SPAM: Re: SPAM: MailScanner & Postfix

SPAM: Re: SPAM: MailScanner & Postfix

jdp-2


-----Original Message-----

>I would suggest you start without chroot, then set up a test environment
>where you can test your installation without deadline pressure.
>

Thanks for your help. I am getting somewhere. I have a test mail sitting in the postfix queue. How do I tell Postfix to relay to certain domains? For example, we have three domains on our mail server. I want Postfix to send mail to that server, but not relay to anyone else. How do I accomplish this?

Again, I cannot thank you enough.

By the way, I am not sure what took down the old server. The hard drive was incredibly hot, but the MB may have been the problem too. At any rate, I was looking forward to getting this set up on a Suse system, although I was hoping for a more leisurely pace. Oh well.

~James

--
Check the headers for your unsubscription address
For additional commands send e-mail to [hidden email]
Also check the archives at http://lists.suse.com
Please read the FAQs: [hidden email]



Re: SPAM: Re: SPAM: MailScanner & Postfix

Sandy Drobic
JDP wrote:

> -----Original Message-----
>
>  
>> I would suggest you start without chroot, then set up a test environment
>> where you can test your installation without deadline pressure.
>>
>>    
>
> Thanks for your help. I am getting somewhere. I have a test mail sitting in the postfix queue. How do I tell Postfix to relay to certain domains? For example, we have three domains on our mail server. I want Postfix to send mail to that server, but not relay to anyone else. How do I accomplish this?
>  
It would help if you described your setup in a bit more detail. At the
moment I assume the following setup:

Internet  <-> Postfix-Gateway  <-> internal Mailserver

All Mails are running through the Postfix server either from outside or
inside. If you have three domains that postfix should accept mails for
and then relay to the internal server you should set up the domains as
relay domains.


/etc/postfix/main.cf:

# internal trusted net that is allowed to relay
mynetworks = 192.168.1.0/24, 127.0.0.0/8
# domains that postfix should accept mails for from the internet
relay_domains = domain1.example.com, domain2.example.com,
domain3.example.com
# reject not listed recipients as invalid, otherwise mail would bounce later
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# accept mails for relay_domains and relay for mynetworks
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
# send mail for special domains to the servers within:
transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport:
# brackets to suppress mx lookup
domain1.example.com:   relay:[192.168.1.13]
domain2.example.com:   relay:[192.168.1.13]
domain3.example.com:   relay:[192.168.1.13]

/path/to/file/with/valid/addresses:
[hidden email]   OK
[hidden email]   OK
[hidden email]   OK
[hidden email]   OK
[hidden email]   OK
[hidden email]   OK
....

This should give you a working installation without any whistles and
bells. If you don't have a list with valid addresses then you either
need to extract it (use an automated script later), use address
verification ( postfix asks the internal server if the address is
valid), or, worst case, disable recipient validation. That would lead to
bounces, so I advise against it.

If you want to get started as fast as possible set "relay_recipient_maps
= ", that will disable the recipient validation.

All files with hash: in the beginning need to be converted to databases
with the postmap command after every change:

postmap  /etc/postfix/transport
postmap /etc/postfix/relay_recipients

Once you have the transport file set up you can use "postsuper" to tell
postfix to reevaluate the transport settings:
postsuper -r ALL

That will requeue the mails.

If you have further questions, please send the output of "postconf -n"
and the log lines where the problem occurs. Use example.com and private
ip addresses if you want to hide sensitive data. Don't show real mail
addresses here in the mailing list, the spammers like to harvest the web
archives for mail addresses. (^-^)


> Again, I cannot thank you enough.
>
> By the way, I am not sure what took down the old server. The hard drive was incredibly hot, but the MB may have been the problem too. At any rate, I was looking forward to getting this set up on a Suse system, although I was hoping for a more leisurely pace. Oh well.
>
> ~James
>
>  
Heat is the enemy number one of most computers. Even my workstation that I
am writing the mail here has a hardware raid. (^-^)

Sandy

--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com



Re: SPAM: Re: SPAM: MailScanner & Postfix

jdp-2
In reply to this post by jdp-2

>Internet  <-> Postfix-Gateway  <-> internal Mailserver
>
>All Mails are running through the Postfix server either from outside or
>inside. If you have three domains that postfix should accept mails for
>and then relay to the internal server you should set up the domains as
>relay domains.
>
Yes, this is correct; Internet -> Postfix/MailScanner -> Internal MailServer


>/etc/postfix/main.cf:
>
># internal trusted net that is allowed to relay
>mynetworks = 192.168.1.0/24, 127.0.0.0/8
># domains that postfix should accept mails for from the internet
>relay_domains = domain1.example.com, domain2.example.com,
>domain3.example.com
># reject not listed recipients as invalid, otherwise mail would bounce later
>relay_recipient_maps = hash:/etc/postfix/relay_recipients
This is interesting; how do I tell Postfix to check the internal mailserver (Exchange) for address verification?

># accept mails for relay_domains and relay for mynetworks
>smtpd_recipient_restrictions =
>    permit_mynetworks,
>    reject_unauth_destination
># send mail for special domains to the servers within:
>transport_maps = hash:/etc/postfix/transport
>
>/etc/postfix/transport:
># brackets to suppress mx lookup
>domain1.example.com:   relay:[192.168.1.13]
>domain2.example.com:   relay:[192.168.1.13]
>domain3.example.com:   relay:[192.168.1.13]
>
>/path/to/file/with/valid/addresses:
>[hidden email]   OK
>[hidden email]   OK
>[hidden email]   OK
>[hidden email]   OK
>[hidden email]   OK
>[hidden email]   OK
>....
>
>This should give you a working installation without any whistles and
>bells. If you don't have a list with valid addresses then you either
>need to extract it (use an automated script later), use address
>verification ( postfix asks the internal server if the address is
>valid),
This is very promising.  How does this work against an Exchange server?

>or, worst case, disable recipient validation. That would lead to
>bounces, so I advise against it.
>
>If you want to get started as fast as possible set "relay_recipient_maps
>= ", that will disable the recipient validation.
>
>All files with hash: in the beginning need to be converted to databases
>with the postmap command after every change:
>
>postmap  /etc/postfix/transport
>postmap /etc/postfix/relay_recipients
>
Okay, when running postmap I get an error of,

postmap: warning: /etc/postfix/transport, line 274: record is in "key: value" format; is this an alias file?

Should I drop the colon after the domain name?

Thank you,

~James

       
       
       


Re: SPAM: Re: SPAM: MailScanner & Postfix

Per Jessen
JDP wrote:
>>relay_recipient_maps = hash:/etc/postfix/relay_recipients
> This is interesting; how do I tell Postfix to check the internal
> mailserver (Exchange) for address verification?

Postfix has many options - what service does Exchange make available for
this?  You could turn the above into a mysql lookup for instance.

>>This should give you a working installation without any whistles and
>>bells. If you don't have a list with valid addresses then you either
>>need to extract it (use an automated script later), use address
>>verification ( postfix asks the internal server if the address is
>>valid),
> This is very promising.  How does this work against an Exchange
> server?

Just curious - it sounds like you're looking to front-end your
Exchange server with a postfix ditto?



/Per Jessen, Zürich



Re: SPAM: Re: SPAM: MailScanner & Postfix

Sandy Drobic
In reply to this post by jdp-2
JDP wrote:

>> Internet  <-> Postfix-Gateway  <-> internal Mailserver
>>
>> All Mails are running through the Postfix server either from outside or
>> inside. If you have three domains that postfix should accept mails for
>> and then relay to the internal server you should set up the domains as
>> relay domains.
>>
> Yes, this is correct; Internet -> Postfix/MailScanner -> Internal MailServer
>
>
>> /etc/postfix/main.cf:
>>
>> # internal trusted net that is allowed to relay
>> mynetworks = 192.168.1.0/24, 127.0.0.0/8
>> # domains that postfix should accept mails for from the internet
>> relay_domains = domain1.example.com, domain2.example.com,
>> domain3.example.com
>> # reject not listed recipients as invalid, otherwise mail would bounce later
>> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> This is interesting; how do I tell Postfix to check the internal mailserver (Exchange) for address verification?

Recipient validation uses a file, in this example
/etc/postfix/relay_recipients.

Recipient verification is a lot more resource intensive and simply queries
the backend server while the mail is transmitted to check if the recipient
address is valid.
This only works if your version of Exchange can reject invalid recipients
during the smtp dialogue.
You tell postfix to check if the recipient address is valid or not.

>> # accept mails for relay_domains and relay for mynetworks
>> smtpd_recipient_restrictions =
>>    permit_mynetworks,
>>    reject_unauth_destination

For recipient verification you would insert a check to invoke the restriction:

main.cf:
smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unauth_destination,
        reject_unverified_recipient

Since the restriction reject_unauth_destination already filters out all
mail that Postfix does not feel responsible for, the
reject_unverified_recipient will query the internal servers whether the
address is valid. That's all.

This will only work as long as your internal exchange is running.
Otherwise mail will be rejected with a temporary error.

That is the reason why a local file with valid recipients is the most
stable way to operate a mail gateway.

>> # send mail for special domains to the servers within:
>> transport_maps = hash:/etc/postfix/transport
>>
>> /etc/postfix/transport:
>> # brackets to suppress mx lookup
>> domain1.example.com:   relay:[192.168.1.13]
>> domain2.example.com:   relay:[192.168.1.13]
>> domain3.example.com:   relay:[192.168.1.13]
>>
>> /path/to/file/with/valid/addresses:
>> [hidden email]   OK
>> [hidden email]   OK
>> [hidden email]   OK
>> [hidden email]   OK
>> [hidden email]   OK
>> [hidden email]   OK
>> ....
>>
>> This should give you a working installation without any whistles and
>> bells. If you don't have a list with valid addresses then you either
>> need to extract it (use an automated script later), use address
>> verification ( postfix asks the internal server if the address is
>> valid),
> This is very promising.  How does this work against an Exchange server?

See above. More details are available on the postfix site:
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

There are scripts available that can extract the valid recipients from an
exchange server. If you have ldap enabled you can use a script on the mail
gateway to query the server directly.

>> or, worst case, disable recipient validation. That would lead to
>> bounces, so I advise against it.
>>
>> If you want to get started as fast as possible set "relay_recipient_maps
>> = ", that will disable the recipient validation.
>>
>> All files with hash: in the beginning need to be converted to databases
>> with the postmap command after every change:
>>
>> postmap  /etc/postfix/transport
>> postmap /etc/postfix/relay_recipients
>>
> Okay, when running postmap I get an error of,
>
> postmap: warning: /etc/postfix/transport, line 274: record is in "key: value" format; is this an alias file?
>
> Should I drop the colon after the domain name?

Oops! Yes, colons are only allowed in alias files. My bad...

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
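
Added example (not part of the original thread and not Postfix code): a small Python lint for the transport table discussed above. It flags keys ending in a colon, which is what triggers the postmap "key: value" warning, duplicate keys, and relay domains that have no transport entry. The sample table, the function names and the exact-match coverage check are assumptions made for illustration.

```python
import re

# Constructed sample: the colon mistake from this thread plus a duplicated key.
SAMPLE_TRANSPORT = """\
# brackets to suppress mx lookup
domain1.example.com:   relay:[192.168.1.13]
domain2.example.com    relay:[192.168.1.13]
domain2.example.com    relay:[192.168.1.13]
"""
RELAY_DOMAINS = "domain1.example.com, domain2.example.com, domain3.example.com"


def parse_map(text):
    """Return (lineno, key, value) for each logical line of a postmap source."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Blank lines and lines whose first non-blank character is '#' are ignored.
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            # A line starting with whitespace continues the previous entry.
            first, key, value = entries[-1]
            entries[-1] = (first, key, (value + " " + raw.strip()).strip())
            continue
        parts = raw.split(None, 1)
        entries.append((lineno, parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def lint_transport(text):
    """Return a list of (lineno, problem) for a transport table."""
    problems, seen = [], {}
    for lineno, key, value in parse_map(text):
        if key.endswith(":"):
            problems.append((lineno, 'key ends with ":" (alias-file syntax)'))
            key = key[:-1]
        if not value:
            problems.append((lineno, "missing transport:nexthop value"))
        key = key.lower()
        if key in seen:
            problems.append((lineno, "duplicate key, first seen on line %d" % seen[key]))
        else:
            seen[key] = lineno
    return problems


def uncovered_domains(relay_domains, transport_text):
    """Relay domains with no exact transport key (.parent and * keys not considered)."""
    keys = {k.rstrip(":").lower() for _, k, _ in parse_map(transport_text)}
    wanted = [d.lower() for d in re.split(r"[,\s]+", relay_domains) if d]
    return [d for d in wanted if d not in keys]


if __name__ == "__main__":
    for lineno, problem in lint_transport(SAMPLE_TRANSPORT):
        print("line %d: %s" % (lineno, problem))
    print("no transport entry:", uncovered_domains(RELAY_DOMAINS, SAMPLE_TRANSPORT))
```

Run it against the real file before `postmap`; a relay domain without a transport entry is delivered by normal MX lookup instead of going to the internal server.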


Re: SPAM: Re: SPAM: MailScanner & Postfix

Sandy Drobic

>>> This should give you a working installation without any whistles and
>>> bells. If you don't have a list with valid addresses then you either
>>> need to extract it (use an automated script later), use address
>>> verification ( postfix asks the internal server if the address is
>>> valid),
>> This is very promising.  How does this work against an Exchange server?
>
> See above. More details are available on the postfix site:
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
>
> There are scripts available that can extract the valid recipients from
> an exchange server. If you have ldap enabled you can use a script on the
> mail gateway to query the server directly.

Here are two links I found in my bookmarks to create a
relay_recipient_maps file:
http://www.mailscanner.info/serve/cache/290.html
http://www.unixwiz.net/techtips/postfix-exchange-users.html

We use a Domino environment in our company, so I can't give you specific
exchange help.

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
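
Added example (not part of the original thread and not taken from the linked scripts): one way to turn a directory export into the relay_recipients file described in this thread, so the gateway can reject unknown recipients without querying the backend. It assumes an LDIF dump in which each mailbox lists its addresses in `proxyAddresses` values prefixed with `SMTP:` or `smtp:`; the sample data and function names are constructed for illustration.

```python
import base64
import re

# Constructed LDIF export; the second address is folded across two lines.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=com
proxyAddresses: SMTP:Alice@domain1.example.com
proxyAddresses: smtp:alice.example@domain2.exam
 ple.com
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Alice;

dn: CN=Bob Example,CN=Users,DC=example,DC=com
proxyAddresses: SMTP:bob@domain1.example.com
proxyAddresses: smtp:bob@other.example.net
mail: bob@domain1.example.com
"""
RELAY_DOMAINS = ["domain1.example.com", "domain2.example.com", "domain3.example.com"]


def unfold(ldif):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)


def smtp_addresses(ldif):
    """Yield lower-cased SMTP addresses found in proxyAddresses values."""
    for line in unfold(ldif).splitlines():
        m = re.match(r"(?i)proxyAddresses(::?)\s*(.*)$", line)
        if not m:
            continue
        value = m.group(2)
        if m.group(1) == "::":
            # "attr:: value" marks a base64-encoded value in LDIF.
            value = base64.b64decode(value).decode("utf-8", "replace")
        scheme, _, addr = value.partition(":")
        addr = addr.strip().lower()
        # Skip X400 and other schemes, and anything that would not be a
        # single clean key in the map (whitespace, missing or extra "@").
        if scheme.lower() == "smtp" and re.fullmatch(r"[^\s@]+@[^\s@]+", addr):
            yield addr


def relay_recipients(ldif, relay_domains):
    """Return the text of a relay_recipients map limited to relay_domains."""
    domains = {d.lower() for d in relay_domains}
    keep = {a for a in smtp_addresses(ldif) if a.rsplit("@", 1)[1] in domains}
    return "".join("%s\tOK\n" % a for a in sorted(keep))


if __name__ == "__main__":
    print(relay_recipients(SAMPLE_LDIF, RELAY_DOMAINS), end="")
```

Write the result to /etc/postfix/relay_recipients and run `postmap` on it, as described earlier in the thread.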


Re: SPAM: Re: SPAM: MailScanner & Postfix

jdp-2
In reply to this post by jdp-2
Hello Sandy,

Somehow, things are going terribly wrong. My test emails are not showing up in the queue and they are not getting delivered either. I can see them going into the system, /var/log/mail.info, but I don't know what is happening to them.

Aug  6 13:45:09 postmaster postfix/smtpd[31844]: connect from unknown[192.168.xx.xxx]
Aug  6 13:45:09 postmaster postfix/smtpd[31844]: 8E1D718548C: client=unknown[192.168.xx.xxx]
Aug  6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: hold: header Received: from 1243876 (unknown [192.168.20.160])??by postmaster.domain.com (Postfix) with SMTP id 8E1D718548C??for <[hidden email]>; Sun,  6 Aug 2006 13:45:09 -0700 (PDT) from unknown[192.168.20.160]; from=[hidden email]> to=<[hidden email]> proto=SMTP helo=<1243876>
Aug  6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: message-id=<[hidden email]>
Aug  6 13:45:23 postmaster postfix/smtpd[31844]: disconnect from unknown[192.168.xx.xxx]
Aug  6 13:45:24 postmaster MailScanner[30318]: New Batch: Scanning 1 messages, 683 bytes
Aug  6 13:45:24 postmaster MailScanner[30318]: Virus and Content Scanning: Starting
Aug  6 13:46:55 postmaster update.virus.scanners: Found clamav installed
Aug  6 13:46:55 postmaster update.virus.scanners: Running autoupdate for clamav
Aug  6 13:46:56 postmaster update.virus.scanners: Found generic installed
Aug  6 13:46:56 postmaster update.virus.scanners: Running autoupdate for generic

Also, may I e-mail you directly and post my success back to the list? {I accidentally sent a reply to you, and the list, and it was rejected}

Thank you,

~James


Re: SPAM: Re: SPAM: MailScanner & Postfix

Sandy Drobic
JDP wrote:
> Hello Sandy,
>
> Somehow, things are going terribly wrong. My test emails are not showing up in the queue and they are not getting delivered either. I can see them going into the system, /var/log/mail.info, but I don't know what is happening to them.
>
>  
If the log doesn't say what is happening with it, chances are that
indeed nothing happens. (^-^)
But if you have a file /var/log/mail.info, you might want to look at
/var/log/mail.warn as well.

What do you see when you use the command "mailq"?

> Aug  6 13:45:09 postmaster postfix/smtpd[31844]: connect from unknown[192.168.xx.xxx]
> Aug  6 13:45:09 postmaster postfix/smtpd[31844]: 8E1D718548C: client=unknown[192.168.xx.xxx]
> Aug  6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: hold: header Received: from 1243876 (unknown [192.168.20.160])??by postmaster.domain.com (Postfix) with SMTP id 8E1D718548C??for <[hidden email]>; Sun,  6 Aug 2006 13:45:09 -0700 (PDT) from unknown[192.168.20.160]; from=[hidden email]> to=<[hidden email]> proto=SMTP helo=<1243876>
>  
Mail is received and put into the hold queue to be scanned by
mailscanner. So far so good.

> Aug  6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: message-id=<[hidden email]>
> Aug  6 13:45:23 postmaster postfix/smtpd[31844]: disconnect from unknown[192.168.xx.xxx]
> Aug  6 13:45:24 postmaster MailScanner[30318]: New Batch: Scanning 1 messages, 683 bytes
> Aug  6 13:45:24 postmaster MailScanner[30318]: Virus and Content Scanning: Starting
> Aug  6 13:46:55 postmaster update.virus.scanners: Found clamav installed
> Aug  6 13:46:55 postmaster update.virus.scanners: Running autoupdate for clamav
> Aug  6 13:46:56 postmaster update.virus.scanners: Found generic installed
> Aug  6 13:46:56 postmaster update.virus.scanners: Running autoupdate for generic
>  
Mailscanner is started, detected the mail and scanned the mail.
Now I would expect Postfix to process the mail again. That does not seem
to happen. It might be that your version of mailscanner is incompatible
with Postfix. Please check on the mailscanner site.
> Also, may I e-mail you directly and post my success back to the list? {I accidentally sent a reply to you, and the list, and it was rejected}
>  
Ah, yes, I am restricting the email addresses I use in mailing lists and
accept mails to these addresses only when they come from the list
server.  In case of private mails please use the address in the footer:
news-reply2@...

Sandy

--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com

