====== Postfix ====== ==== Useful links ==== * [[http://www.securitysage.com/antispam/]] * [[http://openrbl.org/|OpenRBL check]] * [[http://www.rfc-ignorant.org/]] * [[http://www.acme.com/mail_filtering/]] * [[http://www.pantz.org/os/openbsd/postfix-spamd-dovecot.shtml|Some useful postfix rules]] * [[http://blog.dkorunic.net/|Spam Ninjas - Dinko Korunic’s blog]] ===== TODO ===== * **berljivost clanka** * **RAZLICNI SCENARIJI** * vrstni red * razlicni scenariji * cyrus * sender_mx_access * rshbl check * sender/recipient verification * multiple <> bounces * permit_backup_mx_network * append_at_myorigin = yes * append_dot_mydomain = yes * pcre !* IGNORE deletes lines in headers(?) unverified_recipient_reject_code = 550 unverified_sender_reject_code = 550 smtpd_discard_ehlo_keywords = silent-discard, ETRN VRFY ===== Different Setups ===== * [[postfix:mx|Postfix as MX server]] * [[postfix:smtp|Postfix as SMTP relay]] * [[postfix:smtp-auth|Postfix with SMTP-auth]] * [[postfix:asrelay|Postfix as relaying server (to Exchaneg/Domino)]] * [[postfix:advance|Advance postfix hacks]] ===== Cool :) postifx hacks ===== here are some tips .. ==== Making postfix only send through 'smart relayhost' when direct connection is not available ==== I use this construction to have a fallback option when the direct connected ADSL-line is down: replace '**''relayhost''**' in '**main.cf**' by '**''smtp_fallback_relay''**'. ==== Hide internal/intranet address ==== See [[http://www.securitysage.com/antispam/hedrem.html|this page]] header_checks = regexp:/etc/postfix/header_checks in that file you put # Header checks file # /^Subject: Internet Sic Codes/ REJECT # /^Subject: ADV / /^received: / IGNORE /^X-Sender: / IGNORE /^Received: .*\[192\.168\.101\..*\]\)/ IGNORE /^Received: .*\[127\.0\.0\.1\]\)/ IGNORE keeping only the headers that you want: /^((Resent-)?From|To|Cc|Date|Return-Path|Message-ID):/ OK /./ IGNORE ==== LMTP and over-quota ==== ''Be aware that if your IMAP server receives messages over LMTP, over-quota situations won't be discovered until after Postfix has accepted the message, so it will have to be bounced. If you want to reject mail for users over their quotas, you'll have to use an access table listing users who are over their quotas.'' 2008-02-06 (b) Not necessarily. If you use reject_unverified_recipient, cyrus LMTP rejects mail for over-quota mailbox and Postfix rejects them at SMTP stage. ---------------- ===== Unsorted stuff ===== owner_request_special = no show_user_unknown_table_name = no # reject_rhsbl_client reject_rhsbl_sender dsn.rfc-ignorant.org === smtpd_error_sleep_time Time to wait in seconds before sending a 4xx or 5xx server error response. smtpd_soft_error_limit When an SMTP client has made this number of errors, wait error_count seconds before responding to any client request. smtpd_hard_error_limit Disconnect after a client has made this number of errors. smtpd_junk_command_limit Limit the number of times a client can issue a junk command such as NOOP, VRFY, ETRN or RSET in one SMTP session before it is penalized with tarpit delays. === tired of "postfix/smtpd : OTP unavailable because can't read/write key database" add to /etc/postfix/sasl/smtp.conf mechlist: plain login crammd5 digestmd5 or try this: cd /usr/lib/sasl2 mkdir deactivated mv *otp* deactivated # for good measure mv *ntlm* deactivated ============= Also read this: http://www.stahl.bau.tu-bs.de/~hildeb/postfix/ Quota with postfix/maildir Postfix+Courier-IMAP+MySQL for multiple domains HOWTO ============ #postfix on ircnet ''for testing purposes i need a complete catch-all setup that reroutes all incoming mails to /dev/null tail .. master.cf: devnull unix - n n - - pipe flags=R user=nobody argv=/usr/local/bin/devnull where bin/devnull is something like #!/bin/sh cat > /dev/null then set local_transport to devnull'' ============== How to change sender/recipient/both: canonical_maps = hash:/etc/postfix/canonical_maps recipient_canonical_maps = sender_canonical_maps = hash:/etc/postfix/sender_maps /etc/postfix/canonical_maps @thisisfakedomain.foo makeitreal.com /etc/postfix/sender_maps # this server is sending, but not receiving e-mail # so we reroute the error msgs to the postmaster :] eVecer@[195.246.18.38] postmaster@slon.net =========== How to get all the e-mail that got from/to this server always_bcc = root ========== smtpd_delay_reject delays all rejects to the RCPT TO: phase. It turned out that many clients won't accept a REJECT after the (HELO|MAIL FROM:connect) and would return every second. ===== ABKO ==== check_*_mx_access cidr:/etc/postfix/sender_mx_access.cidr 0.0.0.0/8 REJECT Domain MX in broadcast network 10.0.0.0/8 REJECT Domain MX in RFC 1918 private network 127.0.0.0/8 REJECT Domain MX in loopback network 169.254.0.0/16 REJECT Domain MX in link local network 172.16.0.0/12 REJECT Domain MX in RFC 1918 private network 192.0.2.0/24 REJECT Domain MX in TEST-NET network 192.168.0/16 REJECT Domain MX in RFC 1918 private network 224.0.0.0/4 REJECT Domain MX in class D multicast network 240.0.0.0/5 REJECT Domain MX in class E reserved network 248.0.0.0/5 REJECT Domain MX in reserved network source - IPv4 bogon list - http://www.cymru.com/Documents/bogon-bn-agg.txt ========== /etc/postfix/main.cf: alias_maps = hash:/etc/aliases alias_database = $alias_maps smtpd_banner = $myhostname ESMTP http://www.rfc.net/rfc2821.html mail_name = smtpd # what kind of errors should postmaster receive # notify_classes = resource,software,protocol,policy,delay,2bounce # default is: notify_classes = resource,software # postfix tries to get hostname from the system, but it usually failes, because the hostname # is not FQDN myhostname = host.domain.org # default is: # myorigin = $myhostname # mydomain = domain part of $myhostname # what domains are LOCAL to this server # DO NOT list virtual domains here! # Use virtual_maps for virtual domains mydestination = $myhostname, localhost.$mydomain #address_verify_map #owner_request_special = no # for Mailman Mailing-list # virtual domains virtual_maps = hash:/etc/postfix/virtual # Reject unknown local/virtual recipients at the SMTP port. # proxy (v2.x) local_recipient_maps = proxy:unix:passwd.byname $alias_maps $virtual_maps local_recipient_maps = unix:passwd.byname $alias_maps $virtual_maps mynetworks = 127.0.0.0/8 192.168.0.0/24 10.3.74.0/24 mynetworks_style = host mailbox_size_limit = 0 recipient_delimiter = + # Maildir format # if you use Courier IMAP/POP home_mailbox = Maildir/ #if you use maildrop #mailbox_command = /usr/bin/maildrop #local_destination_concurrency_limit = 1 delay_warning_time = 3h smtpd_helo_required = yes biff = no disable_vrfy_command = yes strict_rfc821_envelopes = no transport_maps = hash:/etc/postfix/transport message_size_limit = 40960000 maps_rbl_domains = list.dsbl.org, relays.ordb.org body_checks = regexp:/etc/postfix/body_checks header_checks = regexp:/etc/postfix/header_checks # smart-relay server # probably smtp server of your ISP #relayhost = [smtp.isp.com] # smtp server to use if we get errors sending directly #fallback_relay = [smtp.isp.com] # use it to TEST(!) your new config # smtp will issue 4xx (temporary error) instead of 5xx (permanent) thus allowing # transmission later #soft_bounce = yes #broken PIX/cisco firewall #smtp_always_send_ehlo = no smtpd_client_restrictions = hash:/etc/postfix/client_access smtpd_helo_restrictions = hash:/etc/postfix/helo_checks smtpd_sender_restrictions = regexp:/etc/postfix/sender_checks smtpd_recipient_restrictions = # reject_unauth_pipelining, http://www.irbs.net/internet/postfix/0311/1455.html reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, #v1.x reject_maps_rbl reject_rbl_client relays.ordb.org reject_rbl_client list.dsbl.org reject_rbl_client dnsbl.sorbs.net reject_unauth_destination smtpd_data_restrictions = reject_unauth_pipelining #mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp # Make domain resolving errors permanent....fatal X-) #unknown_address_reject_code = 554 #unknown_client_reject_code = 554 #unknown_hostname_reject_code = 554 #### /etc/postfix/client_access # amis 212.18.32.4 OK 212.18.32.14 OK # triera 213.161.0.24 OK 213.161.0.25 OK # volja 217.72.64.59 OK 217.72.64.60 OK # softnet 212.103.128.68 OK # mojnet 212.93.226.6 OK # telemach 213.143.65.10 OK # netsi 212.72.100.100 OK # siol 193.189.160.25 OK 193.189.160.18 OK # perftech 195.246.0.20 OK 195.246.0.21 OK 195.246.0.22 OK # arnes 193.2.1.74 OK 193.2.1.75 OK # BSN-77-157-5.dsl.siol.net OK 193.77.157.5 OK # dsl.siol.net 554 Uporabite streznik mail.siol.net za odhodno posto ali si uredite 'povratni naslov' za vas IP. Za nadaljne informacije klicite 080 1000 dial-up.siol.net 554 Uporabite streznik mail.siol.net za odhodno posto! Za nadaljne informacije klicite 080 1000 dial-up.volja.net 554 Uporabite streznik smtp.volja.net za odhodno posto. Za nadaljne informacije klicite 01 5875 888 dial.netsi.net 554 Uporabite streznik smtp.netsi.net za odhodno posto! dial-up.arnes.si 554 Uporabite streznik mail.arnes.si za odhodno posto! dial-up.moj.net 554 Uporabite streznik smtp.moj.net za odhodno posto ! For further info call 01 2345860! dialup.amis.net 554 Uporabite streznik smtp.amis.net za odhodno posto ! Za nadaljne informacije klicite 080 2010 adsl.amis.net 554 Uporabite streznik smtp.amis.net za odhodno posto ali si uredite 'povratni naslov' za vas IP. Za nadaljne informacije klicite 080 2010 cable.triera.net 554 Uporabite streznik smtp.triera.net za odhodno e-posto. dsl.net 554 Use smtp.dsl.net as outgoing e-mail server! **B wrote** To matchne vsak hostname, v katerem se pojavi ".dsl." ali ce hoces bit natancen: /^.*\.dsl\..*$/ (^ in $ sta zacetek in konec stringa, na zacetku in koncu stringa je lahko karkoli (.*), nekje v stringu pa je tudi ".dsl.") /etc/postfix/sender_checks /@\[(10|127|0)\.|(192\.168)\./ 554 Use real IP numbers or FQDN /@\[172\.1[6-9]\./ 554 Use real IP numbers or FQDN /@\[172\.2[0-9]\./ 554 Use real IP numbers or FQDN /@\[172\.3[01]\./ 554 Use real IP numbers or FQDN /etc/postfix/helo_checks your_fqdn_hostname_here 551 Bogus HELO A.B.C.D 551 Bogus HELO [A.B.C.D] 551 Bogus HELO /etc/postfix/virtual virtual_domain.com whatever_that_is_not_used abuse@virtual_domain.com root postmaster@virtual_domain.com root hostmaster@virtual_domain.com root fu@virtual_domain.com other@email.com fuu@virtual_domain.com local_user # all e-mails go into one/single mbox v_domain.org whatever_that_is_not_used @v_domain.org hegetsallmailfor@domena.org /etc/postfix/header_checks # NIMDA /^.*boundary=\"====_ABC1234567890DEF_====\"/ REJECT /^.*boundary=\"====_ABC123456j7890DEF_====\"/ REJECT # /Subject:.*new photos from my party/ REJECT # /^Content-Type: multipart\/mixed; boundary="----[a-zA-Z0-9]+_Outlook_Express_message_boundary"/ 554 Infected with SirCam. # SIRCAM #/^.*_Outlook_Express_message_boundary/ REJECT # HYBRIS #/^.*boundary="--VE/ REJECT # ALIZ #/^.*boundary="bound"/ REJECT # SPAM #/^Subject:.*Try It BEFORE You Buy It.*/ REJECT #NextPart #/^.*boundary="----_=_NextPart_001.*"/ REJECT /etc/postfix/body_checks /^U*EsDBAoAAQAAA/ REJECT Encrypted Zip archive. /^Content-(Disposition|Type):.+file.+="?.*\.(doc|zip|exe|xls|jpg|gif)\.(vbs|scr|pif|bat|com|exe|lnk)"?$/ REJECT /^begin [0-9]+*\.(scr|pif|exe|com|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|hta|reg|lnk|js|jse)/ REJECT /^