Loading ...
Sorry, an error occurred while loading the content.

New server, still older software, minimal configuration

Expand Messages
  • postfix-users@...
    Hello my dear Postfix users :) I got a new server, that still runs older software: Debian 6.0.9 with Postfix 2.7.1 I tried to start anew and tried to get my
    Message 1 of 4 , Mar 23, 2014
    • 0 Attachment
      Hello my dear Postfix users :)

      I got a "new" server, that still runs older software: Debian 6.0.9 with
      Postfix 2.7.1

      I tried to start anew and tried to get my configuration as small as
      possible, with only few changes to the default settings.
      I am using "grossd" as greylisting server on port 5525

      Esp. at the smtpd_*_restrictions i am unsure if i did too much ... or
      too few :)
      Maybe someone could have a look at those things?
      Did i do wrong?

      Thank you very much!

      I came out with the following:

      alias_maps = hash:/etc/aliases
      biff = no
      broken_sasl_auth_clients = yes
      config_directory = /etc/postfix
      disable_vrfy_command = yes
      header_checks = regexp:/etc/postfix/header_checks
      mailbox_command = /usr/bin/procmail -a "$EXTENSION"
      DEFAULT=$HOME/MyMail/ MAILDIR=$HOME/MyMail
      mailbox_size_limit = 1073741824
      message_size_limit = 41943040
      mydestination = $myhostname, localhost.$mydomain, localhost,
      /etc/postfix/mydomains
      myhostname = MYFQHN
      mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128, MYOWNIP/32
      mynetworks_style = host
      recipient_delimiter = .
      relocated_maps = hash:/etc/postfix/relocated
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      smtpd_client_restrictions = check_client_access
      hash:/etc/postfix/client_access, permit_inet_interfaces,
      permit_mynetworks, permit_sasl_authenticated,
      reject_unknown_reverse_client_hostname, reject_unknown_client_hostname,
      permit
      smtpd_data_restrictions = reject_multi_recipient_bounce,
      reject_unauth_pipelining, permit
      smtpd_helo_required = yes
      smtpd_helo_restrictions = check_helo_access
      hash:/etc/postfix/helo_access, permit_mynetworks,
      permit_sasl_authenticated, reject_invalid_helo_hostname,
      reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname,
      reject_invalid_hostname, permit
      smtpd_recipient_restrictions = check_recipient_access
      hash:/etc/postfix/recipient_access, permit_mynetworks,
      permit_sasl_authenticated, reject_unlisted_recipient,
      reject_non_fqdn_recipient, reject_unauth_destination,
      reject_unknown_recipient_domain, check_policy_service
      inet:localhost:5525, permit
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_authenticated_header = yes
      smtpd_sasl_path = private/auth
      smtpd_sasl_type = dovecot
      smtpd_sender_restrictions = check_sender_access
      hash:/etc/postfix/sender_access, reject_non_fqdn_sender,
      reject_unknown_sender_domain, reject_unknown_address, permit
      smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
      smtpd_tls_key_file = /etc/ssl/private/postfix.key
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      smtpd_use_tls = yes
      soft_bounce = yes

      At client_access, i added some otherwise problematic clients.
      At header_checks, i remove some header lines (User-Agent and initial
      Received "by" server).
      At helo_access, i added some otherwise problematic servers.
      At mydomains, i list all domains i am hosting.
      At recipient_access, i redirect or reject some "sub-domains" (some
      spammed mail-adresses).
      At relocated, i bounce (or send information about) some old and unused
      mail-adresses.
      sender_access is currently empty.
    • postfix-users@...
      I was suspecting this already: Mar 25 12:16:56 HOSTNAME postfix/smtpd[6243]: connect from unknown[180.93.167.227] Mar 25 12:16:58 HOSTNAME postfix/smtpd[6243]:
      Message 2 of 4 , Mar 25, 2014
      • 0 Attachment
        I was suspecting this already:

        Mar 25 12:16:56 HOSTNAME postfix/smtpd[6243]: connect from
        unknown[180.93.167.227]
        Mar 25 12:16:58 HOSTNAME postfix/smtpd[6243]: disconnect from
        unknown[180.93.167.227]

        Something seems to get through possibly should not?
        I have no idea, what i should fix :-(


        postfix-users@... wrote:
        > Hello my dear Postfix users :)
        >
        > I got a "new" server, that still runs older software: Debian 6.0.9
        > with Postfix 2.7.1
        >
        > I tried to start anew and tried to get my configuration as small as
        > possible, with only few changes to the default settings.
        > I am using "grossd" as greylisting server on port 5525
        >
        > Esp. at the smtpd_*_restrictions i am unsure if i did too much ... or
        > too few :)
        > Maybe someone could have a look at those things?
        > Did i do wrong?
        >
        > Thank you very much!
        >
        > I came out with the following:
        >
        > alias_maps = hash:/etc/aliases
        > biff = no
        > broken_sasl_auth_clients = yes
        > config_directory = /etc/postfix
        > disable_vrfy_command = yes
        > header_checks = regexp:/etc/postfix/header_checks
        > mailbox_command = /usr/bin/procmail -a "$EXTENSION"
        > DEFAULT=$HOME/MyMail/ MAILDIR=$HOME/MyMail
        > mailbox_size_limit = 1073741824
        > message_size_limit = 41943040
        > mydestination = $myhostname, localhost.$mydomain, localhost,
        > /etc/postfix/mydomains
        > myhostname = MYFQHN
        > mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128, MYOWNIP/32
        > mynetworks_style = host
        > recipient_delimiter = .
        > relocated_maps = hash:/etc/postfix/relocated
        > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
        > smtpd_client_restrictions = check_client_access
        > hash:/etc/postfix/client_access, permit_inet_interfaces,
        > permit_mynetworks, permit_sasl_authenticated,
        > reject_unknown_reverse_client_hostname,
        > reject_unknown_client_hostname, permit
        > smtpd_data_restrictions = reject_multi_recipient_bounce,
        > reject_unauth_pipelining, permit
        > smtpd_helo_required = yes
        > smtpd_helo_restrictions = check_helo_access
        > hash:/etc/postfix/helo_access, permit_mynetworks,
        > permit_sasl_authenticated, reject_invalid_helo_hostname,
        > reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname,
        > reject_invalid_hostname, permit
        > smtpd_recipient_restrictions = check_recipient_access
        > hash:/etc/postfix/recipient_access, permit_mynetworks,
        > permit_sasl_authenticated, reject_unlisted_recipient,
        > reject_non_fqdn_recipient, reject_unauth_destination,
        > reject_unknown_recipient_domain, check_policy_service
        > inet:localhost:5525, permit
        > smtpd_sasl_auth_enable = yes
        > smtpd_sasl_authenticated_header = yes
        > smtpd_sasl_path = private/auth
        > smtpd_sasl_type = dovecot
        > smtpd_sender_restrictions = check_sender_access
        > hash:/etc/postfix/sender_access, reject_non_fqdn_sender,
        > reject_unknown_sender_domain, reject_unknown_address, permit
        > smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
        > smtpd_tls_key_file = /etc/ssl/private/postfix.key
        > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
        > smtpd_use_tls = yes
        > soft_bounce = yes
        >
        > At client_access, i added some otherwise problematic clients.
        > At header_checks, i remove some header lines (User-Agent and initial
        > Received "by" server).
        > At helo_access, i added some otherwise problematic servers.
        > At mydomains, i list all domains i am hosting.
        > At recipient_access, i redirect or reject some "sub-domains" (some
        > spammed mail-adresses).
        > At relocated, i bounce (or send information about) some old and unused
        > mail-adresses.
        > sender_access is currently empty.
      • Ansgar Wiechers
        ... Some host connects to your mail server, then disconnects from your mail server. Apparently without doing anything else. What problem do you perceive here
        Message 3 of 4 , Mar 25, 2014
        • 0 Attachment
          On 2014-03-25 postfix-users@... wrote:
          > I was suspecting this already:
          >
          > Mar 25 12:16:56 HOSTNAME postfix/smtpd[6243]: connect from
          > unknown[180.93.167.227]
          > Mar 25 12:16:58 HOSTNAME postfix/smtpd[6243]: disconnect from
          > unknown[180.93.167.227]
          >
          > Something seems to get through possibly should not?
          > I have no idea, what i should fix :-(

          Some host connects to your mail server, then disconnects from your mail
          server. Apparently without doing anything else. What problem do you
          perceive here that would require fixing?

          Regards
          Ansgar Wiechers
          --
          "Abstractions save us time working, but they don't save us time learning."
          --Joel Spolsky
        • Ansgar Wiechers
          ... Your server would have to be psychic to detect that a client won t do anything before it actually disconnects without having done anything. ... No. Regards
          Message 4 of 4 , Mar 25, 2014
          • 0 Attachment
            On 2014-03-25 postfix-users@... wrote:
            > Ansgar Wiechers wrote:
            >> On 2014-03-25 postfix-users@... wrote:
            >>> I was suspecting this already:
            >>>
            >>> Mar 25 12:16:56 HOSTNAME postfix/smtpd[6243]: connect from
            >>> unknown[180.93.167.227]
            >>> Mar 25 12:16:58 HOSTNAME postfix/smtpd[6243]: disconnect from
            >>> unknown[180.93.167.227]
            >>>
            >>> Something seems to get through possibly should not?
            >>> I have no idea, what i should fix :-(
            >>
            >> Some host connects to your mail server, then disconnects from your
            >> mail server. Apparently without doing anything else. What problem do
            >> you perceive here that would require fixing?
            >
            > Now, i cannot see, that this connection does or tries ...
            > I thought to block such things - like rejecting "unknown" clients /
            > senders as early as possible.

            Your server would have to be psychic to detect that a client won't do
            anything before it actually disconnects without having done anything.

            > Not needed?

            No.

            Regards
            Ansgar Wiechers
            --
            "Abstractions save us time working, but they don't save us time learning."
            --Joel Spolsky
          Your message has been successfully submitted and would be delivered to recipients shortly.