Netgate Discussion Forum

    Postfix - antispam and relay package

    • M Offline
      mschiek01
      last edited by

      @BenKenobe:

      I'm quite happy to drop the 'secondary' defenses once I'm satisfied that the primary are working well.

      How do I stop Postfix forwarding or rejecting nonexistent addresses though, and how do I make it substitute the local mail server IP for the 'correct' public one?

      I have explicitly stated which accounts are acceptable on the 'Custom Valid Recipients' tab, by doing so would expect Postfix to deal with all others but it still checks against the mail server for 'account existence' and uses the message returned by the mail server so even though it doesn't pass the mail it still checks for the accounts presence every single time - which I don't think it should do, it should only attempt delivery of specifically identified accounts - all others need to be handled 100% by Postfix with no involvement of the mail server at all.

      Do you have this line in your config?

      **You need to have a command line in the access lists -> "filters while receiving mail"

      It should be something like this "/^from:/ HOLD"**

      You need the above line and I don't see where you ever said you had it?

      With the mail log, did you stop and restart postfix? Don't do it from the GUI, as I am not sure that works, or at least I have had problems with it. Use the command line.

      /usr/local/etc/rc.d/postfix onestop

      /usr/local/etc/rc.d/postfix onestart

      This will also give you a better idea of any errors that are occurring during startup.

      As soon as you do this, if you go to /var/log/maillog you should see activity.

      • B Offline
        BenKenobe
        last edited by

        I restarted via the command line and the mail log is now populating … I'll remember that one.

        With regard to the filter - I didn't add any - didn't see the need since I explicitly defined my recipients list; I'd have assumed that anything not in that list could be 'delayed' or 'rejected' by default.

        I see the filter mentioned has a /HOLD on it so maybe that's the missing link - although I fail to see how that works since the 'from' isn't what I'm trying to control - it is the 'to'. If I look at the examples they show 'sender' email addresses, not recipient addresses - I don't really care who is sending.

        I'll try to dig into the documentation a little deeper.

        • M Offline
          mschiek01
          last edited by

          Are you using postfix/mailscanner? I assumed you were; maybe you are not?

          If not, then you are correct, you don't need that.

          • B Offline
            BenKenobe
            last edited by

            No, not using mailscanner - is it something worth using?

            I currently have 'SpamD -> Postfix -> Mail Server' and it seems to be keeping the spammers at bay, has also stopped brute force attacks to port 25. I wish I didn't need SpamD because of the delays it creates with 'unknown' senders but I've not seen a single 'spammer' in any inbox today and only one brute force attempt to a mail port that I've since closed (I've now closed all non-TLS ports except 25 - and that's routed through the filters).

            I've got the mail server pretty well hardened, just need to resolve the reject message IP address now …

            • M Offline
              mschiek01
              last edited by

              In the postfix GUI go to view config -> master cf and check and make sure you have this in the config:

              /sender_access,
              reject_non_fqdn_helo_hostname,
              reject_unknown_recipient_domain,
              reject_non_fqdn_recipient,
              reject_multi_recipient_bounce,
              ------> reject_unverified_recipient,
              permit

              Also, in client access list / my networks you only have your internal IP range listed, correct?

              • B Offline
                BenKenobe
                last edited by

                Only internal IPs, correct. I commented out the 'reject' because I don't want it rejected - although it still gets rejected somehow - I even tried modifying the reject codes to 450 instead but it still returns the 550.1.1, which tells me it is using what the mail server sends back and not what I want it to. I've tried also the various SMTP privacy filters but it is hard to know which file to build them into - doesn't work in the custom commands for sure.

                Remember I'm trying to stop spammers figuring out which addresses exist by sending many e-mails each to a different username - the reject message is a dead giveaway - I want the offender tarpit'd and messed about as much as possible.

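An added example, not part of the thread or of the pfSense package: one way to spot the address probing described in the post above is to count, per client IP, how many distinct recipients Postfix refused at RCPT TO in /var/log/maillog. The log lines, addresses and the threshold below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: Postfix smtpd reject lines as they appear in /var/log/maillog.
# Hosts, addresses and IPs are documentation values, not taken from the thread.
SAMPLE_MAILLOG = """\
Mar  3 10:00:01 fw postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <admin@example.org>: Recipient address rejected: User unknown in relay recipient table; from=<probe@sender.test> to=<admin@example.org> proto=ESMTP helo=<mx.sender.test>
Mar  3 10:00:02 fw postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <info@example.org>: Recipient address rejected: User unknown in relay recipient table; from=<probe@sender.test> to=<info@example.org> proto=ESMTP helo=<mx.sender.test>
Mar  3 10:00:03 fw postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <sales@example.org>: Recipient address rejected: User unknown in relay recipient table; from=<probe@sender.test> to=<sales@example.org> proto=ESMTP helo=<mx.sender.test>
Mar  3 10:07:30 fw postfix/smtpd[4110]: NOQUEUE: reject: RCPT from mail.partner.test[198.51.100.7]: 550 5.1.1 <jon@example.org>: Recipient address rejected: User unknown in relay recipient table; from=<ann@partner.test> to=<jon@example.org> proto=ESMTP helo=<mail.partner.test>
Mar  3 10:08:00 fw postfix/smtpd[4111]: connect from mail.partner.test[198.51.100.7]
"""

# Matches a recipient rejection and captures client IP, reply code, DSN and address.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>[45]\d\d) (?P<dsn>\d\.\d+\.\d+) <(?P<rcpt>[^>]*)>: "
    r"Recipient address rejected"
)

def find_enumerators(log_text, threshold=3):
    """Return {client_ip: {"recipients": [...], "codes": [...]}} for clients
    refused at RCPT TO for at least `threshold` distinct addresses."""
    recipients = defaultdict(set)
    codes = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        recipients[ip].add(m.group("rcpt").lower())
        codes[ip].add(f"{m.group('code')} {m.group('dsn')}")
    return {
        ip: {"recipients": sorted(rcpts), "codes": sorted(codes[ip])}
        for ip, rcpts in recipients.items()
        if len(rcpts) >= threshold
    }

if __name__ == "__main__":
    for ip, hit in find_enumerators(SAMPLE_MAILLOG).items():
        print(ip, hit["codes"], hit["recipients"])
```

A client that trips the threshold with a 5xx code in `codes` was told outright which addresses do not exist; the single rejection from the partner host stays below the threshold.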
                • M Offline
                  mschiek01
                  last edited by

                  This may be your problem although I am not even sure what you are trying to do will work.

                  In the postfix gui ->"Domains to Forward"  did you put information in here ?

                  In the postfix gui -> "Recipients"  did you put information here ?

                  If you did both that is most likely your problem.

                  Postfix is receiving an email connection request and the first thing it is doing is checking the relay domain table and contacting the server which is saying not a good address and that is what postfix is replying.  It doesn't matter what you put in the address verification as this is a second step not first.

                  You are basically using both methods.  Which obviously will not work for what you are trying to do.  Remove the information from the domains to forward and see what happens.

                  You will need to add a relayhost = [an.ip.add.ress]  to the config.

                  • G Offline
                    garthk
                    last edited by

                    I've installed the Postfix package and all seems to be working fine. I then installed the Postfix widget and, while the PF widget bar shows up on the dashboard, there's no data displayed at all.

                    What did I do wrong?

                    Thanx,
                    GarthK

                    • M Offline
                      mschiek01
                      last edited by

                      @garthk:

                      I've installed the Postfix package and all seems to be working fine. I then installed the Postfix widget and, while the PF widget bar shows up on the dashboard, there's no data displayed at all.

                      What did I do wrong?

                      Thanx,
                      GarthK

                      Go to services/postfix/general at the bottom of the page
                      Widgets set

                      • G Offline
                        garthk
                        last edited by

                        Thanx for the reply. I did what you suggested and even waited three days just to see if that would make a diff but no luck. The Postfix bar is there but no data is displayed. I also reinstalled it but no change.

                        Anything else I need to do?

                        • marcellocM Offline
                          marcelloc
                          last edited by

                          Widget works when you set logs to /var/log/maillog

                          Elite Training: http://sys-squad.com

                          Help a community developer! ;D

                          • G Offline
                            garthk
                            last edited by

                            That took care of it!

                            Thanx Much,
                            Garth

                            • S Offline
                              sbillmann
                              last edited by

                              Hi guys,

                              I am using this package for a few days now and am very happy with it because the amount of spam was reduced drastically.

                              So first of all thank you for your work here, marcelloc.

                              I just encountered two problems which I couldn't solve for myself.

                              1. The "Search mail" function doesn't work for me. Probably because postfix can't find a sqlite database. Reinstallation of postfix didn't help.

                              2. Some mails take a very long time to get delivered to my actual mail server. I guess this is because some bigger companies with multiple mail servers send mails out through a different server once the message isn't accepted instantly by postfix. (gmail or hrs for example)
                              Is there a way to accept e-mails faster even if the initial sender ip differs from the current sender ip in postfix?

                              And again thank you (in advance)

                              Many apologies if this has been asked and answered before.

                              • G Offline
                                garthk
                                last edited by

                                Works great but I have a question. There is a company sending us email with a single MX record, say mail.company.com, but the email is actually being sent by one of multiple servers, mail1.company.com, mail2.company.com, and so on. None of these servers has a DNS record so can not be found by PF after the RCPT TO: is received. This causes the email to be rejected, correctly IMHO, but I need to figure out how to let this email thru. Can I whitelist these servers and, if so, how?

                                Thanx,
                                Garth

                                • G Offline
                                  garthk
                                  last edited by

                                  Sorry to reply to my own post but… the initial HELO is from mail.company.com and is resolvable. Prob is, that's not the server that actually sends the email and those servers are not resolvable.

                                  Thanx,
                                  Garth

                                  • B Offline
                                    biggsy
                                    last edited by

                                    If you can tell whether they're in the same subnet you can whitelist that subnet under Access Lists > CIDR

                                    Like:

                                    10.20.30.0/24 permit
                                    
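An added example, not part of the thread: before whitelisting a subnet as suggested above, it helps to derive the narrowest prefix that covers the sender IPs actually seen in the log, and to check how a first-match CIDR table would treat a given client. The sender IPs, the table and the `min_prefixlen` guard are constructed assumptions; the "pattern action" line format follows the entry shown in the post.

```python
import ipaddress

# Constructed values: sender IPs as they might be read from maillog rejects.
OBSERVED_SENDERS = ["10.20.30.11", "10.20.30.12", "10.20.30.40"]

# Constructed table in the "network/prefix action" form used under Access Lists > CIDR.
CIDR_TABLE = """\
# partner outbound relays (constructed example)
10.20.30.0/26 permit
"""

def tightest_prefix(addresses, min_prefixlen=24):
    """Smallest single network containing every address. Raises ValueError
    rather than widening beyond /min_prefixlen, so scattered senders do not
    turn into a whitelist entry for a whole provider range."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(f"{ips[0]}/{ips[0].max_prefixlen}")
    while not all(ip in net for ip in ips):
        if net.prefixlen <= min_prefixlen:
            raise ValueError("senders do not share a /%d" % min_prefixlen)
        net = net.supernet()
    return net

def cidr_lookup(table_text, client_ip):
    """Return the action of the first matching line, or None when nothing
    matches and the remaining restrictions would decide."""
    ip = ipaddress.ip_address(client_ip)
    for line in table_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        # strict=True rejects patterns with host bits set, e.g. 10.20.30.5/24
        if ip in ipaddress.ip_network(pattern, strict=True):
            return action.strip()
    return None

if __name__ == "__main__":
    print(tightest_prefix(OBSERVED_SENDERS))       # 10.20.30.0/26
    print(cidr_lookup(CIDR_TABLE, "10.20.30.40"))  # permit
    print(cidr_lookup(CIDR_TABLE, "10.20.30.200")) # None
```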
                                    • BismarckB Offline
                                      Bismarck
                                      last edited by

                                      @garthk:

                                      Sorry to reply to my own post but… the initial HELO is from mail.company.com and is resolvable. Prob is, that's not the server that actually sends the email and those servers are not resolvable.

                                      Thanx,
                                      Garth

                                      https://forum.pfsense.org/index.php?topic=40622.msg428403#msg428403

                                      • BismarckB Offline
                                        Bismarck
                                        last edited by

                                        @sbillmann:

                                        2. Some mails take a very long time to get delivered to my actual mail server. I guess this is because some bigger companies with multiple mail servers send mails out through a different server once the message isn't accepted instantly by postfix. (gmail or hrs for example)
                                        Is there a way to accept e-mails faster even if the initial sender ip differs from the current sender ip in postfix?

                                        And again thank you (in advance)

                                        Many apologies if this has been asked and answered before.

                                        https://forum.pfsense.org/index.php?topic=40622.msg425790#msg425790

                                        • A Offline
                                          azekiel
                                          last edited by

                                          Is the postscreen cache now persistent (normally it would be deleted after a restart of the service)?

                                          If not, why not use postgrey then? This one works the same way as postscreen does and the persistent cache does work!

                                          Greets

                                          • A Offline
                                            azekiel
                                            last edited by

                                            Another question: how to disable the recipient check? I removed the part from smtpd_recipient_restrictions but is there a way in the GUI?
