redwood Guru
Joined: 27 Jan 2006 Posts: 306
Posted: Mon Aug 27, 2012 9:46 pm Post subject: postfix setup
Hi, I have a question for a postfix guru.
I followed this Gentoo guide to set up a postfix server
http://en.gentoo-wiki.com/wiki/Postfix,_Courier,_Squirrelmail_and_Spamassassin
and also set up SenderPolicyFramework authentication
http://www.gentoo.org/proj/en/infrastructure/spf-howto.xml
Following the configuration guide,
I have a setup which filters out most spam.
However, I'm also rejecting some legitimate emails,
such as email from state government agencies and some banks.
I believe the problem is that these particular domains are not using SPF
and that they have outsourced their mail servers.
For instance, I've had to whitelist the following email address in my client_access hash file:
Code:
# XXXXXX@co.accomack.va.us
# cocotel.accomack.gov
38.124.138.118 permit_auth_destination
I've checked the mx and spf records for co.accomack.va.us using mxtoolbox.com's tools
and there is no spf record for the county domain and the mx server is listed as
d18888a.ess.barracudanetworks.com 64.235.150.197
d18888b.ess.barracudanetworks.com 64.235.150.197
And similarly for Virginia's State Corporation Commission:
# user@scc.virginia.gov
# mail0134.smtp25.com [reverse dns]
75.126.84.134 permit_auth_destination
And CHASE bank sends its secure email using isentry
so mail from user@chase.com
actually comes from:
# isentry.com
# ChaseSecureMail@isentry.com
178.32.180.60 permit_auth_destination
And I've just recently run into a problem getting mail
from a mortgage company which seems to be sending
its mail through
smtp[xxx].iad.emailsrvr.com where xxx would be the last
part of the ip address 207.97.245.xxx
and there are many, many xxx where mail is being sent from
for any particular user.
So mail from user@MORTGAGECO.com
actually comes from smtp[xxx].iad.emailsrvr.com
If all these domains used SPF records, then there would be no problem
authenticating the clients in order to receive mail from them.
Does anybody know if my postfix setup is sane?
I want to reject mail with spoofed rfc822 FROM records
and only accept mail delivery to actual users on my system.
I don't want to be a relay and I will authenticate clients with a proper SPF record.
My /etc/postfix/main.cf :
Code:
# cat main.cf|grep -v '^#'|grep -v '^$'
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mx.mydomain.net
mydomain = mydomain.net
myorigin = $mydomain
inet_interfaces = all
proxy_interfaces = 192.168.1.1
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, www.$mydomain, ftp.$mydomain, pbx.$mydomain
local_transport = local
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
virtual_transport = virtual
virtual_mailbox_domains = mysql:$config_directory/virtual_mailbox_domains.cf
virtual_minimum_uid = 1000
virtual_gid_maps = static:5022
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_uid_maps = static:5006
virtual_mailbox_base = /
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.1.0/24, 127.0.0.0/8, 10.0.0.0/24
relayhost = [outgoing.verizon.net]
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
home_mailbox = .maildir/
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail -a "DOMAIN"
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-2.9.3/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.9.3/readme
inet_protocols = ipv4
mail_spool_directory = /var/spool/mail
smtpd_sasl2_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/postfix/mydomain.net.crt
smtpd_tls_key_file = /etc/ssl/postfix/mydomain.net.key
smtpd_tls_CAfile = /etc/ssl/postfix/cacert.org.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_loglevel = 9
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_cert_file = /etc/ssl/postfix/mydomain.net.crt
smtp_tls_key_file = /etc/ssl/postfix/mydomain.net.key
smtp_tls_CAfile = /etc/ssl/postfix/cacert.org.crt
tls_random_source = dev:/dev/urandom
check_sender_access = hash:/etc/postfix/sender_access
smtpd_restriction_classes = greylist
greylist = check_policy_service inet:127.0.0.1:10030
owner_request_special = no
recipient_delimiter = +
virtual_alias_maps = hash:/etc/postfix/valias
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options =
allow_mail_to_commands = alias,forward
message_size_limit=30720000
biff = no
empty_address_recipient = MAILER-DAEMON
queue_minfree = 120000000
smtpd_helo_required = yes
content_filter = smtp-amavis:[127.0.0.1]:10024
strict_rfc821_envelopes = yes
smtpd_reject_unlisted_sender = yes
smtpd_client_restrictions = permit_mynetworks,
    check_client_access hash:/etc/postfix/client_access,
    reject_unknown_client
smtpd_sender_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_sender_login_mismatch,
    reject_unauthenticated_sender_login_mismatch,
    reject_unlisted_sender,
    warn_if_reject reject_unverified_sender,
    reject_unknown_sender_domain,
    reject_unknown_address
policy_time_limit = 3600
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service unix:private/policy,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
    permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
Thanks for any suggestions.
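The whitelist entries above work through check_client_access lookups, and the key-matching order of an access(5) table decides how much a single entry covers. Here is an added example, not code from the original post: a small Python emulation of that lookup order, using a constructed table that holds the host address from the post plus an assumed 207.97.245 network prefix and an assumed emailsrvr.com domain entry for the mortgage company's many smtp[xxx] relays.

```python
# Constructed client_access table in postmap(1) input form, modelled on the
# whitelist in the post: one host address, one dotted network prefix (covers
# every 207.97.245.x relay) and one domain (covers every host under it).
CLIENT_ACCESS_TEXT = """
38.124.138.118   permit_auth_destination
207.97.245       permit_auth_destination
emailsrvr.com    permit_auth_destination
"""

def parse_access_table(text):
    """Return {key: action} from 'key action' lines; blank and '#' lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, action = line.split(None, 1)
            table[key.lower()] = action.strip()
    return table

def lookup_ip(table, ip):
    """IPv4 key order: 'a.b.c.d', then 'a.b.c', 'a.b', 'a'. Returns (matched_key, action)."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return key, table[key]
    return None, None

def lookup_hostname(table, hostname):
    """Hostname key order: the full name, then each parent domain (with the
    default parent_domain_matches_subdomains setting 'domain.tld' matches subdomains)."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return key, table[key]
    return None, None

def check_client_access(table, ip, hostname=None):
    """check_client_access consults the client hostname (when known) before the address."""
    if hostname:
        key, action = lookup_hostname(table, hostname)
        if key:
            return key, action
    return lookup_ip(table, ip)

if __name__ == "__main__":
    table = parse_access_table(CLIENT_ACCESS_TEXT)
    print(check_client_access(table, "207.97.245.77", "smtp77.iad.emailsrvr.com"))
```

A prefix or domain entry grants the action to every host the provider puts in that range, so where the sending host is stable the full address or exact hostname is the narrower and safer key.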
redwood Guru
Joined: 27 Jan 2006 Posts: 306
Posted: Tue Aug 28, 2012 5:22 am Post subject:
For now I'm going to try the following
Code:
smtpd_client_restrictions = permit_mynetworks,
    check_client_access hash:/etc/postfix/client_access,
    reject_unknown_reverse_client_hostname,
    warn_if_reject reject_unknown_client
which will reject using the more forgiving "reject_unknown_reverse_client_hostname"
and warn instead of reject when using the stricter rule "reject_unknown_client".
I think there may be a separate issue with receiving emails
from some companies with large attachments.
I was receiving most emails from a mortgage company
but was not receiving the critical emails with attachments.
I initially thought postfix was rejecting the client email servers,
but looking through the maillog
I now think the connections were getting disconnected after a timeout.
(The maillog can be confusing since the log messages
for all the clients trying to deliver mail are all interleaved together
making following the processing of a single email difficult to sort through)
Some Googling suggested I may need to set the MTU of my nic to 1492 to match the setting in
my DD-WRT router for my aDSL connection to internet.
So I've set mtu_eth0=1492 in /etc/conf.d/net
I've also set CLAMPMSS=Yes in shorewall.conf
Hopefully, these changes will fix the postfix missing emails.
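To see what the revised restriction list changes, here is an added example (not code from the post) that walks the four restrictions above in Postfix order for a few constructed clients. The mynetworks value is the poster's; the one-entry access table, the local domains and the client records are assumed, the access lookup is exact-key only, and a DNS failure is modelled simply as "no PTR name".

```python
import ipaddress

# Constructed data (not from the original post): the poster's mynetworks, a
# one-entry client_access table and the domains this server accepts mail for.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "127.0.0.0/8", "10.0.0.0/24")]
CLIENT_ACCESS = {"38.124.138.118": "permit_auth_destination"}
LOCAL_DOMAINS = {"mydomain.net", "mx.mydomain.net"}

def unknown_reverse_client_hostname(client):
    """reject_unknown_reverse_client_hostname fires only when the PTR lookup yields no name."""
    return client["ptr"] is None

def unknown_client(client):
    """reject_unknown_client also fires when the PTR name does not resolve back to the client IP."""
    return client["ptr"] is None or client["ip"] not in client["forward"]

def evaluate(client, recipient):
    """Walk the restriction list in order and return (decision, warnings).
    With smtpd_delay_reject = yes (the default) the list runs at RCPT TO, so the
    recipient is known and permit_auth_destination can be decided here."""
    warnings = []
    ip = ipaddress.ip_address(client["ip"])
    if any(ip in net for net in MYNETWORKS):                 # permit_mynetworks
        return "PERMIT", warnings
    action = CLIENT_ACCESS.get(client["ip"])                 # check_client_access (exact key only)
    if action == "permit_auth_destination":
        if recipient.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
            return "PERMIT", warnings                        # otherwise: no decision, keep going
    elif action is not None:
        return ("PERMIT" if action.lower() == "ok" else action.upper()), warnings
    if unknown_reverse_client_hostname(client):
        return "REJECT", warnings
    if unknown_client(client):                               # warn_if_reject: log instead of reject
        warnings.append("reject_unknown_client would have rejected %s" % client["ip"])
    return "DUNNO", warnings          # no decision here; sender/recipient restrictions decide

CLIENTS = {
    "lan": {"ip": "192.168.1.50", "ptr": None, "forward": []},
    "listed_no_ptr": {"ip": "38.124.138.118", "ptr": None, "forward": []},
    "ptr_no_forward": {"ip": "203.0.113.7", "ptr": "mta.example.net", "forward": ["203.0.113.9"]},
    "no_ptr": {"ip": "198.51.100.4", "ptr": None, "forward": []},
}

if __name__ == "__main__":
    for name, client in CLIENTS.items():
        print(name, evaluate(client, "user@mydomain.net"))
```

The "ptr_no_forward" case is the one the change is about: it now passes the client stage with only a warning in the maillog, so the later restriction lists (SPF policy, RBLs) still get to decide.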
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Tue Aug 28, 2012 5:43 am Post subject:
one thing to remember with postfix config
the settings you add to main.cf are not "starting from scratch" settings
they are overrides for postfix's defaults
so many of the settings you have in main.cf are not necessarily needed.
as root, type:
Code:
postconf -d
this will show you postfix defaults. Anything postconf -d shows, that you have set in main.cf, probably does not need to be in main.cf
this will make your main.cf much easier to read and manage - especially for me, since i am too lazy to look up what every one of those settings mean in the order you've used them
indeed this is not SPF related. The SPF guide you quoted relates to you, the user, sending e-mail, rather than a MTA receiving the e-mail. Specifically, that SPF document is for Gentoo staff using Gentoo mail systems to send e-mail, and instructs Gentoo staff how to set up their mail clients to use Gentoo servers to send their @gentoo.org e-mail.
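A quick way to act on that advice, as an added example rather than anything from the post: compare the two outputs and list every main.cf parameter whose value merely repeats the compiled-in default. The sample outputs below are constructed; on a box with Postfix installed the script reads the real postconf -n and postconf -d instead.

```python
import subprocess

def parse_postconf(output):
    """Turn postconf(1) output ('name = value', one parameter per line) into a dict."""
    params = {}
    for line in output.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def redundant_settings(postconf_n, postconf_d):
    """Names set in main.cf (postconf -n) whose value equals the default (postconf -d)."""
    explicit, defaults = parse_postconf(postconf_n), parse_postconf(postconf_d)
    return sorted(name for name, value in explicit.items() if defaults.get(name) == value)

# Constructed excerpts of the two outputs (not captured from the poster's system).
SAMPLE_N = """\
biff = no
mail_owner = postfix
queue_directory = /var/spool/postfix
smtpd_helo_required = yes
sendmail_path = /usr/sbin/sendmail
"""
SAMPLE_D = """\
biff = yes
mail_owner = postfix
queue_directory = /var/spool/postfix
smtpd_helo_required = no
sendmail_path = /usr/sbin/sendmail
"""

if __name__ == "__main__":
    try:
        n = subprocess.run(["postconf", "-n"], capture_output=True, text=True, check=True).stdout
        d = subprocess.run(["postconf", "-d"], capture_output=True, text=True, check=True).stdout
    except FileNotFoundError:          # no Postfix here: show the behaviour on the sample data
        n, d = SAMPLE_N, SAMPLE_D
    for name in redundant_settings(n, d):
        print(name)
```

Parameters the listing names are safe to drop from main.cf; the ones it does not name are the actual overrides worth reviewing one by one.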
redwood Guru
Joined: 27 Jan 2006 Posts: 306
Posted: Tue Aug 28, 2012 4:06 pm Post subject:
Thanks for your tips!
I set up my postfix mail server years ago and couldn't remember the exact Gentoo guides (which might have changed anyhow since then) so I just Googled for "Gentoo postfix + courier-imap + squirrelmail"
and "Gentoo spf" so maybe I got the spf url wrong -- my apologies.
Anyhow I do use spf policy delegation in my master.cf:
Code:
policy unix - n n - - spawn
    user=nobody argv=/usr/bin/perl /usr/lib/postfix/postfix-policyd-spf-perl
There is a Gentoo package for a python script for spf (mail-filter/pypolicyd-spf)
but I think I downloaded the perl script instead from
http://www.openspf.org/Software
https://launchpad.net/postfix-policyd-spf-perl/