Postfix - antispam and relay package

jamesc

Thanks.

I would like to use basic header verification and then build the rest of my config using the custom main.cf options.

Is this possible or not recommended?

If I try adding the below to my custom main.cf (when using basic header verification) I cannot get an SMTP connection into the server

disable_vrfy_command = yes
strict_rfc821_envelopes = yes

smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
permit

Any ideas?

marcelloc

This options are applied to header checks, it could not be alone on configuration.

Check current config file on view configuration postfix tab.

This way you can check what is applied to postfix.

jamesc

This is my main.cf

/usr/local/etc/postfix/main.cf
#main.cf\
#Part of the Postfix package for pfSense
#Copyright (C) 2010 Erik Fonnesbeck
#Copyright (C) 2011 Marcello Coutinho
#All rights reserved.
#DO NOT EDIT THIS FILE

mynetworks = /usr/local/etc/postfix/mynetwork_table
mynetworks_style = host
disable_vrfy_command = yes
strict_rfc821_envelopes = yes

smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
permit

smtpd_client_restrictions = reject_unknown_client_hostname,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
permit
relay_domains = mydomain.com
transport_maps = hash:/usr/local/etc/postfix/transport
local_recipient_maps =
mydestination =
mynetworks_style = host
message_size_limit = 10240000
default_process_limit = 100
#Just reject after helo,sender,client,recipient tests
smtpd_delay_reject = yes

# Don't talk to mail systems that don't know their own hostname.
smtpd_helo_required = yes
smtpd_helo_restrictions = 

smtpd_sender_restrictions = reject_unknown_sender_domain,
				permit

# Allow connections from specified local clients and rbl check everybody else if rbl check are set.
smtpd_client_restrictions = check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
				check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
				permit

# Whitelisting: local clients may specify any destination domain.
#,
smtpd_recipient_restrictions = permit_mynetworks, 
				reject_unauth_destination,
				reject_spf_invalid_sender,
				permit

postscreen_access_list = permit_mynetworks,
			cidr:/usr/local/etc/postfix/cal_cidr
postscreen_dnsbl_action= drop
postscreen_blacklist_action= drop

As you can see, the smtpd_sender_restrictions section appears twice, one is from my custom main.cf and the second is what you get as standard with basic header verification.

Are you saying this is not a valid configuration?

marcelloc

I don't know how postfix handles with two smtpd_sender_restrictions on config file.

Why don't you use strong header check and configure your internal servers on acls?

jamesc

That seems to work, thanks.  I just like to do things from scratch because it helps me learn  :)

I'm currently logging to /var/log/maillog.  I only want to retain 30 days worth of logs, is there a way I can set this up?

Also, how can I manage 'dead messages', is it possible to delete these from the queue?

marcelloc

These extra steps can be done via shell/php scripts

jamesc

Could the .db files just be deleted from /var/db/postfix or would I need to run some SQL to perform the maintenance?

marcelloc

You mean per day log files in db format?

If so, just delete it to cleanup disk.

jamesc

Yes that's correct, e.g:

2012-03-01.db
2012-03-02.db
2012-03-03.db
2012-03-04.db

Do I just delete the .db file, simple as that?

Thanks for all your advice Marcello, you have been very helpful while i've been getting to grips with this excellent package :-)

marcelloc

@jamesc:

Do I just delete the .db file, simple as that?

Yes  :)

jamesc

Marcello, I notice when I disable the anvil daemon I get these warning messages in the log:

Mar  6 13:16:58 smtp postfix/smtpd[19050]: warning: connect to private/anvil: Connection refused
Mar  6 13:16:58 smtp postfix/smtpd[19050]: warning: problem talking to server private/anvil: Connection refused

When I run the postfix upgrade-configuration command, this is what happens:

[2.0.1-RELEASE][root@smtp.lab.local]/var/log(51): postfix upgrade-configuration
Editing /usr/local/etc/postfix/master.cf, adding missing entry for anvil service
Editing /usr/local/etc/postfix/master.cf, adding missing entry for postscreen TCP service

Then these lines are added back into master.cf:

anvil	  unix	-	-	n	-	1	anvil
#smtp      inet  n       -       n       -       1       postscreen

marcelloc

The disable anvil option was added to avoid delays between connections(maybe just for debug).

If you do not have this issue, leave it enabled.

jamesc

I have internal clients relaying directly to the Postfix box and the helper text suggests it should be disabled in this scenario?

anvil - Postfix session count and request rate control.
You can disable it if your server relays mail from internal clients to internet.

marcelloc

I do. :)

Take a look on mailscanner topic.

ktims

Great package, thanks. I used to install postfix manually, and this makes life a lot easier especially on NanoBSD installs.

I have one simple request: could you add fields for relayhost and smtp_fallback_relay, as I'm just using it as a relay?

marcelloc

@ktims:

Great package, thanks. I used to install postfix manually, and this makes life a lot easier especially on NanoBSD installs.

I have one simple request: could you add fields for relayhost and smtp_fallback_relay, as I'm just using it as a relay?

Try to paste this options on custom field.

jamesc

@marcelloc:

I do. :)

Take a look on mailscanner topic.

I did, but no mention of the anvil daemon on there, unless i'm missing something obvious?

marcelloc

@jamesc:

I did, but no mention of the anvil daemon on there, unless i'm missing something obvious?

If you are having no issues with anvil, just leave it enabled.

ktims

@marcelloc:

Try to paste this options on custom field.

This works of course, a decent UI for it was just a suggestion :).

Sn3ak

Can this package be used as a secondary MX in it's current form? ie. No internal email servers.
My primary email server is co-located at another location then this pfsense box.

I honestly haven't installed the package yet, as I still have a bad taste in my mouth after installing
spamd once, and there being no warning that it would automatically start eatting email without it
being configured.

I've previously used the jails package and used ran a jail for email, but after being blown away for a clean
2.0 upgrade, and noticing this package, I thought it would be rather nice if it was able to do this.

I have read the thread, and searched the forum / wiki, and either this hasn't been answered, or I'm not searching
for the right phrases.

I know I could rtfm, and probably make this package do what I need, but that is not really what I am after, unless
there is a text box or some such for custom strings that will survive a package reinstall/upgrade/etc.

If it's not directly supported, could it be added to the todo list?

As a secondary question, (while cringing..)  has anyone tried this package with the spamd package? Just wondering
if a warning should be added on here about those.. I'm guessing the way spamd grabs control it wouldn't be compatible
with this package..