Postfix - antispam and relay package
-
Marcelloc, why not to make on the contrary - on pfsense 2.2 normal install, and on pfsense 2.1 with the fix?
It will move more people to update to version 2.2 -
To get postfix working on pfSense 2.2, follow these steps:
Remember, do it at your own risk ;)
fetch -o /usr/local/www/postfix.php http://e-sac.siteseguro.ws/px22/postfix.txt fetch -o /usr/local/www/widgets/widgets/postfix.widget.php http://e-sac.siteseguro.ws/px22/postfix.widget.txt pbi_delete postfix-2.11.3_2-amd64 rm -f /usr/pbi/bin/libexec/postfix rm -f /usr/local/etc/postfix rm -f /var/spool/postfix rm -f /var/mail/postfix rm -f /var/db/postfix pkg install postfix
I tried the above in 2.2.4 but I had no luck. Can anybody confirm this is working in the latest version of pfSense?
-
Yes, it's working for sure.
Do not forget to install the package via gui before the steps above…
-
Hello,I follow step to remove old postfix.
fetch -o /usr/local/www/postfix.php http://e-sac.siteseguro.ws/px22/postfix.txt
fetch -o /usr/local/www/widgets/widgets/postfix.widget.php http://e-sac.siteseguro.ws/px22/postfix.widget.txt
pbi_delete postfix-2.11.3_2-amd64
rm -f /usr/pbi/bin/libexec/postfix
rm -f /usr/local/etc/postfix
rm -f /var/spool/postfix
rm -f /var/mail/postfix
rm -f /var/db/postfix
pkg install postfixAnd reinstall postfix and postfix forwarder.
The same settings but it's will show relay access denied when mail incoming.
How to fix it? -
Sorry,
I have fix it.It's installed postfix forward and download two file and replace it.It's all ok. -
Tried the steps.
installed package by gui.
removed folders and pbi as posted by marcelloc.
installed package from console pkg.Saved every config page to avoid errors.
starting service fails :Aug 19 11:10:35 php-fpm[24346]: /pkg_edit.php: The command '/usr/pbi/postfix-amd64/sbin/postmap /usr/pbi/postfix-amd64/etc/postfix/sender_access' returned exit code '127', the output was '/usr/pbi/postfix-amd64/sbin/postmap: not found'
Aug 19 11:10:35 php-fpm[24346]: /pkg_edit.php: The command '/usr/pbi/postfix-amd64/sbin/postmap /usr/pbi/postfix-amd64/etc/postfix/transport' returned exit code '127', the output was '/usr/pbi/postfix-amd64/sbin/postmap: not found'What am I missing? Tried this on 2 systems, it looks like I really am missing a step here.
-
Reposting update guide for pfsense 2.2.x only:
Install package via gui
execute code below via console/sshfetch -o /usr/local/www/postfix.php http://e-sac.siteseguro.ws/px22/postfix.txt fetch -o /usr/local/www/widgets/widgets/postfix.widget.php http://e-sac.siteseguro.ws/px22/postfix.widget.txt pbi_delete postfix-2.11.3_2-amd64 rm -rf /usr/pbi/bin/libexec/postfix rm -rf /usr/local/etc/postfix rm -rf /var/spool/postfix rm -rf /var/mail/postfix rm -rf /var/db/postfix pkg install postfix libspf2
fix postfix.inc file with this patch via system patcher package
add this patch via package system patcher
**description:**postfix_inc
patch:--- postfix.orig.inc 2015-08-18 08:15:00.000000000 +0000 +++ postfix.inc 2015-08-18 08:18:10.000000000 +0000 @@ -36,11 +36,11 @@ require_once("globals.inc"); $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); -if ($pfs_version == "2.1" || $pfs_version == "2.2") { - define('POSTFIX_LOCALBASE', '/usr/pbi/postfix-' . php_uname("m")); -} else { +//if ($pfs_version == "2.1" || $pfs_version == "2.2") { +// define('POSTFIX_LOCALBASE', '/usr/pbi/postfix-' . php_uname("m")); +//} else { define('POSTFIX_LOCALBASE','/usr/local'); -} +//} $uname=posix_uname(); if ($uname['machine']=='amd64')
directory:/usr/local/pkg/
-
Marcel,
Since the changes required to be compatible with 2.2 for non-trivial packages break compatibility with previous releases, kindly consider creating a new entry in the list of available packages for the postifx 2.2 + versions, then add a note to the 2.1- package to switch to the new one when upgrading.
Of course, as always, easier to ask than to do. Thanks for your efforts!
-
it will on Pfsense 2.3 when pbi will not be used to package binaries.
-
For purpose of testing, i have installed the package on a dédicated Pfsense (this mean : not my firewall). This package seems to be a geat job.
Today my "production" smtp relays are manuelly maintened. I decided to test this package.
First surprise is main.cf generated par the GUI.# Allow connections from specified local clients and strong check everybody else. smtpd_client_restrictions = permit_mynetworks, reject_unauth_destination, check_client_access pcre:/usr/pbi/postfix-amd64/etc/postfix/cal_pcre, check_client_access cidr:/usr/pbi/postfix-amd64/etc/postfix/cal_cidr, reject_unknown_client_hostname, reject_unauth_pipelining, reject_multi_recipient_bounce, permit smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, check_client_access pcre:/usr/pbi/postfix-amd64/etc/postfix/cal_pcre, check_client_access cidr:/usr/pbi/postfix-amd64/etc/postfix/cal_cidr, check_sender_access hash:/usr/pbi/postfix-amd64/etc/postfix/sender_access, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_multi_recipient_bounce, reject_unverified_recipient, reject_spf_invalid_sender, permit
Two times "smtpd_recipient_restrictions".
I also notice in the GUI, there is no way for a flat list for clients restriction.
And sender access list is use with smtpd_sender_restrictions.At this time (others smtp Postfix relay), i manage 3 differents flat lists for :
smtpd_client_restrictions
smtpd_hello_restrictions
smtpd_sender_restrictionsThere is also specifics lists for cidr and PCRE.
Pfsense 2.1.5 and last version of package. Something wrong with my setup.
So i'm a little bit confused the way main.cf is generated from the GUI. Even if I know Postfix can use each list in many restrictions.
-
Two times "smtpd_recipient_restrictions".
Are you sure, the post shows smtpd__clientrestrictions and smtpdrecipient__restrictions
Pfsense 2.1.5 and last version of package. Something wrong with my setup.
Better using on 2.2 with manual fixes above.
So i'm a little bit confused the way main.cf is generated from the GUI. Even if I know Postfix can use each list in many restrictions.
Can you explain it better? You mean you know a better config setup to implement on this package?
-
Having an issue.
Since I cannot seem to install the LDAP plugin in any way or form (or even find it somewhere..) I can not get a link to Exchange to import a list of valid e-mail accounts.
Is there a way to edit Postfix (used in combination with mailscanner) to allow all e-mail accounts from a domain?This is not used as an internal relay, just external anti-spam checking.
yes, I know this lowers the security quit a bit. But having everything blocked now with the same recipient error is the other side of the coin.
I really would just like to the the LDAP connection working. But installing the pkg like by the manual gives an error it cannot be found. And I cannot seem to source it anywhere else.
Did anyone manage to install it somehow?2.1.5 x64 setup.
-
Having an issue.
Since I cannot seem to install the LDAP plugin in any way or form
Did you tried```
pkg add p5-perl-ldap -
pkg_add pR5-perl-ldap pkg_add: can't stat package file "pR5-perl-ldap"
that or cannot find package.
Tried your private hosted version from 2012. gives more errors then someone dyslexic quoting Nietzsche.
