DevHeads.net

Postings by LuKreme

Specific domain rejects address extensions

I have several domains, all of which have addresses with address delimiters in use. One domain is rejecting all addresses with address extensions in the lmtpd stage (after passing in smtpd).

Recipient address rejected for recipient address in virtual

I have an email address listed in virtual in the form

... at kreme dot com. kreme+ ... at kreme dot com

But when an email comes in to that address, I get Recipient address rejected: unverified address: Address lookup failed;

# postmap -q ... at kreme dot com hash:/etc/postfix/virtual
kreme+ ... at kreme dot com

(Not the actual addresses, but the form is <company>@localdomain => localuser+<company>@localdomain)

I assume I can eliminate this by taking out the reject_unverified_recipient from my smtpd_recipient_restrictions but shouldn’t this address be verified?

Pflogsumm and bzcat

Is there a simpler way to do this (since bzcat can’t cat a text file)

IP addresses in helo

Is it safe (or mostly safe) to simply block attempts to deliver mail with a helo that is only an IP address? (I am talking about only on postfix/smtpd and obviously not on postfix/submit or related).

I have about 50,000 NOQUEUE reject from "helo=<[193.32.160.151]>" over the last week, for example. I see very few otherwise, and all are obviously spam with return addresses like account-security- ... at 091773 dot com or ... at 0904 dot ru.

Blocking an address from submission mail

How would I go about blocking mail to a valid address if it is sent from a user on my postfix mail server?

For example, let’s say I have ... at example dot com and that address is only for people outside to send mail to, so when a local user or a user in virtual.

Adding DKIM and DMARC

When adding DMARC and DKIM do I only need to add it to the domain that is hosting the mail server (MX)?

For example, if mail.example.com is defined as the MX for example.com and example.net, do I need to add the DMARC/DKIM records to example.net’s DNS as well?

Worthy of a warning?

Are logs like the following really worthy of a warning log level?

postfix/submit/smtpd[84385]: warning: hostname zg-0301e-69.stretchoid.com does not resolve to address 107.170.200.25: hostname nor servname provided, or not known
postfix/smtps/smtpd[96068]: warning: hostname 189-91-4-216.dvl-wr.mastercabo.com.br does not resolve to address 189.91.4.216: hostname nor servname provided, or not known

Looking for actual problems I have to sift through thousands of these (well, I simply grep -v resolve, but still…

Domain cannot be found?

Aug 14 09:25:41 mail postfix/smtpd[44179]: NOQUEUE: reject: RCPT from unknown[198.241.168.120]: 550 5.7.25 Client host rejected: cannot find your hostname, [198.241.168.120]; from=<*munged*@*mybak*> to=< ... at covisp dot net> proto=ESMTP helo=<cportal3.visa.com>

Rejecting mail based on a Milter results

The spamass-milter is not rejecting mail that scores above the number set in the -r flag for the milter (confirmed by other people this is a bug in spamass-milter).

Is there something I can do in postfix to reject mails that the Milter logs like:

spamd: result: Y 18

Where “18” is something I set like “>=10”?

Seems a long shot, but it is unlikely anyone is working on spamass-milter at this point.

Receiving mail from a host without a valid rDNS

I have a mail host that I want to receive mail from that does not have a valid rDNS (it recently moved and their ISP is comcast and it seems to be taking a stupidly long time). Anyway, I first tried this:

check_sender_access pcre:$config_directory/sender_access.pcre

/@name.of.host/ OK

This did not work.

Adding perl-cgi in apache 2.4

I need to enable perl-cgi for a specific directory local to a single site.

Header change

Switching to dovecot LMTP appears to have changed the information in the received header:

Here’s what the received header used to look like:

Received: from [10.0.5.3] (c-71-229-144-93.hsd1.co.comcast.net [71.229.144.93])
    by mail.covisp.net (Postfix) with ESMTPS id B67B8118AD59
    for < ... at kreme dot com>; Sun, 16 Aug 2009 22:19:02 -0600 (MDT)

As opposed to now:

Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160])
    by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown;
    Sun, 16 Jun 2019 15:26:32 -0600
    (envelope-from < ... at kreme dot com>)

The first

smtpd_recipient_restrictions

Since I have moved all local users to virtual users and switched dovecot to lmtp from lda, I was able to add reject_unverified_recipient to my restrictions, and it occurred to me maybe some of the other restrictions could be eliminated.

Do reject_non_fqdn_recipient and reject_unauth_destination do anything that isn’t done with the check for unverified recipient?

smtpd_recipient_restrictions = reject_unauth_destination
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unknown_sender_domain
    reject_unlisted_recipient
    reject_unliste

Virtual users and local users in the same domain?

Given that I have two users, ... at example dot com and ... at example dot com who are currently both local users and given that mydomain=example.com, is it possible to configure postfix such that one of them is in the mysql database and one is still local?

SMTPS Submission

Just want a quick sanity check on enabling smtps in master.cf:

smtps inet n - n - - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_wrappermode=yes
    -o syslog_name=submit/smtps
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_path=private/auth
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
    -o smtpd_helo_restriction

Mail Delivery Status report

I am getting mail delivery status reports for every bcc email (that is, every email, since I use a bcc map to create a backup of all the mail).

I've looked through all the postfix files for any instance of sendmail -v, and have only found it as a comment in bounce.cf.default

/usr/local/etc/postfix
# grep "sendmail -v" *
bounce.cf.default:# address...) or for verbose mail delivery (sendmail -v address...).

main.cf:
recipient_bcc_maps = pcre:$config_directory/rbcc.pcre

rbcc.pcre:
if !/backup.*@/
/^([^+_]*).*@(.*)/ backup+151.${1}.${2}@<a local domain>
endif

the MDSR is not really a pro

Blacklist honeypot senders

I have an active email address that only receives spam (it is an address that wasn't used for years but I've recently reactivated to see just how much spam an unprotected decades old account that hasn't accepted mail since 2006 would get).

