Postfix - antispam and relay package
-
Hi.
In case someone needs to specify a port in domain forwarding, here is a patch for /usr/local/pkg/postfix.inc:
--- postfix.inc.org 2015-10-29 13:59:12.000000000 +0300 +++ postfix.inc 2015-10-29 14:19:36.000000000 +0300 @@ -263,10 +263,17 @@ if (is_array($postfix_domains['row'])) { foreach ($postfix_domains['row'] as $postfix_row) { $relay_domains .= ' ' . $postfix_row['domain']; - if (!empty($postfix_row['mailserverip'])) - $transport .= $postfix_row['domain'] . " smtp:[" . $postfix_row['mailserverip'] . "]\n"; + if (!empty($postfix_row['mailserverip'])) { + if (strrpos($postfix_row['mailserverip'], ":") === false) { + $transport .= $postfix_row['domain'] . " smtp:[" . $postfix_row['mailserverip'] . "]\n"; + } + else { + list($t_ip, $t_port) = explode(":", $postfix_row['mailserverip']); + $transport .= $postfix_row['domain'] . " smtp:[" . $t_ip . "]:" . "$t_port\n"; } } + } + } #check cron check_cron(); #check logging @@ -787,8 +794,15 @@ } else if (substr($key, 0, 12) == "mailserverip" && is_numeric(substr($key, 12))) { if (empty($post['domain' . substr($key, 12)])) $input_errors[] = "Domain for {$value} cannot be blank."; - if (!is_ipaddr($value) && !is_hostname($value)) - $input_errors[] = "{$value} is not a valid IP address or host name."; + if (strrpos($value, ":") === false) { + if (!is_ipaddr($value) && !is_hostname($value)) + $input_errors[] = "{$value} is not a valid IP address or host name."; + } + else { + list($t_ip, $t_port) = explode(":", $value); + if (!is_ipaddr($t_ip) && !is_hostname($t_ip)) + $input_errors[] = "{$value} is not a valid IP address or host name."; + } } } }
-
We are running Postfix with the patches and all seems to be fine… HOWEVER, we seem to be seeing a couple of issues...
1: I see no way of using DNS block lists like dbl.spamhaus.org (which only accept domain names, not IP addresses).
I have tried adding the option smtpd_client_restrictions=reject_rhsbl_client dbl.spamhaus.org on the general page under custom main.cf options. When I add it, I get a lot of log entries about it replacing existing smtpd_client_restrictions=reject_rhsbl_client lines.
Does not seem to work.
Suggestion: I notice you are parsing for the "," when you are saving the list to the reject_rbl_client directive. Can you add something to parse for another character like ":DNS" to put the entry in the reject_rhsbl_client directive?
Or even add a box on the antispam page for DNS Block lists?2: We have some custom ACL headers that we scan for like /^From:.@.download/ REJECT that seem to work great, but once in a while a couple of the messages get through :P Ideas?
3: On the Access list page Helo box, no matter what we put there it does not reject. Like trying to block the .download domain from even getting past the helo.
It would be REAL nice to be able to drop the connection from a .download domain at the Helo step rather that what is happening now: Its ran through the bloc lists, then finally rejected by the sender address in the from field. A lot of wasted time for messages from a server that will be dropped anyway :PThanks in advance!
-
1: I see no way of using DNS block lists like dbl.spamhaus.org (which only accept domain names, not IP addresses).
I have tried adding the option smtpd_client_restrictions=reject_rhsbl_client dbl.spamhaus.org on the general page under custom main.cf options. When I add it, I get a lot of log entries about it replacing existing smtpd_client_restrictions=reject_rhsbl_client lines.
Does not seem to work.Have you tried using zen.spamhaus.org in the RBL server list? That seems to work well with IP addresses:
postfix/postscreen[83574]: CONNECT from [193.189.117.147]:29103 to [127.0.0.1]:25 postfix/dnsblog[84018]: addr 193.189.117.147 listed by domain zen.spamhaus.org as 127.0.0.4 postfix/dnsblog[84018]: addr 193.189.117.147 listed by domain zen.spamhaus.org as 127.0.0.2 postfix/postscreen[83574]: DNSBL rank 2 for [193.189.117.147]:29103 postfix/postscreen[83574]: HANGUP after 1.1 from [193.189.117.147]:29103 in tests after SMTP handshake postfix/postscreen[83574]: DISCONNECT [193.189.117.147]:29103
-
1: I see no way of using DNS block lists like dbl.spamhaus.org (which only accept domain names, not IP addresses).
