Postfix Create Blackhole For Authenticated User’s Outgoing Submission
I am not sure what the right title for this topic is. The idea: this Postfix instance is meant for outgoing (submission) mail only, and an authenticated user is not supposed to send mail, deliberately or by accident, to his or her own SMTP authentication account. Those accounts are stored in my virtual mailbox maps table, so in the normal case Postfix would simply deliver such a message to the maildir.
I use postfixadmin to generate the username/password pairs, and saslauthd with pam_mysql to look them up in the MySQL virtual mailbox table. Everything on the authentication side works; the only thing I do not want is for those usernames to receive email.
In the access(5) manual there is an action called DISCARD:
DISCARD optional text... Claim successful delivery and silently discard the message. Log the optional text if specified, otherwise log a generic message. Note: this action currently affects all recipients of the message. To discard only one recipient without discarding the entire message, use the transport(5) table to direct mail to the discard(8) service. This feature is available in Postfix 2.0 and later.
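DISCARD as an access(5) action drops the whole message, so a submission with one such account among several recipients would vanish entirely; the per-recipient route the manual points to is a transport(5) entry that hands that recipient to discard(8). The following is an added example, not the post's own configuration: it derives such a transport map from a virtual(5)-style mailbox table. The sample table, the reason text and the file names are assumptions.

```python
# Added example, not the post's own configuration: derive a transport(5) map
# that routes every virtual mailbox address to the discard(8) delivery agent.
# Unlike the access(5) DISCARD action, this drops mail per recipient, so a
# message with other legitimate recipients is still delivered to them.
# The sample table, the reason text and the file names are assumptions.
#
# Assumed main.cf settings the map plugs into:
#   virtual_mailbox_maps = hash:/etc/postfix/vmailbox
#   transport_maps       = hash:/etc/postfix/transport
# and the stock master.cf entry the right-hand side refers to:
#   discard   unix  -       -       n       -       -       discard

import re
import sys

# Constructed sample in virtual(5) format: address -> maildir path.
SAMPLE_VMAILBOX = """\
# virtual mailbox map, one entry per authenticated submission user
alice@example.com    example.com/alice/
bob@example.com      example.com/bob/
carol@example.com    example.com/carol/
"""


def parse_virtual_map(text):
    """Return the lookup keys (addresses) of a virtual(5)-style table,
    skipping blank lines and comments."""
    addrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addrs.append(re.split(r"\s+", line, maxsplit=1)[0])
    return addrs


def discard_transport_map(addrs, reason="submission-only-account"):
    """Map each address to 'discard:<reason>'. discard(8) treats the
    next-hop text as the reason it logs when it drops the message."""
    return {addr: f"discard:{reason}" for addr in addrs}


def render_transport(mapping):
    """transport(5) text: key, whitespace, 'transport:nexthop' per line."""
    return "".join(f"{key}\t{value}\n" for key, value in sorted(mapping.items()))


if __name__ == "__main__":
    # then: postmap /etc/postfix/transport && postfix reload
    sys.stdout.write(render_transport(discard_transport_map(parse_virtual_map(SAMPLE_VMAILBOX))))
```

Install the output as /etc/postfix/transport, run postmap on it, set transport_maps in main.cf, and check one entry with `postmap -q alice@example.com hash:/etc/postfix/transport` before reloading. The sender still gets a normal 250 and no bounce, which is the blackhole behaviour wanted here. If every virtual mailbox account is to be blackholed, `virtual_transport = discard` does the same job without a per-address table, at the cost of the option to exempt individual accounts.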
Postfix Smtp Outgoing IP Rotator using iptables
The scheme, by example: I have 5 public IPs and want to configure them so that Postfix can use multiple interfaces/IPs for outgoing SMTP connections.
First, create interface aliases for those 5 public IPs.
On my system, which runs Fedora:
# cd /etc/sysconfig/network-scripts/
# cp ifcfg-eth0 ifcfg-eth0:1
Edit ifcfg-eth0:1
# vi ifcfg-eth0\:1
DEVICE=eth0                <-- default device
HWADDR=XX:XX:XX:XX:XX:XX
ONBOOT=yes
TYPE=Ethernet
BOOTPROTO=none
IPADDR=202.XXX.XX.2        <-- default eth0 IP address
PREFIX=24
GATEWAY=202.XXX.XX.1
DNS1=202.XXX.XX.XX
Change the DEVICE parameter to eth0:1 and IPADDR to the alias's public IP, then repeat for the remaining addresses.
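As an added example, not the script the post uses, the following renders the alias files from the base ifcfg-eth0 and the nat-table SNAT rules that spread outgoing port-25 connections over the five addresses. The rule shape (iptables -t nat POSTROUTING with -m statistic --mode nth) is this example's assumption of what the title refers to; the addresses are RFC 5737 documentation space, i.e. constructed.

```python
# Added example (not the post's own script): render the Fedora ifcfg alias
# files and the iptables SNAT rules that rotate the source address of
# outgoing port-25 connections across several public IPs. Addresses are
# RFC 5737 documentation space, i.e. constructed; the interface name and the
# rule shape (nat/POSTROUTING, -m statistic --mode nth) are assumptions.

BASE_IFCFG = """\
DEVICE=eth0
HWADDR=00:11:22:33:44:55
ONBOOT=yes
TYPE=Ethernet
BOOTPROTO=none
IPADDR=203.0.113.2
PREFIX=24
GATEWAY=203.0.113.1
DNS1=203.0.113.53
"""

PUBLIC_IPS = ["203.0.113.2", "203.0.113.3", "203.0.113.4", "203.0.113.5", "203.0.113.6"]


def alias_ifcfg(base_text, iface, index, ipaddr):
    """Copy of ifcfg-<iface> with only DEVICE and IPADDR changed, as the post
    describes for ifcfg-eth0:1."""
    out = []
    for line in base_text.splitlines():
        key = line.partition("=")[0]
        if key == "DEVICE":
            line = f"DEVICE={iface}:{index}"
        elif key == "IPADDR":
            line = f"IPADDR={ipaddr}"
        out.append(line)
    return "\n".join(out) + "\n"


def alias_files(base_text, iface, primary_ip, ips):
    """{filename: contents} for every address except the primary one, which
    ifcfg-<iface> already carries."""
    files = {}
    index = 1
    for ip in ips:
        if ip == primary_ip:
            continue
        files[f"ifcfg-{iface}:{index}"] = alias_ifcfg(base_text, iface, index, ip)
        index += 1
    return files


def snat_rules(iface, ips):
    """One nat/POSTROUTING rule per address for outgoing SMTP connections.

    Every rule keeps its own nth counter and only sees the connections the
    rules above it did not take, so rule i of n must claim one in (n - i)
    of what reaches it: --every 5, --every 4, ..., --every 2, and the last
    rule is unconditional. Giving every rule --every n with --packet 0..n-1
    instead leaves later rules counting only the leftovers, which is uneven.
    The nat table is consulted for the first packet of a connection only,
    so a whole SMTP session keeps the address it was given.
    """
    n = len(ips)
    rules = []
    for i, ip in enumerate(ips):
        remaining = n - i
        match = f" -m statistic --mode nth --every {remaining} --packet 0" if remaining > 1 else ""
        rules.append(
            f"iptables -t nat -A POSTROUTING -o {iface} -p tcp --dport 25{match}"
            f" -j SNAT --to-source {ip}"
        )
    return rules


if __name__ == "__main__":
    for name, body in alias_files(BASE_IFCFG, "eth0", "203.0.113.2", PUBLIC_IPS).items():
        print(f"# /etc/sysconfig/network-scripts/{name}\n{body}")
    print("\n".join(snat_rules("eth0", PUBLIC_IPS)))
```

Two things to check before turning this on: every rotated address needs a PTR record and all five must be listed in the domain's SPF record, or receivers will reject or score the mail; and Postfix itself still logs the address it bound to, not the translated one, so the mail log no longer tells you which IP a delivery used. The Postfix-native alternative is one smtp transport per address in master.cf with `-o smtp_bind_address=` and sender_dependent_default_transport_maps to choose among them, which keeps that choice visible in the log.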
Postfix smtp outgoing load balancing
I found a good workaround for balancing outgoing SMTP from Postfix in the Postfix mailing list archives (no expensive hardware load balancer needed). Suppose we have four SMTP servers for outgoing email, one relay in front of three backends, and need to configure/load balance them like this:
                                               +------------+
                                               |            |
               +----------> smtp backend a --->|            |
               |                               |            |
clients ---> smtp lb -----> smtp backend b --->|  Internet  |
               |                               |            |
               +----------> smtp backend c --->|            |
                                               |            |
                                               +------------+
Here’s the configuration :
Postfix + Centos + Policyd V2 + MySQL
Prerequisites
Requirements for Policyd v2
- MySQL
- Net::Server >= 0.96
- Net::CIDR
- Config::IniFiles (Debian based: libconfig-inifiles-perl, RPM based: perl-Config-IniFiles)
- Cache::FastMmap (Debian based: libcache-fastmmap-perl, RPM based: perl-Cache-FastMmap)
- Mail::SPF (Required for SPF)
Requirements for webui
- PHP v5+
Download policyd v2
# wget -O cluebringer-2.0.7.tar.bz2 'http://downloads.sourceforge.net/project/policyd/2.0.x%20%28Stable%29/v2.0.7/cluebringer-2.0.7.tar.bz2?use_mirror=biznetnetworks'
Build rpm from source tarball
# rpmbuild -ta cluebringer-2.0.7.tar.bz2
Postfix + DNSWL
Postfix stress test
Source: The Book of Postfix by Ralf Hildebrandt and Patrick Koetter.
In order to measure how much traffic our Postfix can handle, we need to perform some kind of stress test. To put an adequate load on the server we need a fast mail traffic generator. Postfix ships two programs for this purpose, smtp-source and smtp-sink. Here's how they work:
smtp-source
This program connects to a host on a TCP port (port 25 by default) and sends one or more messages, either sequentially or in parallel. It speaks either SMTP (the default) or LMTP and is meant to help measure server performance.
smtp-sink
This test server listens on the named host (or address) and port. It receives messages from the network and throws them away. You can measure client and network performance with this program.
The following example injects 100 messages in total, 5 KB each, in 20 parallel sessions into a Postfix server running on localhost port 25. Because you are also interested in how long this takes, run it under the time command:
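The following is an added example in Python, not the command the book gives: a miniature smtp-sink and smtp-source pair that run against each other on a loopback port, so the measurement loop (N parallel sessions, M messages, wall-clock time) can be tried before pointing the real tools at a Postfix instance. Host, port, addresses and the message body are constructed.

```python
# Added example, not the book's or the post's command: a miniature
# smtp-sink / smtp-source pair in pure Python. The sink accepts and discards
# everything, the source opens N parallel sessions and pushes M messages
# through them, and the whole run is timed. Host, port, addresses and the
# message body are constructed for the example.

import smtplib
import socketserver
import threading
import time


class SinkHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP server: say yes to everything, keep nothing."""

    def handle(self):
        self.wfile.write(b"220 sink ESMTP\r\n")
        in_data = False
        while True:
            line = self.rfile.readline()
            if not line:                           # client went away
                return
            if in_data:
                if line.rstrip(b"\r\n") == b".":   # end of DATA: count and discard
                    in_data = False
                    with self.server.lock:
                        self.server.accepted += 1
                    self.wfile.write(b"250 2.0.0 Ok: discarded\r\n")
                continue
            verb = line[:4].upper()
            if verb in (b"EHLO", b"HELO"):
                self.wfile.write(b"250 sink\r\n")
            elif verb == b"DATA":
                in_data = True
                self.wfile.write(b"354 End data with <CR><LF>.<CR><LF>\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:                                  # MAIL, RCPT, RSET, NOOP ...
                self.wfile.write(b"250 Ok\r\n")


class Sink(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr):
        super().__init__(addr, SinkHandler)
        self.lock = threading.Lock()
        self.accepted = 0


def run_source(host, port, sessions, messages, size):
    """Send `messages` messages of about `size` bytes over `sessions`
    parallel SMTP sessions; return (messages sent, elapsed seconds)."""
    body = ("x" * 72 + "\r\n") * max(1, size // 74)
    msg = ("From: sender@example.com\r\nTo: recipient@example.com\r\n"
           "Subject: stress\r\n\r\n" + body)
    per_session = [messages // sessions + (1 if i < messages % sessions else 0)
                   for i in range(sessions)]
    sent = [0] * sessions

    def worker(i, count):
        if count == 0:
            return
        # local_hostname avoids a reverse DNS lookup on the test host
        with smtplib.SMTP(host, port, local_hostname="source.example.com", timeout=30) as s:
            for _ in range(count):
                s.sendmail("sender@example.com", ["recipient@example.com"], msg)
                sent[i] += 1

    threads = [threading.Thread(target=worker, args=(i, n)) for i, n in enumerate(per_session)]
    start = time.perf_counter()
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(sent), time.perf_counter() - start


def stress_test(messages=100, sessions=20, size=5120):
    """Start a sink on an ephemeral loopback port, run the source against it
    and return (sent, accepted by the sink, elapsed seconds)."""
    sink = Sink(("127.0.0.1", 0))
    threading.Thread(target=sink.serve_forever, daemon=True).start()
    try:
        sent, elapsed = run_source("127.0.0.1", sink.server_address[1], sessions, messages, size)
    finally:
        sink.shutdown()
        sink.server_close()
    return sent, sink.accepted, elapsed


if __name__ == "__main__":
    sent, accepted, elapsed = stress_test()
    print(f"{sent} sent, {accepted} accepted, {elapsed:.3f}s, {sent / elapsed:.0f} msg/s")
```

The real invocation has the same shape: smtp-source with -s for the number of sessions, -m for the message count and -l for the message length, run under time, while an smtp-sink on another host receives what Postfix relays, so the figure you get covers the server under test and not whatever sits downstream of it.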
Postfix Debugger
Postfix+DKIM email signatures in amavisd-new
DKIM is a mechanism for verifying the domain responsible for an email and the integrity of the message.
The DKIM standard (RFC 4871) states the following; it applies to its predecessor, DomainKeys (historical, RFC 4870), as well:
DomainKeys Identified Mail (DKIM) defines a mechanism by which email messages can be cryptographically signed, permitting a signing domain to claim responsibility for the introduction of a message into the mail stream. Message recipients can verify the signature by querying the signer’s domain directly to retrieve the appropriate public key, and thereby confirm that the message was attested to by a party in possession of the private key for the signing domain.
The DomainKeys specification was a primary source from which the DomainKeys Identified Mail [DKIM] specification has been derived. The purpose in submitting the RFC 4870 document is as an historical reference for deployed implementations written prior to the DKIM specification.
Implementation and mail flow
                                       +------+
                                       |verify|  (verify)
                                       +--+---+  (by amavisd and/or SA)
                                   ^^^ milter |
incoming:                          |||     +--v--------+
  MX  ---->    25 smtpd  --->  10024 >     >           >--->  10025 smtpd  -->
                                   ||      |           |
  SASL -->     25 smtpd \          |       |  amavisd  |  (notifications)
  submission             +->       |       |           >--->_
  mynets ->    25 smtpd  --->  10026 >ORIGINATING      >--->  10027 smtpd  -->
  submission             +->               +------^----+  |
    --> 587 smtpd /      :                        |       v milter
       (convert          |                     +--+---+
        to 7-bit)        (sign)                | sign |
                                               +------+
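The integrity claim in the definition above is carried by the bh= tag of the DKIM-Signature header: a hash of the body after canonicalization. As an added example, not amavisd's or SpamAssassin's code, the following implements RFC 4871 simple and relaxed body canonicalization, computes bh=, and recomputes it from a received message the way the "verify" step does before it spends a DNS lookup and an RSA operation on the b= signature. Messages are constructed; the b= value is left empty since the public-key step is out of scope here.

```python
# Added example (not amavisd's code): RFC 4871 body canonicalization and the
# bh= body hash, plus the verifier-side recomputation. Sample bodies and the
# DKIM-Signature header are constructed; b= is intentionally empty.

import base64
import hashlib
import re


def _lines(body: bytes):
    # CRLF is the canonical line ending; a bare LF is tolerated and treated alike
    return body.replace(b"\r\n", b"\n").split(b"\n")


def canon_body_simple(body: bytes) -> bytes:
    """RFC 4871 3.4.3: drop trailing empty lines, end with exactly one CRLF
    (an empty body canonicalizes to a single CRLF)."""
    lines = _lines(body)
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 4871 3.4.4: additionally strip trailing WSP on each line and
    collapse runs of WSP to one SP, so whitespace-mangling relays do not
    break the hash."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in _lines(body)]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, canon: str = "relaxed", length=None) -> str:
    """bh= tag value: base64(SHA-256(canonicalized body[:l]))."""
    data = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    if length is not None:
        data = data[:length]   # l= tag: octets beyond it are NOT covered by the signature
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_message(body: bytes, canon: str = "relaxed", length=None) -> bytes:
    """Constructed message with a DKIM-Signature header carrying the tags
    needed here; b= (the RSA signature over the headers) is left empty."""
    tags = ["v=1", "a=rsa-sha256", f"c=relaxed/{canon}", "d=example.com", "s=sel",
            "h=from:to:subject", f"bh={body_hash(body, canon, length)}"]
    if length is not None:
        tags.append(f"l={length}")
    sig = "; ".join(tags) + "; b="
    head = ("From: alice@example.com\r\nTo: bob@example.org\r\nSubject: dkim test\r\n"
            f"DKIM-Signature: {sig}\r\n")
    return head.encode() + b"\r\n" + body


def dkim_tags(value: str) -> dict:
    """tag=value list of a DKIM-Signature; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def verify_body_hash(raw: bytes) -> bool:
    """What a verifier does before checking b=: recompute bh= from the body
    it actually received and compare it with the signed value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    head = re.sub(rb"\r\n[ \t]+", b" ", head)          # unfold header lines
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"dkim-signature":
            tags = dkim_tags(value.decode())
            c = tags.get("c", "simple")
            body_canon = c.split("/")[1] if "/" in c else "simple"
            length = int(tags["l"]) if "l" in tags else None
            return body_hash(body, body_canon, length) == tags.get("bh")
    return False


if __name__ == "__main__":
    msg = build_message(b"Hello,  world \r\nsecond line\r\n")
    print(msg.decode())
    print("body hash ok:", verify_body_hash(msg))
```

Two details worth seeing in the output: relaxed canonicalization is what lets a signature survive relays that re-wrap whitespace, while a simple-canonicalized signature breaks on the same change; and the l= body-length tag makes anything appended after l octets invisible to the verifier, which is why signing with l= is a bad idea.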
Postfix IPv6 + SPF (sender policy framework)
Even though spammers may not have thought of forging mail from this domain yet, I'm publishing an SPF TXT record in DNS:
# dig txt ipv6.kutukupret.com +short
"v=spf1 ip6:2001:470:19:13c::2 -all"
I don't even know who is going to validate my SPF record anyway 😀 But for curiosity's sake I am continuing to set up SPF on my IPv6 Postfix SMTP server. First I need to publish the SPF record:
ipv6.kutukupret.com. 86400 IN SPF "v=spf1 ip6:2001:470:19:13c::2 -all"
(The dedicated SPF resource record type used on this line was later deprecated by RFC 7208; the TXT record above is the one that counts.)
For the scanner I am using postfix-policyd-spf-perl, which can be downloaded from http://www.openspf.org/Software. The following Perl version and packages are required to run postfix-policyd-spf-perl:
- Perl 5.6
- NetAddr-IP 4
- Mail-SPF (not Mail-SPF-Query)
- perl-Net-DNS >= 0.65
- perl-Net-IP >= 1.25
Test the postfix-policyd-spf-perl script by hand, feeding it a policy request on standard input, and make sure it works with an IPv6 client address:
# ./postfix-policyd-spf-perl
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
helo_name=mx.ipv6.kutukupret.com
queue_id=
instance=71b0.45e2f5f1.d4da1.0
sender=henet@ipv6.kutukupret.com
recipient=hari.h@ipv6.kutukupret.com
client_address=2001:470:19:13c::2
client_name=another.domain.tld

action=PREPEND Received-SPF: pass (ipv6.kutukupret.com: 2001:470:19:13c::2 is authorized to use 'henet@ipv6.kutukupret.com' in 'mfrom' identity (mechanism 'ip6:2001:470:19:13C::2' matched)) receiver=unknown; identity=mailfrom; envelope-from="henet@ipv6.kutukupret.com"; helo=mx.ipv6.kutukupret.com; client-ip="2001:470:19:13c::2"
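The following is an added example, not postfix-policyd-spf-perl itself: the two halves of what that policy daemon does for the RCPT request above. First, parse Postfix's policy-delegation request (one name=value per line, ended by an empty line); second, evaluate the sender domain's SPF record against client_address. DNS is stubbed with the record published above, the request text is reconstructed from the post, only the ip4, ip6 and all mechanisms are implemented, and the PREPEND/550 mapping of results is this example's choice rather than the daemon's.

```python
# Added example, not postfix-policyd-spf-perl: parse a Postfix policy
# request and evaluate SPF (ip4/ip6/all mechanisms only) for it. DNS is
# stubbed with the record the post publishes; the request is reconstructed
# from the post; the action mapping is this example's own choice.

import ipaddress

# Constructed DNS stub: sender domain -> SPF record.
SPF_RECORDS = {"ipv6.kutukupret.com": "v=spf1 ip6:2001:470:19:13c::2 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Reconstructed from the request in the post; Postfix sends it on the
# policy socket followed by an empty line.
SAMPLE_REQUEST = """\
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
helo_name=mx.ipv6.kutukupret.com
queue_id=
instance=71b0.45e2f5f1.d4da1.0
sender=henet@ipv6.kutukupret.com
recipient=hari.h@ipv6.kutukupret.com
client_address=2001:470:19:13c::2
client_name=another.domain.tld

"""


def parse_policy_request(text):
    """SMTPD_POLICY_README request format: name=value lines up to a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def check_spf(record, client_ip):
    """Return (result, matched term). Comparison is on parsed addresses, so
    the record's 2001:470:19:13c::2 also matches 2001:470:19:13C::2."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None
    for term in terms[1:]:
        qual, mech = "+", term
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual], term
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", term
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual], term
            continue
        return "permerror", term   # include, a, mx, ... not implemented here
    return "neutral", None         # nothing matched and no 'all' term


def policy_response(attrs, records=SPF_RECORDS):
    """Build the action= line; on the wire Postfix expects it followed by an
    empty line."""
    sender = attrs.get("sender", "")
    client = attrs["client_address"]
    domain = sender.rpartition("@")[2].lower()
    record = records.get(domain)
    if record is None:
        return "action=DUNNO"   # no SPF policy: leave it to the other restrictions
    result, term = check_spf(record, client)
    if result == "fail":
        return f"action=550 {domain}: {client} is not authorized to send mail as {sender}"
    detail = f" (mechanism '{term}' matched)" if term else ""
    return (f"action=PREPEND Received-SPF: {result} ({domain}: {client}{detail})"
            f" identity=mailfrom; envelope-from=\"{sender}\";"
            f" helo={attrs.get('helo_name', '')}; client-ip=\"{client}\"")


if __name__ == "__main__":
    print(policy_response(parse_policy_request(SAMPLE_REQUEST)))
```

The address-level comparison is the IPv6-specific point: the published record and the client address may differ in case and in zero compression, and a textual match would fail where an SPF pass is correct. Rejecting on fail with a 5xx is only safe once the record really lists every sending address, including any rotated ones.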