Re: Spam Attack on Postmaster

  • Stan Hoeppner
    Message 1 of 18, Mar 1, 2010
      Carlos Williams put forth on 2/28/2010 10:02 PM:
      > On Sun, Feb 28, 2010 at 5:27 PM, Stan Hoeppner <stan@...> wrote:
      >> Carlos, I think it's time you join spam-l and learn all the tricks to
      >> fighting spam. http://spam-l.com/mailman/listinfo/spam-l
      >
      > Thanks. I will research this and see what I can learn from that list.

      If you sub the list, ask Rich K about ipdeny. I learned about it from him.
      He's been a spam fighter since 1994 (maybe earlier). He's old school. As
      is Chris Lewis. Pay close attention to his posts. He's head of network
      security at Nortel networks, as well as the creator/maintainer of a major
      dnsbl, although I can't say which, lest I be shot. ;) The creator of
      Enemies List, Steven Champeon, is also a member, very sharp guy. Lots of
      experience on spam-l going waaay back. Many of the folks on the list
      predate SMTP.

      >> You could have blocked this spam with any number of methods, the simplest
      >> being adding the following to main.cf:
      >>
      >> smtpd_recipient_restrictions =
      >> reject_rbl_client zen.spamhaus.org
      >
      > I do have this in my main.cf. I don't know why it didn't reject it if
      > I have zen.spamhaus.org in my config unless it was added after the
      > spam was sent to me. Do you know? I have attached my output of
      > 'postconf -n' below.

      Look at the date/time stamp on the email transaction in your log, then check
      it against the CBL. If you reported it here the same day you received it,
      then CBL already had it listed. The CBL is incorporated into Spamhaus ZEN,
      but it's easier to check if an IP is listed using the CBL website than the
      Spamhaus website.

      > Is there a guide on how I can build a cidr table and block ALL mail from
      > Russia? I don't ever want / need mail from Russia and don't know how
      > to build this table and how to force Postfix to use the list.

      You don't need a guide. Just download the country files you want to block
      from ipdeny.com and add "REJECT" to the end of each line in the file so
      Postfix can use it, something like this:

      sed 's/$/ REJECT Russian email not welcome/g' ru.zone > russia.cidr

      Stick russia.cidr in /etc/postfix/ and to smtpd_recipient_restrictions,
      close to the top, add:

      check_client_access cidr:/etc/postfix/russia.cidr

      This will block all smtp connections originating from Russian IP space.

      Using ipdeny country listings is a simple and very effective way to stop a
      lot of spam. If you are sure you'll never need to receive email from a
      given country, using ipdeny cidr listings is the single most effective way
      to block spam from those countries. It's cheap on resources too, compared
      to dnsbl lookups.

      --
      Stan
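Stan's sed one-liner turns every line of the zone file into a table entry, blank and comment lines included. The following helper, added here and not part of the original thread or of Postfix itself, does the same conversion but validates each line with Python's ipaddress module first and reports what it skipped; the sample zone text, the REJECT text and the file names are constructed assumptions.

```python
from __future__ import annotations

import ipaddress

# Constructed sample of an ipdeny-style zone file (documentation prefixes,
# not real Russian address space); real files are one CIDR block per line.
SAMPLE_ZONE = """\
# ru.zone (constructed sample)
192.0.2.0/24
198.51.100.0/25

not-an-address
203.0.113.5/24
"""


def zone_to_cidr_table(zone_text: str, action: str) -> tuple[list[str], list[str]]:
    """Turn zone-file text into Postfix cidr: table lines.

    Returns (table_lines, skipped_lines).  Each table line has the form
    "<network>/<prefix> <action>", which is what
    check_client_access cidr:/etc/postfix/russia.cidr reads directly;
    cidr tables are plain text and need no postmap run.  Blank and comment
    lines are dropped rather than turned into entries, and anything that
    does not parse as an IPv4 or IPv6 network is reported instead of written.
    """
    table: list[str] = []
    skipped: list[str] = []
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False accepts host bits set (203.0.113.5/24) and
            # normalises them to the network address (203.0.113.0/24).
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            skipped.append(line)
            continue
        table.append(f"{net.with_prefixlen} {action}")
    return table, skipped


def write_cidr_table(zone_path: str, out_path: str, action: str) -> int:
    """Read a zone file, write the cidr table, return the entry count."""
    with open(zone_path, encoding="utf-8") as fh:
        table, skipped = zone_to_cidr_table(fh.read(), action)
    for bad in skipped:
        print(f"skipping unparsable line: {bad!r}")
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(table) + "\n")
    return len(table)


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; on a real host you would
    # call write_cidr_table("ru.zone", "/etc/postfix/russia.cidr", ...).
    entries, bad = zone_to_cidr_table(SAMPLE_ZONE, "REJECT Russian email not welcome")
    print("\n".join(entries))
    print(f"{len(entries)} entries written, {len(bad)} lines skipped: {bad}")
```

The output file goes into /etc/postfix/ and is referenced with check_client_access cidr:/etc/postfix/russia.cidr as described above; since cidr tables are read as plain text, no postmap step is needed.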
    • Ralf Hildebrandt
      Message 2 of 18, Mar 1, 2010
        * Stan Hoeppner <stan@...>:

        > If you sub the list, ask Rich K about ipdeny. I learned about it from him.
        > He's been a spam fighter since 1994 (maybe earlier). He's old school.

        Yay, I'm old school :)
        --
        Ralf Hildebrandt
        Geschäftsbereich IT | Abteilung Netzwerk
        Charité - Universitätsmedizin Berlin
        Campus Benjamin Franklin
        Hindenburgdamm 30 | D-12203 Berlin
        Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
        ralf.hildebrandt@... | http://www.charite.de
      • Noel Jones
        Message 3 of 18, Mar 1, 2010
          On 2/28/2010 1:55 PM, Carlos Williams wrote:
          > On Tue, Oct 27, 2009 at 8:55 AM, Noel Jones <njones@...> wrote:
          >> Or you can have postfix add it to main.cf for you by typing the command:
          >>
          >> # postconf -e 'address_verify_sender=$double_bounce_sender'
          >
          > I added the above parameter
          > (address_verify_sender=$double_bounce_sender) in my main.cf to keep
          > spammers from sending spam / junk email to my built in Postmaster
          > account.

          That parameter doesn't prevent spammers from sending junk to
          postmaster, it prevents mail to postmaster from bypassing your
          existing anti-spam controls. Big difference.


          > I am running a dated version of Postfix 2.3. I added it in my
          > main.cf and reloaded Postfix. I see it listed in my 'postconf -n' &
          > just this weekend received this email:
          >
          > Return-Path: <postmaster@...>
          > X-Original-To: postmaster@...
          > Delivered-To: postmaster@...
          > Received: from localhost (localhost.localdomain [127.0.0.1])
          > by mail.iamghost.com (Postfix) with ESMTP id EC5B277ADD6
          > for <postmaster@...>; Sat, 27 Feb 2010 15:05:50 -0500 (EST)
          > X-Virus-Scanned: amavisd-new at iamghost.com
          > X-Spam-Flag: YES
          > X-Spam-Score: 7.457
          > X-Spam-Level: *******
          > X-Spam-Status: Yes, score=7.457 tagged_above=-999 required=5
          > tests=[BAYES_50=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
          > RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033,
          > RDNS_NONE=0.1] autolearn=no
          > Received: from mail.iamghost.com ([127.0.0.1])
          > by localhost (iamghost.com [127.0.0.1]) (amavisd-new, port 10024)
          > with LMTP id awUEbrkCfcvq for <postmaster@...>;
          > Sat, 27 Feb 2010 15:05:50 -0500 (EST)
          > Received: from ambianceimports.com (unknown [89.204.40.160])
          > by mail.iamghost.com (Postfix) with SMTP id 179C477ADB5
          > for <postmaster@...>; Sat, 27 Feb 2010 15:05:48 -0500 (EST)
          > To: <postmaster@...>
          > Subject: ***SPAM*** Delivery Status Notification
          > From: Inez <postmaster@...>
          > MIME-Version: 1.0
          > Content-Type: text/html; charset="ISO-8859-1"
          > Content-Transfer-Encoding: 7bit
          > Message-Id: <20100227200549.179C477ADB5@...>
          > Date: Sat, 27 Feb 2010 15:05:48 -0500 (EST)
          >
          > *************************************************************************
          >
          > Should the above parameter firstly not have allowed this message to be
          > sent to 'Postmaster'?

          No. Apparently you have no controls that would otherwise
          reject this spam.

          > And I am confused why the "Return-Path & Delivered-To" addresses are the
          > same. Was this spammer attempting to spoof my postmaster's email
          > address?

          Yes, looks as if the spammer forged your postmaster as the
          envelope sender. You can reject mail FROM postmaster@ your
          domain with a check_sender_access map.

          If you need any more help, show your "postconf -n" output.

          -- Noel Jones
        • LuKreme
          Message 4 of 18, Mar 1, 2010
            On 01-Mar-10 06:08, Ralf Hildebrandt wrote:
            > * Stan Hoeppner <stan@...>:
            >
            >> If you sub the list, ask Rich K about ipdeny. I learned about it from him.
            >> He's been a spam fighter since 1994 (maybe earlier). He's old school.
            >
            > Yay, I'm old school :)

            You're so old school you're PRE school!

            No, wait, that's not right.

            :D

            --
            The fact that Bob and John are married does nothing to diminish
            anyone else's marriage any more than a black woman marrying a
            white man, a Jew marrying a Catholic, or an ugly Lyle marrying
            a Pretty Woman
          • Carlos Williams
            Message 5 of 18, Mar 1, 2010
              On Mon, Mar 1, 2010 at 9:29 AM, Noel Jones <njones@...> wrote:
              > That parameter doesn't prevent spammers from sending junk to postmaster, it
              > prevents mail to postmaster from bypassing your existing anti-spam controls.
              >  Big difference.

              It looks like it does pass my 'anti-spam' controls however & I am not
              sure why or how I can determine what is allowing this particular
              example to slip past. Below is straight from my Postfix logs and in
              the end of this email you can see my postconf -n shows
              '$double_bounce_sender':

              Feb 27 15:05:44 mail postfix/smtpd[3291]: warning: 89.204.40.160:
              hostname 160.40.204.89.access.ttknet.ru verification failed: Name or
              service not known
              Feb 27 15:05:44 mail postfix/smtpd[3291]: connect from unknown[89.204.40.160]
              Feb 27 15:05:49 mail postfix/smtpd[3291]: 179C477ADB5:
              client=unknown[89.204.40.160]
              Feb 27 15:05:50 mail postfix/cleanup[5220]: 179C477ADB5:
              message-id=<20100227200549.179C477ADB5@...>
              Feb 27 15:05:50 mail postfix/qmgr[20536]: 179C477ADB5:
              from=<postmaster@...>, size=3854, nrcpt=1 (queue active)
              Feb 27 15:05:50 mail postfix/smtpd[3291]: disconnect from unknown[89.204.40.160]
              Feb 27 15:05:50 mail postfix/smtpd[5224]: EC5B277ADD6:
              client=localhost.localdomain[127.0.0.1]
              Feb 27 15:05:50 mail postfix/cleanup[5220]: EC5B277ADD6:
              message-id=<20100227200549.179C477ADB5@...>
              Feb 27 15:05:51 mail postfix/smtpd[5224]: disconnect from
              localhost.localdomain[127.0.0.1]
              Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6:
              from=<postmaster@...>, size=4620, nrcpt=1 (queue active)
              Feb 27 15:05:51 mail amavis[6851]: (06851-16) Passed SPAMMY,
              [89.204.40.160] [89.204.40.160] <postmaster@...> ->
              <postmaster@...>, Message-ID:
              <20100227200549.179C477ADB5@...>, mail_id: awUEbrkCfcvq,
              Hits: 7.457, size: 3845, queued_as: EC5B277ADD6, 811 ms
              Feb 27 15:05:51 mail postfix/lmtp[5221]: 179C477ADB5:
              to=<postmaster@...>, relay=127.0.0.1[127.0.0.1]:10024,
              delay=2.5, delays=1.7/0.01/0/0.81, dsn=2.0.0, status=sent (250 2.0.0
              Ok, id=06851-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
              EC5B277ADD6)
              Feb 27 15:05:51 mail postfix/qmgr[20536]: 179C477ADB5: removed
              Feb 27 15:05:51 mail postfix/local[5225]: EC5B277ADD6:
              to=<carlos@...>, orig_to=<postmaster@...>,
              relay=local, delay=0.31, delays=0.18/0.01/0/0.12, dsn=2.0.0,
              status=sent (delivered to maildir)
              Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6: removed

              > No.  Apparently you have no controls that would otherwise reject this spam.

              I guess I didn't really understand fully the full meaning of
              '$double_bounce_sender'.

              > Yes, looks as if the spammer forged your postmaster as the envelope sender.
              >  You can reject mail FROM postmaster@ your domain with a check_sender_access
              > map.

              I do have a 'sender_access' map in /etc/postfix and in main.cf:

              [root@mail postfix]# postconf -n | grep 'sender_access'
              smtpd_recipient_restrictions = permit_mynetworks,
              permit_sasl_authenticated, reject_unauth_pipelining,
              reject_non_fqdn_recipient, reject_unknown_recipient_domain,
              reject_unauth_destination, reject_unlisted_recipient,
              check_policy_service unix:postgrey/socket, check_sender_access
              hash:/etc/postfix/sender_access,
              check_helo_access pcre:/etc/postfix/helo_checks.pcre,
              check_client_access hash:/etc/postfix/client_access,
              reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net

              Inside the file however I have domains and specific email addresses.
              Is this wrong formatting for the 'sender_access' file?

              # /etc/postfix/sender_access
              #
              # Black/Whitelist for senders matching the 'MAIL FROM' field. Examples...
              #
              lmco.com OK
              saic.com OK
              se-core.net OK
              army.mil OK
              us.army.mil OK
              rayhtheonvtc.com OK
              sting_ray1@... OK

              aol.com REJECT
              craigslist.org REJECT
              facebookmail.com REJECT
              gmail.com REJECT
              hotmail.com REJECT
              yahoo.com REJECT
              youtube.com REJECT

              Noel or anyone. If you can please help me understand the following:

              1. Why did Postfix allow the sender to bypass my 'anti spam' rules in
              my main.cf when it appeared in my logs above it didn't have a proper
              formatted fqdn and or hostname?
              2. Was it passed because it was spoofed to come from
              'postmaster@...' & I need to add a rule for this in
              'sender_access'?
              3. If 'yes' to above, why isn't '$double_bounce_sender' forcing email
              to 'Postmaster' run through checks?
              4. Based on my postconf -n (below) and my contents above showing
              '/etc/postfix/sender_access', do I have the correct values in the
              'sender_access' file or is it improperly formatted?

              ***Postconf -n***

              [root@mail postfix]# postconf -n
              address_verify_sender = $double_bounce_sender
              alias_database = hash:/etc/aliases
              alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
              broken_sasl_auth_clients = yes
              command_directory = /usr/sbin
              config_directory = /etc/postfix
              content_filter = amavisfeed:[127.0.0.1]:10024
              daemon_directory = /usr/libexec/postfix
              home_mailbox = Maildir/
              html_directory = no
              inet_interfaces = all
              mail_owner = postfix
              mailq_path = /usr/bin/mailq.postfix
              manpage_directory = /usr/share/man
              message_size_limit = 20480000
              mydestination = $myhostname, $mydomain, mail.$mydomain
              mydomain = iamghost.com
              myhostname = mail.iamghost.com
              mynetworks = $config_directory/mynetworks
              myorigin = $mydomain
              newaliases_path = /usr/bin/newaliases.postfix
              queue_directory = /var/spool/postfix
              readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
              recipient_delimiter = +
              relay_domains =
              sample_directory = /usr/share/doc/postfix-2.3.3/samples
              sendmail_path = /usr/sbin/sendmail.postfix
              setgid_group = postdrop
              smtp_tls_security_level = may
              smtpd_banner = $myhostname ESMTP
              smtpd_data_restrictions = reject_unauth_pipelining, permit
              smtpd_delay_reject = yes
              smtpd_helo_required = yes
              smtpd_helo_restrictions = permit_mynetworks,
              permit_sasl_authenticated, reject_non_fqdn_helo_hostname,
              reject_invalid_helo_hostname, permit
              smtpd_recipient_restrictions = permit_mynetworks,
              permit_sasl_authenticated, reject_unauth_pipelining,
              reject_non_fqdn_recipient, reject_unknown_recipient_domain,
              reject_unauth_destination, reject_unlisted_recipient,
              check_policy_service unix:postgrey/socket, check_sender_access
              hash:/etc/postfix/sender_access,
              check_helo_access pcre:/etc/postfix/helo_checks.pcre,
              check_client_access hash:/etc/postfix/client_access,
              reject_rbl_client zen.spamhaus.org, reject_rbl_client
              bl.spamcop.net, permit
              smtpd_sasl_auth_enable = yes
              smtpd_sasl_path = private/auth
              smtpd_sasl_security_options = noanonymous
              smtpd_sasl_type = dovecot
              smtpd_sender_restrictions = permit_mynetworks,
              permit_sasl_authenticated, reject_non_fqdn_sender,
              reject_unknown_sender_domain,
              reject_unknown_reverse_client_hostname, permit
              smtpd_tls_CAfile = /etc/ssl/intermediate.crt
              smtpd_tls_auth_only = yes
              smtpd_tls_cert_file = /srv/ssl/mail.crt
              smtpd_tls_key_file = /srv/ssl/mail.key
              smtpd_tls_loglevel = 1
              smtpd_tls_security_level = may
              smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
              smtpd_tls_session_cache_timeout = 3600s
              tls_random_source = dev:/dev/urandom
              unknown_local_recipient_reject_code = 550
            • Noel Jones
              Message 6 of 18, Mar 1, 2010
                On 3/1/2010 10:50 AM, Carlos Williams wrote:
                > On Mon, Mar 1, 2010 at 9:29 AM, Noel Jones <njones@...> wrote:
                >> That parameter doesn't prevent spammers from sending junk to postmaster, it
                >> prevents mail to postmaster from bypassing your existing anti-spam controls.
                >> Big difference.
                >
                > It looks like it does pass my 'anti-spam' controls & I am not
                > sure why or how I can determine what is allowing this particular
                > example to slip past.

                It "slips past" because there are no rules to block it.

                > Below is straight from my Postfix logs and in
                > the end of this email you can see my postconf -n shows
                > '$double_bounce_sender':
                >
                > Feb 27 15:05:44 mail postfix/smtpd[3291]: warning: 89.204.40.160:
                > hostname 160.40.204.89.access.ttknet.ru verification failed: Name or
                > service not known
                > Feb 27 15:05:44 mail postfix/smtpd[3291]: connect from unknown[89.204.40.160]
                > Feb 27 15:05:49 mail postfix/smtpd[3291]: 179C477ADB5:
                > client=unknown[89.204.40.160]
                > Feb 27 15:05:50 mail postfix/cleanup[5220]: 179C477ADB5:
                > message-id=<20100227200549.179C477ADB5@...>
                > Feb 27 15:05:50 mail postfix/qmgr[20536]: 179C477ADB5:
                > from=<postmaster@...>, size=3854, nrcpt=1 (queue active)
                > Feb 27 15:05:50 mail postfix/smtpd[3291]: disconnect from unknown[89.204.40.160]
                > Feb 27 15:05:50 mail postfix/smtpd[5224]: EC5B277ADD6:
                > client=localhost.localdomain[127.0.0.1]
                > Feb 27 15:05:50 mail postfix/cleanup[5220]: EC5B277ADD6:
                > message-id=<20100227200549.179C477ADB5@...>
                > Feb 27 15:05:51 mail postfix/smtpd[5224]: disconnect from
                > localhost.localdomain[127.0.0.1]
                > Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6:
                > from=<postmaster@...>, size=4620, nrcpt=1 (queue active)
                > Feb 27 15:05:51 mail amavis[6851]: (06851-16) Passed SPAMMY,
                > [89.204.40.160] [89.204.40.160] <postmaster@...> ->
                > <postmaster@...>, Message-ID:
                > <20100227200549.179C477ADB5@...>, mail_id: awUEbrkCfcvq,
                > Hits: 7.457, size: 3845, queued_as: EC5B277ADD6, 811 ms
                > Feb 27 15:05:51 mail postfix/lmtp[5221]: 179C477ADB5:
                > to=<postmaster@...>, relay=127.0.0.1[127.0.0.1]:10024,
                > delay=2.5, delays=1.7/0.01/0/0.81, dsn=2.0.0, status=sent (250 2.0.0
                > Ok, id=06851-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
                > EC5B277ADD6)
                > Feb 27 15:05:51 mail postfix/qmgr[20536]: 179C477ADB5: removed
                > Feb 27 15:05:51 mail postfix/local[5225]: EC5B277ADD6:
                > to=<carlos@...>, orig_to=<postmaster@...>,
                > relay=local, delay=0.31, delays=0.18/0.01/0/0.12, dsn=2.0.0,
                > status=sent (delivered to maildir)
                > Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6: removed
                >
                >> No. Apparently you have no controls that would otherwise reject this spam.
                >
                > I guess I didn't really understand fully the full meaning of
                > '$double_bounce_sender'.
                >
                >> Yes, looks as if the spammer forged your postmaster as the envelope sender.
                >> You can reject mail FROM postmaster@ your domain with a check_sender_access
                >> map.
                >
                > I do have a 'sender_access' map in /etc/postfix and in main.cf:
                >
                > [root@mail postfix]# postconf -n | grep 'sender_access'
                > smtpd_recipient_restrictions = permit_mynetworks,
                > permit_sasl_authenticated, reject_unauth_pipelining,
                > reject_non_fqdn_recipient, reject_unknown_recipient_domain,
                > reject_unauth_destination, reject_unlisted_recipient,
                > check_policy_service unix:postgrey/socket, check_sender_access
                > hash:/etc/postfix/sender_access,
                > check_helo_access pcre:/etc/postfix/helo_checks.pcre,
                > check_client_access hash:/etc/postfix/client_access,
                > reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
                >
                > Inside the file however I have domains and specific email addresses.
                > Is this wrong formatting for the 'sender_access' file?
                >
                > # /etc/postfix/sender_access
                > #
                > # Black/Whitelist for senders matching the 'MAIL FROM' field. Examples...
                > #
                > lmco.com OK
                > saic.com OK
                > se-core.net OK
                > army.mil OK
                > us.army.mil OK
                > rayhtheonvtc.com OK
                > sting_ray1@... OK
                >
                > aol.com REJECT
                > craigslist.org REJECT
                > facebookmail.com REJECT
                > gmail.com REJECT
                > hotmail.com REJECT
                > yahoo.com REJECT
                > youtube.com REJECT

                You can add "postmaster@your_domain REJECT" to this list if
                you want.


                >
                > Noel or anyone. If you can please help me understand the following:
                >
                > 1. Why did Postfix allow the sender to bypass my 'anti spam' rules in
                > my main.cf when it appeared in my logs above it didn't have a proper
                > formatted fqdn and or hostname?

                You have no rules to reject based on this.

                > 2. Was it passed because it was spoofed to come from
                > 'postmaster@...' & I need to add a rule for this in
                > 'sender_access'?

                No, that doesn't appear to have any bearing.


                > 3. If 'yes' to above, why isn't '$double_bounce_sender' forcing email
                > to 'Postmaster' run through checks?
                > 4. Based on my postconf -n (below) and my contents above showing
                > '/etc/postfix/sender_access', do I have the correct values in the
                > 'sender_access' file or is it improperly formatted?

                >
                > ***Postconf -n***
                >
                > [root@mail postfix]# postconf -n
                > address_verify_sender = $double_bounce_sender
                > alias_database = hash:/etc/aliases
                > alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
                > broken_sasl_auth_clients = yes
                > command_directory = /usr/sbin
                > config_directory = /etc/postfix
                > content_filter = amavisfeed:[127.0.0.1]:10024
                > daemon_directory = /usr/libexec/postfix
                > home_mailbox = Maildir/
                > html_directory = no
                > inet_interfaces = all
                > mail_owner = postfix
                > mailq_path = /usr/bin/mailq.postfix
                > manpage_directory = /usr/share/man
                > message_size_limit = 20480000
                > mydestination = $myhostname, $mydomain, mail.$mydomain
                > mydomain = iamghost.com
                > myhostname = mail.iamghost.com
                > mynetworks = $config_directory/mynetworks
                > myorigin = $mydomain
                > newaliases_path = /usr/bin/newaliases.postfix
                > queue_directory = /var/spool/postfix
                > readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
                > recipient_delimiter = +
                > relay_domains =
                > sample_directory = /usr/share/doc/postfix-2.3.3/samples
                > sendmail_path = /usr/sbin/sendmail.postfix
                > setgid_group = postdrop
                > smtp_tls_security_level = may
                > smtpd_banner = $myhostname ESMTP
                > smtpd_data_restrictions = reject_unauth_pipelining, permit
                > smtpd_delay_reject = yes
                > smtpd_helo_required = yes
                > smtpd_helo_restrictions = permit_mynetworks,
                > permit_sasl_authenticated, reject_non_fqdn_helo_hostname,
                > reject_invalid_helo_hostname, permit
                > smtpd_recipient_restrictions = permit_mynetworks,
                > permit_sasl_authenticated, reject_unauth_pipelining,
                > reject_non_fqdn_recipient, reject_unknown_recipient_domain,
                > reject_unauth_destination, reject_unlisted_recipient,
                > check_policy_service unix:postgrey/socket, check_sender_access
                > hash:/etc/postfix/sender_access,
                > check_helo_access pcre:/etc/postfix/helo_checks.pcre,
                > check_client_access hash:/etc/postfix/client_access,
                > reject_rbl_client zen.spamhaus.org, reject_rbl_client
                > bl.spamcop.net, permit


                No glaring errors, although you might want to remove
                reject_unknown_recipient_domain as the only thing it's likely
                to block is your own domain.


                > smtpd_sasl_auth_enable = yes
                > smtpd_sasl_path = private/auth
                > smtpd_sasl_security_options = noanonymous
                > smtpd_sasl_type = dovecot
                > smtpd_sender_restrictions = permit_mynetworks,
                > permit_sasl_authenticated, reject_non_fqdn_sender,
                > reject_unknown_sender_domain,
                > reject_unknown_reverse_client_hostname, permit
                > smtpd_tls_CAfile = /etc/ssl/intermediate.crt
                > smtpd_tls_auth_only = yes
                > smtpd_tls_cert_file = /srv/ssl/mail.crt
                > smtpd_tls_key_file = /srv/ssl/mail.key
                > smtpd_tls_loglevel = 1
                > smtpd_tls_security_level = may
                > smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
                > smtpd_tls_session_cache_timeout = 3600s
                > tls_random_source = dev:/dev/urandom
                > unknown_local_recipient_reject_code = 550

                -- Noel Jones
              • Carlos Williams
                Message 7 of 18, Mar 1, 2010
                  On Mon, Mar 1, 2010 at 12:28 PM, Noel Jones <njones@...> wrote:
                  > It "slips past" because there are no rules to block it.
                  > You can add "postmaster@your_domain   REJECT" to this list if you want.

                  I am assuming I would add this to 'sender_access', correct?

                  On Mon, Mar 1, 2010 at 1:31 AM, LuKreme <kremels@...> wrote:
                  > Often people have an exclusion to pass email to postmaster no matter what.
                  > Check your sender_access and helo_checks for such an exclusion.
                  >
                  > Mine looks like this:
                  >
                  > /^postmaster@...$/ 550 Don't Spoof as my postmaster
                  > /^postmaster@...$/ 550 Don't Spoof as my postmaster
                  > /^postmaster@...$/ 550 Don't Spoof as my postmaster
                  > /^postmaster\@/ OK

                  LuKreme suggested the above which is different from your suggestion
                  above. I guess I am just not sure which works or do they simply do the
                  same thing. I don't know if the above example from LuKreme is for
                  'sender_access' or another type of file. Do you care to add to this
                  for my understanding?

                  > No glaring errors, although you might want to remove
                  > reject_unknown_recipient_domain as the only thing it's likely to block is
                  > your own domain.

                  Thanks. I will try this. You're the 1st to suggest this so far. Thanks.
                • mouss
                  Message 8 of 18, Mar 1, 2010
                    Carlos Williams wrote:
                    > On Mon, Mar 1, 2010 at 12:28 PM, Noel Jones <njones@...> wrote:
                    >> It "slips past" because there are no rules to block it.
                    >> You can add "postmaster@your_domain REJECT" to this list if you want.
                    >
                    > I am assuming I would add this to 'sender_access', correct?
                    >
                    > On Mon, Mar 1, 2010 at 1:31 AM, LuKreme <kremels@...> wrote:
                    >> Often people have an exclusion to pass email to postmaster no matter what.
                    >> Check your sender_access and helo_checks for such an exclusion.
                    >>
                    >> Mine looks like this:
                    >>
                    >> /^postmaster@...$/ 550 Don't Spoof as my postmaster
                    >> /^postmaster@...$/ 550 Don't Spoof as my postmaster
                    >> /^postmaster@...$/ 550 Don't Spoof as my postmaster
                    >> /^postmaster\@/ OK
                    >
                    > LuKreme suggested the above which is different from your suggestion
                    > above. I guess I am just not sure which works or do they simply do the
                    > same thing. I don't know if the above example from LuKreme is for
                    > 'sender_access' or another type of file. Do you care to add to this
                    > for my understanding?
                    >
                    >> No glaring errors, although you might want to remove
                    >> reject_unknown_recipient_domain as the only thing it's likely to block is
                    >> your own domain.
                    >
                    > Thanks. I will try this. You're the 1st to suggest this so far. Thanks.

                    do not allow mail sent by "receive only" addresses such as postmaster. I
                    am assuming that you don't send mail "from postmaster".

                    that said, this won't block all your spam. block _sources_ of spam:

                    $ host 89.204.40.160
                    160.40.204.89.in-addr.arpa domain name pointer
                    160.40.204.89.access.ttknet.ru.


                    so use a

                    regex=pcre:/etc/postfix/pcre

                    smtpd_recipient_restrictions =
                    ...
                    reject_unauth_destination
                    ...
                    check_helo_access $regex/access_host
                    check_reverse_client_hostname_access $regex/access_host


                    == access_host
                    /^(\d+\W){4}.*\.ttknet\.ru$/ REJECT generic hostname....

                    In these spam days, it's no longer possible to play mail with "generic"
                    hostnames. The above is still "conservative". It'll only take me some
                    time to go for a /(\d+\W){4}/.... ;-p
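To see which reverse-DNS names the access_host entry above would catch before putting it in front of a live smtpd, here is an added Python check (not mouss's code and not part of Postfix) that parses a small pcre: table and runs the lookup the way Postfix does, first match wins. The table text and the control hostnames are constructed; only the first hostname comes from the log lines quoted in this thread. Note that the pattern needs `\d+` spelled that way: the variant `d\+` matches a literal "d+" and never fires, which the block also demonstrates.

```python
from __future__ import annotations

import re

# Constructed pcre: access table in the "/pattern/ ACTION text" format.
ACCESS_HOST_TABLE = r"""
# /etc/postfix/access_host (constructed sample)
/^(\d+\W){4}.*\.ttknet\.ru$/   REJECT generic hostname
"""

# Hostnames to try: the first is the reverse name from the quoted log lines;
# the rest are constructed controls (a dash-separated generic name, a mail
# server in the same domain, an unrelated host).
SAMPLE_HOSTNAMES = [
    "160.40.204.89.access.ttknet.ru",
    "160-40-204-89.dyn.ttknet.ru",
    "mx1.ttknet.ru",
    "mail.example.net",
]

# As typed in the message, "d\+" is a literal "d" followed by a literal "+".
BUGGY_PATTERN = r"^(d\+\W){4}.*\.ttknet\.ru$"
FIXED_PATTERN = r"^(\d+\W){4}.*\.ttknet\.ru$"

_TABLE_LINE = re.compile(r"^/(?P<pattern>.*)/\s+(?P<action>\S.*)$")


def parse_pcre_table(text: str) -> list[tuple[re.Pattern[str], str]]:
    """Parse "/pattern/ ACTION text" lines into compiled (pattern, action) pairs.

    Matching is case-insensitive, which is the pcre_table(5) default.  The
    negation form (!/pattern/) and per-entry flags are not handled here.
    """
    table: list[tuple[re.Pattern[str], str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _TABLE_LINE.match(line)
        if m is None:
            raise ValueError(f"cannot parse pcre table line: {line!r}")
        table.append((re.compile(m["pattern"], re.IGNORECASE), m["action"]))
    return table


def lookup_access_host(table: list[tuple[re.Pattern[str], str]], hostname: str) -> str | None:
    """Return the action of the first matching entry, as Postfix would, or None."""
    for pattern, action in table:
        if pattern.search(hostname):
            return action
    return None


def pattern_matches(pattern: str, hostname: str) -> bool:
    """Test a single candidate pattern against one hostname before deploying it."""
    return re.search(pattern, hostname, re.IGNORECASE) is not None


if __name__ == "__main__":
    table = parse_pcre_table(ACCESS_HOST_TABLE)
    for host in SAMPLE_HOSTNAMES:
        result = lookup_access_host(table, host) or "no match (falls through)"
        print(f"{host:35} -> {result}")
    print("buggy d\\+ form matches log host:", pattern_matches(BUGGY_PATTERN, SAMPLE_HOSTNAMES[0]))
    print("fixed \\d+ form matches log host:", pattern_matches(FIXED_PATTERN, SAMPLE_HOSTNAMES[0]))
```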