public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-user] clamav and spamassassin
@ 2011-12-03 19:52 Grant
  2011-12-03 22:54 ` Michael Orlitzky
  0 siblings, 1 reply; 37+ messages in thread
From: Grant @ 2011-12-03 19:52 UTC (permalink / raw
  To: Gentoo mailing list

I haven't set up any antivirus measures on my Gentoo systems so I
think I should.  Is clamav run as a scheduled filesystem scanner on
each system and as an email scanner on the mail server all that's
necessary?

I'm currently greylisting email to prevent spam from getting through.
It catches a lot, but more and more gets through.  I'm not using any
mailfilters now and If I set up a clamav mailfilter I think I may as
well set up a spamassassin mailfilter to take the place of
greylisting.  Is this the best guide for clamav and spamassassin:

http://www.gentoo.org/doc/en/mailfilter-guide.xml

Could I run into any problems with clamav or spamassassin that might
make we wish I hadn't implemented them?

- Grant



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-03 19:52 [gentoo-user] clamav and spamassassin Grant
@ 2011-12-03 22:54 ` Michael Orlitzky
  2011-12-04  0:59   ` Grant
  2011-12-04  1:59   ` Pandu Poluan
  0 siblings, 2 replies; 37+ messages in thread
From: Michael Orlitzky @ 2011-12-03 22:54 UTC (permalink / raw
  To: gentoo-user

On 12/03/2011 02:52 PM, Grant wrote:
> I haven't set up any antivirus measures on my Gentoo systems so I
> think I should.  Is clamav run as a scheduled filesystem scanner on
> each system and as an email scanner on the mail server all that's
> necessary?

Nobody (as far as I know?) scans linux filesystems unless there's a 
legal requirement or the files might wind up on a Windows box.


> I'm currently greylisting email to prevent spam from getting through.
> It catches a lot, but more and more gets through.  I'm not using any
> mailfilters now and If I set up a clamav mailfilter I think I may as
> well set up a spamassassin mailfilter to take the place of
> greylisting.  Is this the best guide for clamav and spamassassin:

SpamAssassin shouldn't take the place of greylisting; they reject 
different stuff. Keep the greylisting unless the delays bother you, but 
use postscreen to do it (see below).


> http://www.gentoo.org/doc/en/mailfilter-guide.xml
>
> Could I run into any problems with clamav or spamassassin that might
> make we wish I hadn't implemented them?

Yeah. The first is false positives. The second, related problem is that 
you'll have to manage a quarantine unless you stick amavisd-new in front 
of the postfix queue.

It's in that respect that the tutorial is outdated; otherwise, it looks 
good (I just skimmed it).

There is great benefit to the before-queue setup: mail will never 
disappear. Senders either get a rejection, or the mail is delivered. 
With the after-queue setup, you can no longer reject or else you'll be 
backscattering. So, you either deliver the spam, or you quarantine it 
(very bad if it's a false positive).

The downside is that you use more resources: one amavisd-new per 
connection. However, the addition of postscreen to postfix has largely 
ameliorated this. Since postscreen rejects most of the junk, amavis only 
gets started for smtpd sessions that are likely to succeed.

The easiest way to migrate is through incremental improvement. We used 
to use a system like the one in that guide. I enabled postscreen over 
the course of a week, and retired postgrey, which we had been using for 
greylisting. Once that was working properly, I simply dropped the 
content_filter in favor of smtpd_proxy_filter to move amavis in front of 
the queue.



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-03 22:54 ` Michael Orlitzky
@ 2011-12-04  0:59   ` Grant
  2011-12-04  1:35     ` Michael Orlitzky
  2011-12-04  1:59   ` Pandu Poluan
  1 sibling, 1 reply; 37+ messages in thread
From: Grant @ 2011-12-04  0:59 UTC (permalink / raw
  To: gentoo-user

>> I haven't set up any antivirus measures on my Gentoo systems so I
>> think I should.  Is clamav run as a scheduled filesystem scanner on
>> each system and as an email scanner on the mail server all that's
>> necessary?
>
>
> Nobody (as far as I know?) scans linux filesystems unless there's a legal
> requirement or the files might wind up on a Windows box.

Very cool.  I found out clamscan and avgfree scan the filesystem so I
thought I should set it up, but if it's not necessary I won't bother.
All of my mail users are on Gentoo so do I need to bother having
clamav scan my incoming mail?

>> I'm currently greylisting email to prevent spam from getting through.
>> It catches a lot, but more and more gets through.  I'm not using any
>> mailfilters now and If I set up a clamav mailfilter I think I may as
>> well set up a spamassassin mailfilter to take the place of
>> greylisting.  Is this the best guide for clamav and spamassassin:
>
>
> SpamAssassin shouldn't take the place of greylisting; they reject different
> stuff. Keep the greylisting unless the delays bother you, but use postscreen
> to do it (see below).

I just did some reading on postscreen but it doesn't sound like a
greylister.  Should I use postscreen in addition to postgrey, or are
they substitutes for each other?

>> http://www.gentoo.org/doc/en/mailfilter-guide.xml
>>
>> Could I run into any problems with clamav or spamassassin that might
>> make we wish I hadn't implemented them?
>
>
> Yeah. The first is false positives. The second, related problem is that
> you'll have to manage a quarantine unless you stick amavisd-new in front of
> the postfix queue.

Now that sounds like a hassle.  Greylisting leaves me with about 50/50
spam/legit mail and maybe incorporating postscreen I'll do even
better.  Deleting spam in my inbox might be easier than dealing with
false positives and managing a quarantine.

- Grant


> It's in that respect that the tutorial is outdated; otherwise, it looks good
> (I just skimmed it).
>
> There is great benefit to the before-queue setup: mail will never disappear.
> Senders either get a rejection, or the mail is delivered. With the
> after-queue setup, you can no longer reject or else you'll be
> backscattering. So, you either deliver the spam, or you quarantine it (very
> bad if it's a false positive).
>
> The downside is that you use more resources: one amavisd-new per connection.
> However, the addition of postscreen to postfix has largely ameliorated this.
> Since postscreen rejects most of the junk, amavis only gets started for
> smtpd sessions that are likely to succeed.
>
> The easiest way to migrate is through incremental improvement. We used to
> use a system like the one in that guide. I enabled postscreen over the
> course of a week, and retired postgrey, which we had been using for
> greylisting. Once that was working properly, I simply dropped the
> content_filter in favor of smtpd_proxy_filter to move amavis in front of the
> queue.



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-04  0:59   ` Grant
@ 2011-12-04  1:35     ` Michael Orlitzky
  2011-12-04  1:57       ` Grant
  0 siblings, 1 reply; 37+ messages in thread
From: Michael Orlitzky @ 2011-12-04  1:35 UTC (permalink / raw
  To: gentoo-user

On 12/03/2011 07:59 PM, Grant wrote:
>>> I haven't set up any antivirus measures on my Gentoo systems so I
>>> think I should.  Is clamav run as a scheduled filesystem scanner on
>>> each system and as an email scanner on the mail server all that's
>>> necessary?
>>
>>
>> Nobody (as far as I know?) scans linux filesystems unless there's a legal
>> requirement or the files might wind up on a Windows box.
>
> Very cool.  I found out clamscan and avgfree scan the filesystem so I
> thought I should set it up, but if it's not necessary I won't bother.
> All of my mail users are on Gentoo so do I need to bother having
> clamav scan my incoming mail?

