Postfix - antispam and relay package
-
it's possible to use them as an outbound smtp proxy ? with the antispam features?
Thanks,
-
Seem to work but it's possible to disable valid recipient functionnality?
Thanks,
-
You can set your internal mail servers on ACLs -> Client Access List, but I don't know if postscreen('zombie blocker') or rbl checks can validade internal mail servers.
You can check other postfix antispam features with 'strong header verification' and ACLs for filter header,MIME and body settings.
For a deep internal mail server antispam search you may need mailscanner.
I'm working on this package now and will be available soon.best regards,
Marcello Coutinho -
how to do my main.cf configuracuion if I have it in centos bit too high I want to pass this pfSense this is my main.cf I want to enable in pfsnese
thanks for the collaboration
General settings
bounce_queue_lifetime = 6h
mailbox_size_limit = 51200000
message_size_limit = 10240000
luser_relay =
recipient_delimiter = +
message_strip_characters = \0Authentication with SASL
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomainEncryption with TLS
smtpd_tls_auth_only = yes
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_loglevel = 1Mail restrictions (note: Kolab policies are not implemented)
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
kolabpolicy_time_limit = 3600
kolabpolicy_max_idle = 20Mail routing
mailbox_transport = mailpostfilter
content_filter = mailprefilter
transport_maps = hash:/etc/postfix/transportOutbound SMTP authentication
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
unknown_local_recipient_reject_code = 550
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
smtp_sasl_type = cyrus
relayhost = [xxxx.com]:587 -
You can put your options on custom main.cf options at gui.
This package was designed to be a relay server only, I do not recomend enabling mailboxes on it.
-
I just want it to pass and I get this
postfix/smtpd[50880]: NOQUEUE: reject: RCPT from unknown[192.168.200.xxx]: 554 5.7.1 mauricio.nino@xxx.com.co: Relay access denied; from= root@localhost.localdomainto= mauricio.nino@xxx.com.coproto=ESMTP helo=<localhost.localdomain></localhost.localdomain>/mauricio.nino@xxx.com.co/root@localhost.localdomain/mauricio.nino@xxx.com.co
-
Include your 192.168.200.xxx internal ip in ACL/fiter map.
-
marcelloc
appreciate your help but I do not work I have this in the log
The truth can not be done now, I only serve as a relay,
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=check_client_access
Oct 11 16:49:45 postfix/smtpd[29361]: check_namadr_access: name unknown addr 192.168.200.14
Oct 11 16:49:45 postfix/smtpd[29361]: check_domain_access: unknown
Oct 11 16:49:45 postfix/smtpd[29361]: dict_cidr_lookup: /usr/local/etc/postfix/cal_cidr: unknown
Oct 11 16:49:45 postfix/smtpd[29361]: check_addr_access: 192.168.200.14
Oct 11 16:49:45 postfix/smtpd[29361]: dict_cidr_lookup: /usr/local/etc/postfix/cal_cidr: 192.168.200.14
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=check_client_access status=0
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=permit
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=permit status=1
Oct 11 16:49:45 postfix/smtpd[29361]: >>> START Helo command RESTRICTIONS <<<
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=reject_unknown_helo_hostname
Oct 11 16:49:45 postfix/smtpd[29361]: reject_unknown_hostname: localhost.localdomain
Oct 11 16:49:45 postfix/smtpd[29361]: lookup localhost.localdomain type A flags 0
Oct 11 16:49:45 postfix/smtpd[29361]: dns_query: localhost.localdomain (A): OK
Oct 11 16:49:45 postfix/smtpd[29361]: dns_get_answer: type A for localhost.localdomain
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=reject_unknown_helo_hostname status=0
Oct 11 16:49:45 postfix/smtpd[29361]: >>> END Helo command RESTRICTIONS <<<
Oct 11 16:49:45 postfix/smtpd[29361]: >>> START Sender address RESTRICTIONS <<<
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=reject_unknown_sender_domain
