From: MacShane, Tracy (Tracy.Macshane AirservicesAustralia.com)
Date: Mon Dec 03 2007 - 19:52:33 CST
> -----Original Message-----
> From: owner-postfix-users postfix.org
> [mailto:owner-postfix-users postfix.org] On Behalf Of Rocco Scappatura
> Sent: Tuesday, 4 December 2007 10:42 AM
> To: mouss
> Cc: postfix-users postfix.org
> Subject: Re: Recipient validation
>
> > if you see no other logs, then the problem is with the filter. if
> > there is a way to make it more talkative, try that. try connecting
> > to the filter with telnet (from localhost, not from your PC) and
> > see what it does.
>
> You are right. But I have no way to increase verbosity..
>
> > PS. Regarding the dns resolution issue, just create a dns zone for
> > your IP network. this way, resolution will fail quickly.
>
> The appliance uses a DNS on the same network that is
> responsible for the IP network where it is placed. In
> particular, that DNS server resolves its hostname.
>
> Anyway, I have restored the original code for the
>
> content_filter = imss:localhost:10025
>
> And all works. So the key is in these lines:
>
> localhost:10026 inet n - n - 70 smtpd
>   -o smtpd_use_tls=no
>   -o content_filter=
>   -o smtpd_timeout=$imss_timeout
>   -o myhostname=av6.sttspa.it
>   -o mynetworks=127.0.0.1
>   -o smtpd_delay_reject=no
>   -o smtpd_client_restrictions=permit_mynetworks,reject
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o receive_override_options=no_unknown_recipient_checks,
>      no_address_mappings
>
> knowing that with the settings below for the filter:
>
> localhost:10026 inet n - n - 70 smtpd
>   -o smtpd_use_tls=no
>   -o content_filter=
>   -o smtpd_timeout=$imss_timeout
>   -o local_recipient_maps=
>   -o myhostname=IMSA
>   -o smtpd_client_restrictions=
>
> the filter - and so postfix, works.
>
> rocsca

Really, I don't know why you haven't contacted Trend Micro support
regarding all this. You're paying for it, after all.

Regarding the RBL, I've been contemplating using Spamhaus Zen myself,
but making the change could be "political". I have found that the
sensitivity of the RBL can be modified by logging onto the Email
Reputation Service (ERS/NRS, depending on what they're calling it this
week) console at https://nrs.nssg.trendmicro.com/index.php. By going to
Policy -> Reputation Settings, you can adjust the QIL level to 2 or 3,
"less aggressive", from its default of 4 ("most aggressive"). At least
we're randomly not blocking Optus.net here in Australia any more (only
the 2nd largest ISP). If you don't have a logon to the ERS console, all
you need to provide is your registration number to get one.

Anyways, here's part of our Postfix configuration for IMSS - it works
perfectly. This is Postfix 2.2. I think that amavisd-new's
postfix.readme and discussions here were a great help for understanding
how it all fits together. I've only slightly tweaked the concurrency
limits in master.cf - the Trend Micro defaults are:

imss            unix  -  -  n  -  -   smtp
localhost:10026 inet  n  -  n  -  20  smtpd

main.cf
======
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unauth_destination,
    check_recipient_access pcre:/etc/postfix/recipient_access,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    check_sender_access hash:/etc/postfix/sender_access,
    check_client_access hash:/etc/postfix/client_access,
    reject_unknown_sender_domain,
    reject_rbl_client <ID>.r.mail-abuse.com,
    reject_rbl_client <ID>.q.mail-abuse.com
message_size_limit = 13107200
strict_rfc821_envelopes = yes
smtpd_timeout = 60
# following required due to IMSS marking messages with
# >500 recipients as "malformed", and not notifying recipients
smtpd_recipient_limit = 500
content_filter = imss:[127.0.0.1]:10025

# Configuration for Trend IMSS scanning
default_process_limit = 200
imss_timeout = 10m
imss_connect_timeout = 1s
# IMSS: content filter interface via transport "imss"
# Using Trend Micro defaults
imss_destination_recipient_limit = 200
imss_destination_concurrency_limit = 20

master.cf
========
### IMSS configuration
#InterScan MSS: content filter smtp transport imss for InterScan MSS
imss            unix  -  -  n  -  20  smtp
    -o disable_dns_lookups=yes
    -o smtp_connect_timeout=$imss_connect_timeout
    -o smtp_data_done_timeout=$imss_timeout
#InterScan MSS: content filter loop back smtpd
127.0.0.1:10026 inet  n  -  n  -  50  smtpd
    -o smtpd_use_tls=no
    -o content_filter=
    -o smtpd_timeout=$imss_timeout
    -o myhostname=imss70.smtp3
    -o mynetworks=127.0.0.1
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o receive_override_options=no_unknown_recipient_checks
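
Added example, not part of the original message or of any Trend Micro or Postfix tooling: a small Python check that parses master.cf and reports where an after-filter smtpd listener (the port the filter re-injects mail on, which skips content_filter) differs from the locked-down overrides in the configuration above. The function names, the LOCKED_DOWN baseline and the sample text are assumptions made for illustration; the sample is constructed from the two 10026 listeners quoted in this thread, with the second moved to port 10027 so both fit in one file.

```python
# Constructed sample; port 10027 is used only to keep both listeners in one file.
SAMPLE_MASTER_CF = """\
127.0.0.1:10026 inet  n  -  n  -  50  smtpd
    -o smtpd_use_tls=no
    -o content_filter=
    -o mynetworks=127.0.0.1
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
localhost:10027 inet  n  -  n  -  70  smtpd
    -o content_filter=
    -o smtpd_client_restrictions=
"""

LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}
# Baseline (assumption for this example): the overrides of the locked-down listener.
LOCKED_DOWN = {
    "content_filter": "",
    "mynetworks": "127.0.0.1",
    "smtpd_client_restrictions": "permit_mynetworks,reject",
    "smtpd_recipient_restrictions": "permit_mynetworks,reject",
}

def parse_master_cf(text):
    """Parse master.cf text; a line starting with whitespace continues the previous entry."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and services:
            services[-1]["tokens"] += raw.split()
        else:
            services.append({"tokens": raw.split()})
    for svc in services:
        t = svc["tokens"]  # fields: service type private unpriv chroot wakeup maxproc command
        svc["name"], svc["type"], svc["command"] = t[0], t[1], t[7]
        svc["opts"] = dict(a.split("=", 1) for f, a in zip(t[8:], t[9:]) if f == "-o" and "=" in a)
    return services

def audit_reinjection_listener(svc):
    """Report where an after-filter smtpd listener differs from LOCKED_DOWN."""
    findings = []
    if svc["name"].rpartition(":")[0] not in LOOPBACK:
        findings.append("listener is not bound to a loopback address")
    for key, want in LOCKED_DOWN.items():
        got = svc["opts"].get(key)
        if got != want:
            shown = "not overridden" if got is None else repr(got)
            findings.append(f"{key}: {shown}, expected {want!r}")
    return findings
```

A finding here means only that the listener differs from the baseline; a parameter that is "not overridden" inherits its value from main.cf.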