mail spam server filter gateway - postfix-mta

I have an Exchange 2010 multi-tenant email server that holds email addresses for many domains. I want to set up a spam filter for my mail server. I have been looking on the internet but can't figure out the best solution to implement: SpamAssassin with Postfix. SpamAssassin, I understand, does not delete any emails but just marks them. Postfix can be used as an MTA to forward email to the mail server, but Postfix does not store any emails. How can I implement a solution whereby I have a server that stores all ham and spam emails but only forwards the ham emails to my mail server, so I can check the spam server for any false positives? If you could please just give pointers in the right direction.
Thanks,
Rehan Miah

Just set up SpamAssassin to mark all of the likely spam emails (set the score pretty high on day 1) and then set a Transport Rule on Exchange that intercepts the spam based on the string added to the subject field, and then does something with it (delete it, drop it in a spam trap mailbox, whatever).
Have the SpamAssassin box be the MX for the domains and then forward to the Exchange server (have Exchange consider it a trusted sender), but make sure to lock the SpamAssassin box down to only accept mail sent to domains you care about.
If you have multiple domains, set up a test domain to try the SpamAssassin setup on before getting serious with clients' domains.
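The gateway the answer describes, written out as an added example (this is not configuration from the answer or from any of the projects it names): Postfix on the MX host accepts mail only for the tenant domains, runs it through SpamAssassin so that only the Subject tag and X-Spam headers are added, and relays everything to Exchange, where the transport rule makes the spam decision. All host names, domain names, addresses and the spamd user name are assumptions.

```conf
# /etc/postfix/main.cf on the SpamAssassin gateway (added example; host and
# domain names are assumptions). Postfix does not allow a comment at the end of
# a value line, so every comment here is on its own line.
myhostname = mx-gw.example.net
# The gateway delivers nothing locally; everything it accepts is relayed.
mydestination =
mynetworks = 127.0.0.0/8, [::1]/128
# Only these tenant domains are accepted. Mail for anything else is refused at
# RCPT TO with "Relay access denied" by reject_unauth_destination below.
relay_domains = tenant-one.example, tenant-two.example
# Known recipients per domain, so an unknown address is rejected up front
# instead of being accepted and bounced later (that bounce is backscatter).
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# Where accepted mail goes after filtering: the Exchange server.
transport_maps = hash:/etc/postfix/transport
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unlisted_recipient

# /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing).
# Square brackets mean "connect to this host, do not look up its MX record".
tenant-one.example   smtp:[exchange.internal.example.net]:25
tenant-two.example   smtp:[exchange.internal.example.net]:25

# /etc/postfix/relay_recipients (run "postmap" after editing); one line per
# mailbox that exists on Exchange.
alice@tenant-one.example   OK
bob@tenant-two.example     OK

# /etc/postfix/master.cf: inbound SMTP is piped through spamc. Mail that spamc
# re-injects via sendmail(1) comes back through pickup(8), which has no
# content_filter, so it is not scanned a second time. The pipe user must be
# an unprivileged account ("spamd" is an assumption).
smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin
spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}

# /etc/spamassassin/local.cf: tag only, never drop. The high required_score is
# the answer's "day 1" setting; lower it once false positives are rare.
# report_safe 0 keeps the original body and only adds headers and the tag.
required_score 8.0
rewrite_header Subject *****SPAM*****
report_safe 0
```

After `postmap` on both map files and `postfix reload`, the Exchange transport rule matches `*****SPAM*****` in the subject (or the `X-Spam-Flag: YES` header SpamAssassin adds). `spamc -f` is the safety valve: if spamd is down the message passes through untagged rather than being lost. Exchange's receive connector still has to allow relay from the gateway's IP, which is the "trusted sender" step in the answer.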

Related

Does Postfix on Google cloud to forward email need some kind of authentication?

I am an email server noob. I own a domain 'mydomain.org' and I'd like to forward emails sent to that domain to another email address, perhaps at 'gmail.com' or 'university.edu'. I thought I set this up right, but my email log is giving me errors like this:
connect to mx1.university.edu[171.67.219.71]:25: Connection timed out
and
Dec 22 05:17:24 mail-server postfix/smtp[6370]: connect to alt1.gmail-smtp-in.l.google.com[2607:f8b0:400d:c00::1a]:25: Network is unreachable
I don't know too much about this, but I imagine there must be some kind of authentication that I need to set up, but I'm shy of the laundry list blog posts. Does this look like "authentication stuff"? If so, what do I need to set up next? If not, any idea why the receiving mail servers drop my server?
Yes, it's a network issue. For future folks, Google does not allow outgoing connections for SMTP servers, maybe to prevent spam? Here's info about how to set that up: https://cloud.google.com/compute/docs/sending-mail

SMTP and A record

I am a front-end developer so the server stuff goes a bit over my head. Please excuse me if the question is dumb.
I am hosting a WordPress site on our server with Contact Form 7, but we only have an A record for www pointing to our site. The email management for said domain is held by a third party.
How is the contact form sending the emails to the admins? Is it using our host's SMTP service? I am asking because I am getting the emails on Gmail, but the client is not receiving them on his service.
Thank you!
When your server is sending email without you configuring anything, the most likely cause is that it is using the server itself. For that, it does not need to "know" any DNS entries, as it just connects to localhost, which always points to the server itself.
When you receive the mail and your client does not, this is most likely the result of a spam filter. Have you asked your client to check the spam folder?
The problem with (mainly) shared hosting servers is that they tend to end up on spam lists like that of spamhaus.org etc., which greatly increases your risk of ending up in the spam folder. If you control the server, you could request deblocking or even whitelisting of your server, but before you do that, you should be certain that your server is not inadvertently relaying mail because of a misconfiguration, a vulnerability, or outright being hacked. Your applications or the server itself could be configured to use an external SMTP server, but that's not something that's easily explained here. Maybe try on serverfault.com?

Postfix relaying emails to another domain

I have configured Postfix over SSL and Dovecot over SSL, and it works fine if I send locally: it delivers to mailboxes within my domain, whose MX record points to the mail server.
mysysopmnds.com MX 10 mail.mysysopminds.com
However, if I send an email to another domain, it bounces, and one of the errors in the log is as below:
Jan 10 19:34:56 mail postfix/smtp[5334]: 37FADC28BB: to=, relay=none, delay=34, delays=34/0/0.01/0, dsn=5.4.6, status=bounced (mail for murugeshdomain.com loops back to myself)
What are the key configuration items that I should check or take care of to send email to other domains, or to any domain?
TIA,
hariharan
There is a good chance your internet service provider (ISP) is blocking port 25 for outgoing email. I can tell you mine is. This is also when I got the bounce message.
You can confirm this problem by typing:
telnet aspmx.l.google.com 25
If it does not generate "Connected to aspmx.l.google.com" but a timeout after half a minute or so, then your ISP is blocking your outgoing traffic on port 25.
If this is the case, you can solve it by redirecting your outgoing mail through, for example, a Google mail account. You could use this link as a guide to set up the redirection.
It looks like this domain (murugeshdomain.com) has no MX record. For sending mail to another domain, just check whether that domain has an MX record. To check whether a domain has an MX record: dig MX domainname (in the case of the Linux command).
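The Google Cloud answer above and the port 25 answer here both end in the same place: when outbound port 25 is blocked, hand all outgoing mail to an authenticated submission relay on port 587. The Postfix side of that, as an added example rather than configuration from either answer (the relay host name and the credentials are assumptions):

```conf
# /etc/postfix/main.cf: send all outbound mail through an authenticated relay
# on the submission port instead of connecting to recipient MXes on port 25.
# Square brackets suppress the MX lookup for the relay host name (assumed).
relayhost = [smtp-relay.example.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Never fall back to an anonymous login for the relay.
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
# Require STARTTLS and verify the relay's certificate against the system CA
# bundle, so the relay password is never sent in the clear and cannot be
# captured by a spoofed relay.
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# /etc/postfix/sasl_passwd: "relay  user:password", one line per relay host.
# Protect it (chmod 600, owner root), then "postmap /etc/postfix/sasl_passwd"
# and "postfix reload". The user and password here are placeholders.
[smtp-relay.example.net]:587   relay-user@example.org:relay-password
```

Two checks before changing anything: `telnet smtp-relay.example.net 587` must connect where port 25 timed out, and the bounce in the log must actually show an outbound connection attempt. A line with `relay=none` and "loops back to myself", like the one in this question, means Postfix rejected the message itself without trying any connection; that error is produced when the recipient domain's MX or A record points at this host's own IP address but the domain is not listed in `mydestination`, `relay_domains` or a virtual domain class, so a blocked port is not what caused that particular bounce.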

What are the main security considerations when opening up port 25 and/or 587 for email delivery?

I am about to set up SmarterMail v9.0 on our Windows 2008 server (IIS7) and would first like to know what some security considerations are when opening up port 25 and/or 587, i.e. how to prevent relaying, etc.
Thank you.
You must not accept email from untrusted users/sources which is not bound for domains you control.
An open relay is a mail server which allows anyone on the Internet to email anyone else, without verifying that either the source or the destination is known - thus, a relay.
You can check that the source is known by looking for a trusted IP subnet, or by requiring authentication before mail can be sent (via LOGIN over TLS, GSSAPI [called "Integrated Windows Authentication" or whatever], X.509 client certs, or the like).
You can check that the destination is known by comparing it to the list of domains for which your mail server will be the "last stop" (or a relay to another domain you control).
Either a known source or a known destination should be sufficient, but you may also want to make sure that mail inbound for your domains is at least borderline valid (originates from a domain with an MX server, for instance).
Separately, you must be conscious of DoS issues (rate limit inbound mail), and the ability to use your server to send backscatter spam. Backscatter is when I connect to your mail server and say, "why yes, I am unsuspecting_target@not_my_domain.com, please queue up this message for not_an_address@yourdomain.com". Then your mail server delivers a "bounce" message to the unsuspecting target. To mitigate this, you can verify that the recipient is known before accepting mail, or limit the rate at which mail can be accepted from one host, or try to check that the host delivering a message is authorized to use that envelope sender.
These are all well-solved problems.
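The same rules expressed in Postfix terms, as an added example (the question is about SmarterMail on Windows, so this is neither the answer's configuration nor one for that product): a known source is a host in `mynetworks` or a client that has authenticated inside TLS, a known destination is a listed local or relay domain, every recipient must be listed so nothing is accepted and bounced later, sender domains must resolve, and anvil rate limits act as a DoS brake. Subnets and domain names are assumptions.

```conf
# /etc/postfix/main.cf (added example; subnets and domains are assumptions)
# Known sources: loopback, the office subnet, and anyone who authenticates.
mynetworks = 127.0.0.0/8, [::1]/128, 192.0.2.0/24
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# Offer STARTTLS to everyone, announce AUTH only once the session is encrypted,
# so LOGIN/PLAIN credentials never cross the wire in the clear.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
# Known destinations: domains we are the last stop for, and one we relay for.
mydestination = $myhostname, localhost.$mydomain, localhost, example.org
relay_domains = partner.example
# Every valid recipient must be listed; unknown ones are rejected at RCPT TO
# instead of being accepted and bounced, which is what produces backscatter.
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
relay_recipient_maps = hash:/etc/postfix/relay_recipients
smtpd_reject_unlisted_recipient = yes
# The relay decision: known source OR known destination, nothing else.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
# Borderline validity of inbound mail: the client must say HELO, addresses must
# be fully qualified, and the sender's domain must have an A or MX record.
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unlisted_recipient
# Per-client rate limits enforced by anvil(8); clients in mynetworks are exempt
# by default (smtpd_client_event_limit_exceptions).
anvil_rate_time_unit = 60s
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 60
smtpd_client_message_rate_limit = 100
smtpd_client_recipient_rate_limit = 200
```

The answer's last mitigation, checking that the connecting host may use the envelope sender, is not a built-in restriction; in Postfix it is done through `check_policy_service` with an external SPF policy daemon such as postfix-policyd-spf-python. To confirm none of this has left a relay open, connect from an address outside `mynetworks`, send `MAIL FROM:<a@elsewhere.example>` and `RCPT TO:<b@somewhere-else.example>` without authenticating, and expect `554 5.7.1 ... Relay access denied`.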

Postfix and sending incoming emails to script instead of sending

I want to use Postfix to accept incoming emails and have it send them to an external Python script which parses them and adds them to a database.
I read that this could be done via a Policy file.
My first question is what should the policy file return to have Postfix delete the email from the queue with a success message to the sender.
My second question is can I use the Policy file to validate the SMTP authentication that was sent by the client? If not, is there any way of having it use an external script to validate the login?
Thanks!
Christian
If you need SMTP authentication anyway and just want a script to act as MDA, I think you can do it simply by setting mailbox_command = /path/to/my/script in /etc/postfix/main.cf and configuring an authentication scheme. If you have dovecot running, too, I can recommend having postfix authenticate via dovecot, which is very configurable when it comes to SASL authentication.
Update
Since you will be having plaintext passwords going over the wire (assuming this service is reachable from the network), I recommend permitting authentication only over an encrypted line. The configuration I'm going to show will still accept mails for which the server is the destination without authentication. As far as I know, that behaviour is mandated by an RFC for SMTP servers which are reachable from the internet.
Announce SASL authentication only over encrypted connections
smtpd_tls_auth_only=yes
Don't require everyone to talk to you over an encrypted channel
smtpd_tls_security_level=may
SASL boilerplate
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
For whom to accept mail. This is worked left to right, until a permitting or denying rule is encountered. Fallback behaviour would be to permit.
smtpd_recipient_restrictions = permit_auth_destination, reject_plaintext_session, permit_sasl_authenticated, reject
permit_auth_destination as first rule would make sure that clients may deliver mail to users for which I feel responsible unauthenticated. The clients may choose whether to use TLS or not.
reject_plaintext_session as second rule makes sure that all other rules further down the line can assume an encrypted channel.
permit_sasl_authenticated is self-explanatory
reject as last rule basically changes the default policy to "deny".
If you don't want to accept mails without SMTP authentication, you may want to drop the first rule of smtpd_recipient_restrictions.
Not shown is the configuration of the SSL certificate and how to tell postfix about it (the latter of which is easy).
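The pieces the answer leaves out, as an added example that is not the answer's own configuration: the server certificate, the Dovecot SASL socket the answer recommends, and the `mailbox_command` hand-off to the parsing script, with the exit codes that answer the first question in the thread. Certificate paths and the script name are assumptions.

```conf
# /etc/postfix/main.cf additions (added example; paths are assumptions)
# Server certificate and key. "may" offers STARTTLS to every client;
# smtpd_tls_auth_only hides AUTH until the session is encrypted.
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.org.key
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
# Let Dovecot perform SASL: Postfix talks to a socket that Dovecot creates
# inside the Postfix queue directory (the path is relative to queue_directory).
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# Hand every local delivery to the script instead of a mailbox. local(8) runs
# it as the recipient user with the message on stdin. Exit 0 removes the
# message from the queue (the sender already got "250 queued" at SMTP time);
# exit 75 (EX_TEMPFAIL) makes Postfix keep it and retry later; any other
# non-zero exit bounces it back to the sender.
mailbox_command = /usr/local/bin/mail-to-db.py

# /etc/dovecot/conf.d/10-master.conf (Dovecot 2.x): create the auth socket
# where Postfix expects it, readable and writable only by the postfix user.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# /etc/dovecot/conf.d/10-auth.conf: PLAIN and LOGIN are acceptable only because
# Postfix offers them exclusively inside TLS (smtpd_tls_auth_only above).
auth_mechanisms = plain login
```

With this in place the second question in the thread is answered as well: the credentials a client sends are checked by Dovecot's password database, so Postfix itself never sees a policy script for authentication. A quick test is `openssl s_client -starttls smtp -connect mail.example.org:25` followed by `EHLO test`; `250-AUTH PLAIN LOGIN` should appear only inside that TLS session and be absent from a plain `telnet mail.example.org 25` session.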