Well, they aren't going to get infected with anything, but ClamAV could 
still keep the virus message (which is obviously unwanted) out of their 
inbox. There are also some third-party signatures[1] for ClamAV that 
catch scam/phishing mail.


>>> I'm currently greylisting email to prevent spam from getting through.
>>> It catches a lot, but more and more gets through.  I'm not using any
>>> mailfilters now and If I set up a clamav mailfilter I think I may as
>>> well set up a spamassassin mailfilter to take the place of
>>> greylisting.  Is this the best guide for clamav and spamassassin:
>>
>>
>> SpamAssassin shouldn't take the place of greylisting; they reject different
>> stuff. Keep the greylisting unless the delays bother you, but use postscreen
>> to do it (see below).
>
> I just did some reading on postscreen but it doesn't sound like a
> greylister.  Should I use postscreen in addition to postgrey, or are
> they substitutes for each other?
>

Postscreen isn't a greylist daemon per se, but it has the same effect if 
you enable the "deep protocol" tests. Once it gets past the initial 
greeting (into the "deep" stages), postscreen can no longer hand off the 
session to a real smtpd. So, even if the client passes all of the tests, 
postscreen will send it a "4xx try again." That's essentially greylisting.

Postscreen, like Postgrey, keeps a database of good clients, so you 
shouldn't lose any functionality there. This is what makes the 
aforementioned 4xx strategy work: when the client reconnects, it 
bypasses postscreen entirely and goes to a real smtpd.

I would make the switch when you have some free time. Postscreen is part 
of postfix, so it removes one dependency from your mail system. It also 
adds a couple of nice anti-spam features for free. And, if you ever 
decide to implement Amavis, postscreen makes the before-queue setup viable.


>>> http://www.gentoo.org/doc/en/mailfilter-guide.xml
>>>
>>> Could I run into any problems with clamav or spamassassin that might
>>> make we wish I hadn't implemented them?
>>
>>
>> Yeah. The first is false positives. The second, related problem is that
>> you'll have to manage a quarantine unless you stick amavisd-new in front of
>> the postfix queue.
>
> Now that sounds like a hassle.  Greylisting leaves me with about 50/50
> spam/legit mail and maybe incorporating postscreen I'll do even
> better.  Deleting spam in my inbox might be easier than dealing with
> false positives and managing a quarantine.

You should be able to do a lot better than that with just postscreen and 
postfix. If you try to implement postscreen, post your main.cf over on 
postfix-users for review. The built-in restrictions combined with a few 
RBLs should get you well below 50/50.

Plus, if you still get too much spam, you'll already have postscreen in 
place and that will make adding amavisd-new that much easier.


[1] http://www.sanesecurity.com/



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-04  1:35     ` Michael Orlitzky
@ 2011-12-04  1:57       ` Grant
  2011-12-04  2:10         ` Michael Orlitzky
  0 siblings, 1 reply; 37+ messages in thread
From: Grant @ 2011-12-04  1:57 UTC (permalink / raw
  To: gentoo-user

>> Very cool.  I found out clamscan and avgfree scan the filesystem so I
>> thought I should set it up, but if it's not necessary I won't bother.
>> All of my mail users are on Gentoo so do I need to bother having
>> clamav scan my incoming mail?
>
>
> Well, they aren't going to get infected with anything, but ClamAV could
> still keep the virus message (which is obviously unwanted) out of their
> inbox. There are also some third-party signatures[1] for ClamAV that catch
> scam/phishing mail.

There is info on Linux viruses here:

http://en.wikipedia.org/wiki/Linux_malware

I shouldn't be concerned about that?

>> I just did some reading on postscreen but it doesn't sound like a
>> greylister.  Should I use postscreen in addition to postgrey, or are
>> they substitutes for each other?
>>
>
> Postscreen isn't a greylist daemon per se, but it has the same effect if you
> enable the "deep protocol" tests. Once it gets past the initial greeting
> (into the "deep" stages), postscreen can no longer hand off the session to a
> real smtpd. So, even if the client passes all of the tests, postscreen will
> send it a "4xx try again." That's essentially greylisting.

Got it.  Sounds like postscreen is the successor to postgrey.  I will
set that up ASAP.

Thanks,
Grant



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-03 22:54 ` Michael Orlitzky
  2011-12-04  0:59   ` Grant
@ 2011-12-04  1:59   ` Pandu Poluan
  2011-12-04  2:17     ` Michael Orlitzky
  1 sibling, 1 reply; 37+ messages in thread
From: Pandu Poluan @ 2011-12-04  1:59 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 2682 bytes --]

On Dec 4, 2011 5:58 AM, "Michael Orlitzky" <michael@orlitzky.com> wrote:
>
> On 12/03/2011 02:52 PM, Grant wrote:
>>
>> I haven't set up any antivirus measures on my Gentoo systems so I
>> think I should.  Is clamav run as a scheduled filesystem scanner on
>> each system and as an email scanner on the mail server all that's
>> necessary?
>
>
> Nobody (as far as I know?) scans linux filesystems unless there's a legal
requirement or the files might wind up on a Windows box.
>
>
>
>> I'm currently greylisting email to prevent spam from getting through.
>> It catches a lot, but more and more gets through.  I'm not using any
>> mailfilters now and If I set up a clamav mailfilter I think I may as
>> well set up a spamassassin mailfilter to take the place of
>> greylisting.  Is this the best guide for clamav and spamassassin:
>
>
> SpamAssassin shouldn't take the place of greylisting; they reject
different stuff. Keep the greylisting unless the delays bother you, but use
postscreen to do it (see below).
>
>
>
>> http://www.gentoo.org/doc/en/mailfilter-guide.xml
>>
>> Could I run into any problems with clamav or spamassassin that might
>> make we wish I hadn't implemented them?
>
>
> Yeah. The first is false positives. The second, related problem is that
you'll have to manage a quarantine unless you stick amavisd-new in front of
the postfix queue.
>
> It's in that respect that the tutorial is outdated; otherwise, it looks
good (I just skimmed it).
>
> There is great benefit to the before-queue setup: mail will never
disappear. Senders either get a rejection, or the mail is delivered. With
the after-queue setup, you can no longer reject or else you'll be
backscattering. So, you either deliver the spam, or you quarantine it (very
bad if it's a false positive).
>
> The downside is that you use more resources: one amavisd-new per
connection. However, the addition of postscreen to postfix has largely
ameliorated this. Since postscreen rejects most of the junk, amavis only
gets started for smtpd sessions that are likely to succeed.
>
> The easiest way to migrate is through incremental improvement. We used to
use a system like the one in that guide. I enabled postscreen over the
course of a week, and retired postgrey, which we had been using for
greylisting. Once that was working properly, I simply dropped the
content_filter in favor of smtpd_proxy_filter to move amavis in front of
the queue.
>

This is new information to me. If you're subscribed to Gentoo-server,
you'll know that I am in the process of setting up a mailfiltering gateway
for my company.

Any resources on this "postscreen" facility? sounds like a very nice thing
to implement.

Rgds,

[-- Attachment #2: Type: text/html, Size: 3281 bytes --]

^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-04  1:57       ` Grant
@ 2011-12-04  2:10         ` Michael Orlitzky
  0 siblings, 0 replies; 37+ messages in thread
From: Michael Orlitzky @ 2011-12-04  2:10 UTC (permalink / raw
  To: gentoo-user

On 12/03/2011 08:57 PM, Grant wrote:
>>> Very cool.  I found out clamscan and avgfree scan the filesystem so I
>>> thought I should set it up, but if it's not necessary I won't bother.
>>> All of my mail users are on Gentoo so do I need to bother having
>>> clamav scan my incoming mail?
>>
>>
>> Well, they aren't going to get infected with anything, but ClamAV could
>> still keep the virus message (which is obviously unwanted) out of their
>> inbox. There are also some third-party signatures[1] for ClamAV that catch
>> scam/phishing mail.
>
> There is info on Linux viruses here:
>
> http://en.wikipedia.org/wiki/Linux_malware
>
> I shouldn't be concerned about that?
>

The "big" risk (although still negligible) is that someone will mail 
your users an executable that does something bad. But, you would have to 
save it under /home, chmod +x it, and then run it manually for it to be 
dangerous.

If you use portage to install packages, you should not ever need to 
chmod +x anything. It's a big red flag and normal users don't even need 
to know how to do it.

Mount /home noexec for extra safety.

Note that antivirus wouldn't help anyway if your users are going to do 
whatever the email says without question =)



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-04  1:59   ` Pandu Poluan
@ 2011-12-04  2:17     ` Michael Orlitzky
  2011-12-04  2:48       ` Pandu Poluan
  2011-12-06  0:15       ` Grant
  0 siblings, 2 replies; 37+ messages in thread
From: Michael Orlitzky @ 2011-12-04  2:17 UTC (permalink / raw
  To: gentoo-user

On 12/03/2011 08:59 PM, Pandu Poluan wrote:
>
>
> This is new information to me. If you're subscribed to Gentoo-server,
> you'll know that I am in the process of setting up a mailfiltering
> gateway for my company.
>
> Any resources on this "postscreen" facility? sounds like a very nice
> thing to implement.
>
> Rgds,
>

Postscreen is just part of Postfix; it's a separate daemon added in the 
latest version.

This is the official README:

   http://www.postfix.org/POSTSCREEN_README.html

and the configuration parameters are documented in the usual place:

   http://www.postfix.org/postconf.5.html


Here's the entirety of my main.cf postscreen section for reference. I've 
deemed these safe, but you shouldn't enable them without reading what 
they do!


#
# Postscreen settings
#

postscreen_greet_action = enforce

postscreen_dnsbl_sites =
         psbl.surriel.com,
         bl.spamcop.net,
         zen.spamhaus.org,
         b.barracudacentral.org

postscreen_dnsbl_threshold = 1
postscreen_dnsbl_action = enforce


##
## Deep protocol tests
##

postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce

postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce

postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-04  2:17     ` Michael Orlitzky
@ 2011-12-04  2:48       ` Pandu Poluan
  2011-12-04  3:06         ` Michael Orlitzky
  2011-12-06  0:15       ` Grant
  1 sibling, 1 reply; 37+ messages in thread
From: Pandu Poluan @ 2011-12-04  2:48 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 1609 bytes --]

On Dec 4, 2011 9:21 AM, "Michael Orlitzky" <michael@orlitzky.com> wrote:
>
> On 12/03/2011 08:59 PM, Pandu Poluan wrote:
>>
>>
>>
>> This is new information to me. If you're subscribed to Gentoo-server,
>> you'll know that I am in the process of setting up a mailfiltering
>> gateway for my company.
>>
>> Any resources on this "postscreen" facility? sounds like a very nice
>> thing to implement.
>>
>> Rgds,
>>
>
> Postscreen is just part of Postfix; it's a separate daemon added in the
latest version.
>
> This is the official README:
>
>  http://www.postfix.org/POSTSCREEN_README.html
>
> and the configuration parameters are documented in the usual place:
>
>  http://www.postfix.org/postconf.5.html
>
>
> Here's the entirety of my main.cf postscreen section for reference. I've
deemed these safe, but you shouldn't enable them without reading what they
do!
>
>
> #
> # Postscreen settings
> #
>
> postscreen_greet_action = enforce
>
> postscreen_dnsbl_sites =
>        psbl.surriel.com,
>        bl.spamcop.net,
>        zen.spamhaus.org,
>        b.barracudacentral.org
>
> postscreen_dnsbl_threshold = 1
> postscreen_dnsbl_action = enforce
>
>
> ##
> ## Deep protocol tests
> ##
>
> postscreen_pipelining_enable = yes
> postscreen_pipelining_action = enforce
>
> postscreen_non_smtp_command_enable = yes
> postscreen_non_smtp_command_action = enforce
>
> postscreen_bare_newline_enable = yes
> postscreen_bare_newline_action = enforce
>

Thanks! Very helpful resources.

You mentioned amavisd-new. What's their relationship? I mean, if I deploy
postscreen, how will it affect amavisd-new?

TIA

Rgds,

[-- Attachment #2: Type: text/html, Size: 2572 bytes --]

^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-04  2:48       ` Pandu Poluan
@ 2011-12-04  3:06         ` Michael Orlitzky
  2011-12-04  8:27           ` Pandu Poluan
  0 siblings, 1 reply; 37+ messages in thread
From: Michael Orlitzky @ 2011-12-04  3:06 UTC (permalink / raw
  To: gentoo-user

On 12/03/2011 09:48 PM, Pandu Poluan wrote:
>
>
> Thanks! Very helpful resources.
>
> You mentioned amavisd-new. What's their relationship? I mean, if I
> deploy postscreen, how will it affect amavisd-new?
>

Postscreen sits in front of smtpd, and handles all incoming connections. 
It hands the "good" connections off to the real smtpd daemon. 
Amavisd-new (in both before/after-queue configurations) interacts with 
the real smtpd, so postscreen doesn't directly affect it at all.

What was I talking about?

With amavisd-new, a before-queue filter is generally nicer, because you 
can reject spam, notifying the sender, rather than discarding it or 
backscattering. But, amavisd-new is a hog, and with a before-queue 
filter, an amavis process gets used every time ANY connection is made. 
Since 95% of your connections will be crap (that is a technical term), 
you waste tons of resources creating/killing amavisd-new processes for 
botnets and other scum that will be rejected quickly.

On a busy server, it will kill you.

Postscreen only passes the "good" connections to a real smtpd, so with 
postscreen running, new amavis processes only get used for those good 
connections. If postscreen can get reject 90% of the incoming 
connections, you'll use an order of magnitude less resources doing 
before-queue filtering than you would without postscreen.

So, in essence, postscreen is what allows you to run the before-queue 
filter with comparable resources to the after-queue filter.



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-04  3:06         ` Michael Orlitzky
@ 2011-12-04  8:27           ` Pandu Poluan
  0 siblings, 0 replies; 37+ messages in thread
From: Pandu Poluan @ 2011-12-04  8:27 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 1694 bytes --]

On Dec 4, 2011 10:10 AM, "Michael Orlitzky" <michael@orlitzky.com> wrote:
>
> On 12/03/2011 09:48 PM, Pandu Poluan wrote:
>>
>>
>>
>> Thanks! Very helpful resources.
>>
>> You mentioned amavisd-new. What's their relationship? I mean, if I
>> deploy postscreen, how will it affect amavisd-new?
>>
>
> Postscreen sits in front of smtpd, and handles all incoming connections.
It hands the "good" connections off to the real smtpd daemon. Amavisd-new
(in both before/after-queue configurations) interacts with the real smtpd,
so postscreen doesn't directly affect it at all.
>
> What was I talking about?
>
> With amavisd-new, a before-queue filter is generally nicer, because you
can reject spam, notifying the sender, rather than discarding it or
backscattering. But, amavisd-new is a hog, and with a before-queue filter,
an amavis process gets used every time ANY connection is made. Since 95% of
your connections will be crap (that is a technical term), you waste tons of
resources creating/killing amavisd-new processes for botnets and other scum
that will be rejected quickly.
>
> On a busy server, it will kill you.
>
> Postscreen only passes the "good" connections to a real smtpd, so with
postscreen running, new amavis processes only get used for those good
connections. If postscreen can get reject 90% of the incoming connections,
you'll use an order of magnitude less resources doing before-queue
filtering than you would without postscreen.
>
> So, in essence, postscreen is what allows you to run the before-queue
filter with comparable resources to the after-queue filter.
>

