smtpd_client_restrictions : difference between main.cf and master.cf - postfix-mta

Where should the smtpd_client_restrictions be put: in main.cf or in master.cf ?
For me, only the master.cf seems to be working (because my postfix is working fine as a relay) :
submission inet n - - - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated
in main.cf the following reject rule is not applied:
smtpd_client_restrictions = permit_mynetworks, reject
Thanks

You need to comment out the line in master.cf for client restrictions in submission. Submission is for Linux CLI users on the same machine. The client restrictions you're trying to use (permit_mynetworks, reject) will only work if the client connects to the smtp ports. An example of a working client restrictions statement in main.cf, from my mail relay in the cloud, is below.
smtpd_client_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2, permit

From what I can recall (someone more knowledgeable can confirm/deny), main.cf restrictions will by default be applied to all smtp processes (so if you have submission/smtps/smtp), but are overwritten by configurations on the actual process (master.cf).
Therefore I'd assume your main.cf value (with reject) is being overwritten by your value on the process (no reject) thus not getting rejected.
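
The override behaviour described in the answers above, as an added example (not part of the original posts): this Python sketch parses constructed main.cf and master.cf text and reports the smtpd_client_restrictions value each smtpd service actually runs with. The sample file contents and all function names are assumptions made for illustration.

```python
import shlex

# Constructed sample files mirroring the question (not taken from a real host).
MAIN_CF = "smtpd_client_restrictions = permit_mynetworks, reject\n"
MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  -  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_main(text):
    """Return {parameter: value} from main.cf-style text."""
    return {k.strip(): v.strip() for k, v in
            (line.split("=", 1) for line in logical_lines(text))}

def parse_master(text):
    """Return {"service/type": {parameter: value}} for smtpd services' -o overrides."""
    services = {}
    for line in logical_lines(text):
        fields = shlex.split(line)
        if fields[7] != "smtpd":          # column 8 is the command name
            continue
        args = fields[8:]
        services[fields[0] + "/" + fields[1]] = dict(
            args[i + 1].split("=", 1) for i, tok in enumerate(args[:-1]) if tok == "-o")
    return services

def effective(param, main_cf=MAIN_CF, master_cf=MASTER_CF):
    """A master.cf -o override replaces the main.cf value outright; it is not merged."""
    base = parse_main(main_cf).get(param, "")
    return {svc: ov.get(param, base) for svc, ov in parse_master(master_cf).items()}

if __name__ == "__main__":
    for svc, val in effective("smtpd_client_restrictions").items():
        print(f"{svc}: {val}")
```

On a live system, `postconf -n` shows the main.cf settings and `postconf -P` shows the master.cf `-o` overrides being compared here.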

Related

Postfix rbl checks

I have RBL checks in postfix but it doesn't work and blacklisted IPs get through.
This is the smtpd_recipient_restrictions of my postfix's main.cf file:
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client b.barracudacentral.org,
    check_policy_service unix:private/policyd-spf,
    check_client_access pcre:/etc/postfix/rbl_override
My IP has access to query b.barracudacentral.org and
dig +short @b.barracudacentral.org 4.3.2.1.b.barracudacentral.org.
returns 127.0.0.2 but postfix says Host not found.
postfix log:
Sep 15 05:03:33 mta02 postfix/smtpd[22172]: dns_query: 4.3.2.1.b.barracudacentral.org (A): Host not found
Sep 15 05:03:33 mta02 postfix/smtpd[22172]: ctable_locate: install entry key 4.3.2.1.b.barracudacentral.org
Sep 15 05:03:33 mta02 postfix/smtpd[22172]: generic_checks: name=reject_rbl_client status=0
Please check if the smtpd process is running chrooted. For this, check the "chroot" column in master.cf.
Also note that any host in $mynetworks (permit_mynetworks) won't be blacklisted as well as any SASL authenticated client (permit_sasl_authenticated).
Note:
check_client_access pcre:/etc/postfix/rbl_override
can never act as an override to "reject_rbl_client b.barracudacentral.org" since the latter will always trigger first.
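
The ordering point made in the answer above, as an added example (not from the original posts): a simplified first-match evaluator for the restriction list, run over a constructed client 1.2.3.4 that is both DNSBL-listed and present in the override map. Restrictions not modelled here are treated as returning no verdict; the client data, the reordered list and the function names are assumptions.

```python
import ipaddress

# Tail of the list from the question, plus a reordered variant (added here).
ORDER_FROM_PAGE = [
    "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
    "reject_rbl_client b.barracudacentral.org",
    "check_client_access pcre:/etc/postfix/rbl_override",
]
OVERRIDE_FIRST = ORDER_FROM_PAGE[:3] + ORDER_FROM_PAGE[4:] + ORDER_FROM_PAGE[3:4]

# Constructed client state: listed on the DNSBL and allowed by the override map.
LISTED_CLIENT = {
    "ip": "1.2.3.4", "sasl": False, "mynetworks": ["127.0.0.0/8"],
    "dnsbl_hits": {"4.3.2.1.b.barracudacentral.org"},
    "override_ok": {"1.2.3.4"},
}

def dnsbl_name(client_ip, zone):
    """DNSBL query name for an IPv4 client: reversed octets, then the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def evaluate(restrictions, client):
    """Walk the list in order; the first restriction that yields a verdict ends
    evaluation. Returns (verdict, deciding_restriction)."""
    ip = ipaddress.ip_address(client["ip"])
    for r in restrictions:
        name, _, arg = r.partition(" ")
        if name == "permit_mynetworks" and any(
                ip in ipaddress.ip_network(n) for n in client["mynetworks"]):
            return "PERMIT", r
        if name == "permit_sasl_authenticated" and client["sasl"]:
            return "PERMIT", r
        if name == "reject_rbl_client" and dnsbl_name(client["ip"], arg) in client["dnsbl_hits"]:
            return "REJECT", r
        if name == "check_client_access" and client["ip"] in client["override_ok"]:
            return "PERMIT", r
        # Anything else is modelled as "no verdict, try the next restriction".
    return "PERMIT", "(end of list)"

if __name__ == "__main__":
    for label, order in (("as posted", ORDER_FROM_PAGE), ("override first", OVERRIDE_FIRST)):
        print(label, evaluate(order, LISTED_CLIENT))
```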

Configure MX and postfix

I have two domains, dom1.com and dom2.com; dom1.com has IP1; the email for dom1.com is handled by Google.
I need to create an email address, xxx@dom2.com, and redirect all emails to an email account of dom1.com (example: yyy@dom1.com).
I'd like to use postfix, installed on the dom1.com server.
I set the MX record for dom2.com in this way:
MX mail.dom2.com
mail A IP1
so mail.dom2.com should point to IP1.
To configure postfix on the dom1.com server, I did as follows:
myhostname = dom1.com
mydestination = dom1.com, dom2.com
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual
in virtual_domains:
dom1.com #domain
dom2.com #domain
in virtual:
xxx@dom2.com yyy@dom1.com
Then I did postmap for both files and reloaded postfix ... but when sending email to xxx@dom2.com, I don't receive emails on yyy@dom1.com.
Where is the error?
Thanks in advance
The option you want to use is: catch-all.
This tutorial will help you to set up a catch-all email address with postfix.
Step 1. Configure Catch-All Account
Edit /etc/postfix/virtual and configure your catch-all address like below.
# nano /etc/postfix/virtual
@example.com myuser
If you want to add exceptions to the catch-all and do not want it to catch specific accounts, add them to the /etc/postfix/virtual file as well. The configuration below will send all emails to user “myuser” except emails for info@example.com and support@example.com.
@example.com myuser
info@example.com info
support@example.com support
Save /etc/postfix/virtual file and execute following command.
# postmap /etc/postfix/virtual
2. Update Postfix Configuration File
Edit Postfix configuration file /etc/postfix/main.cf and add following line at end of file.
# nano /etc/postfix/main.cf
virtual_alias_maps = hash:/etc/postfix/virtual
3. Reload Postfix Server
After changing the configuration, we need to reload the server to activate the newly added settings. Use the following command to reload the postfix configuration.
# service postfix reload

Asterisk and Sipp UAS

I'm trying to get sipp communicate with Asterisk in order to perform
performance tests:
I've been through these steps:
1) In sip.conf
[sippuac]
type=friend
username=sippuac
host=127.0.0.1
port=5061
context=test
dtmfmode=rfc2833
insecure=very
canreinvite=no
nat=yes
[sippuas]
type=friend
username=sippuas
host=127.0.0.1
port=5062
context=test
dtmfmode=rfc2833
insecure=very
canreinvite=no
nat=yes
2) In extensions.conf
[test]
exten=>s,1,Dial(SIP/sippuas,20)
3) Running SIPp
sipp -sn uas -rsa 127.0.0.1:5060 -p 5062 -i 127.0.0.1 -mp 6001
sipp -sn uac 127.0.0.1:5060 -s s -p 5061 -i 127.0.0.1
Finally I get on Asterisk :
[Jun 14 07:36:56] WARNING[2600][C-00000120]: app_dial.c:2437 dial_exec_full: Unable to create channel of type 'SIP' (cause 20 - Subscriber absent)
How can I solve this and make the UAS receive the calls ?
Thanks for your help !
I think in sip.conf should be type=peer for sippuas.
It is a bad idea to run a performance test from localhost. SIPp will impact the performance of Asterisk. Additionally, it makes sense to run a scenario with audio, and I will recommend just answering a call on Asterisk and playing some sound; it is not so important to send the call out to a second sipp.
For receiving calls from asterisk, SIPp user(s) should be registered first to it. You can see if your user is registered or not by using the command:
sip show peers
in the asterisk CLI. If your uas is not registered and you are trying to tell asterisk to dial to a client and not giving the address of it. There are simple xml examples in this link for how to register and make calls to asterisk. Please follow the scenario you want.

postfix: force authentication from localhost

Commenting
mynetworks = 127.0.0.0/8
users with shell on system can again send emails using postfix:
main.cf
#mynetworks =
[...]
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:10031
    permit_mynetworks,
    permit_inet_interfaces,
    # reject_sender_login_mismatch,
    reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
So, also put:
reject_mynetworks,
same problem
I only need force SASL authentication either from lan and from 127.0.0.1 too.
Commenting out mynetworks causes postfix to generate mynetworks based on the value of mynetworks_style.
So set mynetworks to an empty string to fix this.

Ubuntu server, monit email, postfix piping

I have a specific setup to pipe incoming emails on an Ubuntu server. When emails are sent to name@myserver.com they are filtered and piped to a php script.
The postfix specific configuration for this piping is as follow (in brief):
**main.cf:**
...
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_recipient_access hash:/etc/postfix/access
...
**master.cf**
mydestination = myserver.com, localhost.myserver, localhost
...
smtp inet n - - - - smtpd
    -o content_filter=myhook:dummy
...
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
...
myhook unix - n n - - pipe
    flags=F user=www-data null_sender= argv=//admin/get_mail.php ${sender} ${size} ${recipient}
**access file:**
name@myserver.com FILTER myhook:dummy
Now everything is working fine when emails are sent to 'myserver.com'. Messages are filtered and the php script is triggered.
The problem comes with monit service that is running on the server.
Emails sent by monit from myserver.com are filtered by myhook when emails are sent by the service and sent to the piped php script while they should not and directly sent out to the recipient...
It looks like postfix filter settings are not working in that case.
Curiously, emails sent by other web applications from the server are going out as they should (from www-data@myserver.com).
The specific settings in monitrc are:
set mailserver localhost
set mail-format { from: monit@myserver.com }
set alert monit@anotherdomain.com
Could you help me figure out what could be the conflict between monit and postfix here?
thank you.
