• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Postfix - antispam and relay package

pfSense Packages
136
855
1.0m
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • I
    ics
    last edited by Jul 4, 2012, 12:45 PM

    Hi,

    My Postfix rejects emails from a server with the error : "Client host rejected: cannot find your hostname"
    However, the IP address is perfectly resolvable.
    And in maillog :
    "warning: ...: hostname domain.net verification failed: hostname nor servname provided, or not known"

    I tried to add the IP address in MyNetworks, no change.

    Do you know what is misconfigured ?

    Thanks

    1 Reply Last reply Reply Quote 0
    • M
      marcelloc
      last edited by Jul 4, 2012, 1:23 PM

      The ip address is resolvable, but hostname that server sent on smtp header is?

      Sometimes this wrong hostname is sent on servername or helo info.

      Treinamentos de Elite: http://sys-squad.com

      Help a community developer! ;D

      1 Reply Last reply Reply Quote 0
      • I
        ics
        last edited by Jul 4, 2012, 1:45 PM

        postfix says :
        RCPT from unknown[IP_Address]: 450 4.7.1 Client host rejected: cannot find your hostname
        The helo is correct and correspond to the IP address when resolved.

        The hostname in smtp header is the HELO ?
        If not where can I find it in the log ?

        Anyway, why is it still rejected while the IP is in MyNetworks ?

        1 Reply Last reply Reply Quote 0
        • M
          marcelloc
          last edited by Jul 4, 2012, 4:40 PM

          @ics:

          Anyway, why is it still rejected while the IP is in MyNetworks ?

          even on MyNetworks, the email must be correct.
          The mynetworks will allow this ip to relay to any domain.

          Add this ipname on dns forwarder host override list and check if it pass the resolv test.

          att,
          Marcello Coutinho

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

          1 Reply Last reply Reply Quote 0
          • I
            ics
            last edited by Jul 5, 2012, 11:15 AM

            @marcelloc:

            Add this ipname on dns forwarder host override list and check if it pass the resolv test.

            It works.

            Thank you

            1 Reply Last reply Reply Quote 0
            • A
              arosenau
              last edited by Jul 13, 2012, 12:03 AM

              Has anyone been able to get this to work using Gmail as a relay? I get the following errors when I try and relay through gmail using this package

              Jul 12 23:50:51
              postfix/smtp[17005]: unable to dlopen /usr/local/lib/sasl2/libgssapiv2.so.2: Shared object "libgssapi.so.10" not found, required by "libgssapiv2.so.2"

              Jul 12 23:50:51
              postfix/smtp[17005]: unable to dlopen /usr/local/lib/sasl2/libgssapiv2.so.2: Shared object "libgssapi.so.10" not found, required by "libgssapiv2.so.2"

              Jul 12 23:50:51
              postfix/smtp[17005]: cannot load Certificate Authority data: disabling TLS support

              Jul 12 23:50:51
              postfix/smtp[17005]: warning: TLS library problem: 17005:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:126:fopen('/etc/pki/tls/certs/ca-bundle.crt','r'):

              Jul 12 23:50:51
              postfix/smtp[17005]: warning: TLS library problem: 17005:error:2006D080:BIO routines:BIO_new_file:no such file:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:129:

              Jul 12 23:50:51
              postfix/smtp[17005]: warning: TLS library problem: 17005:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/by_file.c:274:

              I think the most important error is this one
              postfix/smtp[17005]: cannot load Certificate Authority data: disabling TLS support

              and I would assume that is because it can't find the smtp_tls_CAfile which I also can't find anywhere on the pfsense box, so I can't specify the correct path in my main.cf file.

              Any ideas? I'm sure its something simple i missed.  :P

              1 Reply Last reply Reply Quote 0
              • M
                marcelloc
                last edited by Jul 13, 2012, 3:34 AM

                @arosenau:

                Any ideas? I'm sure its something simple i missed.  :P

                you will need some libs from freebsd to get it working.

                take a look on my repo.
                i386
                http://e-sac.siteseguro.ws/pfsense/8/All/ldd/

                amd64
                http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                1 Reply Last reply Reply Quote 0
                • A
                  arosenau
                  last edited by Jul 16, 2012, 3:20 PM

                  @marcelloc:

                  @arosenau:

                  Any ideas? I'm sure its something simple i missed.  :P

                  you will need some libs from freebsd to get it working.

                  take a look on my repo.
                  i386
                  http://e-sac.siteseguro.ws/pfsense/8/All/ldd/

                  amd64
                  http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

                  Can you point me in the right direction on how to get these installed? I am familiar with apt and yum in the Linux world, but I don't know how package management works in the freebsd/pfsense world.

                  1 Reply Last reply Reply Quote 0
                  • M
                    marcelloc
                    last edited by Jul 16, 2012, 3:32 PM

                    @arosenau:

                    Can you point me in the right direction on how to get these installed?

                    Just download the missing libs to /usr/local/lib using fetch cmd on console/ssh and try again.

                    att,
                    Marcello Coutinho

                    Treinamentos de Elite: http://sys-squad.com

                    Help a community developer! ;D

                    1 Reply Last reply Reply Quote 0
                    • A
                      arosenau
                      last edited by Jul 16, 2012, 9:49 PM

                      @marcelloc:

                      Just download the missing libs to /usr/local/lib using fetch cmd on console/ssh and try again.

                      att,
                      Marcello Coutinho

                      So I got those packages downloaded and stopped and started post fix but I'm still having the same errors. Also I didn't mention in my first post that I also get an error that says " Must issue a STARTTLS command first. y5sm20759670igb.11 (in reply to MAIL FROM command))" I would assume I"m getting this error because it can't load the Certificate Authority data and it disabled TLS support.

                      1 Reply Last reply Reply Quote 0
                      • M
                        marcelloc
                        last edited by Jul 16, 2012, 10:02 PM

                        @arosenau:

                        Jul 12 23:50:51
                        postfix/smtp[17005]: unable to dlopen /usr/local/lib/sasl2/libgssapiv2.so.2: Shared object "libgssapi.so.10" not found, required by "libgssapiv2.so.2"

                        The postfix message looks for libs on /usr/local/lib/sasl2/ instead of  /usr/local/lib like I've posted.

                        can you try to copy these libs to /usr/local/lib/sasl2/ and teste again?

                        att,
                        Marcello Coutinho

                        Treinamentos de Elite: http://sys-squad.com

                        Help a community developer! ;D

                        1 Reply Last reply Reply Quote 0
                        • A
                          arosenau
                          last edited by Jul 16, 2012, 10:11 PM

                          @marcelloc:

                          The postfix message looks for libs on /usr/local/lib/sasl2/ instead of  /usr/local/lib like I've posted.

                          can you try to copy these libs to /usr/local/lib/sasl2/ and teste again?

                          att,
                          Marcello Coutinho

                          Still doesn't work, although the error now looks slightly different "unsupported file layout"

                          Jul 16 22:12:40 postfix/smtp[9495]: unable to dlopen /usr/local/lib/sasl2/libgssapiv2.so.2: /usr/local/lib/libgssapi.so.10: unsupported file layout 
                          Jul 16 22:12:40 postfix/smtp[9495]: unable to dlopen /usr/local/lib/sasl2/libgssapiv2.so.2: /usr/local/lib/libgssapi.so.10: unsupported file layout 
                          Jul 16 22:12:40 postfix/smtp[9495]: cannot load Certificate Authority data: disabling TLS support 
                          Jul 16 22:12:40 postfix/smtp[9495]: warning: TLS library problem: 9495:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:126:fopen('/etc/pki/tls/certs/ca-bundle.crt','r'): 
                          Jul 16 22:12:40 postfix/smtp[9495]: warning: TLS library problem: 9495:error:2006D080:BIO routines:BIO_new_file:no such file:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:129: 
                          Jul 16 22:12:40 postfix/smtp[9495]: warning: TLS library problem: 9495:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/by_file.c:274: 
                          Jul 16 22:12:40 postfix/smtp[9495]: 0EE7440B28F: to=<armyreciepent@gmail.com>, relay=smtp.gmail.com[209.85.225.108]:587, delay=0.64, delays=0.37/0.02/0.21/0.04, dsn=5.7.0, status=bounced (host smtp.gmail.com[209.85.225.108] said: 530 5.7.0 Must issue a STARTTLS command first. ud8sm20864816igb.4 (in reply to MAIL FROM command)) 
                          Jul 16 22:12:40 postfix/cleanup[9348]: A5BBD40B298: message-id=<20120716221240.A5BBD40B298@relay> 
                          Jul 16 22:12:40 postfix/bounce[9782]: 0EE7440B28F: sender non-delivery notification: A5BBD40B298 
                          Jul 16 22:12:40 postfix/qmgr[53688]: A5BBD40B298: from=<>, size=2493, nrcpt=1 (queue active) 
                          Jul 16 22:12:40 postfix/qmgr[53688]: 0EE7440B28F: removed 
                          Jul 16 22:12:40 postfix/smtp[9495]: A5BBD40B298: to=<xxx@mydomain.com>, relay=smtp.gmail.com[209.85.225.109]:587, delay=0.16, delays=0.01/0/0.12/0.04, dsn=5.7.0, status=bounced (host smtp.gmail.com[209.85.225.109] said: 530 5.7.0 Must issue a STARTTLS command first. k5sm9875094igq.12 (in reply to MAIL FROM command)) 
                          Jul 16 22:12:40 postfix/qmgr[53688]: A5BBD40B298: removed</xxx@mydomain.com></armyreciepent@gmail.com> 
                          
                          1 Reply Last reply Reply Quote 0
                          • M
                            marcelloc
                            last edited by Jul 16, 2012, 10:42 PM

                            @arosenau:

                            Still doesn't work, although the error now looks slightly different "unsupported file layout"

                            It normally means you have copied files from a different arch. (i386 files on amd64 for example)

                            Treinamentos de Elite: http://sys-squad.com

                            Help a community developer! ;D

                            1 Reply Last reply Reply Quote 0
                            • A
                              arosenau
                              last edited by Jul 17, 2012, 12:47 AM

                              @marcelloc:

                              It normally means you have copied files from a different arch. (i386 files on amd64 for example)

                              Yep that was the issue there. I didn't build this box and just assumed it was 64 bit and turns out it is only 32 bit. So that solved those errors although it still doesn't work and I have the below errors, all concerning TLS.

                              Jul 17 00:47:50 postfix/smtp[11692]: cannot load Certificate Authority data: disabling TLS support 
                              Jul 17 00:47:50 postfix/smtp[11692]: warning: TLS library problem: 11692:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:126:fopen('/etc/pki/tls/certs/ca-bundle.crt','r'): 
                              Jul 17 00:47:50 postfix/smtp[11692]: warning: TLS library problem: 11692:error:2006D080:BIO routines:BIO_new_file:no such file:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:129: 
                              Jul 17 00:47:50 postfix/smtp[11692]: warning: TLS library problem: 11692:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/by_file.c:274: 
                              Jul 17 00:47:50 postfix/smtp[11692]: DDAE740B293: to=<myrecipient@gmail.com>, relay=smtp.gmail.com[209.85.225.109]:587, delay=0.65, delays=0.37/0.08/0.17/0.04, dsn=5.7.0, status=bounced (host smtp.gmail.com[209.85.225.109] said: 530 5.7.0 Must issue a STARTTLS command first. g5sm10214882ign.4 (in reply to MAIL FROM command)) 
                              Jul 17 00:47:50 postfix/cleanup[11555]: 841B240B29D: message-id=<20120717004750.841B240B29D@relay> 
                              Jul 17 00:47:50 postfix/bounce[11894]: DDAE740B293: sender non-delivery notification: 841B240B29D 
                              Jul 17 00:47:50 postfix/qmgr[56809]: 841B240B29D: from=<>, size=2491, nrcpt=1 (queue active) 
                              Jul 17 00:47:50 postfix/qmgr[56809]: DDAE740B293: removed 
                              Jul 17 00:47:50 postfix/smtp[11692]: 841B240B29D: to=<myuser@mydomain.com>, relay=smtp.gmail.com[209.85.225.108]:587, delay=0.17, delays=0.01/0/0.12/0.04, dsn=5.7.0, status=bounced (host smtp.gmail.com[209.85.225.108] said: 530 5.7.0 Must issue a STARTTLS command first. pp4sm21477529igb.5 (in reply to MAIL FROM command)) 
                              Jul 17 00:47:50 postfix/qmgr[56809]: 841B240B29D: removed</myuser@mydomain.com></myrecipient@gmail.com> 
                              
                              1 Reply Last reply Reply Quote 0
                              • A
                                arosenau
                                last edited by Jul 17, 2012, 1:23 AM

                                So I ended up solving the TLS errors by downloading the following cert bundle. Is this the correct bundle? It is working now but is this the long term solution?

                                http://curl.haxx.se/ca/cacert.pem

                                1 Reply Last reply Reply Quote 0
                                • M
                                  marcelloc
                                  last edited by Jul 17, 2012, 3:54 AM

                                  I think this TLS ca missing cert is from remote site certificate.

                                  the ca_root certificate package on freebsd ports is ca_root_nss-3.13.5

                                  Mailscanner package installs it, but the way you did(if you trust http://curl.haxx.se site) also installed the ca bundle certs file.

                                  schedule from time to time an ca_bundle file update.

                                  Treinamentos de Elite: http://sys-squad.com

                                  Help a community developer! ;D

                                  1 Reply Last reply Reply Quote 0
                                  • U
                                    Unubtanium
                                    last edited by Jul 26, 2012, 12:02 PM

                                    So if i am not way leftfield, would i go about stopping backscatter coming in with something like this:
                                    OR have i blown a logic fuse  :P

                                    By put this in header check under ACL

                                    /^(From|Return-Path):.*\b(user@domain.tld)\b/
                                           reject forged sender address in $1: header: $2

                                    And putting this in body checks

                                    /^[> ](From|Return-Path):.\b(user@domain.tld)\b/
                                           reject forged sender address in $1: header: $2

                                    I am a bit confused after reading this: http://www.postfix.org/BACKSCATTER_README.html
                                    DO i have to manually have to change the user@domain to my local domain users so it would be user@mydomain.com and or will
                                    it check my Valid recipients and block ALL external emails that comes from the internet with my Valid recipients as from field?
                                    ???

                                    And would this also help stopping me from being a source for backscatter? or again have i blown a fuse??

                                    1 Reply Last reply Reply Quote 0
                                    • M
                                      marcelloc
                                      last edited by Jul 26, 2012, 2:29 PM

                                      @Unubtanium:

                                      I am a bit confused after reading this: http://www.postfix.org/BACKSCATTER_README.html
                                      DO i have to manually have to change the user@domain to my local domain users so it would be user@mydomain.com and or will
                                      it check my Valid recipients and block ALL external emails that comes from the internet with my Valid recipients as from field?
                                      ???

                                      All postfix antispam settings(spf checks, helo checks, etc..) and valid recipients can do a really good job on rejecting junk/misconfigured mail servers.
                                      If you want to apply these backscatter rules, you need to change user@domain to your domain.

                                      @Unubtanium:

                                      And would this also help stopping me from being a source for backscatter? or again have i blown a fuse??

                                      Do you have any postfix log with these backscatter on your domain?

                                      att,
                                      Marcello Coutinho

                                      Treinamentos de Elite: http://sys-squad.com

                                      Help a community developer! ;D

                                      1 Reply Last reply Reply Quote 0
                                      • U
                                        Unubtanium
                                        last edited by Jul 26, 2012, 2:41 PM

                                        @marcelloc:

                                        Do you have any postfix log with these backscatter on your domain?

                                        att,
                                        Marcello Coutinho

                                        No i do not, it is just me being very worried about it and want to take any steps to stop it.

                                        So i guess it is all smooth sailing for now.
                                        Just need to figure this one out:

                                        07-26-2012 15:40:28 Mail.Info lanip Jul 26 15:42:50 postfix/postscreen[13438]: DISCONNECT [49.236.198.230]:64766
                                        07-26-2012 15:40:28 Mail.Info lanip Jul 26 15:42:50 postfix/postscreen[13438]: HANGUP after 1.1 from [49.236.198.230]:64766 in tests after SMTP handshake
                                        07-26-2012 15:40:27 Mail.Info lanip Jul 26 15:42:49 postfix/postscreen[13438]: CONNECT from [49.236.198.230]:64766
                                        07-26-2012 15:40:27 Local0.Info lanip Jul 26 15:42:49 pf:     49.236.198.230.64766 > wanip.25: Flags [ S ], cksum 0xa6f8 (correct), seq 652894980, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

                                        And then finaly i can enjoy the Olympic :)

                                        1 Reply Last reply Reply Quote 0
                                        • Z
                                          zlyzwy
                                          last edited by Jul 27, 2012, 6:38 AM

                                          Hi Marcelloc,

                                          I got these error message from maillog:

                                          Jul 27 14:40:59 pfsense MailScanner[9782]: You want to use SpamAssassin but have not installed it.
                                          Jul 27 14:40:59 pfsense MailScanner[9782]: Please download http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/install-Clam-SA.tar.gz and unpack it and run ./install.sh to install it, then restart MailScanner.
                                          Jul 27 14:40:59 pfsense MailScanner[9782]: I will run without SpamAssassin for now, you will not detect much spam until you install SpamAssassin.

                                          All the email has been hold by postfix…
                                          Do you know any reason why this will happen?
                                          Thanks~

                                          Zlyzwy

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.