Postfix Create Blackhole For Authenticated User’s Outgoing Submission

I don’t know what is the right subject for this topic, the idea is, i just want my outgoing smtp for sending email only, authenticated user not supposed send(or accidentally) to his/her smtp authentication account.which are in my configuration stored in virtual mailbox maps table. In normal case can delivering email to maildir.

I’m using postfixadmin to generate username/password, saslauthd with pam_mysql for querying username/password to mysql virtual mailbox table.Everything is okay with authentication things, except i don’t want username receiving email

In postfix access 5 manual there is actions called DISCARD

       DISCARD optional text...
              Claim successful delivery and silently discard  the
              message.   Log the optional text if specified, oth-
              erwise log a generic message.

              Note: this action currently affects all  recipients
              of  the  message.   To  discard  only one recipient
              without discarding  the  entire  message,  use  the
              transport(5) table to direct mail to the discard(8)
              service.

              This feature is available in Postfix 2.0 and later.

Postfix Smtp Outgoing IP Rotator using iptables

This is the scheme

e.g:

I got 5 Public IPs. i’m Gonna configure them, so Postfix can use multiple interfaces/ips for outgoing smtp connections.

First we need creating Interface aliases for those 5 public IPs.

In my system, using fedora:

# cd /etc/sysconfig/network-scripts/
# cp ifcfg-eth0 ifcfg-eth0:1

Edit ifcfg-eth0:1

# vi ifcfg-eth0\:1

DEVICE=eth0 <-- default device
HWADDR=XX:XX:XX:XX:XX:XX
ONBOOT=yes
TYPE=Ethernet
BOOTPROTO=none
IPADDR=202.XXX.XX.2 <-- default eth0 IP address
PREFIX=24
GATEWAY=202.XXX.XX.1
DNS1=202.XXX.XX.XX

Change DEVICE and IPADDR parameters

Centos 5 Compile Postfix With Tcp Table Support

I've seen someone asking for postfix TCP_TABLE support on centos at mailing list.Actually that was easy to achieved.I'm gonna explain how to build postfix rpm package with TCP_TABLE support.There's great tutorial on how to build postfix RPM package maintain by Simon J Mudd.

I'm gonna used Simon J mud's postfix source RPM package to build the binary.

First download the latest postfix SRPM package

$ rpm -Uvh postfix-2.6.5-1.src.rpm
$ cd `rpm --eval '%{_sourcedir}'`

$ export POSTFIX_SMTPD_MULTILINE_GREETING=1
$ export POSTFIX_LDAP=1
$ export POSTFIX_MYSQL_REDHAT=1
$ export POSTFIX_PCRE=1
$ export POSTFIX_PGSQL=1
$ export POSTFIX_RBL_MAPS=1
$ export POSTFIX_SASL=2
$ export POSTFIX_TLS=1
$ export POSTFIX_VDA=1
$ export POSTFIX_DB=4

Postfix smtp outgoing load balancing

I got good workaround for balancing smtp outgoing from postfix mailing list archives(not using expensive real load balancer). suppose we have 4 smtp servers for outgoing email, and we need to configure/load balance like this:

                                                         +------------+
                                                         |            |
                    +----------> smtp backend a -------->|            |
                    |                                    |            |
clients --------> smtp lb -----> smtp backend b -------->|  Intenet   |
                    |                                    |            |
                    +----------> smtp backend c -------->|            |
                                                         |            |
                                                         +------------+

Here’s the configuration :

Postfix + Centos + Policyd V2 + MySQL

Prerequisites

Requirements for Policyd v2

  • MySQL
  • Net::Server >= 0.96
  • Net::CIDR
  • Config::IniFiles (Debian based: libconfig-inifiles-perl, RPM based: perl-Config-IniFiles)
  • Cache::FastMmap (Debian based: libcache-fastmmap-perl, RPM based: perl-Cache-FastMmap)
  • Mail::SPF (Required for SPF)

Requirements for webui

  • PHP v5+

Download policyd v2

# wget http://downloads.sourceforge.net/project/policyd/2.0.x%20%28Stable%29/v2.0.7/cluebringer-2.0.7.tar.bz2?use_mirror=biznetnetworks

Build rpm from source tarball

# rpmbuild -ta cluebringer-2.0.7.tar.bz2

Postfix + DNSWL

Sometimes we need to do manual whitelisting for mail users whose customers' admins don't respond to your complaints about their server settings. Another option to consider ist automatic whitelisting by using the hand-crafted DNSWL ( http://www.dnswl.org/ ). We should also consider requesting to get added to DNSWL. dnswl-update.sh [bash] #!/bin/sh…

Postfix stress test

Source: The Book of Postfix by Ralf Hildebrandt and Patrick Koetter.

In order to measure how much traffic our postfix  can handle, we need to perform some kind of stress testing. To put an adequate load on the server, We need a fast mail traffic generator. Postfix comes with two  programs named smtp-source and smtp-sink for this purpose. Here’s how they work:

smtp-source

This program connects to a host on a TCP port (port 25 by default) and sends one or more messages, either sequentially or in parallel. The program speaks both SMTP (default) or LMTP and is meant to aid in measuring server performance.

smtp-sink

This test server listens on the named host (or address) and port. It recieves messages from the network and throws them away. You can measure client and network performance with this program.

The following example injects 100 total messages of size 5k each in 20 parallel sessions to a Postfix server running on localhost port 25. Because you’re also interested in how much time this takes, use the time command:

Postfix Debugger

This how to activate postfix debugger on my centos 5.2 in main.cf [text] debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; (strace -p $process_id 2>&1 | logger -p mail.info) & sleep 5 [/text] in master.cf [text] smtp inet n - n - - smtpd -D [/text] [bash] # postfix reload [/bash]

Postfix+DKIM email signatures in amavisd-new

DKIM is a system to verify the sender and integrity of emails.

A DKIM standard (RFC 4871) states the following, which applies to its predecessor DomainKeys (historical: RFC 4870) as well:

DomainKeys Identified Mail (DKIM) defines a mechanism by which email messages can be cryptographically signed, permitting a signing domain to claim responsibility for the introduction of a message into the mail stream. Message recipients can verify the signature by querying the signer’s domain directly to retrieve the appropriate public key, and thereby confirm that the message was attested to by a party in possession of the private key for the signing domain.

The DomainKeys specification was a primary source from which the DomainKeys Identified Mail [DKIM] specification has been derived. The purpose in submitting the RFC 4870 document is as an historical reference for deployed implementations written prior to the DKIM specification.

Implementation and mail flow

              +------+
              |verify|          (verify)
              +--+---+              | (by amavisd and/or SA)
                ^^^ milter          |
incoming:       |||             +---v-------+
  MX ---->  25 smtpd ---> 10024 >           >---> 10025 smtpd -->
                 ||             |           |
  SASL -->  25 smtpd \          |  amavisd  | (notifications)
submission        |   +->       |           >--->_
  mynets->  25 smtpd ---> 10026 >ORIGINATING>---> 10027 smtpd -->
submission            +->       +-------^---+            |
       --> 587 smtpd /  :               |                v milter
                       (convert         |             +------+
                       to 7-bit)      (sign)          | sign |
                                                      +------+