Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
postfix [2006/03/07 06:48]
greebo
postfix [2012/07/31 12:45] (current)
greebo old revision restored
Line 1: Line 1:
 ====== Postfix ====== ====== Postfix ======
 +
 +
 ==== Useful links ==== ==== Useful links ====
   * [[http://www.securitysage.com/antispam/]]   * [[http://www.securitysage.com/antispam/]]
- +  * [[http://openrbl.org/|OpenRBL check]] 
 +  * [[http://www.rfc-ignorant.org/]] 
 +  * [[http://www.acme.com/mail_filtering/]] 
 +  * [[http://www.pantz.org/os/openbsd/postfix-spamd-dovecot.shtml|Some useful postfix rules]] 
 +  * [[http://blog.dkorunic.net/|Spam Ninjas - Dinko Korunic’s blog]]
  
  
 ===== TODO ===== ===== TODO =====
   * **berljivost clanka**   * **berljivost clanka**
 +  * **RAZLICNI SCENARIJI**
   * vrstni red   * vrstni red
   * razlicni scenariji   * razlicni scenariji
Line 19: Line 25:
   * append_dot_mydomain = yes   * append_dot_mydomain = yes
   * pcre   * pcre
-  * IGNORE deletes lines in headers(?)+  !* IGNORE deletes lines in headers(?)
   unverified_recipient_reject_code = 550   unverified_recipient_reject_code = 550
   unverified_sender_reject_code = 550   unverified_sender_reject_code = 550
  
  
 +
 +smtpd_discard_ehlo_keywords = silent-discard, ETRN  VRFY
 +
 +===== Different Setups =====
 +  * [[postfix:mx|Postfix as MX server]]
 +  * [[postfix:smtp|Postfix as SMTP relay]]
 +  * [[postfix:smtp-auth|Postfix with SMTP-auth]]
 +  * [[postfix:asrelay|Postfix as relaying server (to Exchaneg/Domino)]]
 +  * [[postfix:advance|Advance postfix hacks]]
  
  
Line 29: Line 44:
 here are some tips .. here are some tips ..
  
-==== Hide internal address ====+==== Making postfix only send through 'smart relayhost' when direct connection is not available ==== 
 + 
 +I use this construction to have a fallback option when the direct connected ADSL-line is down: replace '**''relayhost''**' in '**main.cf**' by '**''smtp_fallback_relay''**'
 + 
 +==== Hide internal/intranet address ====
  
 See [[http://www.securitysage.com/antispam/hedrem.html|this page]] See [[http://www.securitysage.com/antispam/hedrem.html|this page]]
Line 42: Line 61:
   /^received: / IGNORE   /^received: / IGNORE
   /^X-Sender: / IGNORE   /^X-Sender: / IGNORE
 +  /^Received: .*\[192\.168\.101\..*\]\)/  IGNORE
 +  /^Received: .*\[127\.0\.0\.1\]\)/       IGNORE
 +
 +keeping only the headers that you want:
 +
 +    /^((Resent-)?From|To|Cc|Date|Return-Path|Message-ID):/ OK
 +    /./ IGNORE
 +
 +
  
-**Still looking for a better way?!** 
  
 ==== LMTP and over-quota ==== ==== LMTP and over-quota ====
 ''Be aware that if your IMAP server receives messages over LMTP, over-quota situations won't be discovered until after Postfix has accepted the message, so it will have to be bounced. If you want to reject mail for users over their quotas, you'll have to use an access table listing users who are over their quotas.'' ''Be aware that if your IMAP server receives messages over LMTP, over-quota situations won't be discovered until after Postfix has accepted the message, so it will have to be bounced. If you want to reject mail for users over their quotas, you'll have to use an access table listing users who are over their quotas.''
  
 +2008-02-06 (b) Not necessarily. If you use reject_unverified_recipient, cyrus LMTP rejects mail for over-quota mailbox and Postfix rejects them at SMTP stage.
  
 +----------------
  
  
----------------- 
  
 ===== Unsorted stuff ===== ===== Unsorted stuff =====
Line 78: Line 106:
 Limit the number of times a client can issue a junk command such as NOOP, VRFY, ETRN or RSET in one SMTP session before it is penalized with tarpit delays. Limit the number of times a client can issue a junk command such as NOOP, VRFY, ETRN or RSET in one SMTP session before it is penalized with tarpit delays.
 === ===
 +tired of  "postfix/smtpd : OTP unavailable because can't read/write key database"
 +
 +add to /etc/postfix/sasl/smtp.conf 
 +
 +mechlist: plain login crammd5 digestmd5
 +
 +or try this:
 +cd /usr/lib/sasl2
 +mkdir deactivated
 +mv *otp* deactivated
 +# for good measure
 +mv *ntlm* deactivated
 +
  
 ============= =============
Line 121: Line 162:
 out that many clients won't accept a REJECT after the (HELO|MAIL out that many clients won't accept a REJECT after the (HELO|MAIL
 FROM:connect) and would return every second. FROM:connect) and would return every second.
 +
 +===== ABKO ====
 +
 +check_*_mx_access cidr:/etc/postfix/sender_mx_access.cidr
 +
 + 0.0.0.0/8 REJECT Domain MX in broadcast network
 + 10.0.0.0/8 REJECT Domain MX in RFC 1918 private network
 + 127.0.0.0/8 REJECT Domain MX in loopback network
 + 169.254.0.0/16 REJECT Domain MX in link local network
 + 172.16.0.0/12 REJECT Domain MX in RFC 1918 private network
 + 192.0.2.0/24 REJECT Domain MX in TEST-NET network
 + 192.168.0/16 REJECT Domain MX in RFC 1918 private network
 + 224.0.0.0/4 REJECT Domain MX in class D multicast network
 + 240.0.0.0/5 REJECT Domain MX in class E reserved network
 + 248.0.0.0/5 REJECT Domain MX in reserved network
 +
 +source - IPv4 bogon list - http://www.cymru.com/Documents/bogon-bn-agg.txt
  
 ========== ==========
Line 215: Line 273:
  
 smtpd_recipient_restrictions = smtpd_recipient_restrictions =
- reject_unauth_pipelining,+# reject_unauth_pipelining, http://www.irbs.net/internet/postfix/0311/1455.html
  reject_non_fqdn_sender,  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,  reject_non_fqdn_recipient,
Line 226: Line 284:
  reject_rbl_client dnsbl.sorbs.net  reject_rbl_client dnsbl.sorbs.net
  reject_unauth_destination  reject_unauth_destination
 +
 +smtpd_data_restrictions = 
 + reject_unauth_pipelining
  
 #mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp #mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
Line 238: Line 299:
 #### ####
 /etc/postfix/client_access /etc/postfix/client_access
-# amis +  # amis 
-212.18.32.4             OK +  212.18.32.4             OK 
-212.18.32.14            OK +  212.18.32.14            OK 
-# triera +  # triera 
-213.161.0.24            OK +  213.161.0.24            OK 
-213.161.0.25            OK +  213.161.0.25            OK 
-# volja +  # volja 
-217.72.64.59            OK +  217.72.64.59            OK 
-217.72.64.60            OK +  217.72.64.60            OK 
-#  softnet +  #  softnet 
-212.103.128.68          OK +  212.103.128.68          OK 
-# mojnet +  # mojnet 
-212.93.226.6            OK +  212.93.226.6            OK 
-# telemach +  # telemach 
-213.143.65.10           OK +  213.143.65.10           OK 
-# netsi +  # netsi 
-212.72.100.100          OK +  212.72.100.100          OK 
-# siol +  # siol 
-193.189.160.25          OK +  193.189.160.25          OK 
-193.189.160.18          OK +  193.189.160.18          OK 
-# perftech +  # perftech 
-195.246.0.20            OK +  195.246.0.20            OK 
-195.246.0.21            OK +  195.246.0.21            OK 
-195.246.0.22            OK +  195.246.0.22            OK 
-# arnes +  # arnes 
-193.2.1.74              OK +  193.2.1.74              OK 
-193.2.1.75              OK +  193.2.1.75              OK 
-+  
-BSN-77-157-5.dsl.siol.net       OK +  BSN-77-157-5.dsl.siol.net       OK 
-193.77.157.5            OK +  193.77.157.5            OK 
-+  
-dsl.siol.net            554 Uporabite streznik mail.siol.net za odhodno posto ali si uredite 'povratni naslov' za vas IP. Za nadaljne informacije klicite 080 1000 +  dsl.siol.net            554 Uporabite streznik mail.siol.net za odhodno posto ali si uredite   'povratni naslov' za vas IP. Za nadaljne informacije klicite 080 1000 
-dial-up.siol.net        554 Uporabite streznik mail.siol.net za odhodno posto! Za nadaljne informacije klicite 080 1000 +  dial-up.siol.net        554 Uporabite streznik mail.siol.net za odhodno posto! Za nadaljne informacije klicite 080 1000 
-dial-up.volja.net       554 Uporabite streznik smtp.volja.net za odhodno posto. Za nadaljne informacije klicite 01 5875 888 +  dial-up.volja.net       554 Uporabite streznik smtp.volja.net za odhodno posto. Za nadaljne informacije klicite 01 5875 888 
-dial.netsi.net          554 Uporabite streznik smtp.netsi.net za odhodno posto! +  dial.netsi.net          554 Uporabite streznik smtp.netsi.net za odhodno posto! 
-dial-up.arnes.si        554 Uporabite streznik mail.arnes.si za odhodno posto! +  dial-up.arnes.si        554 Uporabite streznik mail.arnes.si za odhodno posto! 
-dial-up.moj.net         554 Uporabite streznik smtp.moj.net za odhodno posto ! For further info call 01 2345860! +  dial-up.moj.net         554 Uporabite streznik smtp.moj.net za odhodno posto ! For further info call 01 2345860! 
-dialup.amis.net         554 Uporabite streznik smtp.amis.net za odhodno posto ! Za nadaljne informacije klicite 080 2010 +  dialup.amis.net         554 Uporabite streznik smtp.amis.net za odhodno posto ! Za nadaljne informacije klicite 080 2010 
-adsl.amis.net           554 Uporabite streznik smtp.amis.net za odhodno posto ali si uredite 'povratni naslov' za vas IP. Za nadaljne informacije klicite 080 2010 +  adsl.amis.net           554 Uporabite streznik smtp.amis.net za odhodno posto ali si uredite 'povratni naslov' za vas IP. Za nadaljne informacije klicite 080 2010 
-cable.triera.net        554 Uporabite streznik smtp.triera.net za odhodno e-posto.+  cable.triera.net        554 Uporabite streznik smtp.triera.net za odhodno e-posto. 
 + 
 +  dsl.net                 554 Use smtp.dsl.net as outgoing e-mail server! 
 + 
 + 
 +**B wrote** 
 +To matchne vsak hostname, v katerem se pojavi ".dsl." 
 + 
 +ali ce hoces bit natancen: 
 +/^.*\.dsl\..*$/ (^ in $ sta zacetek in konec stringa, na zacetku in koncu stringa je lahko karkoli (.*), nekje v stringu pa je tudi ".dsl.")
  
-dsl.net                 554 Use smtp.dsl.net as outgoing e-mail server! 
  
 /etc/postfix/sender_checks /etc/postfix/sender_checks
-/@\[(10|127|0)\.|(192\.168)\./          554 Use real IP numbers or FQDN +  /@\[(10|127|0)\.|(192\.168)\./          554 Use real IP numbers or FQDN 
-/@\[172\.1[6-9]\./                      554 Use real IP numbers or FQDN +  /@\[172\.1[6-9]\./                      554 Use real IP numbers or FQDN 
-/@\[172\.2[0-9]\./                      554 Use real IP numbers or FQDN +  /@\[172\.2[0-9]\./                      554 Use real IP numbers or FQDN 
-/@\[172\.3[01]\./                       554 Use real IP numbers or FQDN+  /@\[172\.3[01]\./                       554 Use real IP numbers or FQDN
  
 /etc/postfix/helo_checks /etc/postfix/helo_checks
-your_fqdn_hostname_here     551    Bogus HELO+  your_fqdn_hostname_here     551    Bogus HELO 
 +  A.B.C.D           551     Bogus HELO 
 +  [A.B.C.D]         551     Bogus HELO
  
-/etc/postfix/virtual 
-virtual_domain.com whatever_that_is_not_used 
-abuse@virtual_domain.com root 
-postmaster@virtual_domain.com root 
-hostmaster@virtual_domain.com root 
-fu@virtual_domain.com other@email.com 
-fuu@virtual_domain.com local_user 
  
-# all e-mails go into one/single mbox +/etc/postfix/virtual 
-v_domain.org whatever_that_is_not_used +  virtual_domain.com whatever_that_is_not_used 
-@v_domain.org hegetsallmailfor@domena.org+  abuse@virtual_domain.com root 
 +  postmaster@virtual_domain.com root 
 +  hostmaster@virtual_domain.com root 
 +  fu@virtual_domain.com other@email.com 
 +  fuu@virtual_domain.com local_user 
 +   
 +  # all e-mails go into one/single mbox 
 +  v_domain.org whatever_that_is_not_used 
 +  @v_domain.org hegetsallmailfor@domena.org
  
 /etc/postfix/header_checks /etc/postfix/header_checks
-# NIMDA +  # NIMDA 
-/^.*boundary=\"====_ABC1234567890DEF_====\"/      REJECT +  /^.*boundary=\"====_ABC1234567890DEF_====\"/      REJECT 
-/^.*boundary=\"====_ABC123456j7890DEF_====\"/      REJECT +  /^.*boundary=\"====_ABC123456j7890DEF_====\"/      REJECT 
-+  
-/Subject:.*new photos from my party/   REJECT +  /Subject:.*new photos from my party/   REJECT 
-+  
-/^Content-Type: multipart\/mixed; boundary="----[a-zA-Z0-9]+_Outlook_Express_message_boundary"/ 554 Infected with SirCam. +  /^Content-Type: multipart\/mixed; boundary="----[a-zA-Z0-9]+_Outlook_Express_message_boundary"/ 554   Infected with SirCam. 
-# SIRCAM +  # SIRCAM 
-#/^.*_Outlook_Express_message_boundary/  REJECT +  #/^.*_Outlook_Express_message_boundary/  REJECT 
-# HYBRIS +  # HYBRIS 
-#/^.*boundary="--VE/     REJECT +  #/^.*boundary="--VE/     REJECT 
-# ALIZ +  # ALIZ 
-#/^.*boundary="bound"/   REJECT +  #/^.*boundary="bound"/   REJECT 
-# SPAM +  # SPAM 
-#/^Subject:.*Try It BEFORE You Buy It.*/         REJECT +  #/^Subject:.*Try It BEFORE You Buy It.*/         REJECT 
-#NextPart +  #NextPart 
-#/^.*boundary="----_=_NextPart_001.*"/   REJECT+  #/^.*boundary="----_=_NextPart_001.*"/   REJECT
  
  
 /etc/postfix/body_checks /etc/postfix/body_checks
  
-/^U*EsDBAoAAQAAA/ REJECT Encrypted Zip archive. /^Content-(Disposition|Type):.+file.+="?.*\.(doc|zip|exe|xls|jpg|gif)\.(vbs|scr|pif|bat|com|exe|lnk)"?$/ REJECT +/^U*EsDBAoAAQAAA/ REJECT Encrypted Zip archive.   /^Content-(Disposition|Type):.+file.+="?.*\.(doc|zip|exe|xls|jpg|gif)\.(vbs|scr|pif|bat|com|exe|lnk)"?$/ REJECT 
 /^begin [0-9]+*\.(scr|pif|exe|com|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|hta|reg|lnk|js|jse)/ REJECT  /^begin [0-9]+*\.(scr|pif|exe|com|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|hta|reg|lnk|js|jse)/ REJECT 
 /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ reject keep your viruses with you  /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ reject keep your viruses with you 
Line 333: Line 405:
  
 #or even more restrictive:  #or even more restrictive: 
-/<(iframe src=(3D)?cid:)/ REJECT ${1}: No exploitable iframe code accepted here PCRE version of the above: /^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(doc|zip|exe|xls)\.(exe|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)?"?\s*$/x REJECT Attachment name "$2" may not end with ".$3" +  /<(iframe src=(3D)?cid:)/ REJECT ${1}: No exploitable iframe code accepted here PCRE version of the above: 
 +/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(doc|zip|exe|xls)\.(exe|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)?"?\s*$/x REJECT Attachment name "$2" may not end with ".$3"
postfix.1141710505.txt.gz · Last modified: 2009/05/25 00:34 (external edit)
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready