Differences

postfix [2012/07/30 13:00]
188.143.232.12 RzBMiKulHUNEDu
postfix [2012/07/31 12:45] (current)
greebo old revision restored
Line 1: Line 1:
-yes, its cool, tried nagiosgrapherits even more coolits like cacti+nagios.Also what do you mean by it fixes the perbloms ​by itselfcustom code to fix perbloms ​in hooks? coz nagios ​is just detection ​and alerting ​system ​as far as i used it.+====== Postfix ====== 
 + 
 + 
 +==== Useful links ==== 
 +  * [[http://​www.securitysage.com/​antispam/​]] 
 +  * [[http://​openrbl.org/​|OpenRBL check]] 
 +  * [[http://​www.rfc-ignorant.org/​]] 
 +  * [[http://​www.acme.com/​mail_filtering/​]] 
 +  * [[http://​www.pantz.org/​os/​openbsd/​postfix-spamd-dovecot.shtml|Some useful postfix rules]] 
 +  * [[http://​blog.dkorunic.net/​|Spam Ninjas - Dinko Korunic’s blog]] 
 + 
 + 
 +===== TODO ===== 
 +  * **berljivost clanka** 
 +  * **RAZLICNI SCENARIJI** 
 +  * vrstni red 
 +  * razlicni scenariji 
 +  * cyrus 
 +  * sender_mx_access 
 +  * rshbl check 
 +  * sender/​recipient verification 
 +  * multiple <> bounces 
 +  * permit_backup_mx_network 
 +  * append_at_myorigin = yes 
 +  * append_dot_mydomain = yes 
 +  * pcre 
 +  !* IGNORE deletes lines in headers(?
 +  unverified_recipient_reject_code = 550 
 +  unverified_sender_reject_code = 550 
 + 
 + 
 + 
 +smtpd_discard_ehlo_keywords = silent-discardETRN  VRFY 
 + 
 +===== Different Setups ===== 
 +  * [[postfix:​mx|Postfix as MX server]] 
 +  * [[postfix:​smtp|Postfix as SMTP relay]] 
 +  * [[postfix:​smtp-auth|Postfix with SMTP-auth]] 
 +  * [[postfix:​asrelay|Postfix as relaying server (to Exchaneg/​Domino)]] 
 +  * [[postfix:​advance|Advance postfix hacks]] 
 + 
 + 
 +===== Cool :) postifx hacks ===== 
 +here are some tips .
 + 
 +==== Making postfix only send through 'smart relayhost'​ when direct connection is not available ==== 
 + 
 +I use this construction to have a fallback option when the direct connected ADSL-line is down: replace '​**''​relayhost''​**'​ in '​**main.cf**' ​by '​**''​smtp_fallback_relay''​**'​. 
 + 
 +==== Hide internal/​intranet address ==== 
 + 
 +See [[http://​www.securitysage.com/​antispam/​hedrem.html|this page]] 
 + 
 +  header_checks = regexp:/​etc/​postfix/​header_checks 
 + 
 +in that file you put 
 + 
 +  # Header checks file 
 +  #    /^Subject: Internet Sic Codes/ ​ REJECT 
 +  #    /^Subject: ADV / 
 +  /^received: / IGNORE 
 +  /^X-Sender: / IGNORE 
 +  /^Received: .*\[192\.168\.101\..*\]\)/ ​ IGNORE 
 +  /^Received: .*\[127\.0\.0\.1\]\)/ ​      ​IGNORE 
 + 
 +keeping only the headers that you want: 
 + 
 +    /​^((Resent-)?From|To|Cc|Date|Return-Path|Message-ID):/​ OK 
 +    /./ IGNORE 
 + 
 + 
 + 
 + 
 +==== LMTP and over-quota ==== 
 +''​Be aware that if your IMAP server receives messages over LMTP, over-quota situations won't be discovered until after Postfix has accepted the message, so it will have to be bounced. If you want to reject mail for users over their quotas, you'll have to use an access table listing users who are over their quotas.''​ 
 + 
 +2008-02-06 (b) Not necessarily. If you use reject_unverified_recipient,​ cyrus LMTP rejects mail for over-quota mailbox and Postfix rejects them at SMTP stage. 
 + 
 +---------------- 
 + 
 + 
 + 
 +===== Unsorted stuff ===== 
 + 
 +  owner_request_special = no 
 +  show_user_unknown_table_name = no 
 + 
 +  #       ​reject_rhsbl_client 
 +          reject_rhsbl_sender ​   dsn.rfc-ignorant.org 
 + 
 +=== 
 +  smtpd_error_sleep_time 
 + 
 +Time to wait in seconds before sending a 4xx or 5xx server error response. 
 + 
 +  smtpd_soft_error_limit 
 + 
 +When an SMTP client has made this number of errors, wait error_count seconds before responding to any client request. 
 + 
 +  smtpd_hard_error_limit 
 + 
 +Disconnect after a client has made this number of errors. 
 + 
 +  smtpd_junk_command_limit 
 + 
 +Limit the number of times a client can issue a junk command such as NOOP, VRFY, ETRN or RSET in one SMTP session before it is penalized with tarpit delays. 
 +=== 
 +tired of  "​postfix/​smtpd : OTP unavailable because can't read/write key database"​ 
 + 
 +add to /​etc/​postfix/​sasl/​smtp.conf  
 + 
 +mechlist: plain login crammd5 digestmd5 
 + 
 +or try this: 
 +cd /​usr/​lib/​sasl2 
 +mkdir deactivated 
 +mv *otp* deactivated 
 +# for good measure 
 +mv *ntlm* deactivated 
 + 
 + 
 +============= 
 +Also read this: 
 +http://​www.stahl.bau.tu-bs.de/​~hildeb/​postfix/​ 
 +Quota with postfix/​maildir 
 +Postfix+Courier-IMAP+MySQL for multiple domains HOWTO 
 +  
 +============ 
 +#postfix on ircnet 
 + 
 +''​for testing purposes i need complete catch-all setup that reroutes all incoming mails to /dev/null 
 + 
 + 
 +tail .. master.cf:​ 
 +devnull unix    -       ​n ​      ​n ​      ​- ​      ​- ​      ​pipe 
 +flags=R user=nobody argv=/​usr/​local/​bin/​devnull 
 +where bin/devnull is something like 
 +#!/bin/sh 
 +cat > /dev/null 
 +then set local_transport to devnull''​ 
 + 
 +============== 
 +How to change sender/​recipient/​both:​ 
 + 
 +  canonical_maps = hash:/​etc/​postfix/​canonical_maps 
 +  recipient_canonical_maps = 
 +  sender_canonical_maps = hash:/​etc/​postfix/​sender_maps 
 + 
 +  /​etc/​postfix/​canonical_maps 
 +  @thisisfakedomain.foo ​ makeitreal.com 
 + 
 +  /​etc/​postfix/​sender_maps 
 +  # this server is sending, but not receiving e-mail 
 +  # so we reroute the error msgs to the postmaster :] 
 +  eVecer@[195.246.18.38] ​ postmaster@slon.net 
 + 
 +=========== 
 +How to get all the e-mail that got from/to this server 
 +always_bcc = root 
 +========== 
 +smtpd_delay_reject delays all rejects to the RCPT TO: phase. It turned 
 +out that many clients won't accept a REJECT after the (HELO|MAIL 
 +FROM:​connect) ​and would return every second. 
 + 
 +===== ABKO ==== 
 + 
 +check_*_mx_access cidr:/​etc/​postfix/​sender_mx_access.cidr 
 + 
 + 0.0.0.0/​8 REJECT Domain MX in broadcast network 
 + 10.0.0.0/​8 REJECT Domain MX in RFC 1918 private network 
 + 127.0.0.0/​8 REJECT Domain MX in loopback network 
 + 169.254.0.0/​16 REJECT Domain MX in link local network 
 + 172.16.0.0/​12 REJECT Domain MX in RFC 1918 private network 
 + 192.0.2.0/​24 REJECT Domain MX in TEST-NET network 
 + 192.168.0/​16 REJECT Domain MX in RFC 1918 private network 
 + 224.0.0.0/​4 REJECT Domain MX in class D multicast network 
 + 240.0.0.0/​5 REJECT Domain MX in class E reserved network 
 + 248.0.0.0/​5 REJECT Domain MX in reserved network 
 + 
 +source - IPv4 bogon list - http://​www.cymru.com/​Documents/​bogon-bn-agg.txt 
 + 
 +========== 
 +/​etc/​postfix/​main.cf:​ 
 + 
 +  alias_maps = hash:/​etc/​aliases 
 +  alias_database = $alias_maps 
 + 
 +  smtpd_banner = $myhostname ESMTP http://​www.rfc.net/​rfc2821.html 
 +  mail_name = smtpd 
 + 
 +  # what kind of errors should postmaster receive 
 +  # notify_classes = resource,​software,​protocol,​policy,​delay,​2bounce 
 +  # default is:  notify_classes = resource,​software 
 + 
 +  # postfix tries to get hostname from the system, but it usually failes, because the hostname 
 +  # is not FQDN 
 +  myhostname = host.domain.org 
 + 
 +  # default is: 
 +  # myorigin = $myhostname 
 +  # mydomain = domain part of $myhostname 
 + 
 +  # what domains are LOCAL to this server 
 +  # DO NOT list virtual domains here! 
 +  # Use virtual_maps for virtual domains 
 +  mydestination = $myhostname,​ localhost.$mydomain 
 + 
 + 
 +  #​address_verify_map 
 + 
 +  #​owner_request_special = no 
 +  # for Mailman Mailing-list 
 + 
 +  # virtual domains 
 +  virtual_maps = hash:/​etc/​postfix/​virtual 
 + 
 +  # Reject unknown local/​virtual recipients at the SMTP port. 
 +  # proxy (v2.x) local_recipient_maps = proxy:​unix:​passwd.byname $alias_maps $virtual_maps 
 +  local_recipient_maps = unix:​passwd.byname $alias_maps $virtual_maps 
 + 
 +  mynetworks = 127.0.0.0/8 192.168.0.0/​24 10.3.74.0/​24 
 +  mynetworks_style = host 
 + 
 +  mailbox_size_limit = 0 
 +  recipient_delimiter = + 
 + 
 +  # Maildir format 
 +  # if you use Courier IMAP/POP 
 +  home_mailbox = Maildir/ 
 + 
 +  #if you use maildrop 
 +  #​mailbox_command = /​usr/​bin/​maildrop 
 +  #​local_destination_concurrency_limit = 1 
 + 
 +  delay_warning_time = 3h 
 + 
 +  smtpd_helo_required = yes 
 +  biff = no 
 +  disable_vrfy_command = yes 
 +  strict_rfc821_envelopes = no 
 + 
 +  transport_maps = hash:/​etc/​postfix/​transport 
 +  message_size_limit = 40960000 
 + 
 +  maps_rbl_domains = 
 + list.dsbl.org,​ 
 + relays.ordb.org 
 + 
 +  body_checks = regexp:/​etc/​postfix/​body_checks 
 +  header_checks = regexp:/​etc/​postfix/​header_checks 
 + 
 +  # smart-relay server 
 +  # probably smtp server of your ISP 
 +  #relayhost = [smtp.isp.com] 
 + 
 +  # smtp server to use if we get errors sending directly 
 +  #​fallback_relay = [smtp.isp.com] 
 + 
 +  # use it to TEST(!) your new config 
 +  # smtp will issue 4xx (temporary error) instead of 5xx (permanent) thus allowing 
 +  # transmission later 
 +  #​soft_bounce = yes 
 + 
 +  #broken PIX/cisco firewall 
 +  #​smtp_always_send_ehlo = no 
 + 
 +  smtpd_client_restrictions = hash:/​etc/​postfix/​client_access 
 + 
 +  smtpd_helo_restrictions = hash:/​etc/​postfix/​helo_checks 
 + 
 +  smtpd_sender_restrictions = 
 + regexp:/​etc/​postfix/​sender_checks 
 + 
 +smtpd_recipient_restrictions = 
 +#​ reject_unauth_pipelining,​ http://​www.irbs.net/​internet/​postfix/​0311/​1455.html 
 + reject_non_fqdn_sender,​ 
 + reject_non_fqdn_recipient,​ 
 + reject_unknown_sender_domain,​ 
 + reject_unknown_recipient_domain,​ 
 + permit_mynetworks,​ 
 +#​v1.x reject_maps_rbl 
 + reject_rbl_client relays.ordb.org 
 + reject_rbl_client list.dsbl.org 
 + reject_rbl_client dnsbl.sorbs.net 
 + reject_unauth_destination 
 + 
 +smtpd_data_restrictions =  
 + reject_unauth_pipelining 
 + 
 +#​mime_header_checks = regexp:/​etc/​postfix/​mime_header_checks.regexp 
 + 
 + 
 +# Make domain resolving errors permanent....fatal X-) 
 +#​unknown_address_reject_code = 554 
 +#​unknown_client_reject_code = 554 
 +#​unknown_hostname_reject_code = 554 
 + 
 + 
 +#### 
 +/​etc/​postfix/​client_access 
 +  # amis 
 +  212.18.32.4 ​            OK 
 +  212.18.32.14 ​           OK 
 +  # triera 
 +  213.161.0.24 ​           OK 
 +  213.161.0.25 ​           OK 
 +  # volja 
 +  217.72.64.59 ​           OK 
 +  217.72.64.60 ​           OK 
 +  #  softnet 
 +  212.103.128.68 ​         OK 
 +  # mojnet 
 +  212.93.226.6 ​           OK 
 +  # telemach 
 +  213.143.65.10 ​          OK 
 +  # netsi 
 +  212.72.100.100 ​         OK 
 +  # siol 
 +  193.189.160.25 ​         OK 
 +  193.189.160.18 ​         OK 
 +  # perftech 
 +  195.246.0.20 ​           OK 
 +  195.246.0.21 ​           OK 
 +  195.246.0.22 ​           OK 
 +  # arnes 
 +  193.2.1.74 ​             OK 
 +  193.2.1.75 ​             OK 
 +  # 
 +  BSN-77-157-5.dsl.siol.net ​      OK 
 +  193.77.157.5 ​           OK 
 +  # 
 +  dsl.siol.net ​           554 Uporabite streznik mail.siol.net za odhodno posto ali si uredite ​  '​povratni naslov'​ za vas IP. Za nadaljne informacije klicite 080 1000 
 +  dial-up.siol.net ​       554 Uporabite streznik mail.siol.net za odhodno posto! Za nadaljne informacije klicite 080 1000 
 +  dial-up.volja.net ​      554 Uporabite streznik smtp.volja.net za odhodno posto. Za nadaljne informacije klicite 01 5875 888 
 +  dial.netsi.net ​         554 Uporabite streznik smtp.netsi.net za odhodno posto! 
 +  dial-up.arnes.si ​       554 Uporabite streznik mail.arnes.si za odhodno posto! 
 +  dial-up.moj.net ​        554 Uporabite streznik smtp.moj.net za odhodno posto ! For further info call 01 2345860! 
 +  dialup.amis.net ​        554 Uporabite streznik smtp.amis.net za odhodno posto ! Za nadaljne informacije klicite 080 2010 
 +  adsl.amis.net ​          554 Uporabite streznik smtp.amis.net za odhodno posto ali si uredite '​povratni naslov'​ za vas IP. Za nadaljne informacije klicite 080 2010 
 +  cable.triera.net ​       554 Uporabite streznik smtp.triera.net za odhodno e-posto. 
 + 
 +  dsl.net ​                554 Use smtp.dsl.net as outgoing e-mail server! 
 + 
 + 
 +**B wrote** 
 +To matchne vsak hostname, v katerem se pojavi "​.dsl."​ 
 + 
 +ali ce hoces bit natancen: 
 +/​^.*\.dsl\..*$/​ (^ in $ sta zacetek in konec stringa, na zacetku in koncu stringa je lahko karkoli (.*), nekje v stringu pa je tudi "​.dsl."​) 
 + 
 + 
 +/​etc/​postfix/​sender_checks 
 +  /​@\[(10|127|0)\.|(192\.168)\./ ​         554 Use real IP numbers or FQDN 
 +  /​@\[172\.1[6-9]\./ ​                     554 Use real IP numbers or FQDN 
 +  /​@\[172\.2[0-9]\./ ​                     554 Use real IP numbers or FQDN 
 +  /​@\[172\.3[01]\./ ​                      554 Use real IP numbers or FQDN 
 + 
 +/​etc/​postfix/​helo_checks 
 +  your_fqdn_hostname_here ​    ​551 ​   Bogus HELO 
 +  A.B.C.D ​          ​551 ​    Bogus HELO 
 +  [A.B.C.D] ​        ​551 ​    Bogus HELO 
 + 
 + 
 +/​etc/​postfix/​virtual 
 +  virtual_domain.com whatever_that_is_not_used 
 +  abuse@virtual_domain.com root 
 +  postmaster@virtual_domain.com root 
 +  hostmaster@virtual_domain.com root 
 +  fu@virtual_domain.com other@email.com 
 +  fuu@virtual_domain.com local_user 
 +   
 +  # all e-mails go into one/single mbox 
 +  v_domain.org whatever_that_is_not_used 
 +  @v_domain.org hegetsallmailfor@domena.org 
 + 
 +/​etc/​postfix/​header_checks 
 +  # NIMDA 
 +  /​^.*boundary=\"​====_ABC1234567890DEF_====\"/ ​     REJECT 
 +  /​^.*boundary=\"​====_ABC123456j7890DEF_====\"/ ​     REJECT 
 +  # 
 +  /​Subject:​.*new photos from my party/ ​  ​REJECT 
 +  # 
 +  /​^Content-Type:​ multipart\/​mixed;​ boundary="​----[a-zA-Z0-9]+_Outlook_Express_message_boundary"/​ 554   ​Infected with SirCam. 
 +  # SIRCAM 
 +  #/​^.*_Outlook_Express_message_boundary/ ​ REJECT 
 +  # HYBRIS 
 +  #/​^.*boundary="​--VE/ ​    ​REJECT 
 +  # ALIZ 
 +  #/​^.*boundary="​bound"/ ​  ​REJECT 
 +  # SPAM 
 +  #/​^Subject:​.*Try It BEFORE You Buy It.*/         ​REJECT 
 +  #NextPart 
 +  #/​^.*boundary="​----_=_NextPart_001.*"/ ​  ​REJECT 
 + 
 + 
 +/​etc/​postfix/​body_checks 
 + 
 +/​^U*EsDBAoAAQAAA/​ REJECT Encrypted Zip archive. ​  /​^Content-(Disposition|Type):​.+file.+="?​.*\.(doc|zip|exe|xls|jpg|gif)\.(vbs|scr|pif|bat|com|exe|lnk)"?​$/​ REJECT  
 +/^begin [0-9]+*\.(scr|pif|exe|com|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|hta|reg|lnk|js|jse)/​ REJECT  
 +/​^<​iframe src=(3D)?​cid:​.* height=(3D)?​0 width=(3D)?​0>​$/​ reject keep your viruses with you  
 +/​AAAYmX3gXPgTs1z4E7Nc\+BOzJ\+Qfs1j4/​ REJECT  
 +# Win32.Klez.Worm.H  
 +/​^Content-Type:​.*audio\/​x-midi/​ REJECT  
 +/<​(iframe src=(3D)?​cid:​.* height=(3D)?​0 width=(3D)?​0)>/​ REJECT content rejected: ${1}: virus code detected in this email  
 + 
 +#or even more restrictive:​  
 +  /<​(iframe src=(3D)?​cid:​)/​ REJECT ${1}: No exploitable iframe code accepted here PCRE version of the above: 
 +/​^\s*Content-(Disposition|Type).*name\s*=\s*"?​(.*\.(doc|zip|exe|xls)\.(exe|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?​=)?"?​\s*$/​x REJECT Attachment name "​$2"​ may not end with ".$3"
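Review bot: the `reject_rbl_client relays.ordb.org` and `reject_rbl_client list.dsbl.org` entries in the `smtpd_recipient_restrictions` block (and the same two zones in `maps_rbl_domains`) query lists that no longer exist; ORDB in particular answered every lookup positively after it was shut down, so that single entry rejects all inbound mail. Drop both, together with the obsolete `maps_rbl_domains`/`reject_maps_rbl` lines, and move `reject_unauth_destination` ahead of the remaining `reject_rbl_client` lookups so relay attempts are refused without a DNS round trip; `dsn.rfc-ignorant.org` under "Unsorted stuff" has since been shut down as well. Further points in the same hunk: in `sender_checks`, `/@\[(10|127|0)\.|(192\.168)\./` splits at the top-level `|`, so the second branch matches `192.168.` anywhere in a sender address rather than only inside an address literal; `/@\[(10|127|0|192\.168)\./` is what was meant. In the "Hide internal/intranet address" section, `/^received: / IGNORE` strips every Received: line, which is the trail needed for abuse handling and loop detection, and the catch-all `/./ IGNORE` in the "keeping only the headers that you want" pair also removes Content-Type, MIME-Version and Subject, so any multipart message arrives unreadable; limit IGNORE to the RFC 1918 and loopback patterns already shown. `smtpd_discard_ehlo_keywords = silent-discardETRN VRFY` is missing the separator after `silent-discard`, so that token is unknown and only `VRFY` takes effect; write `silent-discard, etrn, vrfy`. In `body_checks`, `/^begin [0-9]+*\.(scr|...)/` stacks two quantifiers and leaves no room for the filename; a uuencode header reads `begin 644 name.exe`, so `/^begin [0-9]+ .*\.(scr|pif|...)/`. In the OTP workaround, the logged error comes from `smtpd`, so the file to edit is `smtpd.conf`, not `smtp.conf`, the Cyrus SASL option is spelled `mech_list`, and PLAIN/LOGIN should only be offered after STARTTLS. Smaller items: `192.168.0/16` in the CIDR table is not a complete dotted quad (`192.168.0.0/16`), and `240.0.0.0/5` plus `248.0.0.0/5` is simply `240.0.0.0/4`; `virtual_maps`, `fallback_relay` and the non-`proxy:` `unix:passwd.byname` are pre-2.x spellings whose current forms are `virtual_alias_maps`, `smtp_fallback_relay` (already used in the relayhost tip) and the commented-out `proxy:unix:passwd.byname`; `mynetworks_style = host` is ignored once `mynetworks` is set explicitly; and `always_bcc = root` copies every user's mail to one mailbox, which is worth a privacy remark next to it.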
postfix.txt · Last modified: 2012/07/31 12:45 by greebo
CC Attribution-Noncommercial-Share Alike 4.0 International