Postfix - antispam and relay package
-
Thank you for working on this, Marcello. Is there any news?
yes, I'll need to change the syslog function that enables /var/log/maillog.
-
So NO need to delete Postfix and install it via pkgng!
It just started up or it's running and filtering email? on 2.2 I got a lot of missing libs erros on postfix subprocesses.
-
So NO need to delete Postfix and install it via pkgng!
It just started up or it's running and filtering email? on 2.2 I got a lot of missing libs erros on postfix subprocesses.
Yes it's filtering email, spam and viruses with MailScanner, I run it as my productive system since 2 weeks now, no lib errors or crashes.
Thank you for your hard work, much appreciated!
- 14 days later
-
Hi Marcello, I'm trying pfsense 2.3 beta, and one of the essential
packages for me is postfix, but the same does not appear in the list
of available packages, you had said at the forum, which would sit in
this package postfix for version 2.3 . As it would be possible to
install that version of package postfix in pfsense 2.3 beta. Greetings
and thank you very much for the excellent work he has done. Excuse the
bad English. -
postfix 2.11 was released in January and, among other things, it contains the following enhancement:
- A new postscreen_dnsbl_whitelist_threshold feature to allow
clients to skip postscreen tests based on their DNSBL score.
This can eliminate email delays due to "after 220 greeting"
protocol tests, which otherwise require that a client reconnects
before it can deliver mail. Some providers such as Google don't
retry from the same IP address, and that can result in large
email delivery delays.
Any chance of an updated package based on postfix 2.11?
Hi Biggsy, this is working with the current package Postfix 2.11.3/pfSense 2.2.6.
To enable:
postscreen_dnsbl_whitelist_threshold=-1
edit /usr/local/pkg/postfix.inc around line 629 and add this:
$postfix_main .= "postscreen_dnsbl_whitelist_threshold=-1\n";
and restart the Postfix service.
So no more hardcodeed IPs in Client Access List / CDIR needed, for google outbound mail server etc. ;)
marcelloc, maybe you can make this a option in the Postfix menu?
- A new postscreen_dnsbl_whitelist_threshold feature to allow
-
Hello marcelloc,
I found 2 bug in postfix.php, related to the log to sqlite file.
The result of loglines populated to slqlite file differs by the time period chosen tin the Genaral tab > Logging > Update Sqlite, it always missing around 50% of what has been really logged, eg. if we choose Every Minute. I found a workaround by adding a second cronjob, which executes every 10m as well and no longline is missing anymore.
Second, this is related to spam status is not updated to the sqlite file on month days with just one digit (1 - 9), because postfix logs the date like:
Feb 6 16:25:21 pfsense postfix/dnsblog[27506]: addr 193.189.117.150 listed by domain zen.spamhaus.org as 127.0.0.2
and MailScanner like:
Feb 06 16:24:50 pfsense MailScanner[20367]: Delivery of nonspam: message 604671C2F69.A240D from ``` I guess there is something like a regex pattern mismatch, because on month days with 2 digits (10 - 31) the spam status is updated to sqlite file just fine. Regards
- 20 days later
-
When you use Postfix/TLS, you should fix the DROWN Attack vulnerability:
openssl dhparam -out /usr/pbi/postfix-amd64/etc/postfix/dh2048.pem 2048
and add this, below your TLS config in the custom main.cf options:
# Whenever the built-in defaults are sufficient, let the built-in # defaults stand by deleting any explicit overrides. # Disable deprecated SSL protocol versions. See: # http://www.postfix.org/postconf.5.html#smtp_tls_protocols # http://www.postfix.org/postconf.5.html#smtpd_tls_protocols # # Default in all supported stable Postfix releases since July 2015. # Defaults for the mandatory variants never allowed SSLv2. # smtpd_tls_protocols = !SSLv2, !SSLv3 smtp_tls_protocols = !SSLv2, !SSLv3 lmtp_tls_protocols = !SSLv2, !SSLv3 tlsproxy_tls_protocols = $smtpd_tls_protocols # smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3 tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols # Disable export and low-grade ciphers. See: # http://www.postfix.org/postconf.5.html#smtpd_tls_ciphers # http://www.postfix.org/postconf.5.html#smtp_tls_ciphers # # Default in all supported stable Postfix releases since July 2015. # smtpd_tls_ciphers = medium smtp_tls_ciphers = medium # Enable forward-secrecy with a 2048-bit prime and the P-256 EC curve. See # http://www.postfix.org/FORWARD_SECRECY_README.html#server_fs # http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file # http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade # # The default DH parameters use a 2048-bit strong prime as of Postfix 3.1.0. # smtpd_tls_dh1024_param_file=${config_directory}/dh2048.pem smtpd_tls_eecdh_grade = strong # Trimmed cipherlist improves interoperability with old Exchange servers # and reduces exposure to obsolete and rarely used crypto. See: # http://www.postfix.org/postconf.5.html#smtp_tls_exclude_ciphers # http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers # smtp_tls_exclude_ciphers = EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2 smtpd_tls_exclude_ciphers = EXPORT, LOW, MD5, SEED, IDEA, RC2
Source: https://drownattack.com/postfix.html
DROWN Test: https://test.drownattack.com/
Postfix/TLS: http://www.checktls.com/perl/TestReceiver.pl
SSL Labs Test: https://dev.ssllabs.com/ssltest/Regards
- 20 days later
-
Hi - any news for Postfix on 2.3? I see that it's not currently in the package list for the Beta.
-
Perhaps Marcello is very busy but I'm hoping we will hear some news too.
- 10 days later
-
I've sent two updates today and one is missing to complete changes requested by renato
https://github.com/pfsense/FreeBSD-ports/pull/23
https://github.com/pfsense/pfsense/pull/2844 -
Many thanks for the update and also your hard work.
-
Postfix Forwarder 2.4.6 on pfSense 2.2.6 (amd64)
Based on my reading of this thread the above combination works without modification… is this correct?
Enable LDAP fetch: Installing the LDAP pkg don't work based on (hint: /usr/sbin/pkg_add -r p5-perl-ldap) as listed on the GUI?
pkg_add -r p5-perl-ldap Results: pkg_add: Command not Found
pkg add -r p5-perl-ldap Results: No Such File: -r
pkg add p5-perl-ldap Results: No Such File: p5-perl-ldap
What is it that I am missing?
-
Postfix Forwarder 2.4.6 on pfSense 2.2.6 (amd64)
Based on my reading of this thread the above combination works without modification… is this correct?
Enable LDAP fetch: Installing the LDAP pkg don't work based on (hint: /usr/sbin/pkg_add -r p5-perl-ldap) as listed on the GUI?
pkg_add -r p5-perl-ldap Results: pkg_add: Command not Found
pkg add -r p5-perl-ldap Results: No Such File: -r
pkg add p5-perl-ldap Results: No Such File: p5-perl-ldap
What is it that I am missing?
pkg install p5-perl-ldap
pkg help
For more information on the different commands see 'pkg help <command></command>'.
https://wiki.freebsd.org/pkgng
Cheers.
-
Bismarck,
Thanks! I am new to FreeBSD, so its a learning curve from Fedora.
-
Tell me it's a mistake….???
-
Tell me it's a mistake….???
Can't believe Postfix + so many other packages were removed. Time to find another solution people…
-
Marcello.
Em ontem foi oficialmente lançado pfsense estável versão 2.3, no entanto eu tenho atualizado e instalado um novo e o pacote postfix não é saídas disponíveis, listados na parcela de repos. Alguém pode me dizer o que acontece, porque se o oficial pfsense veio não sair com o pacote postfix.
In yesterday was released officially pfsense stable version 2.3, however I have updated and installed a new one and the postfix package is not available exits listed on the parcel of repos. Someone can tell me what happens, because if the officer came pfsense not come out with the postfix package.
Thanks.
En el día de ayer fue lanzado oficialmente estable la versión de pfsense 2.3, sin embargo he actualizado e instalado uno nuevo y el paquete postfix no esta disponible ni sale listado en la paquetería de los repos. Alquien me puede decir que pasa, porque si salio oficial el pfsense no salio junto el paquete postfix.
Muchas gracias.
-
I believe that Postfix will eventually appear in 2.3 as a post release addition. If you scroll back a page, Marcelloc has shown that development is still in progress linking to github. For me, this is the only reason I'm holding back from rolling out 2.3 so the sooner the better 8)
-
I believe that Postfix will eventually appear in 2.3 as a post release addition. If you scroll back a page, Marcelloc has shown that development is still in progress linking to github. For me, this is the only reason I'm holding back from rolling out 2.3 so the sooner the better 8)
Postfix will be the reason most people stay away from 2.3, pfSense is no longer a UTM…
-
It also is, but it has taken a long, long time, Macello, he said that he was preparing postfix to 2.3 for the problems that occurred in 2.2, and could not devote himself to both versions at once, that was done much, he has now gone 2.3, and still postfix still waiting.
He was ancioso by this version 2.3, in itself, I taste from RC, leaving here without postfix, something almost impresindible for me and one of the marvelous things that pfSense employment.
-
if you guys are anxious on getting postfix you should install the package, its a bsd system at the end.
-
if you guys are anxious on getting postfix you should install the package, its a bsd system at the end.
Not arguing with that but the GUI does make it easier to get up and running.
Sadly, it seems that the Postfix Forwarder is not one of the mostly widely used packages and doesn't seem to be a priority for the core team.
As dannyboy1121 pointed out, marcelloc has ported the package but he has also suggested some other changes to make life easier for packages to log. The package and the other change haven't been accepted yet. Hoping that will happen before 2.3.1 but I'm not optimistic about that.
-
Thank you for working on this, Marcello. Is there any news?
yes, I'll need to change the syslog function that enables /var/log/maillog.
Dear, Marcello.
I have a problem.
She described https://forum.pfsense.org/index.php?topic=110620.0You are given a solution to the problem. I executed the command
fetch -o /usr/local/www/postfix.php http://e-sac.siteseguro.ws/px22/postfix.txt
fetch -o /usr/local/www/widgets/widgets/postfix.widget.php http://e-sac.siteseguro.ws/px22/postfix.widget.txt
I have not changed. :'( -
postfix is postfix, if you really need it functional, scp /your/config/files/* root@newserver:/your/new/config/files/
works…
you can check logs with cat /var/log/maillog | grep whatyouwanttosearchherethere is no point on complaining and saying that pfsense is a bad product or is no longer a UTM or all that 'sadness' (for not saying another word) trying to make the developers feel bad for you guys. they will fix it at some point. if you cant live without the graphical interface, set a VM, some forwarding rules and run it from there.
if you are unhappy, get a grip and start coding a patch yourself apply it, test it and share it here. any volunteer? ;)
-
if you guys are anxious on getting postfix you should install the package, its a bsd system at the end.
While indeed it's a bsd system at the end as you say, the 'postfix' pfsense package does more than 'pretty up' the postfix interface. Not least, it provides all the integrated config backup/setup xml config capability, the status/queue monitoring screens, etc. etc.
For those pfsense experts who not doing email managing, here are the key things you need to know:
-
this package is an email router, an email firewall. It is NOT an 'email server' or 'email system'. Think 'branch' not 'leaf'.
-
one of the most powerful things that anti-spam systems use to approve 'legit' email is to check whether the reverse DNS (ip->DNS) matches (DNS->ip) of the system claiming to be the sender of the email. If the system at that IP has a certificate with a CN that matches the DNS, the odds of having outbound email be wrongly marked as spam are less. Way less. PF already supports a cert manager which it needs for its own https purpose that matches the need for a forwarder. The edge router is just 'the right place' for the email router to live as well.
