Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
postfix setup
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
redwood
Apprentice
Apprentice


Joined: 27 Jan 2006
Posts: 286

PostPosted: Mon Aug 27, 2012 9:46 pm    Post subject: postfix setup Reply with quote

Hi, I have a question for a postfix guru.

I followed this Gentoo guide to setup a postfix server
[url]
http://en.gentoo-wiki.com/wiki/Postfix,_Courier,_Squirrelmail_and_Spamassassin
[/url]

and also setup SenderPolicyFramework authentication
[url]
http://www.gentoo.org/proj/en/infrastructure/spf-howto.xml
[/url]

Following the configuration guide,
I have a setup which filters out most spam.
However, I'm also rejecting some legitimate emails.
such as email from state goverment agencies and some banks.

I believe the problem is that these particular domains are not using SPF
and that they have outsourced their mail servers.

For instance, I've had to whitelist the following email address in my client_access hash file:
Code:

# XXXXXX@co.accomack.va.us
# cocotel.accomack.gov
38.124.138.118          permit_auth_destination


I've checked the mx and spf records for co.accomack.va.us using mxtoolbox.com's tools
and there is no spf record for the county domain and the mx server is listed as
d18888a.ess.barracudanetworks.com 64.235.150.197
d18888b.ess.barracudanetworks.com 64.235.150.197

And similarly for Virginia's State Corporation Commission:
# user@scc.virginia.gov
# mail0134.smtp25.com [reverse dns]
75.126.84.134 permit_auth_destination

And CHASE bank sends its secure email using isentry
so mail from user@chase.com
actually comes from:

# isentry.com
# ChaseSecureMail@isentry.com
178.32.180.60 permit_auth_destination

And I've just recently run into a problem getting mail
from a mortgage company which seems to be sending
its mail through
smtp[xxx].iad.emailsrvr.com where xxx would be the last
part of the ip address 207.97.245.xxx
and there are many, many xxx where mail is being sent from
for any particular user.
So mail from user@MORTGAGECO.com
actually comes from smtp[xxx].iad.emailsrvr.com

If all these domains used SPF records, then there would be no problem
authenticating the clients in order to receive mail from them.




Does anybody know if my postfix setup is sane?
I want to reject mail with spoofed rfc822 FROM records
and only accept mail delivery to actual users on my system.
I don't want to be a relay and I will authenticate clients with a proper SPF record.

My /etc/postfix/main.cf :
Code:

# cat main.cf|grep -v '^#'|grep -v '^$'
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mx.mydomain.net
mydomain = mydomain.net
myorigin = $mydomain
inet_interfaces = all
proxy_interfaces = 192.168.1.1
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,  www.$mydomain, ftp.$mydomain, pbx.$mydomain
local_transport = local
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
virtual_transport = virtual
virtual_mailbox_domains = mysql:$config_directory/virtual_mailbox_domains.cf
virtual_minimum_uid = 1000
virtual_gid_maps = static:5022
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_uid_maps = static:5006
virtual_mailbox_base = /
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.1.0/24, 127.0.0.0/8, 10.0.0.0/24
relayhost = [outgoing.verizon.net]
alias_maps     = mysql:/etc/postfix/mysql-aliases.cf
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
home_mailbox = .maildir/
 
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail -a "DOMAIN"
 
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-2.9.3/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.9.3/readme
inet_protocols = ipv4
mail_spool_directory = /var/spool/mail
smtpd_sasl2_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/postfix/mydomain.net.crt
smtpd_tls_key_file  = /etc/ssl/postfix/mydomain.net.key
smtpd_tls_CAfile = /etc/ssl/postfix/cacert.org.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_loglevel = 9
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_cert_file = /etc/ssl/postfix/mydomain.net.crt
smtp_tls_key_file = /etc/ssl/postfix/mydomain.net.key
smtp_tls_CAfile = /etc/ssl/postfix/cacert.org.crt
tls_random_source = dev:/dev/urandom
check_sender_access = hash:/etc/postfix/sender_access
smtpd_restriction_classes = greylist
greylist = check_policy_service inet:127.0.0.1:10030
owner_request_special = no
recipient_delimiter = +
virtual_alias_maps = hash:/etc/postfix/valias
alias_maps         = mysql:/etc/postfix/mysql-aliases.cf
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options =
allow_mail_to_commands = alias,forward
message_size_limit=30720000
biff = no
empty_address_recipient = MAILER-DAEMON
queue_minfree = 120000000
smtpd_helo_required = yes
content_filter = smtp-amavis:[127.0.0.1]:10024


strict_rfc821_envelopes = yes
smtpd_reject_unlisted_sender = yes
smtpd_client_restrictions = permit_mynetworks,
                            check_client_access hash:/etc/postfix/client_access,
                            reject_unknown_client
smtpd_sender_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_sender_login_mismatch,
        reject_unauthenticated_sender_login_mismatch,
        reject_unlisted_sender,
        warn_if_reject reject_unverified_sender,
        reject_unknown_sender_domain,
        reject_unknown_address
policy_time_limit = 3600
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        check_policy_service unix:private/policy,
        check_sender_access hash:/etc/postfix/sender_access,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client bl.spamcop.net,
        permit
smtpd_data_restrictions = reject_unauth_pipelining, permit



Thanks for any suggestions.
Back to top
View user's profile Send private message
redwood
Apprentice
Apprentice


Joined: 27 Jan 2006
Posts: 286

PostPosted: Tue Aug 28, 2012 5:22 am    Post subject: Reply with quote

For now I'm going to try the following
Code:

smtpd_client_restrictions = permit_mynetworks,
                            check_client_access hash:/etc/postfix/client_access,
                            reject_unknown_reverse_client_hostname,
                            warn_if_reject reject_unknown_client

which will reject using the more foregiving "reject_unknown_reverse_client_hostname"
and warn instead of reject when using the stricter rule 'reject_unknown_client"

I think there may be a separate issue with receiving emails
from some companies with large attachments.
I was receiving most emails from a mortgage company
but was not receiving the critical emails with attachments.
I initially thought postfix was rejecting the client email servers,
but looking throught the maillog
I now think the connections were getting disconnected after a timeout.

(The maillog can be confusing since the log messages
for all the clients trying to deliver mail are all interleaved together
making following the processing of a single email difficult to sort through)

Some Googling suggested I may need to set the MTU of my nic to 1492 to match the setting in
my DD-WRT router for my aDSL connection to internet.
So I've set mtu_eth0=1492 in /etc/conf.d/net
I've also set CLAMPMSS=Yes in shorewall.conf

Hopefully, these changes will fix the postfix missing emails.
Back to top
View user's profile Send private message
cach0rr0
Bodhisattva
Bodhisattva


Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Tue Aug 28, 2012 5:43 am    Post subject: Reply with quote

one thing to remember with postfix config
the settings you add to main.cf are not "starting from scratch" settings
they are overrides for postfix's defaults

so many of the settings you have in main.cf are not necessarily needed.

as root, type:

Code:

postconf -d


this will show you postfix defaults. Anything postconf -d shows, that you have set in main.cf, probably does not need to be in main.cf
this will make your main.cf much easier to read and manage - especially for me, since i am too lazy to look up what every one of those settings mean in the order you've used them :)

indeed this is not SPF related. The SPF guide you quoted relates to you, the user, sending e-mail, rather than a MTA receiving the e-mail. Specifically, that SPF document is for Gentoo staff using Gentoo mail systems to send e-mail, and instructs Gentoo staff how to set up their mail clients to use Gentoo servers to send their @gentoo.org e-mail.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
Back to top
View user's profile Send private message
redwood
Apprentice
Apprentice


Joined: 27 Jan 2006
Posts: 286

PostPosted: Tue Aug 28, 2012 4:06 pm    Post subject: Reply with quote

Thanks for your tips!

I setup my postfix mail server years ago and couldn't remember the exact Gentoo guides (which might have changed anyhow since then) so I just Googled for "Gentoo postfix + courier-imap + squirrelmail"
and "Gentoo spf" so maybe I got the spf url wrong -- my apologies.

Anyhow I do use spf policy delegation in my master.cf:
Code:

policy  unix  -       n       n       -       -       spawn
   user=nobody argv=/usr/bin/perl /usr/lib/postfix/postfix-policyd-spf-perl


There is a Gentoo package for a python script for spf (mail-filter/pypolicyd-spf)
but I think I downloaded the perl script instead from
[url]
http://www.openspf.org/Software
https://launchpad.net/postfix-policyd-spf-perl/
[/url]
Back to top
View user's profile Send private message
cach0rr0
Bodhisattva
Bodhisattva


Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Wed Aug 29, 2012 4:00 am    Post subject: Reply with quote

only thing in that that is somewhat foreign to me is courier - never given it much time. I've either had very simple needs, for which Dovecot fit the bill perfectly, or more complex needs, for which I've used Cyrus IMAP. Result of which, I put together this bit of doc: http://whitehathouston.com/documentation/gentoo/postfix_cyrus_vhost_howto.htm

based on this thread

might be of some use.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum