Postfix - antispam and relay package
-
postfix 2.11 was released in January and, among other things, it contains the following enhancement:
- A new postscreen_dnsbl_whitelist_threshold feature to allow
clients to skip postscreen tests based on their DNSBL score.
This can eliminate email delays due to "after 220 greeting"
protocol tests, which otherwise require that a client reconnects
before it can deliver mail. Some providers such as Google don't
retry from the same IP address, and that can result in large
email delivery delays.
Any chance of an updated package based on postfix 2.11?
- A new postscreen_dnsbl_whitelist_threshold feature to allow
-
postfix 2.11 was released in January and, among other things, it contains the following enhancement:
- A new postscreen_dnsbl_whitelist_threshold feature to allow
clients to skip postscreen tests based on their DNSBL score.
This can eliminate email delays due to "after 220 greeting"
protocol tests, which otherwise require that a client reconnects
before it can deliver mail. Some providers such as Google don't
retry from the same IP address, and that can result in large
email delivery delays.
Any chance of an updated package based on postfix 2.11?
Oh yes please!
- A new postscreen_dnsbl_whitelist_threshold feature to allow
-
Hello
Is there any way to configure ssl authentication on the relay server? my mail server is configured to listen on port 465 with ssl and I don't know how to relay the messages to that port
Best regards, ChildrenOfSolium
-
Hello
I would like to disable all anti-spam in postfix because I use a custom Milter plugin.
How can I disable reject_unknown_sender_domain or smtpd_helo_required ?Thank you.
Parameters in "custom mail.cf" field are not applied because of precedence as you can see:
mynetworks = /usr/pbi/postfix-i386/etc/postfix/mynetwork_table mynetworks_style = host access_map_reject_code= 554 access_map_defer_code = 451 unverified_recipient_reject_code = 550 unknown_client_reject_code = 550 unknown_hostname_reject_code = 550 smtpd_sender_restrictions = permit # not applied! smtpd_milters = inet:<milter ip="">:7830 milter_default_action = reject show_user_unknown_table_name = no smtpd_helo_required = no # not applied! bounce_queue_lifetime = 0d relay_domains = mydomain.com transport_maps = hash:/usr/pbi/postfix-i386/etc/postfix/transport local_recipient_maps = relay_recipient_maps = hash:/usr/pbi/postfix-i386/etc/postfix/relay_recipients mydestination = mynetworks_style = host message_size_limit = 10240000 default_process_limit = 100 #Just reject after helo,sender,client,recipient tests smtpd_delay_reject = yes # Don't talk to mail systems that don't know their own hostname. smtpd_helo_required = yes smtpd_sender_restrictions = reject_unknown_sender_domain, permit</milter> -
postfix 2.11 was released in January and, among other things, it contains the following enhancement:
- A new postscreen_dnsbl_whitelist_threshold feature to allow
clients to skip postscreen tests based on their DNSBL score.
This can eliminate email delays due to "after 220 greeting"
protocol tests, which otherwise require that a client reconnects
before it can deliver mail. Some providers such as Google don't
retry from the same IP address, and that can result in large
email delivery delays.
Any chance of an updated package based on postfix 2.11?
Oh yes please!
second that!
- A new postscreen_dnsbl_whitelist_threshold feature to allow
-
Sorry, yaboc, Bismarck is second. You'll have to go third :)
If Google is your main problem and you missed this post, give it a try.
It is a bit of a "broad brush" but it's been working well for me.
-
Hi All
I have the postfix package all set up and working, forwarding all incoming mail to a next hop internal MTA.
I would also like to BCC all mail to an address used by an external mail scanning system.
As far as I understand, this should be as easy as adding the following line to the custom main.cf section in the pfSense WebUI:
always_bcc = archive@ <internal ip="" of="" mta="">However… It's not working.
Does anyone have any suggestions to troubleshoot this or an alternate way to achieve the same end-result.
Many thanks for your time!
Cheers</internal>
-
Hi Guys,
i am just new here although i am using pfsense since a while for different purposes in a vmware environment.
So far i am really happy.But i have one concern & problem i discovered today around the postfix-forwarder package :
Domains added in the "forward" tab shouldn't be added to relay_domains in main.cf per default.
Since transports and relay_domains are two totally different things.I'd suggest to run a regex over the aggregated relay_recipients and filter out the domain parts and include those automatically
or make a checkbox next to each domain to include it in relay_domains.
But still this doesn't make much sense and i cannot see the reason in defining a specific transport - and then delivery to these domains fails since the recipients in that domain are not listed in relay_recipients…And yes it makes sense, to separate, just think about having several vpn connections - so you want to send mail from i.e. branch offices to main offices to the internal mail server via vpn, without knowing who is a valid recipient there.
Otherwise callback verify should be enabled, so on delivery attempts to domains in the transport section postfix runs a test against the defined mail server to check if that one is accepting mail for that recipient.Anyway some might say this should be properly solved with DNS - but i tend to disagree since this is rendering the transports useless.
What do you guys think ?
For now, i fixed it by putting my actual relay_domains into postfix.inc and commented out the part where it adds the transport domains to relay_domains. -
Hi All
I have the postfix package all set up and working, forwarding all incoming mail to a next hop internal MTA.
I would also like to BCC all mail to an address used by an external mail scanning system.
As far as I understand, this should be as easy as adding the following line to the custom main.cf section in the pfSense WebUI:
always_bcc = archive@ <internal ip="" of="" mta="">However… It's not working.
Does anyone have any suggestions to troubleshoot this or an alternate way to achieve the same end-result.
Many thanks for your time!
Cheers</internal>
Hi All,
Maybe I can give a little more information here!
The config I add in the custom area in the WebUI is not seen when I use```
postconfI have restarted postfix so it should be generating new config. Any ideas? Thanks -
Sorry, yaboc, Bismarck is second. You'll have to go third :)
If Google is your main problem and you missed this post, give it a try.
It is a bit of a "broad brush" but it's been working well for me.
ha as long as it gets implemented i can wait ;) thanks for the google list biggsy, but there are other emails that we get from same domain / multiple MTAs and it's annoying. sometimes it can take hours for the mail to finally come through.
also i noticed 'permit' is used per line whereas the HINT says to use OK / REJECT
i put OK and see if it works for google servers.Thanks
-
Sorry, yaboc, Bismarck is second. You'll have to go third :)
If Google is your main problem and you missed this post, give it a try.
It is a bit of a "broad brush" but it's been working well for me.
Thanks biggsy, but unfortunately google is not the only problem, I'm tweaking my whitelist (yahoo, hotmail etc…) since few days but its a demanding job over time, so postscreen_dnsbl_whitelist_threshold would be a great help here.
-
Hi, I'm looking for some clarification on settings. Currently I have a good amount of legit email bouncing off the Helo tests
Jun 24 09:16:51 pfsense postfix/smtpd[47197]: NOQUEUE: reject: RCPT from outbound1.notrealdomain.com[12.xx.xxx.82]: 550 5.7.1 <ironport1.notrealdomain.com>: Helo command rejected: Host not found</ironport1.notrealdomain.com>I think our problem is the mismatch in hostnames. I dont want to turn off the helo tests completely as they serve a good function for when no helo at all is recieved back, but I'd like to be able to ignore these mismatches.
-
Hi, I'm looking for some clarification on settings. Currently I have a good amount of legit email bouncing off the Helo tests
Jun 24 09:16:51 pfsense postfix/smtpd[47197]: NOQUEUE: reject: RCPT from outbound1.notrealdomain.com[12.xx.xxx.82]: 550 5.7.1 <ironport1.notrealdomain.com>: Helo command rejected: Host not found</ironport1.notrealdomain.com>I think our problem is the mismatch in hostnames. I dont want to turn off the helo tests completely as they serve a good function for when no helo at all is recieved back, but I'd like to be able to ignore these mismatches.
https://forum.pfsense.org/index.php?topic=63343.0
Try in helo acl field:
/ironport1.notrealdomain.com/ OK (this is for HELO)
and in CIDR field:
12.xx.xxx.82 OK (this is for legitimate clients without or wrong rDNS)
-
I am using the postfix forwarder on pfsense.
Outbound email sent to google is getting tagged as spam and ending up in people's spam folder.
I have done some testing using http://www.allaboutspam.com/email-server-test/ and it passes everything except for BATV and DKIM.
From what I have read the lack of DKIM can cause google to mark it as spam.
Any ideas on setting DKIM up on pfsense?
thanks,
Geoff
-
Hello,
I am new to pfSense and am looking at using it to replace some postfix - spamassassin - clam gateways. We have a mail server behind and we want to forward several domains.
For the Recipients we are exporting the user list to Postfix via clean text url and that is working perfectly.
Does anyone have a way to automate/read the Forwarding Domains rather than enter them manually?
In our current system we export the transport file to the gateways. The transport file is used for both the transport_map and the relay_domains. I started working on this then realizes someone else probably has come across the same issue.
Thanks!
Todd
-
Hi,
I've been using postfix forwarder for about a year now which listens on loopback and delivers mail to internal exchange. However i can't telnet either the main WAN on 25 that postfix forwarder listens on on exchange (on it's own separate IP).
We must allow one host to be able to relay the mail. How would i set this up ?
Also not sure if this will make things easier or more complicated but we have the ability to connect with the host with IPSEC and relay directly to exchange however I can't telnet to exchange even via the IPSEC via the local exchange IP.
Would postfix forwarder have any say in it as well ? Catching mail on 25 that goes through VPN? Anything i have to set up to get this working?
Thanks
yaboc
-
Toddh,
The list of relay domains and their corresponding destination IPs is held in /usr/pbi/postfix-amd64/etc/postfix/transport
I think this is just used to build /usr/pbi/postfix-amd64/etc/postfix/transport**.db** using the command
postmap /usr/pbi/postfix-amd64/etc/postfix/transportThe transport.db file is then used by postfix, rather the plaintext transport file.
You could try creating a new transport file in the right format and run the above command but I suspect both would be overwritten if postfix is restarted.
-
Yaboc,
Are you saying that you want an external host to go directly to your Exchange server, bypassing postfix?
If so, would it not be easier to create a rule on your WAN, above the postfix one, to pass port 25 from that source host to the Exchange server?
-
biggsy,
that is correct, i have one host that i'd like to relay email through our exchange bypassing postfix, because it doesn't seem to work (relaying) with the default postfix forwarder setup.
i'd prefer to make it as secure as possible and have ipsec in place between the host and our exchange but i can't even telnet to exchange using local ip, which is strange because i can do it from through other tunnels i have set up and the rules are any/any among tunnels.
i'll try your suggestion and report back but preferably i'd like to get it to work over ipsec if possible.
thank you!
-
Is it possible to have StartTLS with PFS on pfSense 2.1.5-RELEASE (i386) / FreeBSD 8.3-RELEASE-p16 with Postfix 2.10.2 pkg v.2.3.7?
If it's possible: What do I have to add to custom main.cf options and with which options I have to create a working self signed certificate/key?
