Postfix header_checks using tcp_table and checkdbl.pl script

Postfix implements header_checks as a built-in content inspection class that is applied while receiving mail. Usually the best performance is obtained with pcre (Perl Compatible Regular Expression) tables or the slower regexp (POSIX regular expression) tables. Googling around, I found a tiny Perl script that can send queries to dbl.spamhaus.org, multi.surbl.org and black.uribl.com. (Sahil Tandon wrote it, based on João Gouveia's Perl script, I think.)

First, download the script

# cd /etc/postfix
# wget http://people.freebsd.org/~sahil/scripts/checkdbl.pl.txt

Rename and make it executable

# mv checkdbl.pl.txt checkdbl.pl
# chmod 755 checkdbl.pl

Edit master.cf and add these two lines (the second line is a continuation and must start with whitespace)

127.0.0.1:2526 inet  n       n       n       -       0      spawn
    user=nobody argv=/etc/postfix/checkdbl.pl

Run a preliminary test to ensure checkdbl.pl is really spawned and answering our queries

# postfix reload
# telnet 127.0.0.1 2526
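
What that telnet session should look like, shown as an added Python example of the tcp_table(5) request/reply exchange (this is not checkdbl.pl and not code from the original post). It assumes the lookup key is the %XX-encoded header line, that the text after 200 is the action, and that only dbl.spamhaus.org is consulted; the resolver is injectable and the sample data is constructed so the block runs offline.

```python
import re
import socket
from urllib.parse import unquote

# Assumption: only dbl.spamhaus.org is consulted; the page's script also
# queries multi.surbl.org and black.uribl.com.
DBL_ZONE = "dbl.spamhaus.org"
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def encode(text):
    """tcp_table(5): '%', whitespace and non-printable bytes are sent as %XX."""
    return "".join(chr(b) if 0x21 <= b <= 0x7E and b != 0x25 else "%%%02X" % b
                   for b in text.encode("utf-8"))


def dns_listed(name):
    """Live lookup. DBL 'listed' answers are 127.0.1.x; 127.255.255.x are
    error codes (for example a blocked resolver) and must not count as hits."""
    try:
        return socket.gethostbyname(name).startswith("127.0.1.")
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_AGAIN:   # temporary failure: caller sends 400
            raise
        return False                        # NXDOMAIN: not listed


def handle_request(line, is_listed=dns_listed):
    """Return the tcp_table reply line for one request line."""
    verb, _, key = line.rstrip("\r\n").partition(" ")
    if verb != "get" or not key:
        return "400 " + encode("malformed request") + "\n"
    header = unquote(key)                   # undo the %XX encoding of the key
    for domain in sorted({d.lower() for d in DOMAIN_RE.findall(header)}):
        try:
            if is_listed(f"{domain}.{DBL_ZONE}"):
                # The text after 200 is the lookup result (the action).
                return "200 " + encode(f"REJECT {domain} listed in {DBL_ZONE}") + "\n"
        except OSError:
            return "400 " + encode("DNS lookup failed") + "\n"  # client retries
    return "500 " + encode("not found") + "\n"   # no listed domain in this header


# Constructed sample data: pretend exactly one domain is listed.
LISTED = {"bad-domain.example.dbl.spamhaus.org"}
SAMPLE = "get Subject:%20visit%20bad-domain.example%20now\n"

if __name__ == "__main__":
    print(handle_request(SAMPLE, LISTED.__contains__), end="")
```

A 400 reply on resolver failure makes the client retry instead of silently passing or rejecting mail while DNS is down.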

Compile Postfix 2.7.0 from Simon J. Mudd's git repository

First, we need to clone Simon J. Mudd's postfix repository from GitHub

$ git clone git://github.com/sjmudd/postfix-rpm.git

Switch to (and create a local) POSTFIX_2_7 branch

$ cd postfix-rpm
$ git checkout --track -b POSTFIX_2_7 origin/POSTFIX_2_7

Copy postfix-rpm, which contains the POSTFIX_2_7 branch

$ cd ..
$ cp -rp postfix-rpm postfix-2.7

Create .rpmmacros in your home directory if you don’t have one

$ make setup

postfix 2.8-20100213 postscreen

I've been experimenting with the postfix 2.8-20100213 "postscreen" feature on my development server. This feature is very useful for detecting/dropping misbehaving SMTP clients. Configuration:

main.cf

postscreen_greet_action = drop
postscreen_dnsbl_sites = zen.spamhaus.org, spam.ipv6.kutukupret.com
postscreen_hangup_action = drop
postscreen_dnsbl_action = drop

master.cf

smtp inet n - n - 1 postscreen
smtpd…

postfix-2.8.0.src.rpm

I’ve built an SRPM package for postfix 2.8.0 in my spare time today, based on Simon J. Mudd’s template of course :) The hardest part was testing and applying the right patches, but it seems okay when compiled. Here’s the SRPM file: This is how to rebuild the source: …

Compiling Postfix-2.7.0 As RPM Package

I used to use Simon J. Mudd’s package when building the postfix RPM package, but it seems he has not released an official postfix 2.7.0 yet, so here’s a way for the impatient

First, create the standard Red Hat Linux directory structure in our home directory

$ mkdir rpmbuild
$ mkdir -p rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS,tmp}

Create .rpmmacros file

$ vi .rpmmacros
%_topdir                %(echo $HOME)/rpmbuild
%_tmppath               %(echo $HOME)/rpmbuild/tmp

Create a temporary working directory for postfix

$ mkdir postfix
$ cd postfix

Postfix Bind Sender Domain To Dedicated Outgoing IP Address

Recently there have been requests for sending mail with source IP addresses that depend on the envelope sender. This is very useful for protecting the IP-based domain reputations of different customers.

A new feature in postfix-2.7-20091209 is sender_dependent_default_transport_maps

sender_dependent_default_transport_maps (default: empty)

    A sender-dependent override for the global default_transport parameter setting.
    The tables are searched by the envelope sender address and @domain.
    A lookup result of DUNNO terminates the search without overriding the global default_transport parameter setting.
    This information is overruled with the transport(5) table.

    Note: this overrides default_transport, not transport_maps, and therefore the expected syntax is that of default_transport.
          This feature does not support the transport_maps syntax for null transport, null nexthop, or null email addresses.

    For safety reasons, this feature does not allow $number substitutions in regular expression maps.

    This feature is available in Postfix 2.7 and later.

Create file called sdd_transport_maps.regexp:

/@customer1-dom\.tld$/		customer1:
/@customer2-dom\.tld$/		customer2:
/@customer3-dom\.tld$/		customer3:
..... next .....

Postfix Selective Sender Address Verification

The idea is to selectively probe for valid email senders for certain domains that are frequently forged by spammers. We should use sender address verification carefully. It is much better if we notify the postmaster/admin that we are conducting SAV/probing their server for valid users, or otherwise we’ll end up in the backscatterer.org list hehehe…

Create a restriction class called verify_sender with smtpd_restriction_classes

smtpd_restriction_classes = verify_sender

Define verify_sender so that it rejects all unverified email senders; verified ones are permitted/passed

verify_sender = reject_unverified_sender, permit

Create a hash table called frequently_forged_senders to define the sender domains that are going to be in the verification list

check_sender_access hash:/etc/postfix/frequently_forged_senders

frequently_forged_senders contains

domain1.tld		verify_sender
domain2.tld		verify_sender
domain3.tld		verify_sender

Postfix TLS Support On Fedora 12

It’s time to make our SMTP transactions encrypted using TLS. TLS itself stands for Transport Layer Security. It encrypts the communication between two hosts.

As usual when building the postfix RPM package, I recommend using the tutorial on how to compile the postfix rpm source at Simon J Mudd’s website

When you’re done compiling postfix with TLS support, continue with this how-to for creating self-signed postfix TLS certificates

  • Certificates part
    # cd /etc/postfix
    # mkdir ssl
    # cd ssl
    # mkdir certs crl newcerts private
    # echo "01" > serial
    # cp /dev/null index.txt
    # cat /etc/pki/tls/openssl.cnf | sed -e 's/\/etc\/pki\/CA/\./' | sed -e 's/\.\/demoCA/\./' > openssl.cnf
    
    # openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650 -config openssl.cnf
    # openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 3650 -config openssl.cnf
    # openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
    
    # openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
    
    # cp cacert.pem /etc/postfix
    # grep -B 100 "END PRIVATE KEY" newreq.pem > /etc/postfix/key.pem
    # chmod 400 /etc/postfix/key.pem
    # cp newcert.pem /etc/postfix/cert.pem
    

Postfix Smtp Auth using pam_mysql On Fedora 12

First of all, of course we need to compile postfix with SASL support. The easiest way is to read the tutorial on how to compile the postfix rpm source at Simon J Mudd’s website

Since I’m using a mysql database for storing username/password, I’m gonna show you how to create smtp authentication/SASL.

Install pam_mysql:

# yum -y install pam_mysql

Edit the /etc/pam.d/smtp file:

auth required pam_mysql.so user=postfix passwd=password host=localhost db=postfixdb table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1 sqlLog=0
account sufficient pam_mysql.so user=postfix passwd=password host=localhost db=postfixdb table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1 sqlLog=0