-
Yeah, perhaps you could fix your copy/paste skills. Noone told you to install nonsense like pR5-perl-ldap.
-
Reposting update guide for pfsense 2.2.x only:
Install package via gui
execute code below via console/sshfetch -o /usr/local/www/postfix.php http://e-sac.siteseguro.ws/px22/postfix.txt fetch -o /usr/local/www/widgets/widgets/postfix.widget.php http://e-sac.siteseguro.ws/px22/postfix.widget.txt pbi_delete postfix-2.11.3_2-amd64 rm -f /usr/pbi/bin/libexec/postfix rm -f /usr/local/etc/postfix rm -f /var/spool/postfix rm -f /var/mail/postfix rm -f /var/db/postfix pkg install postfix
fix postfix.inc file with this patch via system patcher package
add this patch via package system patcher
**description:**postfix_inc
patch:--- postfix.orig.inc 2015-08-18 08:15:00.000000000 +0000 +++ postfix.inc 2015-08-18 08:18:10.000000000 +0000 @@ -36,11 +36,11 @@ require_once("globals.inc"); $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); -if ($pfs_version == "2.1" || $pfs_version == "2.2") { - define('POSTFIX_LOCALBASE', '/usr/pbi/postfix-' . php_uname("m")); -} else { +//if ($pfs_version == "2.1" || $pfs_version == "2.2") { +// define('POSTFIX_LOCALBASE', '/usr/pbi/postfix-' . php_uname("m")); +//} else { define('POSTFIX_LOCALBASE','/usr/local'); -} +//} $uname=posix_uname(); if ($uname['machine']=='amd64')
directory:/usr/local/pkg/
Hi,
thank you for the manual fix. I have tried several times , believing i screwed up somewhere, but still no white smoke . The error messages stay the same.
Does anyone have more suggestions in this ? The setup is a carp unit, with a 2.1.4 install upgraded to 2.1.5 and now jumped to 2.2.4 .Thank you in advance..
-
Hi.
In case someone needs to specify a port in domain forwarding, here is a patch for /usr/local/pkg/postfix.inc:
--- postfix.inc.org 2015-10-29 13:59:12.000000000 +0300 +++ postfix.inc 2015-10-29 14:19:36.000000000 +0300 @@ -263,10 +263,17 @@ if (is_array($postfix_domains['row'])) { foreach ($postfix_domains['row'] as $postfix_row) { $relay_domains .= ' ' . $postfix_row['domain']; - if (!empty($postfix_row['mailserverip'])) - $transport .= $postfix_row['domain'] . " smtp:[" . $postfix_row['mailserverip'] . "]\n"; + if (!empty($postfix_row['mailserverip'])) { + if (strrpos($postfix_row['mailserverip'], ":") === false) { + $transport .= $postfix_row['domain'] . " smtp:[" . $postfix_row['mailserverip'] . "]\n"; + } + else { + list($t_ip, $t_port) = explode(":", $postfix_row['mailserverip']); + $transport .= $postfix_row['domain'] . " smtp:[" . $t_ip . "]:" . "$t_port\n"; } } + } + } #check cron check_cron(); #check logging @@ -787,8 +794,15 @@ } else if (substr($key, 0, 12) == "mailserverip" && is_numeric(substr($key, 12))) { if (empty($post['domain' . substr($key, 12)])) $input_errors[] = "Domain for {$value} cannot be blank."; - if (!is_ipaddr($value) && !is_hostname($value)) - $input_errors[] = "{$value} is not a valid IP address or host name."; + if (strrpos($value, ":") === false) { + if (!is_ipaddr($value) && !is_hostname($value)) + $input_errors[] = "{$value} is not a valid IP address or host name."; + } + else { + list($t_ip, $t_port) = explode(":", $value); + if (!is_ipaddr($t_ip) && !is_hostname($t_ip)) + $input_errors[] = "{$value} is not a valid IP address or host name."; + } } } }
-
We are running Postfix with the patches and all seems to be fine… HOWEVER, we seem to be seeing a couple of issues...
1: I see no way of using DNS block lists like dbl.spamhaus.org (which only accept domain names, not IP addresses).
I have tried adding the option smtpd_client_restrictions=reject_rhsbl_client dbl.spamhaus.org on the general page under custom main.cf options. When I add it, I get a lot of log entries about it replacing existing smtpd_client_restrictions=reject_rhsbl_client lines.
Does not seem to work.
Suggestion: I notice you are parsing for the "," when you are saving the list to the reject_rbl_client directive. Can you add something to parse for another character like ":DNS" to put the entry in the reject_rhsbl_client directive?
Or even add a box on the antispam page for DNS Block lists?2: We have some custom ACL headers that we scan for like /^From:.@.download/ REJECT that seem to work great, but once in a while a couple of the messages get through :P Ideas?
3: On the Access list page Helo box, no matter what we put there it does not reject. Like trying to block the .download domain from even getting past the helo.
It would be REAL nice to be able to drop the connection from a .download domain at the Helo step rather that what is happening now: Its ran through the bloc lists, then finally rejected by the sender address in the from field. A lot of wasted time for messages from a server that will be dropped anyway :PThanks in advance!
-
1: I see no way of using DNS block lists like dbl.spamhaus.org (which only accept domain names, not IP addresses).
I have tried adding the option smtpd_client_restrictions=reject_rhsbl_client dbl.spamhaus.org on the general page under custom main.cf options. When I add it, I get a lot of log entries about it replacing existing smtpd_client_restrictions=reject_rhsbl_client lines.
Does not seem to work.Have you tried using zen.spamhaus.org in the RBL server list? That seems to work well with IP addresses:
postfix/postscreen[83574]: CONNECT from [193.189.117.147]:29103 to [127.0.0.1]:25 postfix/dnsblog[84018]: addr 193.189.117.147 listed by domain zen.spamhaus.org as 127.0.0.4 postfix/dnsblog[84018]: addr 193.189.117.147 listed by domain zen.spamhaus.org as 127.0.0.2 postfix/postscreen[83574]: DNSBL rank 2 for [193.189.117.147]:29103 postfix/postscreen[83574]: HANGUP after 1.1 from [193.189.117.147]:29103 in tests after SMTP handshake postfix/postscreen[83574]: DISCONNECT [193.189.117.147]:29103
-
1: I see no way of using DNS block lists like dbl.spamhaus.org (which only accept domain names, not IP addresses).
I have tried adding the option smtpd_client_restrictions=reject_rhsbl_client dbl.spamhaus.org on the general page under custom main.cf options. When I add it, I get a lot of log entries about it replacing existing smtpd_client_restrictions=reject_rhsbl_client lines.
Does not seem to work.Have you tried using zen.spamhaus.org in the RBL server list? That seems to work well with IP addresses:
postfix/postscreen[83574]: CONNECT from [193.189.117.147]:29103 to [127.0.0.1]:25 postfix/dnsblog[84018]: addr 193.189.117.147 listed by domain zen.spamhaus.org as 127.0.0.4 postfix/dnsblog[84018]: addr 193.189.117.147 listed by domain zen.spamhaus.org as 127.0.0.2 postfix/postscreen[83574]: DNSBL rank 2 for [193.189.117.147]:29103 postfix/postscreen[83574]: HANGUP after 1.1 from [193.189.117.147]:29103 in tests after SMTP handshake postfix/postscreen[83574]: DISCONNECT [193.189.117.147]:29103
Yes, I am using Zen. It is an IP address based list. It only accepts IP addresses as it should, and works fine. The Evil Nasty spammers and malware sites like to move around a lot to try and beat the ip based block lists.
The lists that I want to use are based on their domains. They only accept domain names not IP addresses. Many of the best lists are switching to domain based for better blocking.