Oct 11 16:49:45 postfix/smtpd[29361]: reject_unknown_address: root@localhost.localdomain
Oct 11 16:49:45 postfix/smtpd[29361]: ctable_locate: move existing entry key root@localhost.localdomain
Oct 11 16:49:45 postfix/smtpd[29361]: reject_unknown_mailhost: localhost.localdomain
Oct 11 16:49:45 postfix/smtpd[29361]: lookup localhost.localdomain type MX flags 0
Oct 11 16:49:45 postfix/smtpd[29361]: dns_query: localhost.localdomain (MX): Host not found
Oct 11 16:49:45 postfix/smtpd[29361]: lookup localhost.localdomain type A flags 0
Oct 11 16:49:45 postfix/smtpd[29361]: dns_query: localhost.localdomain (A): OK
Oct 11 16:49:45 postfix/smtpd[29361]: dns_get_answer: type A for localhost.localdomain
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=reject_unknown_sender_domain status=0
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=permit
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=permit status=1
Oct 11 16:49:45 postfix/smtpd[29361]: >>> START Recipient address RESTRICTIONS <<<
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=reject_unauth_destination
Oct 11 16:49:45 postfix/smtpd[29361]: reject_unauth_destination: mauricio.nino@xxxx.com.co
Oct 11 16:49:45 postfix/smtpd[29361]: permit_auth_destination: mauricio.nino@xxxx.com.co
Oct 11 16:49:45 postfix/smtpd[29361]: ctable_locate: move existing entry key mauricio.nino@xxxx.com.co
Oct 11 16:49:45 postfix/smtpd[29361]: NOQUEUE: reject: RCPT from unknown[192.168.200.14]: 554 5.7.1 mauricio.nino@itac.com.co: Relay access denied; from= root@localhost.localdomainto= mauricio.nino@xxx.com.coproto=ESMTP helo=<localhost.localdomain></localhost.localdomain>/mauricio.nino@xxx.com.co/root@localhost.localdomain/mauricio.nino@itac.com.co
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=reject_unauth_destination status=2
Oct 11 16:49:45 postfix/smtpd[29361]: > unknown[192.168.200.14]: 554 5.7.1 mauricio.nino@xxxx.com.co: Relay access denied
Oct 11 16:49:45 postfix/smtpd[29361]: watchdog_pat: 0x800e115f0
Oct 11 16:49:45 postfix/smtpd[29361]: < unknown[192.168.200.14]: DATA
Oct 11 16:49:45 postfix/smtpd[29361]: > unknown[192.168.200.14]: 554 5.5.1 Error: no valid recipients
Oct 11 16:49:45 postfix/smtpd[29361]: watchdog_pat: 0x800e115f0
Oct 11 16:49:45 postfix/smtpd[29361]: < unknown[192.168.200.14]: RSET
Oct 11 16:49:45 postfix/smtpd[29361]: > unknown[192.168.200.14]: 250 2.0.0 Ok
Oct 11 16:49:45 postfix/smtpd[29361]: watchdog_pat: 0x800e115f0
Oct 11 16:49:45 postfix/smtpd[29361]: < unknown[192.168.200.14]: QUIT
Oct 11 16:49:45 postfix/smtpd[29361]: > unknown[192.168.200.14]: 221 2.0.0 Bye
Oct 11 16:49:45 postfix/smtpd[29361]: match_hostname: unknown ~? 192.168.200.0/23
Oct 11 16:49:45 postfix/smtpd[29361]: match_hostaddr: 192.168.200.14 ~? 192.168.200.0/23
Oct 11 16:49:45 postfix/smtpd[29361]: disconnect from unknown[192.168.200.14]![postfix relay.png_thumb](/public/imported_attachments/1/postfix relay.png_thumb)
![postfix relay.png](/public/imported_attachments/1/postfix relay.png)/mauricio.nino@xxxx.com.co -
marcelloc,
Thanks for all the hard work!
I have one question…
can i use the postfix forwarder to forward my mail to GMAIL server... i'm doing this now with a centos/postfix install... below is the pertinent config file entries..
SASL authentication
smtp_tls_security_level=encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
relayhost = [smtp.gmail.com]:587
transport_maps = hash:/etc/postfix/transportTLS
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/certs/git01.pem
smtp_tls_key_file = /etc/postfix/certs/git01.key
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/git01.pem
smtpd_tls_key_file = /etc/postfix/certs/git01.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
smtp_tls_loglevel = 1
tls_random_source = dev:/dev/urandom
smtp_cname_overrides_servername = no
#debug_peer_list=smtp.gmail.com
#debug_peer_level=3 -
Did you tried to include your config in custom main.cf options and of course transfer your files to pfsense?
I'm not sure if other options will affect you setup but could work.
