Author Topic: Postfix - antispam and relay package  (Read 84731 times)

marcelloc
Postfix - antispam and relay package
« on: September 05, 2011, 03:57:58 pm »
Hi all,

I've just finished postfix package version 2.3.

Postfix is an amazing mail forwarder that really keeps away any misconfigured server or server trying to forge email.
Postfix Forwarder package at pfsense has many antispam features but for now, no SASL support for remote authentication.

  • Zombie blocker (postscreen)
  • Header checks
  • Body checks
  • Access lists
  • RBL checks
  • SPF checks
  • Dashboard widgets with mail stats
  • Sqlite logs support
  • Sqlite logs forward to use only one box to search mail
  • Package permissions to allow users to just search mail or view queue
  • Search mail tool
  • view postfix queue in gui

And you can also use a third-party antispam engine like mailscanner or policyd v2 for a complete antispam solution.



note: NEVER try to install policydv2 freebsd package, it will break out your pfsense.
if you plan to use policydv2 you must put it on other server or in a jail.

The mailscanner tutorial (or package) is under development; for now you can configure it by hand using pkg_add -r MailScanner.


att,
Marcello Coutinho
« Last Edit: December 01, 2011, 10:38:06 am by marcelloc »

mikesamo
Re: NEW Postfix antispam and relay package
« Reply #1 on: September 11, 2011, 07:57:07 am »
Is it possible to use them as an outbound SMTP proxy, with the antispam features?

Thanks,

mikesamo
Re: NEW Postfix antispam and relay package
« Reply #2 on: September 11, 2011, 08:02:04 am »
Seems to work, but is it possible to disable the valid recipient functionality?

Thanks,


marcelloc
Re: NEW Postfix antispam and relay package
« Reply #3 on: September 11, 2011, 09:41:26 pm »
You can set your internal mail servers on ACLs -> Client Access List, but I don't know if postscreen ('zombie blocker') or RBL checks can validate internal mail servers.

You can check other postfix antispam features with 'strong header verification' and ACLs for filter header, MIME and body settings.

For a deep internal mail server antispam search you may need mailscanner.
I'm working on this package now and it will be available soon.


best regards,
Marcello Coutinho
« Last Edit: September 11, 2011, 09:51:26 pm by marcelloc »

mauricioniñoavella
Re: NEW Postfix antispam and relay package
« Reply #4 on: October 10, 2011, 10:02:38 am »
How do I do my main.cf configuration? I have it in CentOS, bit too high, and I want to pass this to pfSense. This is my main.cf that I want to enable in pfSense.

thanks for the collaboration

# General settings
bounce_queue_lifetime = 6h
mailbox_size_limit = 51200000
message_size_limit = 10240000
luser_relay =
recipient_delimiter = +
message_strip_characters = \0

# Authentication with SASL
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain

# Encryption with TLS
# smtpd_tls_auth_only = yes
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_loglevel = 1

# Mail restrictions (note: Kolab policies are not implemented)
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
kolabpolicy_time_limit = 3600
kolabpolicy_max_idle = 20

# Mail routing
mailbox_transport = mailpostfilter
content_filter = mailprefilter
transport_maps = hash:/etc/postfix/transport

# Outbound SMTP authentication
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
unknown_local_recipient_reject_code = 550
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
smtp_sasl_type = cyrus
relayhost = [xxxx.com]:587

marcelloc
Re: NEW Postfix antispam and relay package
« Reply #5 on: October 10, 2011, 10:29:29 am »
You can put your options in custom main.cf options in the GUI.

This package was designed to be a relay server only; I do not recommend enabling mailboxes on it.

mauricioniñoavella
Re: NEW Postfix antispam and relay package
« Reply #6 on: October 11, 2011, 10:11:50 am »
I just want it to pass and I get this

postfix/smtpd[50880]: NOQUEUE: reject: RCPT from unknown[192.168.200.xxx]: 554 5.7.1 <mauricio.nino@xxx.com.co>: Relay access denied; from=<root@localhost.localdomain> to=<mauricio.nino@xxx.com.co> proto=ESMTP helo=<localhost.localdomain>

marcelloc
Re: NEW Postfix antispam and relay package
« Reply #7 on: October 11, 2011, 01:05:35 pm »
Include your 192.168.200.xxx internal IP in the ACL/filter map.

mauricioniñoavella
Re: NEW Postfix antispam and relay package
« Reply #8 on: October 11, 2011, 04:51:37 pm »
marcelloc

I appreciate your help, but it does not work. I have this in the log:

The truth can not be done now, I only serve as a relay,


Oct 11 16:49:45    postfix/smtpd[29361]: generic_checks: name=check_client_access
Oct 11 16:49:45    postfix/smtpd[29361]: check_namadr_access: name unknown addr 192.168.200.14
Oct 11 16:49:45    postfix/smtpd[29361]: check_domain_access: unknown
Oct 11 16:49:45    postfix/smtpd[29361]: dict_cidr_lookup: /usr/local/etc/postfix/cal_cidr: unknown
Oct 11 16:49:45    postfix/smtpd[29361]: check_addr_access: 192.168.200.14
Oct 11 16:49:45    postfix/smtpd[29361]: dict_cidr_lookup: /usr/local/etc/postfix/cal_cidr: 192.168.200.14
Oct 11 16:49:45    postfix/smtpd[29361]: generic_checks: name=check_client_access status=0
Oct 11 16:49:45    postfix/smtpd[29361]: generic_checks: name=permit
Oct 11 16:49:45    postfix/smtpd[29361]: generic_checks: name=permit status=1
Oct 11 16:49:45    postfix/smtpd[29361]: >>> START Helo command RESTRICTIONS <<<
Oct 11 16:49:45    postfix/smtpd[29361]: generic_checks: name=reject_unknown_helo_hostname
Oct 11 16:49:45    postfix/smtpd[29361]: reject_unknown_hostname: localhost.localdomain
Oct 11 16:49:45    postfix/smtpd[29361]: lookup localhost.localdomain type A flags 0
Oct 11 16:49:45    postfix/smtpd[29361]: dns_query: localhost.localdomain (A): OK
Oct 11 16:49:45    postfix/smtpd[29361]: dns_get_answer: type A for localhost.localdomain
Oct 11 16:49:45    postfix/smtpd[29361]: generic_checks: name=reject_unknown_helo_hostname status=0
Oct 11 16:49:45    postfix/smtpd[29361]: >>> END Helo command RESTRICTIONS <<<
Oct 11 16:49:45    postfix/smtpd[29361]: >>> START Sender address RESTRICTIONS <<<
Oct 11 16:49:45    postfix/smtpd[29361]: generic_checks: name=reject_unknown_sender_domain
Oct 11 16:49:45    postfix/smtpd[29361]: reject_unknown_address: root@localhost.localdomain
Oct 11 16:49:45    postfix/smtpd[29361]: ctable_locate: move existing entry key root@localhost.localdomain
Oct 11 16:49:45    postfix/smtpd[29361]: reject_unknown_mailhost: localhost.localdomain
Oct 11 16:49:45    postfix/smtpd[29361]: lookup localhost.localdomain type MX flags 0
Oct 11 16:49:45    postfix/smtpd[29361]: dns_query: localhost.localdomain (MX): Host not found
Oct 11 16:49:45    postfix/smtpd[29361]: lookup localhost.localdomain type A flags 0
Oct 11 16:49:45    postfix/smtpd[29361]: dns_query: localhost.localdomain (A): OK
Oct 11 16:49:45    postfix/smtpd[29361]: dns_get_answer: type A for localhost.localdomain
Oct 11 16:49:45    postfix/smtpd[29361]: generic_checks: name=reject_unknown_sender_domain status=0
Oct 11 16:49:45    postfix/smtpd[29361]: generic_checks: name=permit
Oct 11 16:49:45    postfix/smtpd[29361]: generic_checks: name=permit status=1
Oct 11 16:49:45    postfix/smtpd[29361]: >>> START Recipient address RESTRICTIONS <<<
Oct 11 16:49:45    postfix/smtpd[29361]: generic_checks: name=reject_unauth_destination
Oct 11 16:49:45    postfix/smtpd[29361]: reject_unauth_destination: mauricio.nino@xxxx.com.co
Oct 11 16:49:45    postfix/smtpd[29361]: permit_auth_destination: mauricio.nino@xxxx.com.co
Oct 11 16:49:45    postfix/smtpd[29361]: ctable_locate: move existing entry key mauricio.nino@xxxx.com.co
Oct 11 16:49:45    postfix/smtpd[29361]: NOQUEUE: reject: RCPT from unknown[192.168.200.14]: 554 5.7.1 <mauricio.nino@itac.com.co>: Relay access denied; from=<root@localhost.localdomain> to=<mauricio.nino@xxx.com.co> proto=ESMTP helo=<localhost.localdomain>
Oct 11 16:49:45    postfix/smtpd[29361]: generic_checks: name=reject_unauth_destination status=2
Oct 11 16:49:45    postfix/smtpd[29361]: > unknown[192.168.200.14]: 554 5.7.1 <mauricio.nino@xxxx.com.co>: Relay access denied
Oct 11 16:49:45    postfix/smtpd[29361]: watchdog_pat: 0x800e115f0
Oct 11 16:49:45    postfix/smtpd[29361]: < unknown[192.168.200.14]: DATA
Oct 11 16:49:45    postfix/smtpd[29361]: > unknown[192.168.200.14]: 554 5.5.1 Error: no valid recipients
Oct 11 16:49:45    postfix/smtpd[29361]: watchdog_pat: 0x800e115f0
Oct 11 16:49:45    postfix/smtpd[29361]: < unknown[192.168.200.14]: RSET
Oct 11 16:49:45    postfix/smtpd[29361]: > unknown[192.168.200.14]: 250 2.0.0 Ok
Oct 11 16:49:45    postfix/smtpd[29361]: watchdog_pat: 0x800e115f0
Oct 11 16:49:45    postfix/smtpd[29361]: < unknown[192.168.200.14]: QUIT
Oct 11 16:49:45    postfix/smtpd[29361]: > unknown[192.168.200.14]: 221 2.0.0 Bye
Oct 11 16:49:45    postfix/smtpd[29361]: match_hostname: unknown ~? 192.168.200.0/23
Oct 11 16:49:45    postfix/smtpd[29361]: match_hostaddr: 192.168.200.14 ~? 192.168.200.0/23
Oct 11 16:49:45    postfix/smtpd[29361]: disconnect from unknown[192.168.200.14]
« Last Edit: October 18, 2011, 10:46:26 am by mauricioniñoavella »

jedblack
Re: NEW Postfix antispam and relay package
« Reply #9 on: October 11, 2011, 04:54:00 pm »
marcelloc,

Thanks for all the hard work!  

I have one question...

Can I use the postfix forwarder to forward my mail to the GMAIL server? I'm doing this now with a centos/postfix install. Below are the pertinent config file entries.

# SASL authentication
smtp_tls_security_level=encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
relayhost = [smtp.gmail.com]:587
transport_maps = hash:/etc/postfix/transport

# TLS
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/certs/git01.pem
smtp_tls_key_file = /etc/postfix/certs/git01.key
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/git01.pem
smtpd_tls_key_file = /etc/postfix/certs/git01.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
smtp_tls_loglevel = 1
tls_random_source = dev:/dev/urandom
smtp_cname_overrides_servername = no
#debug_peer_list=smtp.gmail.com
#debug_peer_level=3

marcelloc
Re: NEW Postfix antispam and relay package
« Reply #10 on: October 11, 2011, 05:03:53 pm »
Did you try to include your config in custom main.cf options and of course transfer your files to pfsense?

I'm not sure if other options will affect your setup, but it could work.


marcelloc
Re: NEW Postfix antispam and relay package
« Reply #11 on: October 11, 2011, 05:49:04 pm »
marcelloc
Oct 11 16:49:45    postfix/smtpd[29361]: dns_query: localhost.localdomain (MX): Host not found
Oct 11 16:49:45    postfix/smtpd[29361]: dns_query: localhost.localdomain (A): OK
Oct 11 16:49:45    postfix/smtpd[29361]: dns_get_answer: type A for localhost.localdomain
Oct 11 16:49:45    postfix/smtpd[29361]: NOQUEUE: reject: RCPT from unknown[192.168.200.14]: 554 5.7.1 <mauricio.nino@itac.com.co>: Relay access denied; from=<root@localhost.localdomain> to=<mauricio.nino@itac.com.co> proto=ESMTP helo=<localhost.localdomain>
Oct 11 16:49:45    postfix/smtpd[29361]: generic_checks: name=reject_unauth_destination status=2
Oct 11 16:49:45    postfix/smtpd[29361]: > unknown[192.168.200.14]: 554 5.5.1 Error: no valid recipients

mauricioniñoavella,

See what postfix is rejecting and correct it.
It looks like you tried to send an email with an invalid sender.
If you need this sender, create this domain in the DNS server that pfsense uses.

att,
Marcello Coutinho

« Last Edit: October 11, 2011, 05:50:48 pm by marcelloc »
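
Added example (not part of any post in this thread, and not the package's code): a Python sketch that reads a verbose smtpd trace like the one quoted above, extracts the fields of each NOQUEUE reject line, and attaches the restriction that logged status=2 for the same smtpd process. The sample log lines are constructed, and treating status=2 as "reject" is read from where it appears next to the reject line in the trace above.

```python
import ipaddress
import re

# Constructed sample in the format of the verbose trace quoted in this thread.
SAMPLE_LOG = """\
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=reject_unknown_sender_domain status=0
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=permit status=1
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=reject_unauth_destination
Oct 11 16:49:45 postfix/smtpd[29361]: NOQUEUE: reject: RCPT from unknown[192.168.200.14]: 554 5.7.1 <user@example.com>: Relay access denied; from=<root@localhost.localdomain> to=<user@example.com> proto=ESMTP helo=<localhost.localdomain>
Oct 11 16:49:45 postfix/smtpd[29361]: generic_checks: name=reject_unauth_destination status=2
Oct 11 16:50:02 postfix/smtpd[29410]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <a@example.net>: Relay access denied; from=<b@example.org> to=<a@example.net> proto=SMTP helo=<mail>
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CHECK_RE = re.compile(r"smtpd\[(\d+)\]: generic_checks: name=(\S+) status=(\d+)")
REJECT_RE = re.compile(
    r"smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) "
    r"<[^>]*>: (?P<reason>[^;]+); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def is_internal(ip):
    """True/False for RFC 1918 membership; None if the address was masked in the log."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return any(addr in net for net in RFC1918)

def analyse(log_text):
    """Return one dict per NOQUEUE reject, with the restriction that logged status=2."""
    rejects, pending = [], {}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            event = m.groupdict()
            event["internal"] = is_internal(event["ip"])
            event["restriction"] = None  # stays None when no verbose trace follows
            pending[event["pid"]] = event
            rejects.append(event)
            continue
        m = CHECK_RE.search(line)
        # In the trace, the status=2 line follows the reject line of the same pid.
        if m and m.group(3) == "2" and m.group(1) in pending:
            pending.pop(m.group(1))["restriction"] = m.group(2)
    return rejects

if __name__ == "__main__":
    for ev in analyse(SAMPLE_LOG):
        print(ev["ip"], ev["internal"], ev["code"], ev["reason"], ev["restriction"])
```

A relay-denied reject for an internal client points at the relay's client ACL or mynetworks setting; the same reject for an outside address is the relay refusing third-party mail.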

mauricioniñoavella
Re: NEW Postfix antispam and relay package
« Reply #12 on: October 13, 2011, 11:25:46 am »
marcelloc

greeting
I tried to do everything

Current issue if tusabes Nose to issue

generates this error since I only use smtp_sasl

mailserver postfix/smtpd[20836]: warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
mailserver postfix/smtpd[20836]: connect from unknown[xxxx.xxxx.xxxx.xxx]
mailserver postfix/smtpd[20836]: disconnect from unknown[xxxx.xxxx.xxxx.xxx]

I hit it in the

custom main.cf options

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
relayhost = [smtp.xxx.com]:587


thanks for your collaboration

marcelloc
Re: NEW Postfix antispam and relay package
« Reply #13 on: October 13, 2011, 01:15:04 pm »
Seems that many people need SASL auth; I will put it in the postfix forwarder TODO list.




mauricioniñoavella
Re: NEW Postfix antispam and relay package
« Reply #14 on: October 13, 2011, 03:15:53 pm »
Too bad I could bother you confirm if it works as a relay Services: Postfix relay and antispam (postfix forwarder) and also worked with
STARTTLS

thanks for your collaboration