Postfix - antispam and relay package

biggsy

@marcelloc:

The pull request still needs to be aproved first.

Thank you for working on this, Marcello.  Is there any news?

Bismarck

FYI

I did a fresh install of pfSense 2.2.6 last week and the Postfix package did work out of the box, expect the search mail & widget sqlite bug, wich can be fixed by fetching the postfix.php/postfix.widget.php from:

fetch -o /usr/local/www/postfix.php http://e-sac.siteseguro.ws/px22/postfix.txt
fetch -o /usr/local/www/widgets/widgets/postfix.widget.php http://e-sac.siteseguro.ws/px22/postfix.widget.txt

So NO need to delete Postfix and install it via pkgng!

Regards  ;)

marcelloc

@biggsy:

Thank you for working on this, Marcello.  Is there any news?

yes, I'll need to change the syslog function that enables /var/log/maillog.

marcelloc

@Bismarck:

So NO need to delete Postfix and install it via pkgng!

It just started up or it's running and filtering email? on 2.2 I got a lot of missing libs erros on postfix subprocesses.

Bismarck

@marcelloc:

@Bismarck:

So NO need to delete Postfix and install it via pkgng!

It just started up or it's running and filtering email? on 2.2 I got a lot of missing libs erros on postfix subprocesses.

Yes it's filtering email, spam and viruses with MailScanner, I run it as my productive system since 2 weeks now, no lib errors or crashes.

Thank you for your hard work, much appreciated!

LinuxCuba

Hi Marcello, I'm trying pfsense 2.3 beta, and one of the essential
packages for me is postfix, but the same does not appear in the list
of available packages, you had said at the forum, which would sit in
this package postfix for version 2.3 . As it would be possible to
install that version of package postfix in pfsense 2.3 beta. Greetings
and thank you very much for the excellent work he has done. Excuse the
bad English.

Bismarck

@biggsy:

postfix 2.11 was released in January and, among other things, it contains the following enhancement:

• A new postscreen_dnsbl_whitelist_threshold feature to allow
      clients to skip postscreen tests based on their DNSBL score.
      This can eliminate email delays due to "after 220 greeting"
      protocol tests, which otherwise require that a client reconnects
      before it can deliver mail. Some providers such as Google don't
      retry from the same IP address, and that can result in large
      email delivery delays.

Any chance of an updated package based on postfix 2.11?

Hi Biggsy, this is working with the current package Postfix 2.11.3/pfSense 2.2.6.

To enable:

postscreen_dnsbl_whitelist_threshold=-1

edit /usr/local/pkg/postfix.inc around line 629 and add this:

$postfix_main .= "postscreen_dnsbl_whitelist_threshold=-1\n";

and restart the Postfix service.

So no more hardcodeed IPs in Client Access List / CDIR needed, for google outbound mail server etc.  ;)

marcelloc, maybe you can make this a option in the Postfix menu?

Bismarck

Hello marcelloc,

I found 2 bug in postfix.php, related to the log to sqlite file.

The result of loglines populated to slqlite file differs by the time period chosen tin the Genaral tab > Logging > Update Sqlite, it always missing around 50% of what has been really logged, eg. if we choose Every Minute. I found a workaround by adding a second cronjob, which executes every 10m as well and no longline is missing anymore.

Second, this is related to spam status is not updated to the sqlite file on month days with just one digit (1 - 9), because postfix logs the date like:

Feb  6 16:25:21 pfsense postfix/dnsblog[27506]: addr 193.189.117.150 listed by domain zen.spamhaus.org as 127.0.0.2

and MailScanner like:

Feb 06 16:24:50 pfsense MailScanner[20367]: Delivery of nonspam: message 604671C2F69.A240D from
``` 
I guess there is something like a regex pattern mismatch, because on month days with 2 digits (10 - 31) the spam status is updated to sqlite file just fine.

Regards

Bismarck

When you use Postfix/TLS, you should fix the DROWN Attack vulnerability:

openssl dhparam -out /usr/pbi/postfix-amd64/etc/postfix/dh2048.pem 2048

and add this, below your TLS config in the custom main.cf options:

# Whenever the built-in defaults are sufficient, let the built-in
# defaults stand by deleting any explicit overrides.

# Disable deprecated SSL protocol versions.  See:
# http://www.postfix.org/postconf.5.html#smtp_tls_protocols
# http://www.postfix.org/postconf.5.html#smtpd_tls_protocols
#
# Default in all supported stable Postfix releases since July 2015.
# Defaults for the mandatory variants never allowed SSLv2.
#
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
tlsproxy_tls_protocols = $smtpd_tls_protocols
#
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols

# Disable export and low-grade ciphers.  See:
# http://www.postfix.org/postconf.5.html#smtpd_tls_ciphers
# http://www.postfix.org/postconf.5.html#smtp_tls_ciphers
#
# Default in all supported stable Postfix releases since July 2015.
#
smtpd_tls_ciphers = medium
smtp_tls_ciphers = medium

# Enable forward-secrecy with a 2048-bit prime and the P-256 EC curve. See
# http://www.postfix.org/FORWARD_SECRECY_README.html#server_fs
# http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file
# http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade
#
# The default DH parameters use a 2048-bit strong prime as of Postfix 3.1.0.
#
smtpd_tls_dh1024_param_file=${config_directory}/dh2048.pem
smtpd_tls_eecdh_grade = strong

# Trimmed cipherlist improves interoperability with old Exchange servers
# and reduces exposure to obsolete and rarely used crypto.  See:
# http://www.postfix.org/postconf.5.html#smtp_tls_exclude_ciphers
# http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers
#
smtp_tls_exclude_ciphers = EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2
smtpd_tls_exclude_ciphers = EXPORT, LOW, MD5, SEED, IDEA, RC2

Source: https://drownattack.com/postfix.html
DROWN Test: https://test.drownattack.com/
Postfix/TLS: http://www.checktls.com/perl/TestReceiver.pl
SSL Labs Test: https://dev.ssllabs.com/ssltest/

Regards

dannyboy1121

Hi - any news for Postfix on 2.3? I see that it's not currently in the package list for the Beta.

biggsy

Perhaps Marcello is very busy but I'm hoping we will hear some news too.

marcelloc

I've sent two updates today and one is missing to complete changes requested by renato

https://github.com/pfsense/FreeBSD-ports/pull/23
https://github.com/pfsense/pfsense/pull/2844

dannyboy1121

Many thanks for the update and also your hard work.

elundquist

Postfix Forwarder 2.4.6 on pfSense 2.2.6 (amd64)

Based on my reading of this thread the above combination works without modification…  is this correct?

Enable LDAP fetch: Installing the LDAP pkg don't work based on (hint: /usr/sbin/pkg_add -r p5-perl-ldap) as listed on the GUI?

pkg_add -r p5-perl-ldap  Results: pkg_add: Command not Found

pkg add -r p5-perl-ldap    Results: No Such File: -r

pkg add p5-perl-ldap      Results: No Such File: p5-perl-ldap

What is it that I am missing?

Bismarck

@elundquist:

Postfix Forwarder 2.4.6 on pfSense 2.2.6 (amd64)

Based on my reading of this thread the above combination works without modification…  is this correct?

Enable LDAP fetch: Installing the LDAP pkg don't work based on (hint: /usr/sbin/pkg_add -r p5-perl-ldap) as listed on the GUI?

pkg_add -r p5-perl-ldap  Results: pkg_add: Command not Found

pkg add -r p5-perl-ldap    Results: No Such File: -r

pkg add p5-perl-ldap      Results: No Such File: p5-perl-ldap

What is it that I am missing?

pkg install p5-perl-ldap

pkg help

For more information on the different commands see 'pkg help <command></command>'.

https://wiki.freebsd.org/pkgng

Cheers.

elundquist

Bismarck,

Thanks!  I am new to FreeBSD, so its a learning curve from Fedora.

hcoin

Tell me it's a mistake….???

MadCatZA

@hcoin:

Tell me it's a mistake….???

Can't believe Postfix + so many other packages were removed. Time to find another solution people…

LinuxCuba

Marcello.

Em ontem foi oficialmente lançado pfsense estável versão 2.3, no entanto eu tenho atualizado e instalado um novo e o pacote postfix não é saídas disponíveis, listados na parcela de repos. Alguém pode me dizer o que acontece, porque se o oficial pfsense veio não sair com o pacote postfix.

In yesterday was released officially pfsense stable version 2.3, however I have updated and installed a new one and the postfix package is not available exits listed on the parcel of repos. Someone can tell me what happens, because if the officer came pfsense not come out with the postfix package.

Thanks.

En el día de ayer fue lanzado oficialmente estable la versión de pfsense 2.3, sin embargo he actualizado e instalado uno nuevo y el paquete postfix no esta disponible ni sale listado en la paquetería de los repos. Alquien me puede decir que pasa, porque si salio oficial el pfsense no salio junto el paquete postfix.

Muchas gracias.

dannyboy1121

@linuxcuba

I believe that Postfix will eventually appear in 2.3 as a post release addition. If you scroll back a page, Marcelloc has shown that development is still in progress linking to github. For me, this is the only reason I'm holding back from rolling out 2.3 so the sooner the better  8)