-
marcelloc
Oct 11 16:49:45 postfix/smtpd[29361]: dns_query: localhost.localdomain (MX): Host not found
Oct 11 16:49:45 postfix/smtpd[29361]: dns_query: localhost.localdomain (A): OK
Oct 11 16:49:45 postfix/smtpd[29361]: dns_get_answer: type A for localhost.localdomain
Oct 11 16:49:45 postfix/smtpd[29361]: NOQUEUE: reject: RCPT from unknown[192.168.200.14]: 554 5.7.1 mauricio.nino@itac.com.co: Relay access denied; from= root@localhost.localdomainto= mauricio.nino@itac.com.coproto=ESMTP helo=<localhost.localdomain></localhost.localdomain>/mauricio.nino@itac.com.co/root@localhost.localdomain/mauricio.nino@itac.com.co
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=reject_unauth_destination status=2
Oct 11 16:49:45 postfix/smtpd[29361]: > unknown[192.168.200.14]: 554 5.5.1 Error: no valid recipientsmauricioniñoavella,
see what postfix is rejecting and correct it.
It looks like you tried to send a email with an invalid sender.
If you need this sender, create this domain in dns server that pfsense uses.att,
Marcello Coutinho -
marcelloc
greeting
I tried to do everythingCurrent issue if tusabes Nose to issue
generates this error since I only use smtp_sasl
mailserver postfix/smtpd[20836]: warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
mailserver postfix/smtpd[20836]: connect from unknown[xxxx.xxxx.xxxx.xxx]
mailserver postfix/smtpd[20836]: disconnect from unknown[xxxx.xxxx.xxxx.xxx]I hit it in the
custom main.cf options
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
relayhost = [smtp.xxx.com]:587thanks for your collaboration
-
Seems that many people need SASL auth, I will put in postfix forwarder TODO list.
-
Too bad I could bother you confirm if it works as a relay Services: Postfix relay and antispam (postfix forwarder) and also worked with
STARTTLSthanks for your collaboration
-
Hello,
I must say I am glad to see this package. Mail proxies and mail forwarders with filtering is a must have these days. I am new to this package and was wondering if there is any documentation on how to configure and set it up for use. Some of the setting are unclear to me.
I am not sure what the binding setting is for the WAN, LAN, and loopback and can't find anything that explains it better or what basic settings should be set to. Also, when I removed my SMTP port forward form NAT and rules to use this package, I am having trouble recieving mails. I went to mxtoolbox.com and did a diagnostics test and I don't get a header response or anything. It just says host times out from inactivity.
I really did not change any of the default setting from the install and yes I did add the domain with a forwarding internal address.
Could someone help or post a basic setup that would get this working. It is a little hard to figure settings with no documentation or explinations of settings.
Thanks,
MDP
-
at docs.pfsense.com has some info but not so detailed.
the basic setup is:
-
remove nat from port 25
-
create a wan rule to permit smtp traffic to wan address
-
check enable postfix option
-
choose at least wan loopback interfaces
-
fill your domain/internal smtp info
Many options has recommend, default and link option to postfix documentation.
I recommend enable all antispam settings too.
att,
Marcello Coutinho -
-
Hey thanks very much for the info. I will give a try. I really like the concept of this package and have waited a while to see something like this come out for pfsense, so thanks for all your hard work.
I do have one question for your response. When you say WAN loopback interface, do you mean select the WAN interface only, the loopback interface only, or both?
Thanks Again,
-
So I have e-mails forwarding ok now and thanks for the basic info for that. Just curious, as I seen in early to mid last month a post you made about mailscanner, and was wondering if this will become part of the base install of the postfix forwarder package?
Currently I am unsure how to implement this ability and not really sure on what the ACLs/Filter maps tab does.
If you made this package an all inclusive install with all the components needed for a full SMTP filter, that would be sweet.
Thanks
-
Mailscanner + spamassassin will be released soon as a new package with more then 500 options to filter spam. As I told in other posts, I'm waiting Mailscanner package compilation by core team. But if you know how mailscanner works you can add freebsd package and configure it.
Can you feedback in % how postfix + all antispam settings reduced spam messages on mailboxes?
-
Yeah, I will post some stats in a about a week. I will compare report files from our other filtering system and see what a rough % in reduction maybe. I can say that I have noticed a difference already just from last night when I enabled it. I am seeing a lot of RBLS blocks and invalide host address blocks. Normally this would get cought by our other filter, but not always for some reason.
For the most part, it seems to be working very well and I am excited for the Mailscanner package.
I have been playing around with the ACLs/Filter Maps section and was wondering if a manual blacklist block and whitelist allow will be added?
Thanks,
-
The ACLs allow you to block or permit ips, subjects, atachments and Also filter message body.
Take a look at samples below each field.
-
Ahhh yes, I am starting to understand how you are laying this out. This all makes sense now. I guess I have just been getting to use to check boxes and enable buttons way to much LOL.
Thanks again for the info.
Take Care
MDP
-
hello
marcelloc
I can confirm you this module can function as a relay host, thatis I work as an SMTP forwarder to an external mail Server using STARTTLS
I congratulate you for your great support for this great pauqete, Proxies and redirects mail, I'm new in this package I would like know if there is some configuration information, as a forwarder (SMTP) mail to an external Server "Outbound Relay Hosts"
Could anyone help me with the basic configuration to work as mail forwarder to an external server authentication through a little priest specified. It's a bit difficult to understand the configuration without documentation or configuration give some tics.
thanks for your collaboration
-
mauricioniñoavella,
The basic setup is already in this topic.
http://forum.pfsense.org/index.php/topic,40622.msg217539.html#msg217539All features in postfix forwarder package was include after many hours reading official postfix documentation.
Many features in this packages, has samples or direct links to postfix website, take a look.
Also you have the options to see the result of gui setup in View confi files tab.
Some docs about SASL say that are many implementations for it in postfix, now I'm trying to find one compatible with pfsense.
see considerations on enabling TLS
http://www.postfix.org/TLS_README.html -
marcelloc
I have a e-mail that seems to be getting blocked, which I think is a false positive. Here is the log I get back. Note that I removed the actual domain name and IP.
postfix/smtpd[32719]: NOQUEUE: reject: RCPT from mail.example.org[XXX.XXX.XXX.XXX]: 450 4.7.1 <ex02.example.local>: Helo command rejected: Host not found; from= someone@example.orgto= someone@mydomain.comproto=ESMTP helo= <ex02.example.local>I added this filter rule in the header to allow. This did not seem to work, but when I added a different rule to REJECT a different domain name, it worked.
/^From:.*@example.org/ OK
Any idea on this?
Thanks,
MDP</ex02.example.local>/someone@mydomain.com/someone@example.org</ex02.example.local>
-
The host that remote server announce on Helo smtp command Does not exist.
This is one of the header verification tests.
-
Hi all,
Postfix compilation on x64 now includes cyrus-SASL2 and TLS.
who need or want to test it, reinstall or remove/install postfix package.
No changes in gui for this option. Include all your SASL and/or TLS config in custom main.cf options
att,
Marcello Coutinho -
marcelloc,
I am getting a lot of these messages and I have seen a lot of them that are from domains and users I know. What can I do to stop these false positives. Here is the message I recieve minus real IP and domain names.
postfix/smtpd[61721]: NOQUEUE: reject: RCPT from mail.someonesdomain.com[xxx.xxx.xxx.xxx]: 450 4.7.1 <cnasrv.cna.local>: Helo command rejected: Host not found; from= someone@someonesdomain.comto= user@mydomain.comproto=ESMTP helo=<cnasrv.cna.local></cnasrv.cna.local>/user@mydomain.com/someone@someonesdomain.com</cnasrv.cna.local>
Here is my configuration. I have messed around trying to find out what is causing it and had no luck.
ACL Filter MIME:
/^name=[^>]*.(com|vbs|js|jse|exe|bat|cmd|vxd|scr|hlp|pif|shs|ini|dll)/ REJECT W do not allow files of type "$3" because of security concerns - "$2" caused the block.
/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?.(386|ad[ept]|drv|em(ai)?l|ex[_e]|xms|{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}})\b/ REJECT ".$2" file attachment types not allowed**ACL Filter CIDR:**My Internal Subnet xxx.xxx.xxx.xxx/24
Antispam:
Header Verification = strongZombie Blocker = Enabled with enforce
After greetins Test= all selected
Softbounce= enabled
RBL with = dnsbl.sorbs.net, bl.spamcop.net2, dnslb.local-5, cbl.abuseat.org, b.barracudacentral.org
RBL threshold = 1
SPF Check = Recomended setting
I have tried litteraly disabling everything and setting head check to basic to see if the messages would pass. I even added rules to the ACL filter list such as /^From:.*@someonesdomain.com OK
Is there something I can do? Do you have any suggestions?
Thanks,
MDP
-
As I told you last post, postfix is very judicious in header checks, so check your DNS server to see if this host announced by remote SMTP does exist or not.
You can also try to white-list this host in your local RBL and CIDR ACL.
I have many of these alerts too, but all of them are really spam or 'misconfigured' hosts.
-
marcelloc,
I am going to assume that they are misconfigured host because I know they are not spam emails.
