[opensuse] Email sender address
Hi, I have an application running on a machine that sends status-mails. Unfortunately, it has no means to define a sender address. Instead it uses '@domain-name' (= nothing before the @). I filed a bug-report with the manufacturer. But what make me wonder, postfix _does_ accept the address that is sent and the whole message. Only afterwards the message is bounced, in the log file 127.0.0.1 does this, or at least tries it since there is no real sender-address. I think it's the spam-filter that does this. Shouldn't postfix reject the message immediately when receiving the incomplete sender-address ? Or do I have some configuration error ? Now the application thinks it sent the message OK, and its log-files reports success. Regards, Koenraad Lelong. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-08 09:19, Koenraad Lelong wrote:
Shouldn't postfix reject the message immediately when receiving the incomplete sender-address ? Or do I have some configuration error ?
I think it should, but I can not replicate that send operation to test. :-? - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+o9PsACgkQIvFNjefEBxrWLgCbBy2H3uuTaqwaRgr/pEIXMGHA nQ4An324g16KqGzcC1uBEb6zZuJyWDXa =xWGx -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 08-05-12 12:27, Carlos E. R. wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2012-05-08 09:19, Koenraad Lelong wrote:
Shouldn't postfix reject the message immediately when receiving the incomplete sender-address ? Or do I have some configuration error ?
I think it should, but I can not replicate that send operation to test. :-?
If you have a Windows machine, you could download Acronis True Image Home. That's the application that does not have a sender-address. ;-) Regards, Koenraad Lelong. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Tue, May 8, 2012 at 12:49 PM, Koenraad Lelong
Hi,
I have an application running on a machine that sends status-mails. Unfortunately, it has no means to define a sender address. Instead it uses '@domain-name' (= nothing before the @). I filed a bug-report with the manufacturer. But what make me wonder, postfix _does_ accept the address that is sent and the whole message. Only afterwards the message is bounced, in the log file 127.0.0.1 does this, or at least tries it since there is no real sender-address. I think it's the spam-filter that does this. Shouldn't postfix reject the message immediately when receiving the incomplete sender-address ? Or do I have some configuration error ?
Now the application thinks it sent the message OK, and its log-files reports success.
Regards,
Koenraad Lelong.
can you post the postconf -n and the postfix log entries of that mail transaction ? -- The mysteries of the Universe are revealed when you break stuff. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 09-05-12 16:06, The_Ace wrote:
postconf -n
postconf -n alias_maps = hash:/etc/aliases biff = no broken_sasl_auth_clients = yes canonical_maps = hash:/etc/postfix/canonical command_directory = /usr/sbin config_directory = /etc/postfix content_filter = smtp-amavis:[127.0.0.1]:10024 daemon_directory = /usr/lib/postfix debug_peer_level = 2 defer_transports = disable_dns_lookups = no disable_mime_output_conversion = no disable_vrfy_command = yes header_checks = pcre:/etc/postfix/maps/header_checks.short home_mailbox = Maildir/ html_directory = /usr/share/doc/packages/postfix/html inet_protocols = all local_recipient_maps = mail_spool_directory = /var/mail mailbox_command = mailbox_size_limit = 0 mailbox_transport = mailq_path = /usr/bin/mailq manpage_directory = /usr/share/man masquerade_classes = envelope_sender, header_sender, header_recipient masquerade_domains = masquerade_exceptions = root message_size_limit = 20000000 mydestination = $myhostname, localhost.$mydomain mydomain = ace-electronics.be myhostname = mailbox.ace-electronics.be mynetworks = 192.168.0.0/20, 127.0.0.0/8 nested_header_checks = newaliases_path = /usr/bin/newaliases qmgr_message_active_limit = 2000 readme_directory = /usr/share/doc/packages/postfix/README_FILES relayhost = [out.telenet.be] relocated_maps = hash:/etc/postfix/relocated sample_directory = /usr/share/doc/packages/postfix/samples sender_canonical_maps = hash:/etc/postfix/sender_canonical sendmail_path = /usr/sbin/sendmail setgid_group = maildrop smtp_sasl_auth_enable = no smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, warn_if_reject, reject_non_fqdn_hostname, reject_invalid_hostname, permit smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated, check_policy_service unix:postgrey/socket,reject_unauth_destination,reject_rbl_client zen.spamhaus.org smtpd_sasl_auth_enable = yes smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/spammers smtpd_tls_CAfile = /etc/postfix/certificate/cacert.org.pem smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/postfix/certificate/mailbox.pem smtpd_tls_key_file = /etc/postfix/certificate/mailboxkey.pem smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = yes strict_8bitmime = no strict_rfc821_envelopes = no tls_random_source = dev:/dev/urandom transport_maps = hash:/etc/postfix/transport unknown_local_recipient_reject_code = 550 virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf virtual_gid_maps = static:97 virtual_mailbox_base = /net/mail virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf virtual_mailbox_limit = 10240000 virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf virtual_minimum_uid = 499 virtual_transport = dovecot virtual_uid_maps = static:499
May 7 22:21:08 lace3 postfix/smtpd[19772]: connect from
QXSN95023.ace-electronics.be[192.168.2.92]
May 7 22:21:08 lace3 postfix/smtpd[19772]: C4EB12D59D3:
client=QXSN95023.ace-electronics.be[192.168.2.92]
May 7 22:21:08 lace3 postfix/cleanup[19893]: C4EB12D59D3:
message-id=
On Thu, May 10, 2012 at 3:42 PM, Koenraad Lelong
On 09-05-12 16:06, The_Ace wrote:
postconf -n
postconf -n [snip] mynetworks = 192.168.0.0/20, 127.0.0.0/8 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This makes all IPs from 192.168.0.1 to 192.168.15.255 allowed IPs as far as postfix is concerned.
[snip]
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject, reject_non_fqdn_hostname, reject_invalid_hostname, permit smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated, check_policy_service unix:postgrey/socket,reject_unauth_destination,reject_rbl_client zen.spamhaus.org [snip]
By having permit_mynetworks listed first, the above set IP range is white listed regardless of the from address syntax. Which is why the mail is accepted first and then rejected. White listing IPs like that is generally a not good idea as it allows even a zombified pc in that range to send mail. Recommended way is to use SMTP authentication. Anyway, change the smtpd_recipient_restrictions to : smtpd_recipient_restrictions = reject_non_fqdn_sender, permit_mynetworks,permit_sasl_authenticated, check_policy_service unix:postgrey/socket,reject_unauth_destination,reject_rbl_client zen.spamhaus.org and see if that rectifies the problem. -- The mysteries of the Universe are revealed when you break stuff. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 10-05-12 15:49, The_Ace wrote:
On Thu, May 10, 2012 at 3:42 PM, Koenraad Lelong
wrote: [snip] Anyway, change the smtpd_recipient_restrictions to : smtpd_recipient_restrictions = reject_non_fqdn_sender, permit_mynetworks,permit_sasl_authenticated, check_policy_service unix:postgrey/socket,reject_unauth_destination,reject_rbl_client zen.spamhaus.org and see if that rectifies the problem.
Hi, I hadn't time to respond, but it's not working. I'll append the new postconf. This morning I had a response from Acronis. They say that the message is accepted, so all should be OK. They seem to have not seen that later the message is rejected. So if I could postfix have reject the mail they would be more willing to act, I think. I am going to repond that their software does not comply to RFC 5321. Did I say I'm using postfix 2.4.5 ? It's the version of Opensuse 10.3. Thanks, Koenraad Lelong. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 05-06-12 14:56, Koenraad Lelong wrote:
On 10-05-12 15:49, The_Ace wrote: Hi,
I hadn't time to respond, but it's not working. I'll append the new postconf.