Anyway, what I would like to do is somehow blacklist any IP that sends mail to that address for some period of time, configurable by me but not necessarily dynamic. (That is, if I could specify 1 day or 3 hours for any match, that is fine).

I suspect that postfix might be able to do this through some sort of helo_access check?

Modify logs for delivery?

I may have asked this in the past, but if so it's been long enough I don't remember and can't find it in my mail archives.

Is there some way to modify what is logged from postfix/local and postfix/pipe so that the "status=sent" lines include the from address as well as the to address?

May 21 14:52:32 mail postfix/local[63216]: 457nyS31Y4zdrvK: to=< ... at covisp dot net>, orig_to=< ... at kreme dot com>, relay=local, delay=0.39, delays=0.34/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -t -a $EXTENSION)

May 21 14:53:16 mail postfix/pipe[67313]: 457nzJ4gd7zdrvL: t

GEO IP based restrictions?

Has anyone implemented geo based restrictions for postfix login connections, or is this something that needs to be done in dovecot?

I was thinking some way to add most of Asia and Eastern Europe to postscreen checks would be useful?

Sporadic, repeated connections from aws

I've had the following in my fqrdns.pcre checks for quite awhile:

/^ec2(-[12]?[0-9]{1,2}){4}\.compute-[0-9]\.amazonaws\.com$/ REJECT Generic - Please relay via ISP (amazonaws.com)

And I have noticed that I frequently get a series of 50 or more connection attempts from some aws server out there in a burst (50+ connections in a few minutes).

Fine, everything is working as it should with my settings, the connection is dropped right away (although the REJECT is not logged).

Am I right in blocking these connections?

unable to find user

I am using postfix => spamass-milter => SpamAssassin and I get occasional errors like these.

spamd: handle_user (userdir) unable to find user: 'virtualuser'

For example, if I have a virtual user "john" who redirects to the local user jsmith, I get that error with the username of "john" while mail to jsmith goes through fine.

Is it possible to send the user name to the milter after virtual maps have been applied?

apache service unavailable

Due to a large blizzard, we lost power for some period of time today, and the server's UPS didn't hold out. After the power was back, https responds to all attempts to connect with

"The service is not available. Please try again later."

displayed in the browser.

Nothing shows up in the httpd-error.log, but httpd-access.log looks odd.

ClamAV-milter

Trying to configure clamav-milter with postfix-current-3.4.20181105,5 under FreeBSD 11.2-RELEASE, but I’ve missed something since no mail is actually getting processed by ClamAV-milter, including the EICAR test mails which sail through without triggering anything.

I’ve tried to provide everything that could be relevant (mostly in an effort to re-examine everything) but at this point I’m stumped.

smtpd_milters =
unix:/var/run/spamass-milter.sock,
unix:/var/run/clamav/clmilter.sock

# sockstat | grep milter
root spamass-mi 24145 4 stream /var/run/spamass-milter.sock
clamav cla

0 length robot.txt

This is probably a coincidence, but I had one of my hosted sites (with no php code anywhere, and certainly no .php files) returning a script error on load instead of showing the non-php webpage:

[proxy_fcgi:error] [pid 88148] [client xx.xx.xx.xx:63137] AH01071: Got error 'Primary script unknown\n’

And it would display a blank page for a few seconds, then “File Not Found” would appear.

Updating to php 7.0 and having apache still work?

Once again I have tried, and failed, to move from php 5.6 to php 7.0 (using postmaster under FreeBSD 11.3-RELEASE). The results are largely the same, php pages don’t load, either “Primary script unknown” or complaints about filter() (which is built in to both php56 and php70).

I’m sure this is all my doing.

So… is there a decent document or how-to or step-by-step on how to update the php under apache without everything in apache breaking?

(php itself works fine, it’s the integration with apache 2.24 that I keep managing to FUBAR. Currently on apache 2.4.35)

Reverse proxy

If I have a secondary web service running on www.example.com:8000 and I want to create a reverse proxy on port 8001, how do I prevent users from connecting to <IP>:8000 anyway?

DocumentRoot in ProxyPass?

Is it possible to do something along these lines in the apache.conf files?

DocumentRoot /usr/local/www/roundcube/
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000${DocumnetRoot}$1

(that is, not have to repeat the information that is already in the configuration)

TLS not offered by host

When connecting to a server that does not offer TLS (or the right level) does postfix log (or can it) the level of security that was offered?

status=deferred (TLS is required, but was not offered by host

(I get very few of these (two servers in the last week), but I'd like to be able to tell the admin of the server what low-level security they are offering).

my smtp_tls* settings:
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt

and

tls_preempt_cipherlist = yes
tls_ssl_options = no_ticket, no_compression

Apache 2.4 and DirectoryIndex and htaccess

I have a working webroot, and it has an index.php file.

SASL LOGIN authentication failed

In these log lines, what is "UGFzc3dvcmQ6"?

May 12 07:52:07 mail submit-tls/smtpd[32670]: warning: vps1590651.vs.webtropia-customer.com[62.141.41.104]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 12 17:05:14 mail submit-tls/smtpd[87898]: warning: ma350.mars.fastwebserver.de[193.111.198.88]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 12 18:21:36 mail submit-tls/smtpd[65165]: warning: vps1590646.vs.webtropia-customer.com[62.141.41.114]: SASL LOGIN authentication failed: UGFzc3dvcmQ6