Thanks for all the information. You really should write a wiki.g.o article
about the new setup :-)

Rgds,

[-- Attachment #2: Type: text/html, Size: 2034 bytes --]

^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-04  2:17     ` Michael Orlitzky
  2011-12-04  2:48       ` Pandu Poluan
@ 2011-12-06  0:15       ` Grant
  2011-12-06  0:45         ` Pandu Poluan
  1 sibling, 1 reply; 37+ messages in thread
From: Grant @ 2011-12-06  0:15 UTC (permalink / raw
  To: gentoo-user

> Here's the entirety of my main.cf postscreen section for reference. I've
> deemed these safe, but you shouldn't enable them without reading what they
> do!
>
>
> #
> # Postscreen settings
> #
>
> postscreen_greet_action = enforce
>
> postscreen_dnsbl_sites =
>        psbl.surriel.com,
>        bl.spamcop.net,
>        zen.spamhaus.org,
>        b.barracudacentral.org
>
> postscreen_dnsbl_threshold = 1
> postscreen_dnsbl_action = enforce
>
>
> ##
> ## Deep protocol tests
> ##
>
> postscreen_pipelining_enable = yes
> postscreen_pipelining_action = enforce
>
> postscreen_non_smtp_command_enable = yes
> postscreen_non_smtp_command_action = enforce
>
> postscreen_bare_newline_enable = yes
> postscreen_bare_newline_action = enforce

I've looked up each of those parameters and they sound fine to me.
How long have you been running them?  Have you been notified of any
mistakenly rejected mail?  It's very important my server doesn't miss
any mail, even if it means dealing with more spam.

- Grant



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-06  0:15       ` Grant
@ 2011-12-06  0:45         ` Pandu Poluan
  2011-12-06  0:52           ` Michael Orlitzky
  0 siblings, 1 reply; 37+ messages in thread
From: Pandu Poluan @ 2011-12-06  0:45 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 1461 bytes --]

On Dec 6, 2011 7:19 AM, "Grant" <emailgrant@gmail.com> wrote:
>
> > Here's the entirety of my main.cf postscreen section for reference. I've
> > deemed these safe, but you shouldn't enable them without reading what
they
> > do!
> >
> >
> > #
> > # Postscreen settings
> > #
> >
> > postscreen_greet_action = enforce
> >
> > postscreen_dnsbl_sites =
> >        psbl.surriel.com,
> >        bl.spamcop.net,
> >        zen.spamhaus.org,
> >        b.barracudacentral.org
> >
> > postscreen_dnsbl_threshold = 1
> > postscreen_dnsbl_action = enforce
> >
> >
> > ##
> > ## Deep protocol tests
> > ##
> >
> > postscreen_pipelining_enable = yes
> > postscreen_pipelining_action = enforce
> >
> > postscreen_non_smtp_command_enable = yes
> > postscreen_non_smtp_command_action = enforce
> >
> > postscreen_bare_newline_enable = yes
> > postscreen_bare_newline_action = enforce
>
> I've looked up each of those parameters and they sound fine to me.
> How long have you been running them?  Have you been notified of any
> mistakenly rejected mail?  It's very important my server doesn't miss
> any mail, even if it means dealing with more spam.
>

Similar situation with me. Because my company is in the financial sector,
false negatives are much more preferred than false positives.

(Although I can always weasel my way out of any problems caused by slight
configuration mistakes, I prefer not having to put myself into a situation
where weasel-ing is needed :-)

Rgds,

[-- Attachment #2: Type: text/html, Size: 2207 bytes --]

^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-06  0:45         ` Pandu Poluan
@ 2011-12-06  0:52           ` Michael Orlitzky
  2011-12-06  1:01             ` Pandu Poluan
  2011-12-06  3:24             ` Grant
  0 siblings, 2 replies; 37+ messages in thread
From: Michael Orlitzky @ 2011-12-06  0:52 UTC (permalink / raw
  To: gentoo-user

On 12/05/2011 07:45 PM, Pandu Poluan wrote:
>
>  >
>  > I've looked up each of those parameters and they sound fine to me.
>  > How long have you been running them?  Have you been notified of any
>  > mistakenly rejected mail?  It's very important my server doesn't miss
>  > any mail, even if it means dealing with more spam.
>  >
>
> Similar situation with me. Because my company is in the financial
> sector, false negatives are much more preferred than false positives.
>

I have never had a false positive report that I traced back to one of 
the postscreen deep protocol tests.

That being said, they've only been in place for ~4 months.



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-06  0:52           ` Michael Orlitzky
@ 2011-12-06  1:01             ` Pandu Poluan
  2011-12-06  1:14               ` Michael Orlitzky
  2011-12-06  3:24             ` Grant
  1 sibling, 1 reply; 37+ messages in thread
From: Pandu Poluan @ 2011-12-06  1:01 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 829 bytes --]

On Dec 6, 2011 7:58 AM, "Michael Orlitzky" <michael@orlitzky.com> wrote:
>
> On 12/05/2011 07:45 PM, Pandu Poluan wrote:
>>
>>
>>  >
>>  > I've looked up each of those parameters and they sound fine to me.
>>  > How long have you been running them?  Have you been notified of any
>>  > mistakenly rejected mail?  It's very important my server doesn't miss
>>  > any mail, even if it means dealing with more spam.
>>  >
>>
>> Similar situation with me. Because my company is in the financial
>> sector, false negatives are much more preferred than false positives.
>>
>
> I have never had a false positive report that I traced back to one of the
postscreen deep protocol tests.
>
> That being said, they've only been in place for ~4 months.
>

Four months without a false positive? Good enough for me. Where do I sign?
:-)

Rgds,

[-- Attachment #2: Type: text/html, Size: 1152 bytes --]

^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-06  1:01             ` Pandu Poluan
@ 2011-12-06  1:14               ` Michael Orlitzky
  0 siblings, 0 replies; 37+ messages in thread
From: Michael Orlitzky @ 2011-12-06  1:14 UTC (permalink / raw
  To: gentoo-user

On 12/05/2011 08:01 PM, Pandu Poluan wrote:
>
>
> Four months without a false positive? Good enough for me. Where do I
> sign? :-)
>

main.cf

=)




^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-06  0:52           ` Michael Orlitzky
  2011-12-06  1:01             ` Pandu Poluan
@ 2011-12-06  3:24             ` Grant
  2011-12-06  4:43               ` Michael Orlitzky
  1 sibling, 1 reply; 37+ messages in thread
From: Grant @ 2011-12-06  3:24 UTC (permalink / raw
  To: gentoo-user

>>  > I've looked up each of those parameters and they sound fine to me.
>>  > How long have you been running them?  Have you been notified of any
>>  > mistakenly rejected mail?  It's very important my server doesn't miss
>>  > any mail, even if it means dealing with more spam.
>>  >
>>
>> Similar situation with me. Because my company is in the financial
>> sector, false negatives are much more preferred than false positives.
>>
>
> I have never had a false positive report that I traced back to one of the
> postscreen deep protocol tests.
>
> That being said, they've only been in place for ~4 months.

What about trouble with the DNSBL lists?  I know when I changed my IP
address I had to work to get the new one removed from a few blacklists
it had previously been placed on.  I wasn't sending spam, but my
messages would have been blocked under that config if I hadn't done
the work to get the IP off the lists.

- Grant



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-06  3:24             ` Grant
@ 2011-12-06  4:43               ` Michael Orlitzky
  2011-12-06 16:32                 ` Grant
  0 siblings, 1 reply; 37+ messages in thread
From: Michael Orlitzky @ 2011-12-06  4:43 UTC (permalink / raw
  To: gentoo-user

On 12/05/2011 10:24 PM, Grant wrote:
>
> What about trouble with the DNSBL lists?  I know when I changed my IP
> address I had to work to get the new one removed from a few blacklists
> it had previously been placed on.  I wasn't sending spam, but my
> messages would have been blocked under that config if I hadn't done
> the work to get the IP off the lists.
>
> - Grant
>

We do get false positives from the blacklists on rare occasion, but 
they're the same ones we got before postscreen.

Before postscreen, we had,

   smtpd_recipient_restrictions =
	permit_mynetworks,
         ...
         reject_rbl_client psbl.surriel.com,
  	reject_rbl_client bl.spamcop.net,
  	reject_rbl_client zen.spamhaus.org,
         reject_rbl_client b.barracudacentral.org,
  	permit

After postscreen, we have,

   smtpd_recipient_restrictions =
	permit_mynetworks,
         ...
  	permit

   postscreen_dnsbl_sites =
         psbl.surriel.com,
         bl.spamcop.net,
         zen.spamhaus.org,
         b.barracudacentral.org

The two should be more or less equivalent considering that 
postscreen_dnsbl_threshold = 1. (I should mention that you have to 
register with barracuda before using their list.)



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-06  4:43               ` Michael Orlitzky
@ 2011-12-06 16:32                 ` Grant
  2011-12-06 17:11                   ` Michael Orlitzky
  0 siblings, 1 reply; 37+ messages in thread
From: Grant @ 2011-12-06 16:32 UTC (permalink / raw
  To: gentoo-user

>> What about trouble with the DNSBL lists?  I know when I changed my IP
>> address I had to work to get the new one removed from a few blacklists
>> it had previously been placed on.  I wasn't sending spam, but my
>> messages would have been blocked under that config if I hadn't done
>> the work to get the IP off the lists.
>>
>> - Grant
>>
>
> We do get false positives from the blacklists on rare occasion, but they're
> the same ones we got before postscreen.
>
> Before postscreen, we had,
>
>  smtpd_recipient_restrictions =
>        permit_mynetworks,
>        ...
>        reject_rbl_client psbl.surriel.com,
>        reject_rbl_client bl.spamcop.net,
>        reject_rbl_client zen.spamhaus.org,
>        reject_rbl_client b.barracudacentral.org,
>        permit
>
> After postscreen, we have,
>
>  smtpd_recipient_restrictions =
>        permit_mynetworks,
>        ...
>        permit
>
>
>  postscreen_dnsbl_sites =
>        psbl.surriel.com,
>        bl.spamcop.net,
>        zen.spamhaus.org,
>        b.barracudacentral.org
>
> The two should be more or less equivalent considering that
> postscreen_dnsbl_threshold = 1. (I should mention that you have to register
> with barracuda before using their list.)

Got it.  Your explanations are positively lucid.

I added this to /etc/postifx/main.cf:

postscreen_greet_action = enforce
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce

and I commented this and restarted postfix:

#check_policy_service inet:127.0.0.1:10030

Should this effectively disable postgrey and enable postscreen?

- Grant



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-06 16:32                 ` Grant
@ 2011-12-06 17:11                   ` Michael Orlitzky
  2011-12-06 19:17                     ` Paul Hartman
                                       ` (2 more replies)
  0 siblings, 3 replies; 37+ messages in thread
From: Michael Orlitzky @ 2011-12-06 17:11 UTC (permalink / raw
  To: gentoo-user

On 12/06/11 11:32, Grant wrote:
> 
> Got it.  Your explanations are positively lucid.
> 
> I added this to /etc/postifx/main.cf:
> 
> postscreen_greet_action = enforce
> postscreen_pipelining_enable = yes
> postscreen_pipelining_action = enforce
> postscreen_non_smtp_command_enable = yes
> postscreen_non_smtp_command_action = enforce
> postscreen_bare_newline_enable = yes
> postscreen_bare_newline_action = enforce
> 
> and I commented this and restarted postfix:
> 
> #check_policy_service inet:127.0.0.1:10030
> 
> Should this effectively disable postgrey and enable postscreen?
> 

That will disable postgrey, but isn't enough to enable postscreen. There
are a couple of daemons you have to enable in master.cf (steps 2 through 6):

  http://www.postfix.org/POSTSCREEN_README.html#enable

That README refers to lines that are commented-out in master.cf; of
course, if you've upgraded from an earlier of postfix, you won't have them.

What I did was to untar the latest postfix release under my home
directory, and find the master.cf that ships with it. Then, I
copy/pasted the lines mentioned in the README over to my real master.cf.

After a restart, you should see lines like this in your mail log:

  Dec  6 03:13:46 mx1 postfix/postscreen[2810]: CONNECT from ...

that let you know its' working.



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-06 17:11                   ` Michael Orlitzky
@ 2011-12-06 19:17                     ` Paul Hartman
  2011-12-07  0:16                       ` Pandu Poluan
  2011-12-06 21:34                     ` Grant
  2011-12-07  0:57                     ` Grant
  2 siblings, 1 reply; 37+ messages in thread
From: Paul Hartman @ 2011-12-06 19:17 UTC (permalink / raw
  To: gentoo-user

On Tue, Dec 6, 2011 at 11:11 AM, Michael Orlitzky <michael@orlitzky.com> wrote:
> On 12/06/11 11:32, Grant wrote:
>>
>> Got it.  Your explanations are positively lucid.
>>
>> I added this to /etc/postifx/main.cf:
>>
>> postscreen_greet_action = enforce
>> postscreen_pipelining_enable = yes
>> postscreen_pipelining_action = enforce
>> postscreen_non_smtp_command_enable = yes
>> postscreen_non_smtp_command_action = enforce
>> postscreen_bare_newline_enable = yes
>> postscreen_bare_newline_action = enforce
>>
>> and I commented this and restarted postfix:
>>
>> #check_policy_service inet:127.0.0.1:10030
>>
>> Should this effectively disable postgrey and enable postscreen?
>>
>
> That will disable postgrey, but isn't enough to enable postscreen. There
> are a couple of daemons you have to enable in master.cf (steps 2 through 6):
>
>  http://www.postfix.org/POSTSCREEN_README.html#enable
>
> That README refers to lines that are commented-out in master.cf; of
> course, if you've upgraded from an earlier of postfix, you won't have them.
>
> What I did was to untar the latest postfix release under my home
> directory, and find the master.cf that ships with it. Then, I
> copy/pasted the lines mentioned in the README over to my real master.cf.
>
> After a restart, you should see lines like this in your mail log:
>
>  Dec  6 03:13:46 mx1 postfix/postscreen[2810]: CONNECT from ...
>
> that let you know its' working.

Thanks for bringing up postscreen and the rest of your responses to
Grant in this thread, I wasn't aware of it either. None of the HOWTOs
I read ever mentioned it. :) I'm going to give it a try and see how it
goes.



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-06 17:11                   ` Michael Orlitzky
  2011-12-06 19:17                     ` Paul Hartman
@ 2011-12-06 21:34                     ` Grant
  2011-12-06 22:20                       ` Michael Orlitzky
  2011-12-07  0:57                     ` Grant
  2 siblings, 1 reply; 37+ messages in thread
From: Grant @ 2011-12-06 21:34 UTC (permalink / raw
  To: gentoo-user

>> Got it.  Your explanations are positively lucid.
>>
>> I added this to /etc/postifx/main.cf:
>>
>> postscreen_greet_action = enforce
>> postscreen_pipelining_enable = yes
>> postscreen_pipelining_action = enforce
>> postscreen_non_smtp_command_enable = yes
>> postscreen_non_smtp_command_action = enforce
>> postscreen_bare_newline_enable = yes
>> postscreen_bare_newline_action = enforce
>>
>> and I commented this and restarted postfix:
>>
>> #check_policy_service inet:127.0.0.1:10030
>>
>> Should this effectively disable postgrey and enable postscreen?
>>
>
> That will disable postgrey, but isn't enough to enable postscreen. There
> are a couple of daemons you have to enable in master.cf (steps 2 through 6):
>
>  http://www.postfix.org/POSTSCREEN_README.html#enable
>
> That README refers to lines that are commented-out in master.cf; of
> course, if you've upgraded from an earlier of postfix, you won't have them.
>
> What I did was to untar the latest postfix release under my home
> directory, and find the master.cf that ships with it. Then, I
> copy/pasted the lines mentioned in the README over to my real master.cf.
>
> After a restart, you should see lines like this in your mail log:
>
>  Dec  6 03:13:46 mx1 postfix/postscreen[2810]: CONNECT from ...
>
> that let you know its' working.

Do you know how smtps comes into play?  Right now I've got the
following uncommented in master.cf:

smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes

Should I write an smtpsd line or does tlsproxy make that unnecessary?

- Grant



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-06 21:34                     ` Grant
@ 2011-12-06 22:20                       ` Michael Orlitzky
  2011-12-07  1:02                         ` Grant
  2011-12-07  9:15                         ` Pandu Poluan
  0 siblings, 2 replies; 37+ messages in thread
From: Michael Orlitzky @ 2011-12-06 22:20 UTC (permalink / raw
  To: gentoo-user

On 12/06/2011 04:34 PM, Grant wrote:
>
> Do you know how smtps comes into play?  Right now I've got the
> following uncommented in master.cf:
>
> smtp      inet  n       -       n       -       -       smtpd
> smtps     inet  n       -       n       -       -       smtpd
>    -o smtpd_tls_wrappermode=yes
>
> Should I write an smtpsd line or does tlsproxy make that unnecessary?

SMTPS is deprecated. You probably don't need it at all, unless you do. 
Some older (Microsoft...) clients can't use anything else for encryption.

These days, the "proper" way to secure your users' connections is with 
TLS on the submission port, 587. You should also have a commented-out 
'submission' line in your master.cf; that's what it's for.

The idea is that you can force encryption on port 587, and have your 
users connect there instead of port 25. Then, the only restriction you 
need for those connections is that the username/password be correct. The 
rest of the mail comes in on port 25, unencrypted, as usual, and is 
subjected to your anti-spam checks.

If you're using either SMTPS or the submission service, you don't need 
to change them. Your users will continue to connect to port 465 (smtps) 
or 587 (submission), bypassing postscreen entirely.

If you're not using the submission service, i.e. both external and 
user-submitted mail come in on port 25, then you'll probably want to 
exempt your users from the postscreen restrictions:

   http://www.postfix.org/postconf.5.html#postscreen_access_list

but you should really be using the submission port!



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-06 19:17                     ` Paul Hartman
@ 2011-12-07  0:16                       ` Pandu Poluan
  0 siblings, 0 replies; 37+ messages in thread
From: Pandu Poluan @ 2011-12-07  0:16 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 2111 bytes --]

On Dec 7, 2011 2:22 AM, "Paul Hartman" <paul.hartman+gentoo@gmail.com>
wrote:
>
> On Tue, Dec 6, 2011 at 11:11 AM, Michael Orlitzky <michael@orlitzky.com>
wrote:
> > On 12/06/11 11:32, Grant wrote:
> >>
> >> Got it.  Your explanations are positively lucid.
> >>
> >> I added this to /etc/postifx/main.cf:
> >>
> >> postscreen_greet_action = enforce
> >> postscreen_pipelining_enable = yes
> >> postscreen_pipelining_action = enforce
> >> postscreen_non_smtp_command_enable = yes
> >> postscreen_non_smtp_command_action = enforce
> >> postscreen_bare_newline_enable = yes
> >> postscreen_bare_newline_action = enforce
> >>
> >> and I commented this and restarted postfix:
> >>
> >> #check_policy_service inet:127.0.0.1:10030
> >>
> >> Should this effectively disable postgrey and enable postscreen?
> >>
> >
> > That will disable postgrey, but isn't enough to enable postscreen. There
> > are a couple of daemons you have to enable in master.cf (steps 2
through 6):
> >
> >  http://www.postfix.org/POSTSCREEN_README.html#enable
> >
> > That README refers to lines that are commented-out in master.cf; of
> > course, if you've upgraded from an earlier of postfix, you won't have
them.
> >
> > What I did was to untar the latest postfix release under my home
> > directory, and find the master.cf that ships with it. Then, I
> > copy/pasted the lines mentioned in the README over to my real master.cf.
> >
> > After a restart, you should see lines like this in your mail log:
> >
> >  Dec  6 03:13:46 mx1 postfix/postscreen[2810]: CONNECT from ...
> >
> > that let you know its' working.
>
> Thanks for bringing up postscreen and the rest of your responses to
> Grant in this thread, I wasn't aware of it either. None of the HOWTOs
> I read ever mentioned it. :) I'm going to give it a try and see how it
> goes.
>

Indeed. They are also unclear on how to configure SASL (but that's a
different story).

Luckily, I'm building my mailfiltering gateway from scratch, and have been
logging everything I do. When everything's finished and the mfgw works
well, I'll distill my log into yet-another-wiki-article.

Rgds,

[-- Attachment #2: Type: text/html, Size: 3111 bytes --]

^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-06 17:11                   ` Michael Orlitzky
  2011-12-06 19:17                     ` Paul Hartman
  2011-12-06 21:34                     ` Grant
@ 2011-12-07  0:57                     ` Grant
  2011-12-07  1:11                       ` Pandu Poluan
  2011-12-07 16:34                       ` Michael Orlitzky
  2 siblings, 2 replies; 37+ messages in thread
From: Grant @ 2011-12-07  0:57 UTC (permalink / raw
  To: gentoo-user

> That will disable postgrey, but isn't enough to enable postscreen. There
> are a couple of daemons you have to enable in master.cf (steps 2 through 6):
>
>  http://www.postfix.org/POSTSCREEN_README.html#enable
>
> That README refers to lines that are commented-out in master.cf; of
> course, if you've upgraded from an earlier of postfix, you won't have them.

Don't you let etc-update add them for you?

> What I did was to untar the latest postfix release under my home
> directory, and find the master.cf that ships with it. Then, I
> copy/pasted the lines mentioned in the README over to my real master.cf.
>
> After a restart, you should see lines like this in your mail log:
>
>  Dec  6 03:13:46 mx1 postfix/postscreen[2810]: CONNECT from ...
>
> that let you know its' working.

