Exim - How to deliver to a user maildir beneath domain folder - smtp

Hats off to anyone who has put together exim smtp server!
I have it working with dovecot authentication + dovecot imaps access, using a dovecot passwd-formatted file for authentication and zero users set up on linux / no home.
Maildir delivery to a folder/$local_part.
But it's only one domain; delivery is always to a unique user, i.e. bob@blah.com equates to bob.
I'd like to have a number of domains and there could be bob#blah2.com and bob#blah3.com who are both different bob.
Don't want to add linux users, or use aliases. Just want to deliver the email to a directory named after the domain\user the email was sent to.
I thought it would be as simple as creating directories $domain/$local_part and then checking the recipient is authenticated and delivering to that maildir. The authentication works, but not the delivery. $domain_data is empty and $domain gives a "tainted" error. From what I've read I believe I have to untaint the $domain data, which automatically populates $domain_data (untainted). But I've failed for a few weeks to find out how.
I'm authenticating via dovecot. It has a user file in the passwd format but with sha512 password.
e.g.
```
cat /etc/dovecot/users
bob@blah.com:{SHA512-CRYPT}$6$iAlzfEx8Ft5M1::::::userdb_quota_rule=*:storage=1G
```
Surely the most logical thing is, once a user is authenticated, if that authentication process contains the domain, then the domain should be authenticated.
So does it need another lookup (in the router section?) to again check the same dovecot/users file to see if bob#blah.com exists, if it does, then deliver to \domain\user?
If I have to add the home dir to each entry in dovecot/users, I can do that if it needs to be pulled in via lookup. But I was hoping that simply matching the recipient address to an authenticated user is OK.
Something like:
```
my_domains:
  driver = accept
  domains = ${lookup{$local_part@$domain}lsearch{/etc/dovecot/users}}
  transport = my_mailboxes
```
Thank you very much for any help!
EDIT:
Further info: I sent an email to eximm@MyDomain.uk.
```
cat /etc/dovecot/users
exim:{SHA256-CRYPT}$5$SFHDKJqI.hDb1::::::userdb_quota_rule=*:storage=500M
eximm@MyDomain.uk:{SHA256-CRYPT}$5$SFHDKCx6v4WH.FJqI.hDb1::::::userdb_quota_rule=*:storage=500M
```
router:
```
my_domains:
  driver = accept
  domains = lsearch{$local_part@$domain}/etc/dovecot/users
  transport = my_mailboxes
```
transport:
```
my_mailboxes:
  driver = appendfile
  file = /srv/mail/$domain_data/$local_part_data
  user = exim
```
```
18:30:43.566 25510 checking domains
18:30:43.566 25510 ╭considering: lsearch{$local_part@$domain}/etc/dovecot/users
18:30:43.566 25510 ├───────text: lsearch{
18:30:43.566 25510 ├considering: $local_part@$domain}/etc/dovecot/users
18:30:43.567 25510 ├considering: @$domain}/etc/dovecot/users
18:30:43.567 25510 ├───────text: @
18:30:43.567 25510 ├considering: $domain}/etc/dovecot/users
18:30:43.567 25510 ├considering: }/etc/dovecot/users
18:30:43.567 25510 ├───────text: }/etc/dovecot/users
18:30:43.567 25510 ├──expanding: lsearch{$local_part@$domain}/etc/dovecot/users
18:30:43.567 25510 ╰─────result: lsearch{eximm@MyDomain.uk}/etc/dovecot/users
18:30:43.567 25510 ╰──(tainted)
18:30:43.567 25510 MyDomain.uk in "lsearch{eximm@MyDomain.uk}/etc/dovecot/users"? no (end of list)
18:30:43.567 25510 my_domains router skipped: domains mismatch
18:30:43.567 25510 --------> system_aliases router <--------
```
I've not got it right, but don't know why. My understanding was domain_data should be untainted and populated after a successful internal lookup.
Even assuming that interpretation is roughly ok, at the moment the lookup fails.
EDIT2: Should say, MyDomain is a find+replace. The actual domain is lowercase in all areas. Although I believe lsearch is case agnostic anyway.
EDIT3: I think I have a working workaround, so will update just to confirm it is working and what the solution was once confirmed.
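A router/transport pair that does what the question asks on Exim 4.94 or later, added here as an example (it is not from the question or from the Exim documentation). It assumes the maildirs already exist as /srv/mail/<domain>/<local_part>/, that /etc/dovecot/users is keyed by the full user@domain address, and that Exim runs as user exim; it untaints with dsearch lookups against those directories rather than the lsearch the question tries.

```exim
# Added example: per-domain Maildir delivery without system users.
# Both path components reach the transport untainted: $domain_data comes
# from the domains lookup and $address_data from a second dsearch lookup.

virtual_user:
  driver = accept
  # dsearch matches $domain against the directory names under /srv/mail;
  # on success $domain_data is the matched name and is untainted
  domains = dsearch;/srv/mail
  # the full address must also exist in dovecot's user file (lookup keys
  # may be tainted; only file names may not)
  condition = ${lookup{$local_part@$domain}lsearch{/etc/dovecot/users}{yes}{no}}
  # expanded after the preconditions: the untainted maildir name, or a
  # forced failure, which makes this router decline the address
  address_data = ${lookup{$local_part}dsearch{/srv/mail/$domain_data}{$value}fail}
  transport = virtual_maildir

virtual_maildir:
  driver = appendfile
  directory = /srv/mail/$domain_data/$address_data
  maildir_format
  user = exim
  group = exim
  mode = 0660
  create_directory
  delivery_date_add
  envelope_to_add
  return_path_add
```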

Related

AWS ACM certificate state is pending validation and not changing to issued

I have requested a public ACM certificate and I have selected the DNS validation method. After requesting the certificate it went to Pending validation state. I have created a hosted zone in Route 53 with the same domain name which I have used for my certificate. After creating the certificate I got the option "Create record in Route 53". I have created the record in Route 53 with the CNAME and it displayed as " Success
The DNS record was written to your Route 53 hosted zone. It can take 30 minutes or longer for the changes to propagate and for AWS to validate the domain and issue the certificate.". But the status of the certificate is not getting changed and it is still in pending validation only. After some time the "Create record in Route 53" option is getting enabled again. I have tried the same process multiple times over almost one day but the status is not getting changed. Can someone please help me fix the issue?
In the AWS Console (Web UI), on the Certificate Manager page,
Expand the certificate that is pending
Expand the table that has domain and validation status
Click the blue button that says "Create record in Route 53" (you can also do this manually)
Give it about 10 minutes
Or follow these instructions from AWS - Why is my AWS Certificate Manager (ACM) certificate DNS validation status still pending validation?
Having the same issue here and I found out that my problem is in the NS record in my domain. My mistake was I didn't update the Name Servers in my domain, what I did was the opposite. I updated the values of the NS record in R53 based on the NS on my domain then I realized that the right thing to do was to update your NS (Name Servers) of your domain to the values of the NS record in R53. Haha (english is not my native language btw).
Just make sure you have the correct Name Servers and correct CNAME suggested by ACM. I waited a day before and still Pending Validation, but when I fixed it it took only a few minutes for my certificate to be issued.
What I would do is:
Verify that the DNS returns what is expected.
For that you can use dig (Linux) or nslookup (Windows), or even better > https://www.digwebinterface.com
If you don't get what is expected, you need to reconfigure the DNS.
Once it is verified, wait a little bit (10 min to 2h I'd say).
Something to read while you wait:
https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html
https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html
https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-pending-validation/
https://docs.aws.amazon.com/acm/latest/userguide/domain-ownership-validation.html

How to read all mails sent from my server

Currently, almost all mail sent from my server ends up in the receiver's junk folder. I am thinking: is it because my server is sending spam mail? I refer to this post How to check if server is sending out spam?. I can check all email sent from my server by entering this command.
```
cat /var/log/maillog | grep 'to=<[a-z0-9_\.-]\+@[0-9a-z\.-]\+\.[a-z\.]\{2,6\}>' -o
```
I did send a few emails myself but the above command doesn't list anything. If I cat /var/log/maillog, below is what I got. Not sure how to read this.
```
...
Jul 3 12:38:32 abcde-id467301 spamd[16679]: spamd: connection from localhost [::1]:37410 to port 783, fd 5
Jul 3 12:38:32 abcde-id467301 spamd[16300]: prefork: child states: I
Jul 3 12:38:32 abcde-id467301 dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<XaTr4hBwNNJ/AAAB>
Jul 3 12:38:33 abcde-id467301 dovecot: lmtp(10026): Connect from local
Jul 3 12:38:33 abcde-id467301 dovecot: lmtp(10026): Disconnect from local: Successful quit
...
```
Any suggestions to check spam mail? Thanks.
EDIT after fixing DMARC, DKIM and SPF (they all pass): now Gmail is OK but Hotmail is NOT OK.
Did several tests
https://www.mail-tester.com/
```
SpamAssassin does not like you
-0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
This negative score will become positive if the signature is validated. See immediately below.
0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
Great! Your signature is valid
0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
Great! Your signature is valid and it's coming from your domain name
-1.999 FSL_HELO_BARE_IP_2 IP used in the HELO request
The hostname should be a domain name, not an IP address
-1.985 PYZOR_CHECK Similar message reported on Pyzor (http://pyzor.org)
Please test a real content, test Newsletters will always be flagged by Pyzor
Adjust your message or request whitelisting (http://public.pyzor.org/whitelist/)
-0.865 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
-1.274 RDNS_NONE Delivered to internal network by a host with no rDNS
This may be a false-positive, please check the reverse DNS test below to confirm or not this issue
0.001 SPF_PASS SPF: sender matches SPF record
Great! Your SPF is valid
You're not fully authenticated
We didn't find a server (A Record) behind your hostname .......net.
We check if there is a server (A Record) behind your hostname .......net.
You may want to publish a DNS record (A type) for the hostname .......net or use a different hostname in your mail software.
```
Sent an email to auth-results@verifier.port25.com
```
"iprev" check: fail
SpamAssassin check: ham
"iprev" check details:
Result: fail (reverse lookup failed (NXDOMAIN))
ID(s) verified: policy.iprev=---.--.---.--
DNS record(s):
---.--.---.--.in-addr.arpa. PTR (NXDOMAIN)
SpamAssassin check details:
SpamAssassin v3.4.0 (2014-02-07)
Result: ham (-0.6 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-0.0 SPF_PASS SPF: sender matches SPF record
-0.5 BAYES_05 BODY: Bayes spam probability is 1 to 5%
[score: 0.0157]
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
```
By default, on a cPanel server, emails are sent using EXIM. So the email log (for received and sent emails) is located at /var/log/exim_mainlog. There you can see detailed info about whatever emails were sent to or by your server.
A lot of factors can lead to your emails being delivered to junk. Just to name a few:
- your server's ip address is blacklisted (you can check it using tools like http://mxtoolbox.com/)
- you do not have a proper hostname defined for your server
- you do not have a proper reverse DNS for your server
- SPF and/or DKIM are not configured properly
Try sending an email from your server to a Gmail address for example, a Gmail address that you own. Then go to Gmail and even if the email landed on Junk, please check the email headers. There you get info about what checks have been made, what Spam score you got for your email and so on. That would be a good starting point for you to figure out why the sent emails land in Spam/Junk.
Since you have provided very little information, it is hard to guess or provide a proper answer...
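As an added example (not code from the question or the answer), this script triages a message copied from the recipient's raw/original view for the checks this thread turns on: the SPF/DKIM/DMARC verdicts in Authentication-Results, and a bare IP used as the HELO name in the Received: chain (the FSL_HELO_BARE_IP_2 and RCVD_NUMERIC_HELO hits above). The sample message is constructed.

```python
"""Triage a raw message for SPF/DKIM/DMARC verdicts and bare-IP HELO names."""
import re
from email import message_from_string
from email.message import Message

# Constructed sample, not a real message: authentication passes, but the
# sending host used its IP address as the HELO name, as in the question.
SAMPLE = """\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@sender.example header.s=mail;
       spf=pass (sender IP is 203.0.113.25) smtp.mailfrom=news@sender.example;
       dmarc=pass (p=NONE) header.from=sender.example
Received: from 203.0.113.25 (unknown [203.0.113.25])
        by mx.example.net with ESMTP id abc123
        for <user@example.net>; Fri, 3 Jul 2020 12:38:33 +0000
From: news@sender.example
To: user@example.net
Subject: test

hello
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
# the HELO/EHLO argument is the first token after "from" in a Received: header
HELO_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"^\[?\d{1,3}(?:\.\d{1,3}){3}\]?$")


def _flat(header) -> str:
    """Unfold a possibly multi-line header value into one line."""
    return " ".join(str(header).split())


def auth_results(msg: Message) -> dict:
    """Map mechanism -> verdict from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(_flat(hdr)):
            results.setdefault(mech, verdict)  # first (nearest) header wins
    return results


def bare_ip_helos(msg: Message) -> list:
    """HELO names in the Received: chain that are IP literals, not hostnames."""
    found = []
    for hdr in msg.get_all("Received", []):
        m = HELO_RE.match(_flat(hdr))
        if m and IPV4_RE.match(m.group(1)):
            found.append(m.group(1))
    return found


def triage(raw: str) -> dict:
    """Summarise the message and list the findings a receiver would score."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    helos = bare_ip_helos(msg)
    problems = [f"{m} result is {v}" for m, v in auth.items() if v != "pass"]
    problems += [f"HELO name is a bare IP: {h}" for h in helos]
    return {"auth": auth, "bare_ip_helo": helos, "problems": problems}


if __name__ == "__main__":
    for line in triage(SAMPLE)["problems"]:
        print(line)
```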

Edit password_query in Dovecot for 2 factor auth

I want to add two-factor authentication to dovecot and thought of appending an OTP to the normal password a user has, then sending that "new" password to Dovecot, so I wondered whether it is possible to edit the password_query in dovecot-sql.conf.ext in such a way that it includes a section where the OTP part of the password is verified.
The authentication in dovecot can work via PAM. Most two factor authentication systems (to be specific OTP systems) add the second factor by just appending the OTP value after the password like:
mySecretPassword788293
This is sent to the authentication backend which knows how to handle this.
This means that the PAM stack would only request one password (which consists of the static part/knowledge and the OTP part/possession) and have the OTP backend verify this.
E.g. you could use privacyIDEA to manage your 2nd factors in conjunction with PAM. http://privacyidea.readthedocs.io/en/latest/application_plugins/index.html
Disclaimer: I am a core developer of privacyIDEA

Problems with WebSession when executing a WebService (GeneXus)

Here is the problem: I have a KB called APP1 that will execute a WebService of an Identity Provider (it centralizes all the logins/sessions for different applications) that will return true if there is a logged user in the current WebSession that has been granted access to the Application, or false otherwise. When I create a web panel in the same KB as the Identity Provider, it works just fine: I get TRUE when there's a logged user, and FALSE when there's not. But when I call it from APP1 it always returns false. I believe the problem is that the WebSession won't work properly when called through a WS. Any ideas of how to solve it?
My first advice is to try using GAM Single Sign on (X Evolution 3)
WebServices should be Stateless. I think that using the Database instead of WebSession could do the job.
Nonetheless, in order to call a restful WebService you will have to do something more complex as dealing with CookieContainers as stated in the following link.
Consider this solution:
User tries to access App1
There's no web session (App1 doesn't know who is connecting)
App1 redirects User to an IdentityProvider's special login page
If User is not logged, it provides credentials and logs in
IdentityProvider has a session for the user (it knows who is connecting), then it redirects to the referer, appending to the url an encrypted userid parameter.
App1 decodes the parameter, now it knows who is connecting.
App1 saves the userid to the web session, now the user is authenticated
App1 and IdentityProvider must share an encryption key.
Consider that if the encryption key gets compromised or cracked anyone can impersonate another user.
Depending on how secure you want your system to be, you should study other security issues:
every time the user connects its encrypted login is the same and it shows in the URL; it can be easily solved by adding a nonce or salt.
The system could be abused generating multiple requests until it gets a valid encrypted userid. It can be mitigated using a large Salt and/or blocking multiple attempts from the same source.
Note that this isn't a tested protocol and I didn't study the security in depth. I got some inspiration from OpenId, but this is a simplified protocol and I could be missing security holes.
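As an added example (not from the answer and not GeneXus code), here is the redirect parameter from the flow above built as an HMAC-signed token instead of an encrypted user id (the id need not be secret, only unforgeable) with a random nonce and an expiry, so the same user never yields the same parameter and a captured one cannot be replayed, which addresses the two weaknesses the answer lists. The key and names are constructed placeholders.

```python
"""IdP-to-App1 redirect parameter: signed, single-use, short-lived."""
import base64
import hashlib
import hmac
import os
import time

SHARED_KEY = b"constructed-demo-key-shared-by-idp-and-app1"  # placeholder
TOKEN_TTL = 60  # seconds a redirect parameter stays valid


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, key: bytes = SHARED_KEY, now=None) -> str:
    """IdentityProvider side: user.nonce.expiry.mac, each part base64url."""
    now = int(time.time()) if now is None else now
    nonce = _b64(os.urandom(16))  # fresh per redirect, so no two URLs repeat
    payload = f"{_b64(user_id.encode())}.{nonce}.{now + TOKEN_TTL}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"


class App1Verifier:
    """App1 side: accept a token once, only if its MAC and expiry check out."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen = {}  # nonce -> expiry, evicted once expired

    def verify(self, token: str, now=None):
        """Return the user id, or None for a forged, expired or replayed token."""
        now = int(time.time()) if now is None else now
        try:
            uid_b64, nonce, exp_text, mac_b64 = token.split(".")
            exp = int(exp_text)
            mac = _unb64(mac_b64)
            user_id = _unb64(uid_b64).decode()
        except ValueError:  # malformed token, bad base64 or bad UTF-8
            return None
        payload = f"{uid_b64}.{nonce}.{exp}".encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):  # constant-time compare
            return None
        if now > exp:
            return None
        self.seen = {n: e for n, e in self.seen.items() if e >= now}
        if nonce in self.seen:  # replay of a still-live token
            return None
        self.seen[nonce] = exp
        return user_id
```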

Postfix / Spamassassin: Undelivered Mail Returned to Sender [closed]

Closed 8 years ago.
I'm having an issue with a newly configured mail server: spam emails spoofed to come from the local domain are accepted by the mail server. The mail isn't delivered as is, though; SpamAssassin tags it as spam and then an "Undelivered Mail Returned to Sender" email is sent to the spoofed local user.
I know there is a way of fixing this in the configuration but I have no idea where; I'm hoping someone can point me in the right direction.
To be clear, the mail server is not relaying; this is only a local user issue.
I want Postfix to reject any emails supposedly from local users that aren't sent internally. That would stop this problem.
Here is an email to show you what's happening. I've changed the domain to example.com.au.
```
This is the mail system at host example.com.au.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
: host 127.0.0.1[127.0.0.1] said: 554 5.7.0 Reject, id=11887-07 - SPAM (in reply to end of DATA command) ?
Reporting-MTA:dns; example.com.au
X-Postfix-Queue-ID: 661DC5D1DE
X-Postfix-Sender: rfc822; dan@example.com.au
Arrival-Date: Tue, 5 May 2009 06:21:38 +1000 (EST)
Final-Recipient: rfc822;dan@example.com.au
Original-Recipient:rfc822;dan@example.com.au
Action: failed Status: 5.7.0
Remote-MTA: dns; 127.0.0.1
Diagnostic-Code: smtp; 554 5.7.0 Reject, id=11887-07 - SPAM ?
From: Berenice Penez
Date: Mon, 4 May 2009 22:21:41 +0200
To: Subject: Were it you, on forum?
Reliable quality and no delays with
delivery! Super online store for
disease treating
http://www.xopfekec.cn/
```
Postfix main.cf (the important parts, not complete)
```
readme_directory = /usr/share/doc/postfix
mydomain_fallback = localhost
message_size_limit = 0
mailbox_size_limit = 0
myhostname = example.com.au
mailbox_transport = cyrus
mydomain = example.com.au
inet_interfaces = all
enable_server_options = yes
mydestination = $myhostname,localhost.$mydomain,localhost,example.com.au
smtpd_sasl_auth_enable = yes
smtpd_use_pw_server = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_unknown_recipient_domain,reject_unknown_sender_domain,reject_invalid_hostname
smtpd_pw_server_security_options = plain,login
content_filter = smtp-amavis:[127.0.0.1]:10024
mynetworks = 127.0.0.0/8, 10.0.1.0/24
smtpd_client_restrictions = permit_sasl_authenticated,reject_rbl_client dnsbl.sorbs.net
```
A few different points:
This should be on serverfault.com, but since I'm not on the beta there I'll answer it here.
The output of postconf -n is better than including what you think are the relevant lines in main.cf. Also include relevant lines from master.cf if you have parameter overrides or other customisations in there.
Don't accept then bounce mail like that. If you are using SpamAssassin as an after-queue filter in Postfix (the usual way of running it), you need to either tag-and-deliver (and filter with client-side rules) or quarantine the mail without notifying the sender. From the look of your question, you are probably a backscatter source. Stop it. See for example http://www.postfix.org/BACKSCATTER_README.html. Do consider amavisd-new for integrating SpamAssassin into Postfix with all kinds of useful features.
Consider collapsing all of your restrictions into smtpd_recipient_restrictions. It's generally easier to manage the linear flow of restrictions like that than to deal with the interactions between smtpd_{client,helo,sender,recipient}_restrictions.
To prevent Postfix from accepting mail from outside, add a sender_access map that rejects mail claiming to be from your domains:
```
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:$config_directory/reject_mydomains,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_invalid_hostname
```
And in reject_mydomains:
```
example.com.au REJECT you are not me
```
This will probably be prone to false positives with mail that comes from senders with a legitimate(?) reason to use your domain as the envelope sender (E-cards, invitations, maybe some outsourced service like surveys or whatnot). You can whitelist around your you-are-not-me rules with a client_access map before your sender_access map that returns OK or an appropriate restriction class (see http://www.postfix.org/RESTRICTION_CLASS_README.html).
You can use similar HELO checks to weed out clients HELO-ing with your own hostname/IP or known bad HELO strings:
```
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_helo_access hash:$config_directory/helo_checks,
    check_sender_access hash:$config_directory/reject_mydomains,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_invalid_hostname
```
and in helo_checks:
```
example.com.au REJECT BAD-HELO you are not example.com.au
mailserver.example.com.au REJECT BAD-HELO you are not me
localhost REJECT BAD-HELO you are not me
localhost.localdomain REJECT BAD-HELO you are not me
# where 1.2.3.4 is the IP of your server
1.2.3.4 REJECT BAD-HELO you are not me
127.0.0.1 REJECT BAD-HELO you are not me
```
Lastly, it's a very good idea to subscribe to a good reputation service such as an RBL. The best RBL for most purposes is zen.spamhaus.org. It's free to use for light to moderate loads, and if your usage is high enough to cross over their free/paid threshold, the cost is well worth it. To configure in Postfix, add
```
reject_rbl_client zen.spamhaus.org
```
to your smtpd_recipient_restrictions. Do that after your cheap local checks to save on DNS query load and latency, but before expensive local checks like reject_unverified_recipient (you aren't using that one and probably don't need it from your problem description).
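As an added example (not from the answer and not Postfix code), this is a small model of how Postfix walks the smtpd_recipient_restrictions list given above, to check which envelope senders the reject_mydomains map stops and which are let through earlier by permit_sasl_authenticated or permit_mynetworks. Access-map lookup order follows access(5): user@domain, then the domain and its parent domains (smtpd_access_maps is in parent_domain_matches_subdomains by default), then user@; numeric HELO names are matched by shrinking prefix. Recipients are assumed local, and the client addresses are constructed.

```python
"""Model of the answer's restriction list and access-map lookup order."""
import ipaddress

MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.1.0/24")]
REJECT_MYDOMAINS = {"example.com.au": "REJECT you are not me"}
HELO_CHECKS = {
    "example.com.au": "REJECT BAD-HELO you are not example.com.au",
    "mailserver.example.com.au": "REJECT BAD-HELO you are not me",
    "localhost": "REJECT BAD-HELO you are not me",
    "localhost.localdomain": "REJECT BAD-HELO you are not me",
    "1.2.3.4": "REJECT BAD-HELO you are not me",  # the server's own IP
    "127.0.0.1": "REJECT BAD-HELO you are not me",
}


def _candidates(key: str) -> list:
    """Keys tried, in order, for one access-map lookup (see access(5))."""
    if "@" in key:
        user, domain = key.rsplit("@", 1)
        return [key.lower()] + _candidates(domain) + [user.lower() + "@"]
    parts = key.lower().split(".")
    if all(p.isdigit() for p in parts):  # 1.2.3.4, 1.2.3, 1.2, 1
        return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]
    return [".".join(parts[i:]) for i in range(len(parts))]  # domain, parents


def access_lookup(table: dict, key: str):
    """First matching table entry, or None (Postfix DUNNO)."""
    for candidate in _candidates(key):
        if candidate in table:
            return table[candidate]
    return None


def evaluate(client_ip: str, sasl_authenticated: bool, helo: str, sender: str) -> str:
    """Walk the restrictions in order; the first verdict wins, DUNNO falls
    through. Recipients are local here, so reject_unauth_destination is DUNNO."""
    client = ipaddress.ip_address(client_ip)
    restrictions = [
        lambda: "OK" if sasl_authenticated else None,  # permit_sasl_authenticated
        lambda: "OK" if any(client in n for n in MYNETWORKS) else None,  # permit_mynetworks
        lambda: None,  # reject_unauth_destination
        lambda: access_lookup(HELO_CHECKS, helo),  # check_helo_access
        lambda: access_lookup(REJECT_MYDOMAINS, sender),  # check_sender_access
    ]
    for restriction in restrictions:
        verdict = restriction()
        if verdict is not None:
            return verdict
    return "OK"  # end of list: the default action is permit
```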