Postfix - antispam and relay package
-
Postfix Forwarder - no package maintainer, not converted, removed from the list of packages.
Not true. I've sent the pull request but it's still not verified or something on this direction.
No será cierto, pero es lo que informa la web de pfsense https://doc.pfsense.org/index.php/2.3_Removed_Packages
en estos momentos en que escribo este post dice así Postfix Forwarder - not converted (pending pull request) .
Muchas gracias a la espera de que salga pronto, hay alguna opción para poder instarlo manualmente.It will not be true, but what informs the web of pfsense https://doc.pfsense.org/index.php/2.3_Removed_Packages
right now as I write this post so says Postfix Forwarder - not converted (pending pull request).
Thank you very much waiting to come out soon, there is an option to manually urge. -
45 pages, sorry but i'm not going to wade through that.
Does this do smtp "passthrough" to the internal mail server for when you want to send mail?
I installed postfix on our debian server, and i can get incoming mail from outside mail servers go through postfix/spamassassin, and then to our internal server.
But the problem comes when you want to send mail from a client, when it connects it cannot do authentication (and ldap is insecure, i don't like it), and it says "relay access denied" - which makes sense due to it not being an open relay.
Can this do some kind of passthrough for when doing authentication to go directly to our internal one? -
passthrough is a nat/port forward. postfix is a postfix server. mainly to filter spam and that. =)
"relay access denied" is a wrongly configured postfix. check http://www.postfix.org/documentation.html .
-
passthrough is a nat/port forward. postfix is a postfix server. mainly to filter spam and that. =)
"relay access denied" is a wrongly configured postfix. check http://www.postfix.org/documentation.html .
yes i know, but doing port forward would make both incoming from client and server go to the internal server, that's not what i want
i only want postfix to handle incoming mail from servers outside the networkdocumentation doesn't help either because i don't know what to look for
-
you should have something like:
(internet)<–----->pfsense<------>intranet
---(postfix)so basically you came into the thread without reading the whole 45 pages with a problem. and you dont want to read the documentation because you dont know what to look for.
why dont you start by expaining nicely:
-what you want to do,
-which environment you have,
-which pf config/version, etc.
and what tests you have made. like telneting x port from the 'inside' and telneting the port from the 'outside' with a nice pastebin link so we all can read about it. also quoting logs is a plus to know what to look for.right now, we are having a conversation on when postfix package will be available upstream.
bye, -
mrbrax: To use postfix for incoming filtering+ store and forward, without using it for lan->wan email, simply configure all users to point their email systems send configuration to some random free port number on the WAN interface-l which you nat to your internal systems. Allow postfix on pfsense to operate normally, d-natting (port forwarding) 25 and maybe 465 to postfix on pfsense.
Also, kindly consider those offering their time to help you here are volunteers, many of whom have taken the time to understand the tools in order to be of service. PFsense has this package as a frontend on postfix as you know. You will pay yourself 10 minutes for every one you spend reading the postfix documentation, even though it doesn't seem like it when you're doing the reading. I hope once you also find success you'll return the favor to help others here.
-
you should have something like:
(internet)<–----->pfsense<------>intranet
---(postfix)so basically you came into the thread without reading the whole 45 pages with a problem. and you dont want to read the documentation because you dont know what to look for.
why dont you start by expaining nicely:
-what you want to do,
-which environment you have,
-which pf config/version, etc.
and what tests you have made. like telneting x port from the 'inside' and telneting the port from the 'outside' with a nice pastebin link so we all can read about it. also quoting logs is a plus to know what to look for.right now, we are having a conversation on when postfix package will be available upstream.
bye,forget it, this sounds too complicated anyway. we'll just continue dealing with putting spam manually in the bin
mrbrax: To use postfix for incoming filtering+ store and forward, without using it for lan->wan email, simply configure all users to point their email systems send configuration to some random free port number on the WAN interface-l which you nat to your internal systems. Allow postfix on pfsense to operate normally, d-natting (port forwarding) 25 and maybe 465 to postfix on pfsense.
Also, kindly consider those offering their time to help you here are volunteers, many of whom have taken the time to understand the tools in order to be of service. PFsense has this package as a frontend on postfix as you know. You will pay yourself 10 minutes for every one you spend reading the postfix documentation, even though it doesn't seem like it when you're doing the reading. I hope once you also find success you'll return the favor to help others here.
As said, i don't know what to look for - for the stuff i want to do, so reading the documentation is useless when i barely know what i want to do in the first place.
and changing the configuration for everyone? not happening. if it doesn't work on port 25/587 on one domain it's not worth looking into.What do you mean? consider volunteers?
-
mbrax: You mentioned you only want postfix to handle incoming mail from servers outside the network, yes? That means for all approved clients whether inside the network or not, and servers inside the network you have another answer (maybe inside the network, or outside). You also mentioned you can't control the server configurations on your clients, so setting up a custom smtp port for approved clients is out.
There is only then one good answer I can see.
1: Set up postfix on pfsense so that all traffic on all smtp ports is handled by it. Port forward all smtp ports on lan/wan to localhost, then set up postfix to bind to that interface.2: Configure postfix's capability to know which systems/clients are authorized to be exempt from security and to forward all email from them to the approved servers without change.
3: Use the fuil screening ability of postfix on everything else, sending approved messages to the internal servers.
For details on how to do that, read here: http://www.postfix.org/documentation.html, or, in the alternative, pay someone who has done this before to set it up for you.
-
mbrax: You mentioned you only want postfix to handle incoming mail from servers outside the network, yes? That means for all approved clients whether inside the network or not, and servers inside the network you have another answer (maybe inside the network, or outside). You also mentioned you can't control the server configurations on your clients, so setting up a custom smtp port for approved clients is out.
There is only then one good answer I can see.
1: Set up postfix on pfsense so that all traffic on all smtp ports is handled by it. Port forward all smtp ports on lan/wan to localhost, then set up postfix to bind to that interface.2: Configure postfix's capability to know which systems/clients are authorized to be exempt from security and to forward all email from them to the approved servers without change.
3: Use the fuil screening ability of postfix on everything else, sending approved messages to the internal servers.
For details on how to do that, read here: http://www.postfix.org/documentation.html, or, in the alternative, pay someone who has done this before to set it up for you.
Yes, the problem lies in that postfix can't authenticate users due to it not having access to the database. That's why i was wondering if it can just forward it to the internal one and have it handle everything instead.
And again, documentation won't help at all here still.
-
"Yes, the problem lies in that postfix can't authenticate users due to it not having access to the database. That's why i was wondering if it can just forward it to the internal one and have it handle everything instead.
And again, documentation won't help at all here still."
Kindly notice that indeed it does. Read here:
http://www.postfix.org/LOCAL_RECIPIENT_README.htmlThere you will see long experience strongly advises against turning off recipient validation, though it shows how to do that.
When postfix offers validation by ldap, sql, web lookup, text file, SASL, etc. there is a way to do this properly.
Surely you could write a little script on either pfsense cron on on the system that actually does know the recipient list to peel off a copy then rsync it to pfsense if nothing else. -
Kindly notice that indeed it does. Read here:
http://www.postfix.org/LOCAL_RECIPIENT_README.htmlThere you will see long experience strongly advises against turning off recipient validation, though it shows how to do that.
When postfix offers validation by ldap, sql, web lookup, text file, SASL, etc. there is a way to do this properly.
Surely you could write a little script on either pfsense cron on on the system that actually does know the recipient list to peel off a copy then rsync it to pfsense if nothing else.I still don't think we're on the same page here. Let's say that the postfix server is not able to get authentication information.
I'm only interested in parsing incoming mail from outside servers to check them for spam, nothing else (sending mail etc)i mean, thanks for helping but it's not really regarding my issue
-
mbrax, thats what for postfix is there for, scan for spam….
-
mbrax, thats what for postfix is there for, scan for spam….
yes, yes i know
but there's the part of a client using the server to send messages (which i don't want to use at all), and the part of a mail server sending mail to the users inside our mail server
if it's not possible to just literally forward the data to the internal one when it's about clients sending messages and logging in, it won't work with my plan
i don't think my idea comes across with words, so here's a work of art made in mspaint
-
Did you happen to read the paragraph in the link I gave you that starts: " turn off unknown local recipient rejects"? Seems to fit what you've been asking for.
-
Did you happen to read the paragraph in the link I gave you that starts: " turn off unknown local recipient rejects"? Seems to fit what you've been asking for.
Read it, can't see how it applies. I don't want postfix to handle clients sending mail. Only servers.
-
So, whitelist example.com, turn off unknown local recipient checks. All the example.com traffic gets forwarded without spam checks, ourdomain.com gets checked.
Even so, I'd explore the reason you can't get the list of auth recipients/domain a little more closely.
-
So, whitelist example.com, turn off unknown local recipient checks. All the example.com traffic gets forwarded without spam checks, ourdomain.com gets checked.
Even so, I'd explore the reason you can't get the list of auth recipients/domain a little more closely.
don't i have to do that for every domain that sends mail to us then? that's impossible
i don't like ldap, it's unsecure. and adding ssl to it is way too cumbersome
-
- LDAP over TLS is as secure as anything can be, especially if you implement the server checking the client cert.
- You whitelist the inhouse recipient domain.
- Really, the effort it takes to auth recipients is a fraction of the bandwidth the spam would take up to bogus@oursuers.com
-
- LDAP over TLS is as secure as anything can be, especially if you implement the server checking the client cert.
and adding ssl to it is way too cumbersome
please, i'm on the verge of just leaving this place out of frustration, it's like you're missing half my posts.. i appreciate the effort but jeez
if it can't forward the raw data to the internal one just for external mail, i'm not doing it.
-
Well then, go with the upstream remark 'So, whitelist example.com, turn off unknown local recipient checks. All the example.com traffic gets forwarded without spam checks, ourdomain.com gets checked. '
Good luck to you.
