Postfwd configuration

Discussion in 'Installation/Configuration' started by francoisPE, Apr 6, 2021.

  1. francoisPE

    francoisPE Member HowtoForge Supporter

    Hello
    I have ISPConfig 3.2 with perfect server ubuntu 20.04
    I try to set limits to my postfix with postfwd.
    I try to limit number of mails and size of mails. Also, I set up postfwd-anti-geoip-spam-plugin as per https://www.howtoforge.com/tutorial/blocking-of-international-spam-botnets-postfix-plugin/ (modified to take into account updates)
    It seems it doesn't work : I send extra size mail, I have no data in my plugin-database when I send mails...

    First, plugin compatibility note says postfwd3. https://github.com/Vnet-as/postfwd-anti-geoip-spam-plugin
    But I don't see how to install and/or launch postfwd3...
    even though, it should work for size limitations...

    in /etc/postfix/postfwd.cf :
    Code:
    #limit sender
    id=RATE01; sasl_username=~^(.+)$ ; action=rate(sasl_username/100/600/REJECT  $$sasl_username - Désolé, limite dépassée : 100 emails par heure)
    # recipient count limit 3 per hour per client
    id=RCPT01 ; sasl_username=~^(.+)$ ; action=rcpt(sasl_username/100/3600/REJECT $$sasl_username - Désolé, 100 destinataires maxi par heure)
    # size limit 1.5mb per hour per client
    id=SIZE01 ; sasl_username=~^(.+)$ ; action=size(sasl_username/20971520/3600/REJECT $$sasl_username - Désolé, maximun 20 Mo par heure)
    # Anti spam botnet rule:
    #   This example shows how to limit e-mail address defined by `sasl_username` to be able to login from max. 5 different countries or 20 different IP addresses, otherwise it will be blocked from sending messages.
    id=BAN_BOTNET_COUNTRY ;
       sasl_username=~^(.+)$ ;
       client_uniq_country_login_count > 5 ;
       action=rate(sasl_username/1/3600/554 Votre email ($$sasl_username) semble avoir été attaqué. Changez votre mot de masse lors de votre prochaine connexion.) ;
    id=BAN_BOTNET_IP ;
       sasl_username=~^(.+)$ ;
       client_uniq_ip_login_count > 20 ;
       action=rate(sasl_username/1/3600/554 Votre email ($$sasl_username) semble avoir été attaqué. Changez votre mot de masse lors de votre prochaine connexion.) ;
    
    in /etc/postfix/main.cf
    Code:
    smtpd_recipient_restrictions... , check_policy_service inet:127.0.0.1:10040 (at the very end)
    smtpd_data_restrictions... , check_policy_service inet:127.0.0.1:10040 (at the very end - after 'permit')
    
    I saw on https://serverfault.com/questions/502910/postfwd-not-rate-limiting-sasl-users that there is a logic in 'main.cf' rules
    But, I don't find any documentation except on that site
    I didn't understand how to build smtpd_recipient_restrictions and smtpd_data_restrictions directive...

    My log :
    syslog.1:Apr 5 23:55:25 ns1 postfwd2/cache[2207556]: 2021/04/05-23:55:24 Server closing!
    syslog.1:Apr 5 23:55:25 ns1 postfwd2/policy[2207557]: 2021/04/05-23:55:24 Server closing!
    syslog.1:Apr 5 23:55:25 ns1 postfwd2/master[2207555]: warning: Use of uninitialized value $send in scalar chomp at /usr/sbin/postfwd line 367.?
    syslog.1:Apr 5 23:55:25 ns1 postfwd2/master[2207555]: warning: can not open socket to 127.0.0.1:10040: 'Connection refused' 'IO::Socket::INET: connect: Connection refused'?
    syslog.1:Apr 5 23:55:25 ns1 postfwd2/master[2207555]: postfwd2 1.35 terminating...
    syslog.1:Apr 5 23:55:25 ns1 systemd[1]: postfwd.service: Succeeded.
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/master[2786743]: postfwd2 1.35 starting
    syslog.1:Apr 5 23:55:26 ns1 postfwd[2786743]: Pid_file "/var/run/postfwd.pid" already exists. Overwriting!
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/master[2786754]: Started cache at pid 2786755
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/master[2786755]: 2021/04/05-23:55:26 postfwd2::cache (type Net::Server::Multiplex) starting! pid(2786755)
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/master[2786754]: Started server at pid 2786756
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/master[2786755]: Binding to UNIX socket file "/var/tmp/postfwd2-cache.socket"
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/cache[2786755]: ready for input
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/master[2786756]: 2021/04/05-23:55:26 postfwd2::server (type Net::Server::preFork) starting! pid(2786756)
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/master[2786756]: Binding to TCP port 10040 on host 127.0.0.1 with IPv4
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/policy[2786756]: warning: Subroutine inet_aton redefined at /usr/lib/x86_64-linux-gnu/perl5/5.30/NetAddr/IP/InetBase.pm line 206.?
    syslog.1:Apr 5 23:55:27 ns1 postfwd2/policy[2786756]: [PLUGIN] Loaded plugins file: /etc/postfix/postfwd-anti-spam.plugin items: "client_uniq_country_login_c...

    Many thanks
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    What do you have for smtpd_recipient_restrictions? Nothing will go to postfwd if it has been permitted by an earlier directive, so your smtpd_data_restrictions change means postfwd will never be used at that point; that's actually ok, as it should use smtpd_end_of_data_restrictions anyways.
     
  3. francoisPE

    francoisPE Member HowtoForge Supporter

    Before modification, my main.cf contained
    '
    smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix: private/quota-status
    smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
    '
    If I well understood,
    - As I have twice "permit" (bold text), I need my 'check_policy_service inet:127.0.0.1:10040' to be before them.
    - I also need 'reject_unauth_destination' (underlind) to be before 'check_policy_service inet:127.0.0.1:10040'
    So I gonna try :
    '
    smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_non_fqdn_recipient, reject_unauth_destination, check_policy_service inet:127.0.0.1:10040, permit_sasl_authenticated, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix: private/quota-status
    smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, check_policy_service inet:127.0.0.1:10040, permit
    '
    As a remark, I don't have 'smtpd_end_of_data_restrictions' in my main.cf... is it correct ?
     
    Last edited: Apr 7, 2021
  4. francoisPE

    francoisPE Member HowtoForge Supporter

    I try a 60Mb attachment...
    My log shows :
    Apr 7 20:40:29 ns1 postfix/proxymap[3469476]: warning: request for unapproved table: "mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf"
    Apr 7 20:40:29 ns1 postfix/proxymap[3469476]: warning: to approve this table for read-only access, list proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf in main.cf: proxy_read_maps
    Apr 7 20:40:29 ns1 postfix/trivial-rewrite[3470431]: fatal: proxymap service is not configured for table "mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf"

    I kill something, but I don't know what !
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    My guess is you have an outdated conf-custom template that doesn't have proxy_read_maps. Unless you have other changes to preserve, try updating to 3.2.4, allow it to rename your custom templates (or do so manually), then set:
    Code:
    smtpd_end_of_data_restrictions = inet:127.0.0.1:10040
    If that works for you, take the next step of tweaking smtpd_recipient_restrictions (which is more efficient when it can work, but not strictly necessary).
     
  6. francoisPE

    francoisPE Member HowtoForge Supporter

    With ISPC update and
    Code:
    echo "smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10040" >> /etc/postfix/main.cf
    
    my postfix is back to life. It seems it works : 60Mb mail rejected !
    I'll check other limitations...

    This restriction is much better because ispconfig update doesn't kill it...
    Thanks a lot :):):)
     

Share This Page