alias_maps = hash:/etc/aliases biff = no broken_sasl_auth_clients = yes canonical_maps = hash:/etc/postfix/canonical command_directory = /usr/sbin config_directory = /etc/postfix content_filter = smtp-amavis:[127.0.0.1]:10024 daemon_directory = /usr/lib/postfix debug_peer_level = 2 defer_transports = disable_dns_lookups = no disable_mime_output_conversion = no disable_vrfy_command = yes header_checks = pcre:/etc/postfix/maps/header_checks.short home_mailbox = Maildir/ html_directory = /usr/share/doc/packages/postfix/html inet_protocols = all local_recipient_maps = mail_spool_directory = /var/mail mailbox_command = mailbox_size_limit = 0 mailbox_transport = mailq_path = /usr/bin/mailq manpage_directory = /usr/share/man masquerade_classes = envelope_sender, header_sender, header_recipient masquerade_domains = masquerade_exceptions = root message_size_limit = 20000000 mydestination = $myhostname, localhost.$mydomain mydomain = ace-electronics.be myhostname = mailbox.ace-electronics.be mynetworks = 192.168.0.0/20, 127.0.0.0/8 nested_header_checks = newaliases_path = /usr/bin/newaliases qmgr_message_active_limit = 2000 readme_directory = /usr/share/doc/packages/postfix/README_FILES relayhost = [out.telenet.be] relocated_maps = hash:/etc/postfix/relocated sample_directory = /usr/share/doc/packages/postfix/samples sender_canonical_maps = hash:/etc/postfix/sender_canonical sendmail_path = /usr/sbin/sendmail setgid_group = maildrop smtp_sasl_auth_enable = no smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, warn_if_reject, reject_non_fqdn_hostname, reject_invalid_hostname, permit smtpd_recipient_restrictions = reject_non_fqdn_sender, permit_mynetworks, permit_sasl_authenticated, check_policy_service unix:postgrey/socket,reject_unauth_destination,reject_rbl_client zen.spamhaus.org smtpd_sasl_auth_enable = yes smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/spammers smtpd_tls_CAfile = /etc/postfix/certificate/cacert.org.pem smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/postfix/certificate/mailbox.pem smtpd_tls_key_file = /etc/postfix/certificate/mailboxkey.pem smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = yes strict_8bitmime = no strict_rfc821_envelopes = no tls_random_source = dev:/dev/urandom transport_maps = hash:/etc/postfix/transport unknown_local_recipient_reject_code = 550 virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf virtual_gid_maps = static:97 virtual_mailbox_base = /net/mail virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf virtual_mailbox_limit = 10240000 virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf virtual_minimum_uid = 499 virtual_transport = dovecot virtual_uid_maps = static:499 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Koenraad Lelong wrote:
On 10-05-12 15:49, The_Ace wrote:
On Thu, May 10, 2012 at 3:42 PM, Koenraad Lelong
wrote: [snip] Anyway, change the smtpd_recipient_restrictions to : smtpd_recipient_restrictions = reject_non_fqdn_sender, permit_mynetworks,permit_sasl_authenticated, check_policy_service unix:postgrey/socket,reject_unauth_destination,reject_rbl_client zen.spamhaus.org and see if that rectifies the problem.
Hi,
I hadn't time to respond, but it's not working. I'll append the new postconf.
I'm not 100% sure, but I don't think reject_non_fqdn_sender will reject emails coming from <@example.com>, i.e. with empty user. 'fqdn' = fully qualified domain name. Instead, the rejection mighthappen when the mail is attempted delivered to an unknown mailbox. -- Per Jessen, Zürich (19.3°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Per Jessen wrote:
Koenraad Lelong wrote:
On 10-05-12 15:49, The_Ace wrote:
On Thu, May 10, 2012 at 3:42 PM, Koenraad Lelong
wrote: [snip] Anyway, change the smtpd_recipient_restrictions to : smtpd_recipient_restrictions = reject_non_fqdn_sender, permit_mynetworks,permit_sasl_authenticated, check_policy_service unix:postgrey/socket,reject_unauth_destination,reject_rbl_client zen.spamhaus.org and see if that rectifies the problem.
Hi,
I hadn't time to respond, but it's not working. I'll append the new postconf.
I'm not 100% sure, but I don't think reject_non_fqdn_sender will reject emails coming from <@example.com>, i.e. with empty user. 'fqdn' = fully qualified domain name. Instead, the rejection mighthappen when the mail is attempted delivered to an unknown mailbox.
Ignore that last bit, I was obviously not thinking. Anyway, I've tested my setup with a sender address of <@example.com> and it is also let through, but afaict only because something (probably postfix) changes the address to <""@example.com>. If you really want to reject such addresses, I think you need to look at using smtpd_sender_restrictions:check_sender_access A sender_access table to check for <@example.com> could be: ----- @ REJECT ----- I'm not sure that works, but it's worth a try. Alternatively, use a PCRE table: ----- /^@[^@]+$/ REJECT ----- (this one works, I've tested it). -- Per Jessen, Zürich (15.4°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-06-06 09:04, Per Jessen wrote:
Anyway, I've tested my setup with a sender address of <@example.com> and it is also let through, but afaict only because something (probably postfix) changes the address to <""@example.com>. If you really want to reject such addresses, I think you need to look at using smtpd_sender_restrictions:check_sender_access A sender_access table to check for <@example.com> could be:
I think he wants it to work :-) He said: ]> I have an application running on a machine that sends status-mails. Unfortunately, it has no means to define a sender address. Instead it uses ]> '@domain-name' (= nothing before the @). I filed a bug-report with the manufacturer. ]> But what make me wonder, postfix _does_ accept the address that is sent and the whole message. Only afterwards the message is bounced, in the ]> log file 127.0.0.1 does this, or at least tries it since there is no real sender-address. I think it's the spam-filter that does this. ]> Shouldn't postfix reject the message immediately when receiving the incomplete sender-address ? Or do I have some configuration error ? Or to fail earlier :-? - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/PIaMACgkQIvFNjefEBxp58gCfX/Kn9+TOmIWP8+2jD6ehDS81 dKcAn0Xq0Ed0IR+Feb0/v0Iv/3A0aivs =Y5/M -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 06-06-12 11:23, Carlos E. R. wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Or to fail earlier :-?
Hi, I definitly want it to fail as soon as possible. Those crippled sender-addresses are not legal according to (my interpretation of) the RFC. So I want postfix to reject it when the transaction is at the "MAIL FROM" stage. I'll try Per's PCRE approach. Thanks all. Koenraad Lelong -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 06-06-12 09:04, Per Jessen wrote:
Per Jessen wrote: ... ----- /^@[^@]+$/ REJECT -----
Hi, I wanted to implement this, but on the next line of the smtpd_sender_restrictions of my config-file I saw this : strict_rfc821_envelopes = no. After investigating I changed this to strict_rfc821_envelopes = yes and restarted postfix Now the offending sender-address is rejected right away. I'll have to keep an eye on the logs to see if I reject "good" mail. Any remarks ? Koenraad Lelong. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-06-07 08:36, Koenraad Lelong wrote:
After investigating I changed this to strict_rfc821_envelopes = yes and restarted postfix Now the offending sender-address is rejected right away. I'll have to keep an eye on the logs to see if I reject "good" mail.
Any remarks ?
Interesting :-) - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/QmycACgkQIvFNjefEBxqUTACfRXZ/kS6kYuz7k7POYCklwXSt iGYAoLcltS5wWIyfsGjz6VPmRjde3DE5 =j7KI -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Koenraad Lelong wrote:
On 06-06-12 09:04, Per Jessen wrote:
Per Jessen wrote: ... ----- /^@[^@]+$/ REJECT -----
Hi,
I wanted to implement this, but on the next line of the smtpd_sender_restrictions of my config-file I saw this : strict_rfc821_envelopes = no. After investigating I changed this to strict_rfc821_envelopes = yes and restarted postfix Now the offending sender-address is rejected right away. I'll have to keep an eye on the logs to see if I reject "good" mail.
Any remarks ?
I run a number of mailservers, all with strict_rfc821_envelopes=no, the postfix default. I don't know what I'd lose or gain by enabling it. -- Per Jessen, Zürich (24.1°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
participants (4)
-
Carlos E. R.
-
Koenraad Lelong
-
Per Jessen
-
The_Ace