Postfix - antispam and relay package

marcelloc · Apr 24, 2017, 2:13 PM

I had to manually install postfix-postfwd-1.35_1 to make it run and listen on 127.0.0.1:10045, otherwise postfix will give warnings about it.

Fixed the install script to include the pkg add, Thanks again :)

I'll push it to repo soon

n3by · Apr 25, 2017, 3:40 PM

Hi,

Is this re-instalation completed successfully as I also see in /root ?

drwxr-xr-x   5 root  wheel        512 Apr 25 17:07 spf-tools-master

/root: sh ./install_postfix_23.sh
Message from syslogd@fwpl at Apr 25 17:05:19 ...
fwpl php-fpm[61287]: /index.php: Successful loginsh ./install_postfix_23.sh                                                                 fetching  /usr/local/bin/adexport.pl from github
fetching  /usr/local/pkg/postfix.inc from github
fetching  /usr/local/pkg/postfix.xml from github
fetching  /usr/local/pkg/postfix_acl.xml from github
fetching  /usr/local/pkg/postfix_antispam.xml from github
fetching  /usr/local/pkg/postfix_domains.xml from github
fetching  /usr/local/pkg/postfix_recipients.xml from github
fetching  /usr/local/pkg/postfix_sync.xml from github
fetching  /usr/local/share/pfSense-pkg-postfix/info.xml from github
fetching  /usr/local/www/postfix.php from github
fetching  /usr/local/www/postfix_about.php from github
fetching  /usr/local/www/postfix_queue.php from github
fetching  /usr/local/www/postfix_recipients.php from github
fetching  /usr/local/www/postfix_search.php from github
fetching  /usr/local/www/postfix_view_config.php from github
fetching  /usr/local/www/shortcuts/pkg_postfix.inc from github
fetching  /usr/local/www/widgets/widgets/postfix.widget.php from github
fetching  /usr/local/pkg/postfix_dkim.inc from github
fetching  /usr/local/www/vendor/datatable/se-1.2.0.zip from github
fetching  /usr/local/www/vendor/datatable/css/jquery.dataTables.min.css from github
fetching  /usr/local/www/vendor/datatable/js/jquery.dataTables.min.js from github
fetching  /usr/local/www/postfix.sql.php from github
fetching  /usr/local/bin/postwhite from github
fetching  /usr/local/pkg/postfix_postwhite.template from github
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100%    944 B   0.9kB/s    00:01    
Fetching packagesite.txz: 100%    6 MiB   3.0MB/s    00:02    
Processing entries: 100%
FreeBSD repository update completed. 26278 packages processed.
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
Fetching meta.txz: 100%    944 B   0.9kB/s    00:01    
Child process pid=77716 terminated abnormally: Segmentation fault
fetch: https://github.com/jsarenik/spf-tools/archive/master.zip: size of remote file is not known
master.zip                                              49 kB  195 kBps 00m01s
Archive:  master.zip
d spf-tools-master
replace spf-tools-master/.gitignore? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
 extracting: spf-tools-master/.gitignore  
replace spf-tools-master/.simplecov? [y]es, [n]o, [A]ll, [N]one, [r]ename: A
 extracting: spf-tools-master/.simplecov  
 extracting: spf-tools-master/.travis.yml  
 extracting: spf-tools-master/AUTHORS  
 extracting: spf-tools-master/LICENSE  
 extracting: spf-tools-master/README.md  
 extracting: spf-tools-master/circle.yml  
 extracting: spf-tools-master/cloudflare.sh  
 extracting: spf-tools-master/compare.sh  
 extracting: spf-tools-master/despf.sh  
 extracting: spf-tools-master/genspfzone.sh  
d spf-tools-master/include
 extracting: spf-tools-master/include/despf.inc.sh  
 extracting: spf-tools-master/include/global.inc.sh  
 extracting: spf-tools-master/include/isincidrange.sh  
 extracting: spf-tools-master/iprange.sh  
d spf-tools-master/misc
 extracting: spf-tools-master/misc/ci-runtest.sh  
 extracting: spf-tools-master/misc/ci-setup.sh  
 extracting: spf-tools-master/misc/tmpl  
 extracting: spf-tools-master/mkblocks.sh  
 extracting: spf-tools-master/mkzoneent.sh  
 extracting: spf-tools-master/normalize.sh  
 extracting: spf-tools-master/route53.sh  
 extracting: spf-tools-master/runspftools.sh  
 extracting: spf-tools-master/shippable.yml  
 extracting: spf-tools-master/simplify.sh  
d spf-tools-master/tests
d spf-tools-master/tests/a24
 extracting: spf-tools-master/tests/a24/cmd  
 extracting: spf-tools-master/tests/a24/in  
 extracting: spf-tools-master/tests/a24/out  
d spf-tools-master/tests/brokendns
 extracting: spf-tools-master/tests/brokendns/cmd  
 extracting: spf-tools-master/tests/brokendns/in  
 extracting: spf-tools-master/tests/brokendns/out  
d spf-tools-master/tests/cname
 extracting: spf-tools-master/tests/cname/cmd  
 extracting: spf-tools-master/tests/cname/in  
 extracting: spf-tools-master/tests/cname/out  
d spf-tools-master/tests/despf
 extracting: spf-tools-master/tests/despf/cmd  
 extracting: spf-tools-master/tests/despf/in  
 extracting: spf-tools-master/tests/despf/out  
d spf-tools-master/tests/despf_chain
 extracting: spf-tools-master/tests/despf_chain/cmd  
 extracting: spf-tools-master/tests/despf_chain/in  
 extracting: spf-tools-master/tests/despf_chain/out  
d spf-tools-master/tests/despf_help
 extracting: spf-tools-master/tests/despf_help/cmd  
 extracting: spf-tools-master/tests/despf_help/in  
 extracting: spf-tools-master/tests/despf_help/out  
d spf-tools-master/tests/despf_qualifier
 extracting: spf-tools-master/tests/despf_qualifier/cmd  
 extracting: spf-tools-master/tests/despf_qualifier/in  
 extracting: spf-tools-master/tests/despf_qualifier/out  
d spf-tools-master/tests/despf_qualifier2
 extracting: spf-tools-master/tests/despf_qualifier2/cmd  
 extracting: spf-tools-master/tests/despf_qualifier2/in  
 extracting: spf-tools-master/tests/despf_qualifier2/out  
d spf-tools-master/tests/despf_skip
 extracting: spf-tools-master/tests/despf_skip/cmd  
 extracting: spf-tools-master/tests/despf_skip/in  
 extracting: spf-tools-master/tests/despf_skip/out  
d spf-tools-master/tests/despf_skip_t
 extracting: spf-tools-master/tests/despf_skip_t/cmd  
 extracting: spf-tools-master/tests/despf_skip_t/in  
 extracting: spf-tools-master/tests/despf_skip_t/out  
d spf-tools-master/tests/despf_torn
 extracting: spf-tools-master/tests/despf_torn/cmd  
 extracting: spf-tools-master/tests/despf_torn/in  
 extracting: spf-tools-master/tests/despf_torn/out  
d spf-tools-master/tests/despf_upper_case
 extracting: spf-tools-master/tests/despf_upper_case/cmd  
 extracting: spf-tools-master/tests/despf_upper_case/in  
 extracting: spf-tools-master/tests/despf_upper_case/out  
d spf-tools-master/tests/fix_32
 extracting: spf-tools-master/tests/fix_32/cmd  
 extracting: spf-tools-master/tests/fix_32/in  
 extracting: spf-tools-master/tests/fix_32/out  
d spf-tools-master/tests/mkblocks-help
 extracting: spf-tools-master/tests/mkblocks-help/cmd  
 extracting: spf-tools-master/tests/mkblocks-help/in  
 extracting: spf-tools-master/tests/mkblocks-help/out  
d spf-tools-master/tests/mkblocks-start
 extracting: spf-tools-master/tests/mkblocks-start/cmd  
 extracting: spf-tools-master/tests/mkblocks-start/in  
 extracting: spf-tools-master/tests/mkblocks-start/out  
d spf-tools-master/tests/mkblocks
 extracting: spf-tools-master/tests/mkblocks/cmd  
 extracting: spf-tools-master/tests/mkblocks/in  
 extracting: spf-tools-master/tests/mkblocks/out  
d spf-tools-master/tests/mx20
 extracting: spf-tools-master/tests/mx20/cmd  
 extracting: spf-tools-master/tests/mx20/in  
 extracting: spf-tools-master/tests/mx20/out  
d spf-tools-master/tests/mx20_upper_case
 extracting: spf-tools-master/tests/mx20_upper_case/cmd  
 extracting: spf-tools-master/tests/mx20_upper_case/in  
 extracting: spf-tools-master/tests/mx20_upper_case/out  
d spf-tools-master/tests/norm_ignore
 extracting: spf-tools-master/tests/norm_ignore/cmd  
 extracting: spf-tools-master/tests/norm_ignore/in  
 extracting: spf-tools-master/tests/norm_ignore/out  
d spf-tools-master/tests/normalize
 extracting: spf-tools-master/tests/normalize/cmd  
 extracting: spf-tools-master/tests/normalize/in  
 extracting: spf-tools-master/tests/normalize/out  
d spf-tools-master/tests/normalize_empty
 extracting: spf-tools-master/tests/normalize_empty/cmd  
 extracting: spf-tools-master/tests/normalize_empty/in  
 extracting: spf-tools-master/tests/normalize_empty/out  
d spf-tools-master/tests/nospf
 extracting: spf-tools-master/tests/nospf/cmd  
 extracting: spf-tools-master/tests/nospf/in  
 extracting: spf-tools-master/tests/nospf/out  
d spf-tools-master/tests/redirect
 extracting: spf-tools-master/tests/redirect/cmd  
 extracting: spf-tools-master/tests/redirect/in  
unzip: skipping non-regular entry 'spf-tools-master/tests/redirect/out'
d spf-tools-master/tests/simplify
 extracting: spf-tools-master/tests/simplify/cmd  
 extracting: spf-tools-master/tests/simplify/in  
 extracting: spf-tools-master/tests/simplify/out  
 extracting: spf-tools-master/tests/test-shell.sh  
 extracting: spf-tools-master/tests/test-subdirs.sh  
 extracting: spf-tools-master/tests/test-unit.sh  
 extracting: spf-tools-master/xsel.sh  
mv: rename spf-tools-master to /usr/local/bin/spf-tools/spf-tools-master: Directory not empty

edit:
deleted /usr/local/bin/spf-tools/spf-tools-master
and retry the install and now it looks ok

ccnet · Apr 26, 2017, 9:13 AM

Yesterday, a fresh Pfsense 2.3.3 install. 64bits version, on a vm (esx) with 2Go ram. This Pfsense is not used as firewall, the purpose is testing Pfsense + Postfix package as mail gateway. Runing install from scrip as provide on github. No error except if i miss something.
Setting a few parameters in Postfix and i can start it.
Now the problems.
In SystemPackage ManagerInstalled Packages : There are no packages currently installed.

The only way i find to acces Posrfix setup is via Status / Services and clicj icon Related settings.
Postfix don(t appear in menu Services. Is this normal ?

In my actual Postfix gateway (5/6 clients with it) i use access lists for denied domain : one list for domain and another one with regular expresion. In main.cf I have :

smtpd_client_restrictions = permit_mynetworks
                            permit_sasl_authenticated                   
		            check_client_access cidr:/etc/postfix/access_cidr
                            check_client_access hash:/etc/postfix/access_client
		            check_client_access regexp:/etc/postfix/access_client_regexp
			    reject_rbl_client zen.spamhaus.org

I'm not sure to understand howto implement cidr:/etc/postfix/access_cidr and hash:/etc/postfix/access_client.
etc/postfix/access_cidr is something like

offrecadeau.ovh         REJECT spammeur

hash:/etc/postfix/access_client is like

243.200.171.0/24		REJECT Spammeur

This package is a great job. Thanks.

marcelloc · Apr 26, 2017, 10:04 AM

@ccnet:

In SystemPackage ManagerInstalled Packages : There are no packages currently installed.

That's right. As an Unofficial package, It will not be there.

@ccnet:

The only way i find to acces Posrfix setup is via Status / Services and clicj icon Related settings.
Postfix don(t appear in menu Services. Is this normal ?

try to install cron package for example. Install process includes postfix on service menu but for some reason, on some boxes, you may need to install a package. I suggest system patches or cron.

@ccnet:

This package is a great job. Thanks.

Thanks :)

ccnet · Apr 26, 2017, 11:34 AM

Thanks Marcelloc,

installing the cron package solve the problem about smtp in menu Services. Postfix Forwarder is now visible.

ccnet · Apr 26, 2017, 1:51 PM

I thing an access client list is missing for denying a domains list such as

diglobaltoday.com REJECT

When looking at configuration i have :

smtpd_client_restrictions = permit_mynetworks,
				reject_unauth_destination,
				check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
				check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
				reject_unknown_client_hostname,
				reject_unauth_pipelining,
				reject_multi_recipient_bounce,
				permit

I thing it will be nice to have one more line with :

check_client_access hash:/usr/local/etc/postfix/cal_hash,

I have 3900 domains rejected at command connect (smtpd_client_restrictions) in my ClearOS Gateway.

marcelloc · Apr 26, 2017, 2:24 PM

Just add a // between domains you have on pcre field.


/\.dsl\./ REJECT DSLs not allowed [HS001]
/\.dynamic\./ REJECT DSLs not allowed[HS003]
/mkt/ REJECT Spam is not marketing [HS007]

TABLE FORMAT
The general form of a PCRE table is:

/pattern/flags result
When pattern matches the input string, use the corresponding
result value.

!/pattern/flags result
When pattern does not match the input string, use the corre-
sponding result value.

ccnet · Apr 26, 2017, 5:22 PM

Ok I will try. But I'm not sure howto reject the domain who appear in the commande connect.

I add the Postfix widget, but it remain empty. Mails are correctly routed to internet but nothing in the widget.

marcelloc · Apr 26, 2017, 5:38 PM

@ccnet:

I add the Postfix widget, but it remain empty. Mails are correctly routed to internet but nothing in the widget.

Two steps to get it on databases. See the general tab under logging.

Enable log destination to maillog
Inlcude /^Subject:/ INFO line in Acl Headers after all your Subject rules.

n3by · Apr 29, 2017, 7:17 PM

I think I found why widget display strange data;
Update Sqlite I had it set to every hour then I try to 10 min, no luck.
I set it to 1 min and since then my data looks ok.

marcelloc · May 3, 2017, 7:51 PM

Hi, I've pushed to pkg-postfix an auto cloudbased domains whitelist option.

This update prevents cloud based domains endless Service currently unavailable problems against Postscreen that we see on almost all postscreen base configuration worldwide.

This can be used together with RBL whitelist/negative rbl score and postwhite

When a network/CIDR is whitelisted by this function it does not bypass any other postfix, acl, mailscanner, clamav or spamassassin test. :)

Bismarck · May 8, 2017, 12:41 PM

@marcelloc - Excellent work! :)

Just in case you have problems to update to 2.3.4-RELEASE because of bugged pkg:

https://forum.pfsense.org/index.php?topic=130071.msg716776#msg716776

marcelloc · May 8, 2017, 1:41 PM

@Bismarck:

@marcelloc - Excellent work! :)

thanks Bismarck

@Bismarck:

Just in case you have problems to update to 2.3.4-RELEASE because of bugged pkg:

https://forum.pfsense.org/index.php?topic=130071.msg716776#msg716776

thanks for the info.

Bismarck · May 8, 2017, 5:59 PM

Marcello, how does Auto whitelist work, I just see a reference to auto_whitelisted_cidr but no function anywhere?

https://github.com/marcelloc/Unofficial-pfSense-packages/commit/a5d8b57f932b9ffa0f1b275842777723475f1647

marcelloc · May 8, 2017, 7:48 PM

The script was uploaded few commits before but I messed up with older files.

https://github.com/marcelloc/Unofficial-pfSense-packages/commit/a9770ddfaf827e025f79fc8d94f4c7e0cec086eb#diff-e50e08425a53cf0a262fae58e6f8de0c

It works together with every minute update database.
It checks for domains that received the 'back later' and if it reaches the count you defined on gui, it looks for all spf records for that domain and whitelist it on postscreen.

The view configuration tab shows whitelisted domains and it's cidrs.

Bismarck · May 9, 2017, 4:51 AM

Okay now I got it. ;)

postfix_cloud_domains.php is missing in the install_postfix_23.sh, you maybe want to fix this? :P

marcelloc · May 9, 2017, 4:24 PM

@Bismarck:

Okay now I got it. ;)

postfix_cloud_domains.php is missing in the install_postfix_23.sh, you maybe want to fix this? :P

I will. :)

EDIT

done

https://github.com/marcelloc/Unofficial-pfSense-packages/commit/28e7676ee2b665de62cdccd28196975bc407288a

marcelloc · May 13, 2017, 7:18 AM

With Bismarck suggestion and help, I did a version of postfix package with DMARC.

I had to change the domain tab from rowhelper to domain list. It changes some internal logic on the package. So I ask you to test it and feedback to see if you get the same result as I did.

The install script is under postfix-DMARC branch, so to install this version, run


fetch https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/postfix-DMARC/pkg-postfix/files/install_postfix_23.sh
sh install_postfix_23.sh

Warning, this will move and merge your domain config/dkim data on config.xml. So once upgraded to DMARC version, you will need to add all domain config again if you want to back to current stable version.

Once I do more tests and be sure nothing is broken, DMARC version will be the new stable version.

marcelloc · May 14, 2017, 6:46 AM

Did some minor fixes based on Bismarck feedback and also implemented the apply button to package gui

https://github.com/marcelloc/Unofficial-pfSense-packages/commit/1459643eb929263a6811fd75ed30e40f81522844

Bismarck · May 17, 2017, 10:19 AM

@marcelloc:

I had to change the domain tab from rowhelper to domain list. It changes some internal logic on the package.

I really like the new domain tab, you can even sort the domains via drag&drop. ;)