I did state I added the /^From:.*@someonesdomain.com OK in the ACL's Filter in the header section. Does this not whitelist the e-mail or is it just whitelisting only one of the spam checks?
Also, if I add their domain address to the CIDR allow, wouldn't that allow their mail server to relay off ours according to the text I am reading at the bottom of that form field?
Thanks,
MDP
-
Sorry, I meant relay off the pfsense box. My mail server would not act as an open relay.
-
I am going to assume that they are misconfigured host because I know they are not spam emails.
Did you tested name resolution oh the remote host header info?
Also, if I add their domain address to the CIDR allow, wouldn't that allow their mail server to relay off ours according to the text I am reading at the bottom of that form field?
When using postscreen, the documentations says(correct me if I'm wrong) that this only prevents blocking.
When postscreen is disabled, any ip on CIDR allows relay on your server.Can you test this with any other external ip?
-
I have been using mxtoolbox.com for testing. One of the domains I am trying to figure out why it is getting blocked is clemansnelson.com
When I do a test on mxtoolbox.com for mail.clemansnelson.com I get the following.
220 CNASRV.CNA.local Microsoft ESMTP MAIL Service ready at Fri, 21 Oct 2011 12:59:31 -0400
OK - 24.123.130.226 resolves to mail.clemansnelson.com
Warning - Reverse DNS does not match SMTP Banner
0 seconds - Good on Connection time
Not an open relay.
5.335 seconds - Warning on Transaction timeThanks,
MDP
-
How would I go about disabling postscreen just to see if the mails start to come through. I thought I did disable once by simply unselecting the after greeting checks and disabling Zombie Blocker?
-
Can you see that there is a warning for this domain on your test?
I've made some tests here and mail.clemansnelson.com has a valid dns entry and it's related as SPF for clemansnelson.com.
check if your dns has same info and if postfix erros say that worng hostname is mail.clemansnelson.com or something else.
If you disable postscreen, the error will remain as it is done in header check.
-
Here is the message minus user email name and our domain name.
postfix/smtpd[10950]: NOQUEUE: reject: RCPT from mail.clemansnelson.com[24.123.130.226]: 450 4.7.1 <cnasrv.cna.local>: Helo command rejected: Host not found; from= someone@clemansnelson.comto= someone@mydomain.comproto=ESMTP helo= <cnasrv.cna.local>When you say my DNS, our you referring to my internal DNS or external WAN DNS from the firewall?
Thanks,
MDP</cnasrv.cna.local>/someone@mydomain.com/someone@clemansnelson.com</cnasrv.cna.local>
-
I have spotted about 6 other domains that I know are not spam that is getting the same message above. If I disable the Postfix forwarder and then do a temporary NAT and port forward of SMTP:25 to our internal mail server. The transparent spam filters we have will allow the message through and they do a lot of the same checks. I must have something misconfigured on postfix, or these host are not configured correctly. I am not willing to say something is wrong with the package because we are still getting a lot of good e-mails coming through.
Up above I posted my base config, can you see anything that would be causing the issue in that config?
Thanks,
MDP
-
postfix/smtpd[10950]: NOQUEUE: reject: RCPT from mail.clemansnelson.com[24.123.130.226]: 450 4.7.1 <cnasrv.cna.local>: Helo command rejected: Host not found; from= someone@clemansnelson.comto= someone@mydomain.comproto=ESMTP helo= <cnasrv.cna.local></cnasrv.cna.local>/someone@mydomain.com/someone@clemansnelson.com</cnasrv.cna.local>
The problem is this : helo=<cnasrv.cna.local></cnasrv.cna.local>
Helo host in smtp negotiaton must exist. If you allow any host in SMTP helo, you are opening your server for a lot of spam.
Many STMP admins 'foget' to configure their servers, it's normal.
In any way I suggest you to disable spam checks.
EDIT:
Note that any client behind a misconfigured server will receive this erros for many domains, so they can forward it to SMTP 'admins'
-
Well, as much as I hated to, I disabled the spam checks and saved, then disabled and saved and then renabled postfix and saved.
I am still getting the same messages?
Thanks,
MDP
-
And about your config, I suggest you to change RBL threshold to 2.
As I told you, this host error is got by header check, not postscreen.
See configuration files options in gui.in main.cf
#Don't talk to mail systems that don't know their own hostname. smtpd_helo_required = yes smtpd_helo_restrictions = reject_unknown_helo_hostname
This is a feature, not a bug or false positive.
Don't think the problem is with your setup.