I have tried adding the option smtpd_client_restrictions=reject_rhsbl_client dbl.spamhaus.org on the general page under custom main.cf options. When I add it, I get a lot of log entries about it replacing existing smtpd_client_restrictions=reject_rhsbl_client lines.
Does not seem to work.Have you tried using zen.spamhaus.org in the RBL server list? That seems to work well with IP addresses:
postfix/postscreen[83574]: CONNECT from [193.189.117.147]:29103 to [127.0.0.1]:25 postfix/dnsblog[84018]: addr 193.189.117.147 listed by domain zen.spamhaus.org as 127.0.0.4 postfix/dnsblog[84018]: addr 193.189.117.147 listed by domain zen.spamhaus.org as 127.0.0.2 postfix/postscreen[83574]: DNSBL rank 2 for [193.189.117.147]:29103 postfix/postscreen[83574]: HANGUP after 1.1 from [193.189.117.147]:29103 in tests after SMTP handshake postfix/postscreen[83574]: DISCONNECT [193.189.117.147]:29103
Yes, I am using Zen. It is an IP address based list. It only accepts IP addresses as it should, and works fine. The Evil Nasty spammers and malware sites like to move around a lot to try and beat the ip based block lists.
The lists that I want to use are based on their domains. They only accept domain names not IP addresses. Many of the best lists are switching to domain based for better blocking. -
Sorry, I completely misread that first line in your post. :-[
I think you'll have to modify your [i]main.cf and restart postfix manually to make that work. Unfortunately, the change will be over-written next time you save your config from the GUI.
-
1. You need to manually edit /usr/local/pkg/postfix.inc this will keep your changes after a postfix reload but needs to be re edited after a package update. eg.:
…
smtpd_helo_restrictions = check_helo_access pcre:{$pf_dir}/etc/postfix/helo_check,
reject_unknown_helo_hostname,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_rhsbl_helo hostkarma.junkemailfilter.com=127.0.0.2,
** reject_rhsbl_helo dbl.spamhaus.org,**
permit
…
...
smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
** reject_rhsbl_sender dbl.spamhaus.org, **
permit
…
...
smtpd_client_restrictions = permit_mynetworks,
reject_unauth_destination,
check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre,
check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr,
reject_unknown_client_hostname,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
reject_rhsbl_reverse_client hostkarma.junkemailfilter.com=127.0.0.2,
reject_rhsbl_reverse_client dbl.spamhaus.org,
permit
…And I guess this is highly ineffective, since Postscreen and RBL server List already reject almost everything and its safer, because you can combine as many rbl lists you like.
http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix.org/POSTSCREEN_README.html
2. You missing a dot before the asterisk and add always a comment to the REJECT, easier to identify false/positives:
/^From:.@__.__.download/ REJECT Spam Rule #20191
3. see 1. & 2.
Here a few commands to check your postfix rules if they match:
postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/body_check < /root/mail.txt
postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/header_check < /root/mail.txt
postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/mime_check < /root/mail.txt
postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/helo_check < /root/mail.txt
Just copy the full mail with the header etc. into mail.txt file before execute.
Usefull: http://www.regexr.com/
Best practice is a well configurated Postfix + Mailscanner + sa-updater-custom-channels.sh + clamav-unofficial-sigs.sh = Spam > 1%.
Cheers! ;)
-
I tried your format
/^From:.@..eu/ REJECT Spam Rule #20191
and is KINDA works…It does block the .eu TLD, but also hits on addresses like From:bill@mail.eugene.ca.gov
This behavior is expected, since we are starting at the front of the screen. When I do it the right way: /^From:.@..eu$/ (with the $ to match the end for .eu), the PCRE simulators all work fine. It catches only the .eu TLD.
But when I put it in Postfix with the $ in it, it blocks nothing :P
Am I missing something?And thanks for the other guides. I am looking at them now :)
-
So, for anyone here who's not given up yet and is having issues with https://redmine.pfsense.org/issues/4420 - there's v2.4.5 out. If someone's wiling to undo the manual hacks (stuff like cyrus-sasl2/libspf2 installed via pkg, symlinks etc.) and report back, it'd be appreciated.
-
Hi, guys!
I have a problem.
I installed pfsense 2.2.4 x64 with postfix. And of course had issue with sqlite. I reinstall postfix using marcelloc instruction:
fetch -o /usr/local/www/postfix.php http://e-sac.siteseguro.ws/px22/postfix.txt
fetch -o /usr/local/www/widgets/widgets/postfix.widget.php http://e-sac.siteseguro.ws/px22/postfix.widget.txt
pbi_delete postfix-2.11.3_2-amd64
rm -f /usr/pbi/bin/libexec/postfix
rm -f /usr/local/etc/postfix
rm -f /var/spool/postfix
rm -f /var/mail/postfix
rm -f /var/db/postfix
pkg install postfix
etc…now it work. BUT it reject all mails.
Here is a part of log:Nov 11 10:35:13 pfSense postfix/postscreen[96424]: CONNECT from [209.85.223.170]:33179 to [127.0.0.1]:25 Nov 11 10:35:19 pfSense postfix/postscreen[96424]: PASS NEW [209.85.223.170]:33179 Nov 11 10:35:19 pfSense postfix/smtpd[48617]: connect from mail-io0-f170.google.com[209.85.223.170] Nov 11 10:35:19 pfSense postfix/smtpd[48617]: warning: unknown smtpd restriction: "reject_spf_invalid_sender" Nov 11 10:35:19 pfSense postfix/verify[51147]: cache btree:/var/db/postfix/verify_cache full cleanup: retained=5 dropped=0 entries Nov 11 10:35:19 pfSense postfix/smtpd[48617]: NOQUEUE: reject: RCPT from mail-io0-f170.google.com[209.85.223.170]: 451 4.3.5 Server configuration error; from= <mymail@gmail.com>to= <mymail@mydomain.ru>proto=ESMTP helo= <mail-io0-f170.google.com>Nov 11 10:35:20 pfSense postfix/cleanup[59443]: 1E0D61138ADC: message-id=<20151111083520.1E0D61138ADC@pfSense.localdomain> Nov 11 10:35:20 pfSense postfix/smtpd[48617]: disconnect from mail-io0-f170.google.com[209.85.223.170] Nov 11 10:35:20 pfSense postfix/qmgr[57167]: 1E0D61138ADC: from=<double-bounce@pfsense.localdomain>, size=981, nrcpt=1 (queue active) Nov 11 10:35:20 pfSense postfix/smtp[60115]: 1E0D61138ADC: to=<postmaster@pfsense.localdomain>, orig_to=<postmaster>, relay=none, delay=0.17, delays=0.01/0.01/0.16/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=pfSense.localdomain type=A: Host not found) Nov 11 10:35:20 pfSense postfix/bounce[68723]: warning: 1E0D61138ADC: undeliverable postmaster notification discarded Nov 11 10:35:20 pfSense postfix/qmgr[57167]: 1E0D61138ADC: removed</postmaster></postmaster@pfsense.localdomain></double-bounce@pfsense.localdomain></mail-io0-f170.google.com></mymail@mydomain.ru></mymail@gmail.com>
I added in Access Lists -> MyNetworks:
127.0.0.1
192.168.0.247 Exchange IP
192.168.0.250 Pfsense LAN IP
192.168.0.0/24I found this advise for Postfix forwarder on 2.1_x64
1. Copied /usr/local/etc/postfix to /usr/pbi/postfix-amd64/etc/postfix
2. Once I put 2,6s into the greet wait time under antispam, it seemed to workbut it doesn't work for me(((
It's seem something wrong with postscreen….
pease help me
-
I've solved my problem. :)
Thanks for awesome package -
Tried this… First time I did only the helo lines, did not work, even after reboot. Nothing changed in main.cf
Did the other lines, rebooted, then it reverted with ownership errors on the database files :P
Ideas?1. You need to manually edit /usr/local/pkg/postfix.inc this will keep your changes after a postfix reload but needs to be re edited after a package update. eg.:
…
smtpd_helo_restrictions = check_helo_access pcre:{$pf_dir}/etc/postfix/helo_check,
reject_unknown_helo_hostname,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_rhsbl_helo hostkarma.junkemailfilter.com=127.0.0.2,
** reject_rhsbl_helo dbl.spamhaus.org,**
permit
…
...
smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
** reject_rhsbl_sender dbl.spamhaus.org, **
permit
…
...
smtpd_client_restrictions = permit_mynetworks,
reject_unauth_destination,
check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre,
check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr,
reject_unknown_client_hostname,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
reject_rhsbl_reverse_client hostkarma.junkemailfilter.com=127.0.0.2,
reject_rhsbl_reverse_client dbl.spamhaus.org,
permit
…And I guess this is highly ineffective, since Postscreen and RBL server List already reject almost everything and its safer, because you can combine as many rbl lists you like.
http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix.org/POSTSCREEN_README.html
2. You missing a dot before the asterisk and add always a comment to the REJECT, easier to identify false/positives:
/^From:.@__.__.download/ REJECT Spam Rule #20191
3. see 1. & 2.
Here a few commands to check your postfix rules if they match:
postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/body_check < /root/mail.txt
postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/header_check < /root/mail.txt
postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/mime_check < /root/mail.txt
postmap -q - regexp:/usr/pbi/postfix-amd64/etc/postfix/helo_check < /root/mail.txt
Just copy the full mail with the header etc. into mail.txt file before execute.
Usefull: http://www.regexr.com/
Best practice is a well configurated Postfix + Mailscanner + sa-updater-custom-channels.sh + clamav-unofficial-sigs.sh = Spam > 1%.
Cheers! ;)
-
I ma wondering if I did not have the right section, since I have the header verification box set to basic? After stepping through the PHP should I be putting it here?
Original:
Don't talk to mail systems that don't know their own hostname.
smtpd_helo_required = yes
{$reject_unknown_helo_hostname}smtpd_sender_restrictions = reject_unknown_sender_domain,
RBLRBLRBLAllow connections from specified local clients and rbl check everybody else if rbl check are set.
smtpd_client_restrictions = permit_mynetworks,
reject_unauth_destination,
check_sender_access hash:{$pf_dir}/etc/postfix/sender_access,
check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre,
check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr
RBLRBLRBLWhitelisting: local clients may specify any destination domain.
#,
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination,
check_sender_access hash:{$pf_dir}/etc/postfix/sender_access,
check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre,
check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr,
SPFSPFSPFRBLRBLRBLModified:
Don't talk to mail systems that don't know their own hostname.
smtpd_helo_required = yes
{$reject_unknown_helo_hostname}smtpd_sender_restrictions = reject_unknown_sender_domain,
reject_rhsbl_reverse_client dbl.spamhaus.org,
RBLRBLRBLAllow connections from specified local clients and rbl check everybody else if rbl check are set.
smtpd_client_restrictions = permit_mynetworks,
reject_unauth_destination,
check_sender_access hash:{$pf_dir}/etc/postfix/sender_access,
check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre,
check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr <–------- I see a missing , in the INC, put it in?
RBLRBLRBLWhitelisting: local clients may specify any destination domain.
#,
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination,
check_sender_access hash:{$pf_dir}/etc/postfix/sender_access,
check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre,
check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
reject_rhsbl_client dbl.spamhaus.org,
SPFSPFSPFRBLRBLRBLI would be using MailScanner, but I am running PFSense 2.2.4 and they say mailscanner does not work, or there is something we need to do to install it right, but my other thread went unanswered to see if it is working :P
-
I tried your format
/^From:.@..eu/ REJECT Spam Rule #20191
and is KINDA works…It does block the .eu TLD, but also hits on addresses like From:bill@mail.eugene.ca.gov
This behavior is expected, since we are starting at the front of the screen. When I do it the right way: /^From:.@..eu$/ (with the $ to match the end for .eu), the PCRE simulators all work fine. It catches only the .eu TLD.
But when I put it in Postfix with the $ in it, it blocks nothing :P
Am I missing something?And thanks for the other guides. I am looking at them now :)
In case someone else was having the same issue, I found a work around for PostFix not recognizing both the ^ (begin) and the $ (end) for an entry in the access list.
Instead of
/^From:.@..eu/ which would hit on things like bill@ci.eureka.ca.gov as well as bill@sample.eu, which is NOT what we want.
New way using word boundary
/^From:.@..eu\b/ only hits on bill.sample.eu
Now we can reject senders from certain TLDs properly :D
(The reason I did not use HELO is A: It never worked for me, and B: (BIG one) spammers are using US servers to spoof .eu in the from address so the HELO does not match).
:) -
Marceloc are you the one I talk to about patches for PF sense postfix?
I am working on a patch to implement the DNS blacklist to the package through a patch with its own list section, but it would be nice if we can add it right to the next version.
Once tested, can I send the patch to you to see what you think?Also is there a official place to get full documentation on how the patchfile syntax?
-
So, for anyone here who's not given up yet and is having issues with https://redmine.pfsense.org/issues/4420 - there's v2.4.5 out. If someone's wiling to undo the manual hacks (stuff like cyrus-sasl2/libspf2 installed via pkg, symlinks etc.) and report back, it'd be appreciated.
Hi,
I did uninstall the postfix package and undo any manual fixes and patches.
Then I did firmware upgrade from 2.2.4 to 2.2.5 and postfix package reinstall.
This time, things look better but I still had to do some tweak to the postfix.inc file to make it work.- had to do the following procedure, except for the 2 first line "fetch…" because I believe those file are now obsolete and will break things, since the package has been updated.
Reposting update guide for pfsense 2.2.x only:
Install package via gui
execute code below via console/sshfetch -o /usr/local/www/postfix.php http://e-sac.siteseguro.ws/px22/postfix.txt fetch -o /usr/local/www/widgets/widgets/postfix.widget.php http://e-sac.siteseguro.ws/px22/postfix.widget.txt pbi_delete postfix-2.11.3_2-amd64 rm -f /usr/pbi/bin/libexec/postfix rm -f /usr/local/etc/postfix rm -f /var/spool/postfix rm -f /var/mail/postfix rm -f /var/db/postfix pkg install postfix
fix postfix.inc file with this patch via system patcher package
add this patch via package system patcher
**description:**postfix_inc
patch:--- postfix.orig.inc 2015-08-18 08:15:00.000000000 +0000 +++ postfix.inc 2015-08-18 08:18:10.000000000 +0000 @@ -36,11 +36,11 @@ require_once("globals.inc"); $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); -if ($pfs_version == "2.1" || $pfs_version == "2.2") { - define('POSTFIX_LOCALBASE', '/usr/pbi/postfix-' . php_uname("m")); -} else { +//if ($pfs_version == "2.1" || $pfs_version == "2.2") { +// define('POSTFIX_LOCALBASE', '/usr/pbi/postfix-' . php_uname("m")); +//} else { define('POSTFIX_LOCALBASE','/usr/local'); -} +//} $uname=posix_uname(); if ($uname['machine']=='amd64')
directory:/usr/local/pkg/
- had to manually patch the file /usr/local/www/postfix_view_config.php, to fix the path for config files to allow displaying the config file correctly under the "view config" tab.
Guys, you did a great job to make that package work on pfsense 2.2.x !
- 9 days later
-
Any ETA on a "Install and Go" fix without needing to manually edit things?
-
Any ETA on a "Install and Go" fix without needing to manually edit things?
ETA = never. The package is gone from pfSense 2.3.
-
Any ETA on a "Install and Go" fix without needing to manually edit things?
ETA = never. The package is gone from pfSense 2.3.
Mmm… Then I must ask what mail forwarder is pfsense going to replace it with? Surely many people make use of pfsense for dual web and mail filtering and other general firewall purpouses. Scrapping postfix without a replacement would force people to look at other next generation firewalls.
-
Mmm… Then I must ask what mail forwarder is pfsense going to replace it with?
I don't believe any replacement is planned for this. https://redmine.pfsense.org/issues/5374
-
Mmm… Then I must ask what mail forwarder is pfsense going to replace it with?
I don't believe any replacement is planned for this. https://redmine.pfsense.org/issues/5374
Does that also mean all the other mail apps like mailscanner, spamassasin, clamav ect will be falling away? Last I checked the Postfix was a MTA that sent all emails to 127.0.0.1 on the pfsense box were they were then scanned and filtered accordingly, PostFix would then send them on there way when they were done. Unless I am understanding wrong, how would I filter my mail now without PostFix?
-
Unless I am understanding wrong, how would I filter my mail now without PostFix?
On your mailserver perhaps? I don't get the idea of running postfix, spam filters and co. on a firewall… Regardless, take this with pfSense developers, I'm not one.
-
Unless I am understanding wrong, how would I filter my mail now without PostFix?
On your mailserver perhaps? I don't get the idea of running postfix, spam filters and co. on a firewall… Regardless, take this with pfSense developers, I'm not one.
Meant how would I filter my mail without PostFix "On pfSense", but I appreciate your honest replies. What a pity I liked pfSense. Cheers.
-
I'm migrating the package for 2.3.
If you use pfsense as an UTM, packages postfix, varnish, squid, mailscanner give it layer 7 ability on these protocols.
For me it's really usefull.
-
I'm migrating the package for 2.3.
If you use pfsense as an UTM, packages postfix, varnish, squid, mailscanner give it layer 7 ability on these protocols.
For me it's really usefull.
Now that is some good news for a change. PostFix "IS" one of the best used packages on pfSense. To scrap it would be going backwards. Happy days :)
-
-
Sadly SPF is broken now:
unused parameter: spf_mark_only=yes
This was a very useful option to fight sender address forgery.
Any idea how to fix?
//Edit
This could be a option?py27-postfix-policyd-spf-python works great and easy to setup! :)$ pkg install py27-postfix-policyd-spf-python Updating FreeBSD repository catalogue... FreeBSD repository is up-to-date. All repositories are up-to-date. The following 6 package(s) will be affected (of 0 checked): New packages to be INSTALLED: py27-postfix-policyd-spf-python: 1.3.2 py27-authres: 0.800 py27-spf: 2.0.12_1 py27-dns: 2.3.6_1 python2: 2_3 py27-ipaddr: 2.1.10_1 The process will require 856 KiB more space. 152 KiB to be downloaded. Proceed with this action? [y/N]: y Fetching py27-postfix-policyd-spf-python-1.3.2.txz: 100% 38 KiB 38.5kB/s 00:01 Fetching py27-authres-0.800.txz: 100% 26 KiB 26.7kB/s 00:01 Fetching py27-spf-2.0.12_1.txz: 100% 34 KiB 35.0kB/s 00:01 Fetching py27-dns-2.3.6_1.txz: 100% 31 KiB 32.0kB/s 00:01 Fetching python2-2_3.txz: 100% 1 KiB 1.1kB/s 00:01 Fetching py27-ipaddr-2.1.10_1.txz: 100% 22 KiB 22.1kB/s 00:01 Checking integrity... done (0 conflicting) [1/6] Installing python2-2_3... [1/6] Extracting python2-2_3: 100% [2/6] Installing py27-dns-2.3.6_1... [2/6] Extracting py27-dns-2.3.6_1: 100% [3/6] Installing py27-authres-0.800... [3/6] Extracting py27-authres-0.800: 100% [4/6] Installing py27-spf-2.0.12_1... [4/6] Extracting py27-spf-2.0.12_1: 100% [5/6] Installing py27-ipaddr-2.1.10_1... [5/6] Extracting py27-ipaddr-2.1.10_1: 100% [6/6] Installing py27-postfix-policyd-spf-python-1.3.2... [6/6] Extracting py27-postfix-policyd-spf-python-1.3.2: 100% Message from py27-postfix-policyd-spf-python-1.3.2: # # To configure Postfix # This package must be integrated with Postfix to be effective: 1\. Add to your postfix master.cf: policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/local/bin/policyd-spf 2\. Configure the Postfix policy service in your main.cf so that the "smtpd_recipient_restrictions" includes a call to the policyd-spf policy filter. If you already have a "smtpd_recipient_restrictions" line, you can add the "check_policy_service" command anywhere *after* the line which reads "reject_unauth_destination" (otherwise you're system can become an open relay). smtpd_recipient_restrictions = ... reject_unauth_destination check_policy_service unix:private/policyd-spf ... policyd-spf_time_limit = 3600 3\. Please consult the postfix documentation for more information on these and other settings you may wish to have in the "smtpd_recipient_restrictions" configuration. 4\. Reload postfix.
-
For me, postfix+friends on pfsense a major administrative convenience. And, it is in keeping with the spirit of what is is a 'firewall' does (if only in an expanded sense). Most of the spam traffic won't even succeed in connecting, the ones that do cause internet 'internet spam service check' requests to leave from the firewall without having to take up bandwidth on the lan, and most of the evil attachments never make it past the firewall either. It also (I hope still will) allow one 'clamav' install to manage scanning web traffic for the squid suite and also the mailscanner/email.
Also, having the 'postfix and associated packages" stack in PF allows me to leverage pf's certificate management, destination email domain routing, failover, load balancing for email. That internal domain routing bit is a security plus as traffic for domain X never travels lan segments used by those on domains A, B and C, an obvious security plus. Also it allows the internal smtp world to be very fast and lean as it needs minimal security and no need for the add-on 'nasty-checking' packages.
Remember one of the main spam defences is having the mail exchanger's reverse dns match the common name in the ssl certificate. Anytime information can be kept in one place and closer to where it's used is an admin win.
Last, the postfix config for the lan side can use the lmtp protocol which is a major overhead saver (no per message setups/teardowns).
It calls for a multiprocessor setup, lots of ram and lots of disk. I know that is not exactly what comes to mind using the word 'embedded', but the above is my $0.02 on why it's worth it.
If it were to be removed, I'd have to create not just port forward to a new subnet but a vlan just to isolate incoming email traffic, then – well, it would result in an economic bonanza for the people who sell those coffee thingys.
-
Sadly SPF is broken now:
Bismarck, have you been able to install from Available Packages? I missed a few days of 2.3 updates but haven't seen the postfix package listed.
-
Hi biggsy,
the packages should still be there:
http://files.pfsense.org/packages/10/All/postfix-2.11.3_2-amd64.pbi
regards
-
The pull request still needs to be aproved first.
- 24 days later
-
Hello marcelloc,
since 2.2.x Postfix doesn't write spam logs to the sqlite database, thus you can't search for spam and the widget doesn't display any spam records.
This makes it really hard to track false positives. :'(
Please help!
//edit
when I execute it via putty after I send a spam test, it does write the spam record to the database file!?
[root@pfsense~]$ /usr/local/bin/php -q /usr/local/www/postfix.php 01min /usr/bin/grep '^Jan 15 09:25.*\(MailScanner\|postfix.cleanup\|postfix.smtp\|postfix.error\|postfix.qmgr\)' /var/log/maillog Found logs to 2016-01-15.db ####################################### SPAM:SpamAssassin (nicht zwischen gespeichert, Wertung=1004.701, benoetigt 3, FSL_HELO_NON_FQDN_1 0.00, GTUBE 1000.00, HTML_MESSAGE 0.00, PYZOR_CHECK 1.98, RDNS_NONE 0.00, TVD_RCVD_SINGLE 1.21, ZONK_PHISH_BODY 1.50)5E1EA1C2B99zonk ####################################### ####################################### SPAM:SpamAssassin (nicht zwischen gespeichert, Wertung=1004.701, benoetigt 3, FSL_HELO_NON_FQDN_1 0.00, GTUBE 1000.00, HTML_MESSAGE 0.00, PYZOR_CHECK 1.98, RDNS_NONE 0.00, TVD_RCVD_SINGLE 1.21, ZONK_PHISH_BODY 1.50)4E48D1C2BFBzonk ####################################### writing to database...writing to database... writing to local db 2016-01-15...ok
maybe a timeing problem?
- 14 days later
-
The pull request still needs to be aproved first.
Thank you for working on this, Marcello. Is there any news?
-
FYI
I did a fresh install of pfSense 2.2.6 last week and the Postfix package did work out of the box, expect the search mail & widget sqlite bug, wich can be fixed by fetching the postfix.php/postfix.widget.php from:
fetch -o /usr/local/www/postfix.php http://e-sac.siteseguro.ws/px22/postfix.txt fetch -o /usr/local/www/widgets/widgets/postfix.widget.php http://e-sac.siteseguro.ws/px22/postfix.widget.txt
So NO need to delete Postfix and install it via pkgng!
Regards ;)
-
Thank you for working on this, Marcello. Is there any news?
yes, I'll need to change the syslog function that enables /var/log/maillog.
-
So NO need to delete Postfix and install it via pkgng!
It just started up or it's running and filtering email? on 2.2 I got a lot of missing libs erros on postfix subprocesses.
-
So NO need to delete Postfix and install it via pkgng!
It just started up or it's running and filtering email? on 2.2 I got a lot of missing libs erros on postfix subprocesses.
Yes it's filtering email, spam and viruses with MailScanner, I run it as my productive system since 2 weeks now, no lib errors or crashes.
Thank you for your hard work, much appreciated!
- 14 days later
-
Hi Marcello, I'm trying pfsense 2.3 beta, and one of the essential
packages for me is postfix, but the same does not appear in the list
of available packages, you had said at the forum, which would sit in
this package postfix for version 2.3 . As it would be possible to
install that version of package postfix in pfsense 2.3 beta. Greetings
and thank you very much for the excellent work he has done. Excuse the
bad English. -
postfix 2.11 was released in January and, among other things, it contains the following enhancement:
- A new postscreen_dnsbl_whitelist_threshold feature to allow
clients to skip postscreen tests based on their DNSBL score.
This can eliminate email delays due to "after 220 greeting"
protocol tests, which otherwise require that a client reconnects
before it can deliver mail. Some providers such as Google don't
retry from the same IP address, and that can result in large
email delivery delays.
Any chance of an updated package based on postfix 2.11?
Hi Biggsy, this is working with the current package Postfix 2.11.3/pfSense 2.2.6.
To enable:
postscreen_dnsbl_whitelist_threshold=-1
edit /usr/local/pkg/postfix.inc around line 629 and add this:
$postfix_main .= "postscreen_dnsbl_whitelist_threshold=-1\n";
and restart the Postfix service.
So no more hardcodeed IPs in Client Access List / CDIR needed, for google outbound mail server etc. ;)
marcelloc, maybe you can make this a option in the Postfix menu?
- A new postscreen_dnsbl_whitelist_threshold feature to allow
-
Hello marcelloc,
I found 2 bug in postfix.php, related to the log to sqlite file.
The result of loglines populated to slqlite file differs by the time period chosen tin the Genaral tab > Logging > Update Sqlite, it always missing around 50% of what has been really logged, eg. if we choose Every Minute. I found a workaround by adding a second cronjob, which executes every 10m as well and no longline is missing anymore.
Second, this is related to spam status is not updated to the sqlite file on month days with just one digit (1 - 9), because postfix logs the date like:
Feb 6 16:25:21 pfsense postfix/dnsblog[27506]: addr 193.189.117.150 listed by domain zen.spamhaus.org as 127.0.0.2
and MailScanner like:
Feb 06 16:24:50 pfsense MailScanner[20367]: Delivery of nonspam: message 604671C2F69.A240D from ``` I guess there is something like a regex pattern mismatch, because on month days with 2 digits (10 - 31) the spam status is updated to sqlite file just fine. Regards
- 20 days later
-
When you use Postfix/TLS, you should fix the DROWN Attack vulnerability:
openssl dhparam -out /usr/pbi/postfix-amd64/etc/postfix/dh2048.pem 2048
and add this, below your TLS config in the custom main.cf options:
# Whenever the built-in defaults are sufficient, let the built-in # defaults stand by deleting any explicit overrides. # Disable deprecated SSL protocol versions. See: # http://www.postfix.org/postconf.5.html#smtp_tls_protocols # http://www.postfix.org/postconf.5.html#smtpd_tls_protocols # # Default in all supported stable Postfix releases since July 2015. # Defaults for the mandatory variants never allowed SSLv2. # smtpd_tls_protocols = !SSLv2, !SSLv3 smtp_tls_protocols = !SSLv2, !SSLv3 lmtp_tls_protocols = !SSLv2, !SSLv3 tlsproxy_tls_protocols = $smtpd_tls_protocols # smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3 tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols # Disable export and low-grade ciphers. See: # http://www.postfix.org/postconf.5.html#smtpd_tls_ciphers # http://www.postfix.org/postconf.5.html#smtp_tls_ciphers # # Default in all supported stable Postfix releases since July 2015. # smtpd_tls_ciphers = medium smtp_tls_ciphers = medium # Enable forward-secrecy with a 2048-bit prime and the P-256 EC curve. See # http://www.postfix.org/FORWARD_SECRECY_README.html#server_fs # http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file # http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade # # The default DH parameters use a 2048-bit strong prime as of Postfix 3.1.0. # smtpd_tls_dh1024_param_file=${config_directory}/dh2048.pem smtpd_tls_eecdh_grade = strong # Trimmed cipherlist improves interoperability with old Exchange servers # and reduces exposure to obsolete and rarely used crypto. See: # http://www.postfix.org/postconf.5.html#smtp_tls_exclude_ciphers # http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers # smtp_tls_exclude_ciphers = EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2 smtpd_tls_exclude_ciphers = EXPORT, LOW, MD5, SEED, IDEA, RC2
Source: https://drownattack.com/postfix.html
DROWN Test: https://test.drownattack.com/
Postfix/TLS: http://www.checktls.com/perl/TestReceiver.pl
SSL Labs Test: https://dev.ssllabs.com/ssltest/Regards