Loading ...
Sorry, an error occurred while loading the content.

Re: Postfix 2.8.x anti anti backscattering settings

Expand Messages
  • Stan Hoeppner
    ... Ahh, you are correct. This may make things much simpler for Josef. http://www.postfix.org/postconf.5.html#address_verify_relayhost But let s note the
    Message 1 of 12 , Apr 19, 2013
    • 0 Attachment
      On 4/19/2013 1:28 AM, Tom Hendrikx wrote:

      > Last time I read ADDRESS_VERIFICATION_README, I noticed that this isn't
      > true: you can route your probes to the final delivery machine while
      > leaving the current delivery mechanism intact:
      > http://www.postfix.org/ADDRESS_VERIFICATION_README.html#probe_routing

      Ahh, you are correct. This may make things much simpler for Josef.

      http://www.postfix.org/postconf.5.html#address_verify_relayhost

      But let's note the caveats:

      Inconsistencies can happen when probe messages don't follow the same
      path as regular mail. For example, a message can be accepted when it
      follows the regular route while an otherwise identical probe message is
      rejected when it follows the forced route. The opposite can happen, too,
      but is less likely.

      --
      Stan
    • Josef Karliak
      Hi, thanks for tip. I may be something missed: In main.cf I ve added: address_verify_relayhost = 19.13.13.11 #ip of my mail server that knows all users
      Message 2 of 12 , May 6, 2013
      • 0 Attachment
        Hi,
        thanks for tip. I may be something missed:
        In main.cf I've added:
        address_verify_relayhost = 19.13.13.11 #ip of my mail server that
        knows all users
        address_verify_sender = master@...

        communication between this incoming server and final imap server
        (between them is antispam/antivir server) is enabled. But in the log I
        see no records, that the server wanted to communicate with imap server
        for verification.
        Did I missed something else ? Ofcourse, postmap of main.cf and
        postfix restart has been done...
        Thanks and best regards
        J.Karliak.

        Cituji Stan Hoeppner <stan@...>:

        > On 4/19/2013 1:28 AM, Tom Hendrikx wrote:
        >
        >> Last time I read ADDRESS_VERIFICATION_README, I noticed that this isn't
        >> true: you can route your probes to the final delivery machine while
        >> leaving the current delivery mechanism intact:
        >> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#probe_routing
        >
        > Ahh, you are correct. This may make things much simpler for Josef.
        >
        > http://www.postfix.org/postconf.5.html#address_verify_relayhost
        >
        > But let's note the caveats:
        >
        > Inconsistencies can happen when probe messages don't follow the same
        > path as regular mail. For example, a message can be accepted when it
        > follows the regular route while an otherwise identical probe message is
        > rejected when it follows the forced route. The opposite can happen, too,
        > but is less likely.
        >
        > --
        > Stan
        >
        >
        >
        >



        --
        Ma domena pouziva zabezpeceni a kontrolu SPF (www.openspf.org) a
        DomainKeys/DKIM (with ADSP) . Pokud mate problemy s dorucenim emailu,
        zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji.
        My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)
        policy and check. If you've problem with sending emails to me, start
        using email origin methods mentioned above. Thank you.

        ----------------------------------------------------------------
        This message was sent using IMP, the Internet Messaging Program.
      • Robert Schetterer
        ... at my knwoledge this dont work verify is done over smtp, you may ask for relay permit ,over imap via saslauthd Best Regards MfG Robert Schetterer -- [*]
        Message 3 of 12 , May 6, 2013
        • 0 Attachment
          Am 06.05.2013 15:08, schrieb Josef Karliak:
          > communication between this incoming server and final imap server

          at my knwoledge this dont work verify is done over smtp, you may ask for
          relay permit ,over imap via saslauthd


          Best Regards
          MfG Robert Schetterer

          --
          [*] sys4 AG

          http://sys4.de, +49 (89) 30 90 46 64
          Franziskanerstraße 15, 81669 München

          Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
          Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
          Aufsichtsratsvorsitzender: Florian Kirstein
        • Wietse Venema
          ... This overrides the relayhost setting, which is used ONLY for REMOTE delivery, not LOCAL. It will NEVER be used to find out if a LOCAL email address is
          Message 4 of 12 , May 6, 2013
          • 0 Attachment
            Josef Karliak:
            > Hi,
            > thanks for tip. I may be something missed:
            > In main.cf I've added:
            > address_verify_relayhost = 19.13.13.11 #ip of my mail server that
            > knows all users
            > address_verify_sender = master@...

            This overrides the "relayhost" setting, which is used ONLY for
            REMOTE delivery, not LOCAL. It will NEVER be used to find out
            if a LOCAL email address is valid.

            Which override SHOULD you use? That depends on your Postfix
            configuration.

            Wietse
          • Josef Karliak
            Ohh. So there is only one solution - on mail server generate an alias list that contains aliases and result. Like : chose OK user OK ... ... And in main.cf
            Message 5 of 12 , May 7, 2013
            • 0 Attachment
              Ohh. So there is only one solution - on mail server generate an
              alias list that contains aliases and result. Like :

              chose OK
              user OK
              ...
              ...


              And in main.cf use directive
              smtpd_recipient_restrictions = <other options>,check_recipient_access
              hash:/etc/postfix/alias_list,<other options>


              So we'll generate aliases into a "alias_list" file and scp it from
              email server to incomming smtp and use it in postfix.

              Is it only one option ? Or there are better ? Just asking.

              Thanks very much.
              J.Karliak.

              Cituji Wietse Venema <wietse@...>:

              > Josef Karliak:
              >> Hi,
              >> thanks for tip. I may be something missed:
              >> In main.cf I've added:
              >> address_verify_relayhost = 19.13.13.11 #ip of my mail server that
              >> knows all users
              >> address_verify_sender = master@...
              >
              > This overrides the "relayhost" setting, which is used ONLY for
              > REMOTE delivery, not LOCAL. It will NEVER be used to find out
              > if a LOCAL email address is valid.
              >
              > Which override SHOULD you use? That depends on your Postfix
              > configuration.
              >
              > Wietse
              >



              --
              Ma domena pouziva zabezpeceni a kontrolu SPF (www.openspf.org) a
              DomainKeys/DKIM (with ADSP) . Pokud mate problemy s dorucenim emailu,
              zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji.
              My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)
              policy and check. If you've problem with sending emails to me, start
              using email origin methods mentioned above. Thank you.

              ----------------------------------------------------------------
              This message was sent using IMP, the Internet Messaging Program.
            • Robert Schetterer
              ... depending to you r setup some easy way would be main.cf relay_domains = hash:/etc/postfix/relay_domains relay_recipient_maps =
              Message 6 of 12 , May 7, 2013
              • 0 Attachment
                Am 07.05.2013 09:00, schrieb Josef Karliak:
                > Ohh. So there is only one solution - on mail server generate an alias
                > list that contains aliases and result. Like :
                >
                > chose OK
                > user OK
                > ...
                > ...
                >
                >
                > And in main.cf use directive
                > smtpd_recipient_restrictions = <other options>,check_recipient_access
                > hash:/etc/postfix/alias_list,<other options>

                depending to "you"r setup some easy way would be

                main.cf
                relay_domains = hash:/etc/postfix/relay_domains
                relay_recipient_maps = hash:/etc/postfix/relay_recipients

                /etc/postfix/relay_domains

                mydomain1.test1 OK
                mydomain2.test2 OK

                /etc/postfix/relay_recipients

                user1@...1 OK
                user2@...1 OK

                ---so you have to find a sync mech, or edit manual each change----

                or/and as catch all ( not recommended without verify )

                @...2 OK


                with verify

                main

                smtpd_recipient_restrictions = ...
                check_recipient_access hash:/etc/postfix/verify_access
                ...


                /etc/postfix/verify_access
                ...
                mydomain2.test2 verify_recipient
                ...

                main.cf

                smtpd_restriction_classes = verify_recipient,
                ...

                verify_recipient = reject_unverified_recipient
                address_verify_map = btree:/var/lib/postfix/verify

                make sure that you have stable con by using smtp verify

                this is typical used for a backup mx setup !!!

                so postfix follows dns mx settings, it may combined with transport setting

                other mehtods may work as well with asking valid recipients via sql,ldap
                on the orig/main server

                there are also milters that check orig/main servers

                i.e

                http://www.benzedrine.cx/milter-checkrcpt.html

                did not tested that

                after all you missed giving more and exact information what setup you
                are trying to goal, and having recipient list is mandatory these spam
                days, but its not a global solution against every backscatter, as
                backscatters may get created for many complex reasons, but mostly as an
                result of abused mail addresses or missconfigurations by sender servers etc


                >
                >
                > So we'll generate aliases into a "alias_list" file and scp it from
                > email server to incomming smtp and use it in postfix.
                >
                > Is it only one option ? Or there are better ? Just asking.
                >
                > Thanks very much.
                > J.Karliak.
                >
                > Cituji Wietse Venema <wietse@...>:
                >
                >> Josef Karliak:
                >>> Hi,
                >>> thanks for tip. I may be something missed:
                >>> In main.cf I've added:
                >>> address_verify_relayhost = 19.13.13.11 #ip of my mail server that
                >>> knows all users
                >>> address_verify_sender = master@...
                >>
                >> This overrides the "relayhost" setting, which is used ONLY for
                >> REMOTE delivery, not LOCAL. It will NEVER be used to find out
                >> if a LOCAL email address is valid.
                >>
                >> Which override SHOULD you use? That depends on your Postfix
                >> configuration.
                >>
                >> Wietse
                >>
                >
                >
                >



                Best Regards
                MfG Robert Schetterer

                --
                [*] sys4 AG

                http://sys4.de, +49 (89) 30 90 46 64
                Franziskanerstraße 15, 81669 München

                Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
                Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
                Aufsichtsratsvorsitzender: Florian Kirstein
              Your message has been successfully submitted and would be delivered to recipients shortly.