-
any 'real' email install has two or more ISPs or 'WAN' providers. Just think of all the avoidable plumbing necessary to avoid asymmetric routing if the emailer 'store and foreward' point is NATTed downstream of pfsense.
-
internet 'email exchangers' have two or more systems with different IP addresses set up in the DNS. It's a perfect fit for two pf boxes using pfsync. A common admin GUI for both.
I hope this helps motivate those who care mostly about packet routing to comprehend the appropriateness of the postfix package hosted on pfsense.
-
-
https://github.com/pfsense/pfsense/pull/2844
Looks like the Postfix package maybe will arrive with pfSense 2.3.1?
-
Hi Bismarck,
That pull request is marked "Post 2.3.1" now. I guess marcelloc has modified the Postfix Forwarder to use that change, so maybe 2.3.2 or whatever comes next.
I'm considering turning my current pfSense VM into one that only does Postfix Forwarder and using 2.3.1 in a separate VM as the firewall. Easier than setting up a new FreeBSD VM and installing Postfix on it.
-
Hi Biggsy, I will stay with 2.2.6 as long as it has no high risk security vulnerabilities which can't be manually fixed/patched, so no reason to dump a well working UTM just for a fancy GUI. ;)
- 10 days later
-
Hi.
In case someone needs to specify a port in domain forwarding, here is a patch for /usr/local/pkg/postfix.inc:
--- postfix.inc.org 2015-10-29 13:59:12.000000000 +0300 +++ postfix.inc 2015-10-29 14:19:36.000000000 +0300 @@ -263,10 +263,17 @@ if (is_array($postfix_domains['row'])) { foreach ($postfix_domains['row'] as $postfix_row) { $relay_domains .= ' ' . $postfix_row['domain']; - if (!empty($postfix_row['mailserverip'])) - $transport .= $postfix_row['domain'] . " smtp:[" . $postfix_row['mailserverip'] . "]\n"; + if (!empty($postfix_row['mailserverip'])) { + if (strrpos($postfix_row['mailserverip'], ":") === false) { + $transport .= $postfix_row['domain'] . " smtp:[" . $postfix_row['mailserverip'] . "]\n"; + } + else { + list($t_ip, $t_port) = explode(":", $postfix_row['mailserverip']); + $transport .= $postfix_row['domain'] . " smtp:[" . $t_ip . "]:" . "$t_port\n"; } } + } + } #check cron check_cron(); #check logging @@ -787,8 +794,15 @@ } else if (substr($key, 0, 12) == "mailserverip" && is_numeric(substr($key, 12))) { if (empty($post['domain' . substr($key, 12)])) $input_errors[] = "Domain for {$value} cannot be blank."; - if (!is_ipaddr($value) && !is_hostname($value)) - $input_errors[] = "{$value} is not a valid IP address or host name."; + if (strrpos($value, ":") === false) { + if (!is_ipaddr($value) && !is_hostname($value)) + $input_errors[] = "{$value} is not a valid IP address or host name."; + } + else { + list($t_ip, $t_port) = explode(":", $value); + if (!is_ipaddr($t_ip) && !is_hostname($t_ip)) + $input_errors[] = "{$value} is not a valid IP address or host name."; + } } } }
Thanks jazzl0ver, patch works perfect! :)
-
En el día de hoy salio pfsense 2.3.1 y aún nada de postfix forwarder, según la propia web de documentación de pfsense, https://doc.pfsense.org/index.php/2.3_Removed_Packages dice lo siguiente Postfix Forwarder - no package maintainer, not converted, en la lista de paquetes removidos. Por fin para cuando volvemos a tener estos paquetes que tanto nos ayudan y resuelven problemas. Muchas gracias.
Today came out pfsense 2.3.1 and still nothing forwarder postfix, according to the website of documentation pfsense, https://doc.pfsense.org/index.php/2.3_Removed_Packages reads Postfix Forwarder - no package maintainer, not converted, removed from the list of packages. Finally when we again have these packages that both help us and solve problems. Thank you very much.
-
Postfix Forwarder - no package maintainer, not converted, removed from the list of packages.
Not true. I've sent the pull request but it's still not verified or something on this direction.
-
So, what's the reason a 'ready to go' pull request for postfix isn't moving ahead? Did someone in high places just forget? Perhaps a friendly ping email to correct the impression of no maintainer??
-
Well, maybe the team was just trying to get 2.3.1 out the door and didn't have the time to look at packages?
-
Hey Marcello - I'm still steamed that pfSense didn't make it more obvious that the upgrade to 2.3 was going to destroy my Postfix installation. >:( I would NEVER have upgraded to 2.3 if I had known that all the work I did to get mail under control was about to be wiped out! I was so grateful to you for providing the port for pfSense; it worked flawlessly once I figured out how to configure it (that took a long time). Now my mail system is flooded with crap again every day. I cannot wait for Postfix to make it back into the 2.3.1 package installer.
Is there any way to download it directly from you/Github and install it manually into pfSense 2.3.1? I'm desperate to get my mail back under control.
Thanks for all your hard work!!
Rob…
-
…pfSense didn't make it more obvious that the upgrade to 2.3 was going to destroy my Postfix installation
You mean more than this?
Packages
The list of available packages in pfSense 2.3.x has been significantly trimmed. We have removed packages that have been deprecated upstream, no longer have an active maintainer, or were never stable. A few have yet to be converted for Bootstrap and may return if converted. See the 2.3 Removed Packages list for details.
But I understand your frustration.
-
Postfix Forwarder - no package maintainer, not converted, removed from the list of packages.
Not true. I've sent the pull request but it's still not verified or something on this direction.
No será cierto, pero es lo que informa la web de pfsense https://doc.pfsense.org/index.php/2.3_Removed_Packages
en estos momentos en que escribo este post dice así Postfix Forwarder - not converted (pending pull request) .
Muchas gracias a la espera de que salga pronto, hay alguna opción para poder instarlo manualmente.It will not be true, but what informs the web of pfsense https://doc.pfsense.org/index.php/2.3_Removed_Packages
right now as I write this post so says Postfix Forwarder - not converted (pending pull request).
Thank you very much waiting to come out soon, there is an option to manually urge. -
45 pages, sorry but i'm not going to wade through that.
Does this do smtp "passthrough" to the internal mail server for when you want to send mail?
I installed postfix on our debian server, and i can get incoming mail from outside mail servers go through postfix/spamassassin, and then to our internal server.
But the problem comes when you want to send mail from a client, when it connects it cannot do authentication (and ldap is insecure, i don't like it), and it says "relay access denied" - which makes sense due to it not being an open relay.
Can this do some kind of passthrough for when doing authentication to go directly to our internal one? -
passthrough is a nat/port forward. postfix is a postfix server. mainly to filter spam and that. =)
"relay access denied" is a wrongly configured postfix. check http://www.postfix.org/documentation.html .
-
passthrough is a nat/port forward. postfix is a postfix server. mainly to filter spam and that. =)
"relay access denied" is a wrongly configured postfix. check http://www.postfix.org/documentation.html .
yes i know, but doing port forward would make both incoming from client and server go to the internal server, that's not what i want
i only want postfix to handle incoming mail from servers outside the networkdocumentation doesn't help either because i don't know what to look for
-
you should have something like:
(internet)<–----->pfsense<------>intranet
---(postfix)so basically you came into the thread without reading the whole 45 pages with a problem. and you dont want to read the documentation because you dont know what to look for.
why dont you start by expaining nicely:
-what you want to do,
-which environment you have,
-which pf config/version, etc.
and what tests you have made. like telneting x port from the 'inside' and telneting the port from the 'outside' with a nice pastebin link so we all can read about it. also quoting logs is a plus to know what to look for.right now, we are having a conversation on when postfix package will be available upstream.
bye,