Working now, thanks a lot.  I should only need the tlsproxy line if my
users connect to port 25 to send mail, correct?

- Grant



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-06 22:20                       ` Michael Orlitzky
@ 2011-12-07  1:02                         ` Grant
  2011-12-07 16:38                           ` Michael Orlitzky
  2011-12-07  9:15                         ` Pandu Poluan
  1 sibling, 1 reply; 37+ messages in thread
From: Grant @ 2011-12-07  1:02 UTC (permalink / raw
  To: gentoo-user

> SMTPS is deprecated. You probably don't need it at all, unless you do. Some
> older (Microsoft...) clients can't use anything else for encryption.
>
> These days, the "proper" way to secure your users' connections is with TLS
> on the submission port, 587. You should also have a commented-out
> 'submission' line in your master.cf; that's what it's for.
>
> The idea is that you can force encryption on port 587, and have your users
> connect there instead of port 25. Then, the only restriction you need for
> those connections is that the username/password be correct. The rest of the
> mail comes in on port 25, unencrypted, as usual, and is subjected to your
> anti-spam checks.
>
> If you're using either SMTPS or the submission service, you don't need to
> change them. Your users will continue to connect to port 465 (smtps) or 587
> (submission), bypassing postscreen entirely.
>
> If you're not using the submission service, i.e. both external and
> user-submitted mail come in on port 25, then you'll probably want to exempt
> your users from the postscreen restrictions:
>
>  http://www.postfix.org/postconf.5.html#postscreen_access_list
>
> but you should really be using the submission port!

Aye aye.  Should I make the change like this:

#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

And then switch my clients from port 465 to 587?

- Grant



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-07  0:57                     ` Grant
@ 2011-12-07  1:11                       ` Pandu Poluan
  2011-12-07 16:34                       ` Michael Orlitzky
  1 sibling, 0 replies; 37+ messages in thread
From: Pandu Poluan @ 2011-12-07  1:11 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 1214 bytes --]

On Dec 7, 2011 8:01 AM, "Grant" <emailgrant@gmail.com> wrote:
>
> > That will disable postgrey, but isn't enough to enable postscreen. There
> > are a couple of daemons you have to enable in master.cf (steps 2
through 6):
> >
> >  http://www.postfix.org/POSTSCREEN_README.html#enable
> >
> > That README refers to lines that are commented-out in master.cf; of
> > course, if you've upgraded from an earlier of postfix, you won't have
them.
>
> Don't you let etc-update add them for you?
>
> > What I did was to untar the latest postfix release under my home
> > directory, and find the master.cf that ships with it. Then, I
> > copy/pasted the lines mentioned in the README over to my real master.cf.
> >
> > After a restart, you should see lines like this in your mail log:
> >
> >  Dec  6 03:13:46 mx1 postfix/postscreen[2810]: CONNECT from ...
> >
> > that let you know its' working.
>
> Working now, thanks a lot.  I should only need the tlsproxy line if my
> users connect to port 25 to send mail, correct?
>

I've perused the relevant documentation, and to my knowledge you need to
enable tlsproxy if you want to use TLS, be it through port 25 or 587.

Don't forget to test it using openssl s_client.

Rgds,

[-- Attachment #2: Type: text/html, Size: 1778 bytes --]

^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-06 22:20                       ` Michael Orlitzky
  2011-12-07  1:02                         ` Grant
@ 2011-12-07  9:15                         ` Pandu Poluan
  2011-12-07 16:01                           ` Grant
  1 sibling, 1 reply; 37+ messages in thread
From: Pandu Poluan @ 2011-12-07  9:15 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 134 bytes --]

Michael, after I configured postscreen, how do I test it?

I tried doing out of turn talking but it didn't seem to block me...

Rgds,

[-- Attachment #2: Type: text/html, Size: 165 bytes --]

^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-07  9:15                         ` Pandu Poluan
@ 2011-12-07 16:01                           ` Grant
  2011-12-07 16:47                             ` Pandu Poluan
  0 siblings, 1 reply; 37+ messages in thread
From: Grant @ 2011-12-07 16:01 UTC (permalink / raw
  To: gentoo-user

> Michael, after I configured postscreen, how do I test it?
>
> I tried doing out of turn talking but it didn't seem to block me...

Are you getting lines like this in your mail log:

Dec  6 03:13:46 mx1 postfix/postscreen[2810]: CONNECT from ...

- Grant



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-07  0:57                     ` Grant
  2011-12-07  1:11                       ` Pandu Poluan
@ 2011-12-07 16:34                       ` Michael Orlitzky
  2011-12-07 18:08                         ` Grant
  1 sibling, 1 reply; 37+ messages in thread
From: Michael Orlitzky @ 2011-12-07 16:34 UTC (permalink / raw
  To: gentoo-user

On 12/06/11 19:57, Grant wrote:
>> That will disable postgrey, but isn't enough to enable postscreen. There
>> are a couple of daemons you have to enable in master.cf (steps 2 through 6):
>>
>>  http://www.postfix.org/POSTSCREEN_README.html#enable
>>
>> That README refers to lines that are commented-out in master.cf; of
>> course, if you've upgraded from an earlier of postfix, you won't have them.
> 
> Don't you let etc-update add them for you?

Well, etc-update offers to overwrite the old one with the new, but that
would be bad since we have a few custom services. I do try to patch the
new comments into my configuration files when possible, but my master.cf
is so far away from upstream's that the patch file is basically,

 - Everything old
 + Everything new

These days I'm almost ready to claim that I actually understand how
postfix works, so I'm not afraid to maintain main.cf and master.cf by
hand anymore.


> Working now, thanks a lot.  I should only need the tlsproxy line if my
> users connect to port 25 to send mail, correct?

You should enable it anyway: many remote MTAs will use encryption if you
let them.



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-07  1:02                         ` Grant
@ 2011-12-07 16:38                           ` Michael Orlitzky
  2011-12-07 18:16                             ` Grant
  0 siblings, 1 reply; 37+ messages in thread
From: Michael Orlitzky @ 2011-12-07 16:38 UTC (permalink / raw
  To: gentoo-user

On 12/06/11 20:02, Grant wrote:
> 
> Aye aye.  Should I make the change like this:
> 
> #smtps     inet  n       -       n       -       -       smtpd
> #  -o smtpd_tls_wrappermode=yes
> submission inet n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> 
> And then switch my clients from port 465 to 587?
> 
> - Grant
> 

Yup, but be sure to uncomment the rest of the -o lines.

Depending on which mail clients you use, you may have to fiddle with the
"secure connection" setting. Some of them allow you to choose between
SSL and TLS (ignoring that the distinction is ambiguous). You'll want to
set them to (START)TLS if you have the option.



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-07 16:01                           ` Grant
@ 2011-12-07 16:47                             ` Pandu Poluan
  0 siblings, 0 replies; 37+ messages in thread
From: Pandu Poluan @ 2011-12-07 16:47 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 446 bytes --]

On Dec 7, 2011 11:05 PM, "Grant" <emailgrant@gmail.com> wrote:
>
> > Michael, after I configured postscreen, how do I test it?
> >
> > I tried doing out of turn talking but it didn't seem to block me...
>
> Are you getting lines like this in your mail log:
>
> Dec  6 03:13:46 mx1 postfix/postscreen[2810]: CONNECT from ...
>

No... but then I realize I've been testing from a host that's part of
$my_networks >.<

It indeed works now :-)

Rgds,

[-- Attachment #2: Type: text/html, Size: 646 bytes --]

^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-07 16:34                       ` Michael Orlitzky
@ 2011-12-07 18:08                         ` Grant
  0 siblings, 0 replies; 37+ messages in thread
From: Grant @ 2011-12-07 18:08 UTC (permalink / raw
  To: gentoo-user

>>> That will disable postgrey, but isn't enough to enable postscreen. There
>>> are a couple of daemons you have to enable in master.cf (steps 2 through 6):
>>>
>>>  http://www.postfix.org/POSTSCREEN_README.html#enable
>>>
>>> That README refers to lines that are commented-out in master.cf; of
>>> course, if you've upgraded from an earlier of postfix, you won't have them.
>>
>> Don't you let etc-update add them for you?
>
> Well, etc-update offers to overwrite the old one with the new, but that
> would be bad since we have a few custom services. I do try to patch the
> new comments into my configuration files when possible, but my master.cf
> is so far away from upstream's that the patch file is basically,
>
>  - Everything old
>  + Everything new

Yeah, I try to keep mine as close to default as possible (comments and
all) so etc-update does an easy "interactive" merge.

- Grant


> These days I'm almost ready to claim that I actually understand how
> postfix works, so I'm not afraid to maintain main.cf and master.cf by
> hand anymore.
>
>
>> Working now, thanks a lot.  I should only need the tlsproxy line if my
>> users connect to port 25 to send mail, correct?
>
> You should enable it anyway: many remote MTAs will use encryption if you
> let them.



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-07 16:38                           ` Michael Orlitzky
@ 2011-12-07 18:16                             ` Grant
  2011-12-07 18:56                               ` Michael Orlitzky
  0 siblings, 1 reply; 37+ messages in thread
From: Grant @ 2011-12-07 18:16 UTC (permalink / raw
  To: gentoo-user

>> Aye aye.  Should I make the change like this:
>>
>> #smtps     inet  n       -       n       -       -       smtpd
>> #  -o smtpd_tls_wrappermode=yes
>> submission inet n       -       n       -       -       smtpd
>>   -o smtpd_tls_security_level=encrypt
>> #  -o smtpd_sasl_auth_enable=yes
>> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> #  -o milter_macro_daemon_name=ORIGINATING
>>
>> And then switch my clients from port 465 to 587?
>>
>> - Grant
>>
>
> Yup, but be sure to uncomment the rest of the -o lines.

Are you sure?  I was using smtps like this:

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

but I should switch to the below?

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

- Grant



^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-07 18:16                             ` Grant
@ 2011-12-07 18:56                               ` Michael Orlitzky
  2011-12-07 19:00                                 ` Michael Orlitzky
  2011-12-08  0:49                                 ` Grant
  0 siblings, 2 replies; 37+ messages in thread
From: Michael Orlitzky @ 2011-12-07 18:56 UTC (permalink / raw
  To: gentoo-user

On 12/07/11 13:16, Grant wrote:
> 
> Are you sure?  I was using smtps like this:
> 
> smtps     inet  n       -       n       -       -       smtpd
>   -o smtpd_tls_wrappermode=yes
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> 
> but I should switch to the below?

Are all of your clients in mynetworks? If so, it doesn't really matter
unless you want to prevent your own users from forging the envelope
sender or "From:" address.

This would enable SASL:

>   -o smtpd_sasl_auth_enable=yes


This would allow authenticated users to relay, and reject everything else:

>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject


And this does nothing unless you use a filter and want to distinguish
between incoming and outgoing mail:

>   -o milter_macro_daemon_name=ORIGINATING




^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-07 18:56                               ` Michael Orlitzky
@ 2011-12-07 19:00                                 ` Michael Orlitzky
  2011-12-08  0:49                                 ` Grant
  1 sibling, 0 replies; 37+ messages in thread
From: Michael Orlitzky @ 2011-12-07 19:00 UTC (permalink / raw
  To: gentoo-user

On 12/07/11 13:56, Michael Orlitzky wrote:
> 
> Are all of your clients in mynetworks? If so, it doesn't really matter
> unless you want to prevent your own users from forging the envelope
> sender or "From:" address.
> 

Whoops, correction: you can still forge the "From:" header with
reject_authenticated_sender_login_mismatch.




^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [gentoo-user] clamav and spamassassin
  2011-12-07 18:56                               ` Michael Orlitzky
  2011-12-07 19:00                                 ` Michael Orlitzky
@ 2011-12-08  0:49                                 ` Grant
  1 sibling, 0 replies; 37+ messages in thread
From: Grant @ 2011-12-08  0:49 UTC (permalink / raw
  To: gentoo-user

>> Are you sure?  I was using smtps like this:
>>
>> smtps     inet  n       -       n       -       -       smtpd
>>   -o smtpd_tls_wrappermode=yes
>> #  -o smtpd_sasl_auth_enable=yes
>> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> #  -o milter_macro_daemon_name=ORIGINATING
>>
>> but I should switch to the below?
>
> Are all of your clients in mynetworks? If so, it doesn't really matter
> unless you want to prevent your own users from forging the envelope
> sender or "From:" address.
>
> This would enable SASL:
>
>>   -o smtpd_sasl_auth_enable=yes
>
>
> This would allow authenticated users to relay, and reject everything else:
>
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
>
> And this does nothing unless you use a filter and want to distinguish
> between incoming and outgoing mail:
>
>>   -o milter_macro_daemon_name=ORIGINATING

Thanks a lot Michael.  Much appreciated.

- Grant



^ permalink raw reply	[flat|nested] 37+ messages in thread

end of thread, other threads:[~2011-12-08  0:51 UTC | newest]

Thread overview: 37+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-12-03 19:52 [gentoo-user] clamav and spamassassin Grant
2011-12-03 22:54 ` Michael Orlitzky
2011-12-04  0:59   ` Grant
2011-12-04  1:35     ` Michael Orlitzky
2011-12-04  1:57       ` Grant
2011-12-04  2:10         ` Michael Orlitzky
2011-12-04  1:59   ` Pandu Poluan
2011-12-04  2:17     ` Michael Orlitzky
2011-12-04  2:48       ` Pandu Poluan
2011-12-04  3:06         ` Michael Orlitzky
2011-12-04  8:27           ` Pandu Poluan
2011-12-06  0:15       ` Grant
2011-12-06  0:45         ` Pandu Poluan
2011-12-06  0:52           ` Michael Orlitzky
2011-12-06  1:01             ` Pandu Poluan
2011-12-06  1:14               ` Michael Orlitzky
2011-12-06  3:24             ` Grant
2011-12-06  4:43               ` Michael Orlitzky
2011-12-06 16:32                 ` Grant
2011-12-06 17:11                   ` Michael Orlitzky
2011-12-06 19:17                     ` Paul Hartman
2011-12-07  0:16                       ` Pandu Poluan
2011-12-06 21:34                     ` Grant
2011-12-06 22:20                       ` Michael Orlitzky
2011-12-07  1:02                         ` Grant
2011-12-07 16:38                           ` Michael Orlitzky
2011-12-07 18:16                             ` Grant
2011-12-07 18:56                               ` Michael Orlitzky
2011-12-07 19:00                                 ` Michael Orlitzky
2011-12-08  0:49                                 ` Grant
2011-12-07  9:15                         ` Pandu Poluan
2011-12-07 16:01                           ` Grant
2011-12-07 16:47                             ` Pandu Poluan
2011-12-07  0:57                     ` Grant
2011-12-07  1:11                       ` Pandu Poluan
2011-12-07 16:34                       ` Michael Orlitzky
2011-12-07 18:08                         ` Grant

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox