes strict_rfc821_envelopes = yes smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unauth_pipelining, reject_multi_recipient_bounce, permit smtpd_client_restrictions = reject_unknown_client_hostname, reject_unauth_pipelining, reject_multi_recipient_bounce, permit relay_domains = mydomain.com transport_maps = hash:/usr/local/etc/postfix/transport local_recipient_maps = mydestination = mynetworks_style = host message_size_limit = 10240000 default_process_limit = 100 #Just reject after helo,sender,client,recipient tests smtpd_delay_reject = yes # Don't talk to mail systems that don't know their own hostname. smtpd_helo_required = yes smtpd_helo_restrictions = smtpd_sender_restrictions = reject_unknown_sender_domain, permit # Allow connections from specified local clients and rbl check everybody else if rbl check are set. smtpd_client_restrictions = check_client_access pcre:/usr/local/etc/postfix/cal_pcre, check_client_access cidr:/usr/local/etc/postfix/cal_cidr, permit # Whitelisting: local clients may specify any destination domain. #, smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_spf_invalid_sender, permit postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/cal_cidr postscreen_dnsbl_action= drop postscreen_blacklist_action= drop
As you can see, the smtpd_sender_restrictions section appears twice, one is from my custom main.cf and the second is what you get as standard with basic header verification.
Are you saying this is not a valid configuration?
-
I don't know how postfix handles with two smtpd_sender_restrictions on config file.
Why don't you use strong header check and configure your internal servers on acls?
-
That seems to work, thanks. I just like to do things from scratch because it helps me learn :)
I'm currently logging to /var/log/maillog. I only want to retain 30 days worth of logs, is there a way I can set this up?
Also, how can I manage 'dead messages', is it possible to delete these from the queue?
-
These extra steps can be done via shell/php scripts
-
Could the .db files just be deleted from /var/db/postfix or would I need to run some SQL to perform the maintenance?
-
You mean per day log files in db format?
If so, just delete it to cleanup disk.
-
Yes that's correct, e.g:
2012-03-01.db
2012-03-02.db
2012-03-03.db
2012-03-04.dbDo I just delete the .db file, simple as that?
Thanks for all your advice Marcello, you have been very helpful while i've been getting to grips with this excellent package :-)
-
-
Marcello, I notice when I disable the anvil daemon I get these warning messages in the log:
Mar 6 13:16:58 smtp postfix/smtpd[19050]: warning: connect to private/anvil: Connection refused Mar 6 13:16:58 smtp postfix/smtpd[19050]: warning: problem talking to server private/anvil: Connection refused
When I run the postfix upgrade-configuration command, this is what happens:
[2.0.1-RELEASE][root@smtp.lab.local]/var/log(51): postfix upgrade-configuration Editing /usr/local/etc/postfix/master.cf, adding missing entry for anvil service Editing /usr/local/etc/postfix/master.cf, adding missing entry for postscreen TCP service
Then these lines are added back into master.cf:
anvil unix - - n - 1 anvil #smtp inet n - n - 1 postscreen
-
The disable anvil option was added to avoid delays between connections(maybe just for debug).
If you do not have this issue, leave it enabled.
-
I have internal clients relaying directly to the Postfix box and the helper text suggests it should be disabled in this scenario?
anvil - Postfix session count and request rate control. You can disable it if your server relays mail from internal clients to internet.
-
I do. :)
Take a look on mailscanner topic.
-
Great package, thanks. I used to install postfix manually, and this makes life a lot easier especially on NanoBSD installs.
I have one simple request: could you add fields for relayhost and smtp_fallback_relay, as I'm just using it as a relay?
-
Great package, thanks. I used to install postfix manually, and this makes life a lot easier especially on NanoBSD installs.
I have one simple request: could you add fields for relayhost and smtp_fallback_relay, as I'm just using it as a relay?
Try to paste this options on custom field.
-
I do. :)
Take a look on mailscanner topic.
I did, but no mention of the anvil daemon on there, unless i'm missing something obvious?
-
I did, but no mention of the anvil daemon on there, unless i'm missing something obvious?
If you are having no issues with anvil, just leave it enabled.
-
Try to paste this options on custom field.
This works of course, a decent UI for it was just a suggestion :).
-
Can this package be used as a secondary MX in it's current form? ie. No internal email servers.
My primary email server is co-located at another location then this pfsense box.I honestly haven't installed the package yet, as I still have a bad taste in my mouth after installing
spamd once, and there being no warning that it would automatically start eatting email without it
being configured.I've previously used the jails package and used ran a jail for email, but after being blown away for a clean
2.0 upgrade, and noticing this package, I thought it would be rather nice if it was able to do this.I have read the thread, and searched the forum / wiki, and either this hasn't been answered, or I'm not searching
for the right phrases.I know I could rtfm, and probably make this package do what I need, but that is not really what I am after, unless
there is a text box or some such for custom strings that will survive a package reinstall/upgrade/etc.If it's not directly supported, could it be added to the todo list?
As a secondary question, (while cringing..) has anyone tried this package with the spamd package? Just wondering
if a warning should be added on here about those.. I'm guessing the way spamd grabs control it wouldn't be compatible
with this package.. -
This package is not compatible with spamd if you want to use postfix to filter spam and bad configured/fake servers. Both need to be the fist contact from remote server.
Afaik, Spamd needs a forward mail server so That's why postfix first release was done for.
Postfix package has a lot of reports to help you identify What happened to rejected Message and postscreen(anti zombie)+ rbls + spf + header checks are very good on Message filtering.
Something this package does not act as a mail server and no plans to be, so no local mailboxes, just an inbound/outbound filter to another smtp server(s).
Mailscanner package implements more filtering options and antivirus to this MTA filtering solution.
If you are really good on postfix and believe That you have better config files to run postfix on pfsense, you can install postfix package itself and configure it by hand using filer package. This way all custom setup you have can be applied, just like I supose you did on jails.
Postfix forwarder has a custom field to save options That are not on gui.
Att,
Marcello Coutinho -
Something this package does not act as a mail server and no plans to be, so no local mailboxes, just an inbound/outbound filter to another smtp server(s).
A secondary MX wouldn't have local mailboxes (well a dedicated backup MX anyways). and is essentially the same thing, except storing the emails for
a potentially longer period of time if the primary mail server is down.So, is the answer the same? If so, that's fine, again I can use my Jail solution, but a neat little appliance package would be cool.
-
Backup mx holding Messages until mx1 is back can be done wih this package. :)
I have also edited previous post while you where answering, take a look.
I think you will like postfix forwarder package. ;)
-
Great, glad to hear. Actually I know very little about postfix, I've historically been a qmail guy.
Any pointers on setting it up as a backup mx? or am I going to need to add custom fields?I think I will attempt to setup a vm (to be on the safe side) to test this with later this evening
if I get a chance. -
Configure your mx1 to accept relay from mx2 and add mx1 on postfix config as an internal server.
Quite simple and full gui support for this setup. :)
Most all options has help,hints and link to oficial postfix documentation.
Just to know, I was a sendmail guy before decide to migrate this antispam solution to postfix.
-
Perfect, I'll be giving it a shot. Thanks for the information.
Yeah, I used sendmail for a # of years before moving to qmail for an anti-spam solution
as amavisd wasn't really cutting it back then.I'm tired of trying to figure out qmail logs when things break though, so I've been meaning
to try out postfix, and this is the perfect opportunity to kick the tires a little. -
Figured I would report my success. The package looks great.
It looks like Anvil Daemon is more or less required, otherwise
it spits out errors in the maillog, and seems to cause a small
connection delay as well (at least on my setup).I turned off most of the protections, since it is a secondary
MX, and I wasn't doing any filtering previously, at least until
I have a chance to read up more as to what the settings do.I am however however excited by the Valid recipients from clear
text url option. That will cut out a lot of the junk that gets stuck
in the secondary MX.I'll need to read more about that, and find out the format of the
text file, and how often it polls, but that is a very nice option.Thanks for the good work.
-
The format is
Email@domain.com ok
Admin@domain.com ok
.
.
.As my active directory is on local lan, I've setup a 1h update frequecy.
-
Thanks, I haven't had a chance to try that.. I do have another problem that you may be able to help me with.
It seems adding:
myhostname=mx02.example.com
smtp_helo_name=mx02.example.comis ignored by postfix, at first it wasn't being added to main.cf, but finally that started working, however is being ignored.
postconf -d | grep example
mydomain = example.local
myhostname = pfsense.example.localas well as smtp_helo_name = not being respected if changed either.
I'm attempting to change the name to my correct external hostname so other email servers (including my primary) don't get
upset due to the .local address