Using system postfix as mail relay for docker containers

If you configured postfix as a local MTA, it will only listen on local network devices. To make it accessible from your docker container, add the address of the docker0 interface to inet_interfaces in main.cf:

Since the docker0 interface is created when the docker service starts, you have to make sure docker is started before postfix. With systemd you can do this by creating the file /etc/systemd/system/postfix.service.d/after-docker.conf with the content:

If you want to send outgoing mails with a destination other than the local system, you can allow this by adding the docker subnet to mynetworks in main.cf:
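The three steps above as one script, added here as an example and not taken from the original post. The bridge address 172.17.0.1 and subnet 172.17.0.0/16 are assumptions (the usual Docker default bridge), and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. BRIDGE_ADDR and BRIDGE_NET are
# assumed values; confirm yours with: ip -4 addr show docker0
BRIDGE_ADDR="${BRIDGE_ADDR:-172.17.0.1}"
BRIDGE_NET="${BRIDGE_NET:-172.17.0.0/16}"

# add_to_list CURRENT ITEM: print CURRENT with ITEM appended unless it is
# already present. main.cf lists are separated by commas and/or whitespace.
add_to_list() {
    set -f                          # keep entries such as [::1] from globbing
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$entry" = "$2" ]; then
            set +f; printf '%s\n' "$1"; return 0
        fi
    done
    set +f
    printf '%s\n' "${1:+$1, }$2"
}

# write_dropin ROOT: order postfix after docker so the bridge address exists
# when postfix binds to it. ROOT is "" on a live system.
write_dropin() {
    dir="$1/etc/systemd/system/postfix.service.d"
    mkdir -p "$dir" || return 1
    printf '[Unit]\nAfter=docker.service\n' > "$dir/after-docker.conf"
}

# apply_relay_config: run as root on the docker host.
apply_relay_config() {
    ifaces=$(postconf -h inet_interfaces) || return 1
    nets=$(postconf -h mynetworks) || return 1
    case "$ifaces" in
        all) ;;                                             # already listens on docker0
        loopback-only) ifaces="127.0.0.1, $BRIDGE_ADDR" ;;  # keyword to explicit list
        *) ifaces=$(add_to_list "$ifaces" "$BRIDGE_ADDR") ;;
    esac
    # Every container on BRIDGE_NET may relay through this host afterwards,
    # so add only the bridge subnet, never a wider range.
    postconf -e "inet_interfaces = $ifaces" \
                "mynetworks = $(add_to_list "$nets" "$BRIDGE_NET")" || return 1
    write_dropin "" && systemctl daemon-reload && systemctl restart postfix
}
```

Call `apply_relay_config` once as root; running it again leaves both lists unchanged because `add_to_list` skips entries that are already present.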

mtpolicyd 1.21 has been released

Version 1.21 has been released.

Get the sources from: https://mtpolicyd.org/download.html or from CPAN.

What has changed:

  • New feature vhost_by_policy_context
    The new option vhost_by_policy_context, if activated, tells mtpolicyd to select the VirtualHost based on the policy_context. For example, in postfix main.cf use the advanced syntax:

    In mtpolicyd.conf:

    The policy_context feature will be available in postfix 3.1 and later.
  • New plugin SMTPVerify
    The SMTPVerify plugin implements address verification at a remote SMTP server with MAIL FROM and RCPT TO commands. It supports the following checks:

    • Check if the remote SMTP server would accept mail for an address.
      Apply actions or scores if a permanent or temporary error is returned.
    • If the remote server supports the SIZE extension, the SIZE will be passed to the remote SMTP server. This way it can be checked whether the message exceeds the message size limit or the quota limit of the recipient.
    • Check if the remote SMTP server announces support for STARTTLS
    • Check if there is a TLSA record for the remote SMTP server
    • Check if there is an OPENPGPKEY record for the recipient

mtpolicyd 1.20 has been released

Version 1.20 has been released.

Get the sources from: https://mtpolicyd.org/download.html or from CPAN.

What has changed:

  • fix SQL connection handling after child fork
    Closing the connection after child fork did not cause a reconnect on all DBI versions. Instead do a reconnect by overwriting the previous connection.
  • improve request logging
    mtpolicyd now logs the plugin that caused the result. The new log format is:

Use posttls-finger to monitor your DANE configuration in icinga2

First you need to install the posttls-finger command. This command is included in postfix versions >=2.11. On Debian you may just rebuild the packages from unstable for your distribution.

Then download the check_posttls_finger script and make it executable:

Add a command definition to icinga2 by creating /etc/icinga2/conf.d/check_posttls_finger.conf with the following content:

Also add a service definition to /etc/icinga2/conf.d/services.conf:

Now configure the domains you want to monitor in your host definitions. For example, to monitor markusbenning.de:
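The core of such a check, added here as an example and not the check_posttls_finger script referenced above: it maps the connection status line printed by posttls-finger to a plugin state. The sample output lines are constructed, and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not the check_posttls_finger script from the post.
# The two sample lines are constructed (documentation names and addresses).
SAMPLE_VERIFIED='posttls-finger: Verified TLS connection established to mail.example.org[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)'
SAMPLE_UNTRUSTED='posttls-finger: Untrusted TLS connection established to mail.example.org[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)'

# dane_state: read posttls-finger output on stdin, print a plugin status line
# and return the plugin state (0 OK, 2 CRITICAL, 3 UNKNOWN).
dane_state() {
    line=$(grep 'TLS connection established to' | tail -n 1)
    case "$line" in
        *'Verified TLS connection established to '*)
            printf 'OK - %s\n' "${line#*: }"; return 0 ;;
        '')  # connection failed or the server offered no STARTTLS
            printf 'UNKNOWN - no TLS connection reported\n'; return 3 ;;
        *)   # Anonymous, Untrusted or Trusted: encrypted, not authenticated
            printf 'CRITICAL - not DANE-verified: %s\n' "${line#*: }"; return 2 ;;
    esac
}

# check_dane DOMAIN: probe the domain's mail exchanger at security level "dane".
check_dane() {
    posttls-finger -l dane "$1" 2>&1 | dane_state
}
```

Only a `Verified` status counts as OK here, so a domain whose TLSA records stop matching its certificate goes CRITICAL even though the session is still encrypted.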

Checking your IP against RBLs in icinga2

To make sure that your IP is not listed on any RBL, you can implement a daily check in icinga2.

The check can be implemented with the check_rbl script:

https://trac.id.ethz.ch/projects/nagios_plugins/wiki/check_rbl

The script has a few Perl module dependencies. To install them on a Debian system, execute:

Then download the script and make it executable:

Also download a copy of the configuration file:

Edit the configuration file and add/remove RBLs as needed. When writing this, the list still included the retired AHBL blacklist. To disable it, comment out the following line:

Now it's time to start a test run:

The script will display all checked RBLs and exit with a Nagios status line:

Now add the command/service definitions to your icinga2 configuration and apply the rbl_address to your host definitions.

Create /etc/icinga2/conf.d/check_rbl.conf with the following content:

Add the following service description to your /etc/icinga2/conf.d/services.conf:

And add an rbl_address variable to all hosts you want to check:

Restart the icinga2 service and see the results in icinga-web.

mtpolicyd version 1.15 released

Version 1.15 has been released.

Get the sources from: https://mtpolicyd.org/download.html or from CPAN.

New Features:

  • New Plugins: Accounting, Quota
    These plugins can be used to implement SMTP-level accounting and quotas. See Mail::MtPolicyd::Cookbook::HowtoAccountingQuota and the plugin reference for details.
  • SQL Infrastructure updates
    Plugins are now able to create their own tables automatically. Collected some shared SQL code into Plugin::Role::SqlUtils.
  • Support for scheduled tasks
    Plugins can execute scheduled tasks by implementing a cron() function.

mtpolicyd version 1.14 released

Version 1.14 of mtpolicyd has been released.

New Features:

  • Stress Plugin. Trigger an action if postfix is under stress.
  • Added on_error option to plugins.
    If set to "continue" and the plugin dies, mtpolicyd will continue with processing instead of returning an error:
  • Application level profiling has been added.
    A small profiler has been added to record request timings. Timings will be logged at log level 3. Plugins may add their own timings through the following API: