Postfix

TODO

  • readability of the article
  • DIFFERENT SCENARIOS
  • order
  • different scenarios
  • cyrus
  • sender_mx_access
  • rshbl check
  • sender/recipient verification
  • multiple <> bounces
  • permit_backup_mx_network
  • append_at_myorigin = yes
  • append_dot_mydomain = yes
  • pcre

!* IGNORE deletes lines in headers(?)

unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

smtpd_discard_ehlo_keywords = silent-discard, ETRN VRFY

Different Setups

Cool :) postfix hacks

here are some tips ..

Making postfix only send through 'smart relayhost' when direct connection is not available

I use this construction to have a fallback when the directly connected ADSL line is down: replace 'relayhost' in 'main.cf' with 'smtp_fallback_relay'.

Hide internal/intranet address

See this page

header_checks = regexp:/etc/postfix/header_checks

in that file you put

# Header checks file
#    /^Subject: Internet Sic Codes/  REJECT
#    /^Subject: ADV /
/^received: / IGNORE
/^X-Sender: / IGNORE
/^Received: .*\[192\.168\.101\..*\]\)/  IGNORE
/^Received: .*\[127\.0\.0\.1\]\)/       IGNORE

keeping only the headers that you want:

  /^((Resent-)?From|To|Cc|Date|Return-Path|Message-ID):/ OK
  /./ IGNORE

LMTP and over-quota

Be aware that if your IMAP server receives messages over LMTP, over-quota situations won't be discovered until after Postfix has accepted the message, so it will have to be bounced. If you want to reject mail for users over their quotas, you'll have to use an access table listing users who are over their quotas.

2008-02-06 (b) Not necessarily. If you use reject_unverified_recipient, cyrus LMTP rejects mail for an over-quota mailbox and Postfix rejects it at the SMTP stage.


Unsorted stuff

owner_request_special = no
show_user_unknown_table_name = no
#       reject_rhsbl_client
        reject_rhsbl_sender    dsn.rfc-ignorant.org

===

smtpd_error_sleep_time

Time to wait in seconds before sending a 4xx or 5xx server error response.

smtpd_soft_error_limit

When an SMTP client has made this number of errors, wait error_count seconds before responding to any client request.

smtpd_hard_error_limit

Disconnect after a client has made this number of errors.

smtpd_junk_command_limit

Limit the number of times a client can issue a junk command such as NOOP, VRFY, ETRN or RSET in one SMTP session before it is penalized with tarpit delays.

===

tired of “postfix/smtpd : OTP unavailable because can't read/write key database”

add to /etc/postfix/sasl/smtp.conf

mechlist: plain login crammd5 digestmd5

or try this:

cd /usr/lib/sasl2
mkdir deactivated
mv *otp* deactivated
# for good measure
mv *ntlm* deactivated

Also read this: http://www.stahl.bau.tu-bs.de/~hildeb/postfix/
Quota with postfix/maildir
Postfix+Courier-IMAP+MySQL for multiple domains HOWTO

#postfix on ircnet

for testing purposes i need a complete catch-all setup that reroutes all incoming mails to /dev/null ..

master.cf:

devnull   unix  -       n       n       -       -       pipe
  flags=R user=nobody argv=/usr/local/bin/devnull

where /usr/local/bin/devnull is something like

#!/bin/sh
cat > /dev/null

then set local_transport to devnull

How to change sender/recipient/both:

/etc/postfix/main.cf:

canonical_maps = hash:/etc/postfix/canonical_maps
recipient_canonical_maps =
sender_canonical_maps = hash:/etc/postfix/sender_maps

/etc/postfix/canonical_maps:

@thisisfakedomain.foo  makeitreal.com

/etc/postfix/sender_maps:

# this server is sending, but not receiving e-mail
# so we reroute the error msgs to the postmaster :]
eVecer@[195.246.18.38]  postmaster@slon.net

How to get a copy of all the e-mail that goes from/to this server:

always_bcc = root

smtpd_delay_reject delays all rejects to the RCPT TO: stage. It turned out that many clients won't accept a reject given earlier (at connect, HELO or MAIL FROM:) and would come back every second.

ABKO

check_*_mx_access cidr:/etc/postfix/sender_mx_access.cidr

0.0.0.0/8	REJECT Domain MX in broadcast network
10.0.0.0/8	REJECT Domain MX in RFC 1918 private network
127.0.0.0/8	REJECT Domain MX in loopback network
169.254.0.0/16	REJECT Domain MX in link local network
172.16.0.0/12	REJECT Domain MX in RFC 1918 private network
192.0.2.0/24	REJECT Domain MX in TEST-NET network
192.168.0.0/16	REJECT Domain MX in RFC 1918 private network
224.0.0.0/4	REJECT Domain MX in class D multicast network
240.0.0.0/5	REJECT Domain MX in class E reserved network
248.0.0.0/5	REJECT Domain MX in reserved network

source - IPv4 bogon list - http://www.cymru.com/Documents/bogon-bn-agg.txt
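To check a cidr: table like the one above before handing it to Postfix, here is an added example (not from this page and not Postfix project code) that parses the table with Python's ipaddress module, flags entries that cannot be parsed, and does the same top-down first-match lookup Postfix does. The sample table is a constructed copy of the list above with one deliberately malformed entry, 192.168.0/16 (a missing octet), to show that such a line is skipped and then silently never matches. The check_sender_mx helper is a simplified emulation of what check_sender_mx_access does with the MX addresses of the sender domain; its exact Postfix behaviour is an assumption here.

```python
import ipaddress

# Added example (not from the page or the Postfix project): validate a Postfix
# cidr: access table offline and emulate its first-match lookup.
#
# Constructed copy of the page's sender_mx_access.cidr. Line 7 is deliberately
# malformed ("192.168.0/16" is missing an octet) so the validator has something
# to catch; the correct entry is 192.168.0.0/16.
SENDER_MX_ACCESS = """\
0.0.0.0/8\tREJECT Domain MX in broadcast network
10.0.0.0/8\tREJECT Domain MX in RFC 1918 private network
127.0.0.0/8\tREJECT Domain MX in loopback network
169.254.0.0/16\tREJECT Domain MX in link local network
172.16.0.0/12\tREJECT Domain MX in RFC 1918 private network
192.0.2.0/24\tREJECT Domain MX in TEST-NET network
192.168.0/16\tREJECT Domain MX in RFC 1918 private network
224.0.0.0/4\tREJECT Domain MX in class D multicast network
240.0.0.0/5\tREJECT Domain MX in class E reserved network
248.0.0.0/5\tREJECT Domain MX in reserved network
"""


def parse_cidr_table(text):
    """Return ([(network, action)], [(lineno, line, problem)]) for a cidr: table."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):      # comments and blank lines are skipped
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            errors.append((lineno, raw, "missing action"))
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError as exc:
            errors.append((lineno, raw, str(exc)))  # Postfix also drops such a line
            continue
        rules.append((net, parts[1]))
    return rules, errors


def lookup(rules, address):
    """Top-down, first match wins, like Postfix cidr tables; None means no match (DUNNO)."""
    ip = ipaddress.ip_address(address)
    for net, action in rules:
        if ip in net:
            return action
    return None


def check_sender_mx(rules, mx_addresses):
    """Simplified emulation (assumption) of check_sender_mx_access: look up every
    MX address of the sender domain; the first one that hits a REJECT decides."""
    for addr in mx_addresses:
        action = lookup(rules, addr)
        if action and action.upper().startswith('REJECT'):
            return action
    return None


if __name__ == "__main__":
    rules, errors = parse_cidr_table(SENDER_MX_ACCESS)
    for lineno, line, problem in errors:
        print(f"line {lineno}: {problem}: {line}")
    print(lookup(rules, "10.5.5.5"))          # REJECT ... RFC 1918 ...
    print(lookup(rules, "192.168.1.1"))       # None: the malformed line never matches
    print(check_sender_mx(rules, ["203.0.113.5", "127.0.0.1"]))
```

Feed parse_cidr_table the contents of the real file and refuse to deploy while errors is non-empty: Postfix logs a warning for a line it cannot parse but keeps going without it, so a single typo quietly removes a whole network from the block list.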

/etc/postfix/main.cf:

alias_maps = hash:/etc/aliases
alias_database = $alias_maps
smtpd_banner = $myhostname ESMTP http://www.rfc.net/rfc2821.html
mail_name = smtpd
# what kind of errors should postmaster receive
# notify_classes = resource,software,protocol,policy,delay,2bounce
# default is:  notify_classes = resource,software
# postfix tries to get the hostname from the system, but that usually fails, because the hostname
# is not a FQDN
myhostname = host.domain.org
# default is:
# myorigin = $myhostname
# mydomain = domain part of $myhostname
# what domains are LOCAL to this server
# DO NOT list virtual domains here!
# Use virtual_maps for virtual domains
mydestination = $myhostname, localhost.$mydomain
#address_verify_map
#owner_request_special = no
# for Mailman Mailing-list
# virtual domains
virtual_maps = hash:/etc/postfix/virtual
# Reject unknown local/virtual recipients at the SMTP port.
# proxy (v2.x) local_recipient_maps = proxy:unix:passwd.byname $alias_maps $virtual_maps
local_recipient_maps = unix:passwd.byname $alias_maps $virtual_maps
mynetworks = 127.0.0.0/8 192.168.0.0/24 10.3.74.0/24
mynetworks_style = host
mailbox_size_limit = 0
recipient_delimiter = +
# Maildir format
# if you use Courier IMAP/POP
home_mailbox = Maildir/
#if you use maildrop
#mailbox_command = /usr/bin/maildrop
#local_destination_concurrency_limit = 1
delay_warning_time = 3h
smtpd_helo_required = yes
biff = no
disable_vrfy_command = yes
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
message_size_limit = 40960000
maps_rbl_domains =
	list.dsbl.org,
	relays.ordb.org
body_checks = regexp:/etc/postfix/body_checks
header_checks = regexp:/etc/postfix/header_checks
# smart-relay server
# probably smtp server of your ISP
#relayhost = [smtp.isp.com]
# smtp server to use if we get errors sending directly
#fallback_relay = [smtp.isp.com]
# use it to TEST(!) your new config
# smtp will issue 4xx (temporary error) instead of 5xx (permanent) thus allowing
# transmission later
#soft_bounce = yes
#broken PIX/cisco firewall
#smtp_always_send_ehlo = no
smtpd_client_restrictions = hash:/etc/postfix/client_access
smtpd_helo_restrictions = hash:/etc/postfix/helo_checks
smtpd_sender_restrictions =
	regexp:/etc/postfix/sender_checks

# reject_unauth_pipelining, see http://www.irbs.net/internet/postfix/0311/1455.html
# v1.x: reject_maps_rbl instead of reject_rbl_client
smtpd_recipient_restrictions =
	reject_non_fqdn_sender,
	reject_non_fqdn_recipient,
	reject_unknown_sender_domain,
	reject_unknown_recipient_domain,
	permit_mynetworks,
	reject_rbl_client relays.ordb.org,
	reject_rbl_client list.dsbl.org,
	reject_rbl_client dnsbl.sorbs.net,
	reject_unauth_destination

smtpd_data_restrictions =
	reject_unauth_pipelining

#mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp

# Make domain resolving errors permanent... fatal X-)
#unknown_address_reject_code = 554
#unknown_client_reject_code = 554
#unknown_hostname_reject_code = 554

#### /etc/postfix/client_access

# amis
212.18.32.4             OK
212.18.32.14            OK
# triera
213.161.0.24            OK
213.161.0.25            OK
# volja
217.72.64.59            OK
217.72.64.60            OK
#  softnet
212.103.128.68          OK
# mojnet
212.93.226.6            OK
# telemach
213.143.65.10           OK
# netsi
212.72.100.100          OK
# siol
193.189.160.25          OK
193.189.160.18          OK
# perftech
195.246.0.20            OK
195.246.0.21            OK
195.246.0.22            OK
# arnes
193.2.1.74              OK
193.2.1.75              OK
#
BSN-77-157-5.dsl.siol.net       OK
193.77.157.5            OK
#
dsl.siol.net            554 Uporabite streznik mail.siol.net za odhodno posto ali si uredite 'povratni naslov' za vas IP. Za nadaljne informacije klicite 080 1000
dial-up.siol.net        554 Uporabite streznik mail.siol.net za odhodno posto! Za nadaljne informacije klicite 080 1000
dial-up.volja.net       554 Uporabite streznik smtp.volja.net za odhodno posto. Za nadaljne informacije klicite 01 5875 888
dial.netsi.net          554 Uporabite streznik smtp.netsi.net za odhodno posto!
dial-up.arnes.si        554 Uporabite streznik mail.arnes.si za odhodno posto!
dial-up.moj.net         554 Uporabite streznik smtp.moj.net za odhodno posto ! For further info call 01 2345860!
dialup.amis.net         554 Uporabite streznik smtp.amis.net za odhodno posto ! Za nadaljne informacije klicite 080 2010
adsl.amis.net           554 Uporabite streznik smtp.amis.net za odhodno posto ali si uredite 'povratni naslov' za vas IP. Za nadaljne informacije klicite 080 2010
cable.triera.net        554 Uporabite streznik smtp.triera.net za odhodno e-posto.
dsl.net                 554 Use smtp.dsl.net as outgoing e-mail server!

B wrote: That matches every hostname in which “.dsl.” appears.

Or if you want to be precise: /^.*\.dsl\..*$/ (^ and $ are the start and the end of the string; at the start and at the end of the string there can be anything (.*), and somewhere in the string there is also “.dsl.”)

/etc/postfix/sender_checks

/@\[((10|127|0)\.|192\.168\.)/          554 Use real IP numbers or FQDN
/@\[172\.1[6-9]\./                      554 Use real IP numbers or FQDN
/@\[172\.2[0-9]\./                      554 Use real IP numbers or FQDN
/@\[172\.3[01]\./                       554 Use real IP numbers or FQDN

/etc/postfix/helo_checks

# replace with this server's own FQDN and IP address: a client that says HELO with our name is lying
your_fqdn_hostname_here     551    Bogus HELO
A.B.C.D           551     Bogus HELO
[A.B.C.D]         551     Bogus HELO

/etc/postfix/virtual

virtual_domain.com			whatever_that_is_not_used
abuse@virtual_domain.com		root
postmaster@virtual_domain.com		root
hostmaster@virtual_domain.com		root
fu@virtual_domain.com			other@email.com
fuu@virtual_domain.com			local_user

# all e-mails go into one/single mbox
v_domain.org				whatever_that_is_not_used
@v_domain.org				hegetsallmailfor@domena.org

/etc/postfix/header_checks

# NIMDA
/^.*boundary=\"====_ABC1234567890DEF_====\"/      REJECT
/^.*boundary=\"====_ABC123456j7890DEF_====\"/      REJECT
#
/Subject:.*new photos from my party/   REJECT
#
/^Content-Type: multipart\/mixed; boundary="----[a-zA-Z0-9]+_Outlook_Express_message_boundary"/ 554   Infected with SirCam.
# SIRCAM
#/^.*_Outlook_Express_message_boundary/  REJECT
# HYBRIS
#/^.*boundary="--VE/     REJECT
# ALIZ
#/^.*boundary="bound"/   REJECT
# SPAM
#/^Subject:.*Try It BEFORE You Buy It.*/         REJECT
#NextPart
#/^.*boundary="----_=_NextPart_001.*"/   REJECT

/etc/postfix/body_checks

/^U*EsDBAoAAQAAA/ REJECT Encrypted Zip archive.
/^Content-(Disposition|Type):.+file.+="?.*\.(doc|zip|exe|xls|jpg|gif)\.(vbs|scr|pif|bat|com|exe|lnk)"?$/ REJECT
/^begin [0-9]+ .*\.(scr|pif|exe|com|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|hta|reg|lnk|js|jse)/ REJECT
/^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ REJECT keep your viruses with you
/AAAYmX3gXPgTs1z4E7Nc\+BOzJ\+Qfs1j4/ REJECT
# Win32.Klez.Worm.H
/^Content-Type:.*audio\/x-midi/ REJECT
/<(iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0)>/ REJECT content rejected: ${1}: virus code detected in this email

#or even more restrictive:

/<(iframe src=(3D)?cid:)/ REJECT ${1}: No exploitable iframe code accepted here

PCRE version of the attachment-name rule above (the final extension is the fourth group, so the message refers to $4):

/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(doc|zip|exe|xls)\.(exe|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)?"?\s*$/x REJECT Attachment name "$2" may not end with ".$4"
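The rules on this page are only as good as what they actually match, and a wrong IGNORE in header_checks destroys headers you wanted to keep. The following added example (written for this page; it is not code from the page or from Postfix) is a small emulator of the regexp:/pcre: table semantics, first match wins, case-insensitive unless the 'i' flag is given, $N or ${N} expanded from capture groups, run offline against constructed copies of three rule sets from this page: the "hide internal/intranet address" Received: rules, the "keep only the headers that you want" pair, and the PCRE double-extension attachment rule. The sample headers are constructed; for the real thing use postmap -q with the table.

```python
import re

# Added example (not from the page or the Postfix project): emulate Postfix
# regexp:/pcre: table semantics so header_checks/body_checks rules can be
# tried offline. Emulated: comment and blank lines skipped, first matching
# rule wins, case-insensitive by default ('i' flag turns that off), 'x' and
# 'm' flags, '!' negation, and $N / ${N} substitution in the action text.

# Constructed copy of the "keep only the headers that you want" rule set.
KEEP_ONLY_RULES = r"""
/^((Resent-)?From|To|Cc|Date|Return-Path|Message-ID):/ OK
/./ IGNORE
"""

# Constructed copy of the "hide internal/intranet address" rules.
HIDE_INTERNAL_RULES = r"""
/^Received: .*\[192\.168\.101\..*\]\)/  IGNORE
/^Received: .*\[127\.0\.0\.1\]\)/       IGNORE
"""

# Constructed copy of the PCRE double-extension attachment rule.
ATTACHMENT_RULES = r"""
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(doc|zip|exe|xls)\.(exe|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)?"?\s*$/x REJECT Attachment name "$2" may not end with ".$4"
"""

RULE_RE = re.compile(r'^(!?)/(.*)/([imx]*)\s+(.*)$')   # [!]/pattern/flags action...
SUBST_RE = re.compile(r'\$\{?(\d+)\}?')                 # $1 or ${1} in the action


def parse_table(text):
    """Turn table text into [(negated, compiled_regex, action)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        negated, pattern, flags, action = m.groups()
        re_flags = 0
        if 'i' not in flags:          # Postfix default is case-insensitive; 'i' switches it off
            re_flags |= re.IGNORECASE
        if 'x' in flags:
            re_flags |= re.VERBOSE
        if 'm' in flags:
            re_flags |= re.MULTILINE
        rules.append((negated == '!', re.compile(pattern, re_flags), action))
    return rules


def apply_table(rules, line):
    """First matching rule wins; returns the expanded action, or None when nothing matches."""
    for negated, regex, action in rules:
        m = regex.search(line)
        if bool(m) != negated:
            if m:
                action = SUBST_RE.sub(lambda s: m.group(int(s.group(1))) or '', action)
            return action
    return None


def filter_headers(rules, headers):
    """Split header lines into (kept, dropped) the way header_checks IGNORE would."""
    kept, dropped = [], []
    for h in headers:
        action = apply_table(rules, h)
        (dropped if action and action.upper().startswith('IGNORE') else kept).append(h)
    return kept, dropped


# Constructed sample header block (documentation and private address ranges only).
SAMPLE_HEADERS = [
    "Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.net",
    "Received: from pc17 (pc17.internal [192.168.101.17]) by mail.example.org",
    "Received: from localhost (localhost [127.0.0.1]) by mail.example.org",
    "From: Alice <alice@example.org>",
    "To: Bob <bob@example.net>",
    "Subject: quarterly report",
    "Date: Tue, 31 Jul 2012 12:45:00 +0200",
    "Message-ID: <constructed-1@example.org>",
    "X-Sender: alice@pc17.internal",
    'Content-Type: multipart/mixed; boundary="zzz"',
]

if __name__ == "__main__":
    kept, dropped = filter_headers(parse_table(HIDE_INTERNAL_RULES), SAMPLE_HEADERS)
    print("hide-internal drops:", dropped)
    kept, dropped = filter_headers(parse_table(KEEP_ONLY_RULES), SAMPLE_HEADERS)
    print("keep-only also drops:", dropped)     # Subject: and Content-Type: go too
    rules = parse_table(ATTACHMENT_RULES)
    print(apply_table(rules, 'Content-Disposition: attachment; filename="invoice.doc.exe"'))
    print(apply_table(rules, 'Content-Type: application/octet-stream; name="report.xls"'))
```

Running it shows the two internal Received: lines being dropped by the hide-internal rules, and that the keep-only pair also strips Subject:, MIME-Version-style and Content-Type: headers, since they are not in the OK list; the attachment rule fires on invoice.doc.exe with the expanded reject text and stays quiet on a plain report.xls.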

postfix.txt · Last modified: 2012/07/31 12:45 by greebo
CC Attribution-Share Alike 4.0 International