Blocking a domain and user


Blocking a domain and user

Jim McIver
I have Postfix 2.1 on FreeBSD 4.10 and am having trouble blocking email
from a domain.

Here is a snippet of the postqueue -p:

DF6A927D       3512 Tue Mar  3 18:42:35  MAILER-DAEMON
(connect to mx1.mail.yahoo.co.jp[124.83.183.240]: server dropped
connection without sending the initial SMTP greeting)
                                         [hidden email]

D5EFB277       3508 Tue Mar  3 18:42:28  MAILER-DAEMON
(connect to mx3.mail.yahoo.co.jp[203.216.247.184]: server dropped
connection without sending the initial SMTP greeting)
                                         [hidden email]

D870B221       3248 Tue Mar  3 15:03:34  MAILER-DAEMON
(connect to mx5.mail.yahoo.co.jp[203.216.243.173]: server dropped
connection without sending the initial SMTP greeting)
                                         [hidden email]

DA5AC227       3583 Tue Mar  3 14:46:26  MAILER-DAEMON
(host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox
bounce arrival rate exceeds system limit (#4.2.2)
[hidden email] (in reply to RCPT TO command))
                                         [hidden email]

D11AD314       3248 Wed Mar  4 08:21:42  MAILER-DAEMON
(host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox
bounce arrival rate exceeds system limit (#4.2.2)
[hidden email] (in reply to RCPT TO command))
                                         [hidden email]

D48452DB       3250 Wed Mar  4 11:39:04  MAILER-DAEMON
(host mx2.mail.yahoo.co.jp[203.216.243.170] said: 451 VS14-RT5 Mailbox
bounce arrival rate exceeds system limit (#4.2.2)
[hidden email] (in reply to RCPT TO command))
                                         [hidden email]

I would like to block the .co.jp so it doesn't pile up in postqueue.

2nd:
I also receive over 400 messages daily from "[hidden email]". The
messages never go anywhere, they just pile up in the postqueue and I'd
like to keep the postqueue -p cleaned out.

Snippet from maillog:

Mar  4 00:09:21 mail postfix/smtpd[36633]: NOQUEUE: reject: RCPT from
unknown[89.218.164.251]: 554 <[hidden email]>: Sender address rejected:
Access denied; from=<[hidden email]> to=<[hidden email]>
proto=SMTP helo=<89.218.164.251.metro.online.kz>
Mar  4 02:41:25 mail postfix/smtpd[38622]: NOQUEUE: reject: RCPT from
unknown[86.123.168.197]: 554 <[hidden email]>: Sender address rejected:
Access denied; from=<[hidden email]> to=<[hidden email]>
proto=SMTP helo=<86-123-168-197.brasov.rdsnet.ro>
Mar  4 02:59:03 mail postfix/smtpd[39694]: NOQUEUE: reject: RCPT from
unknown[92.83.230.6]: 554 <[hidden email]>: Sender address rejected:
Access denied; from=<[hidden email]> to=<[hidden email]>
proto=SMTP helo=<dsldevice.lan>


In my sender_access I have:
co.jp            REJECT
[hidden email]         REJECT

In my access_client I have:
co.jp            REJECT

Output of postconf -n
alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
html_directory = no
mail_name = TPC Holdings, We report spam
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 5000000
mydestination = lt.lmtribune.com mail.lmtribune.com
mydomain = lmtribune.com
myhostname = mail.lmtribune.com
mynetworks = 199.5.221.0/24 192.168.0.0/16 127.0.0.0/8
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = lmtribune.com dnews.com
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = check_client_access
hash:/usr/local/etc/postfix/client_access       permit
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks        
reject_unauth_destination       reject_invalid_hostname warn_if_reject
reject_unknown_hostname   reject_unauth_pipelining        
reject_non_fqdn_sender  reject_unknown_sender_domain    
reject_non_fqdn_recipient       reject_unknown_recipient_domain
warn_if_reject reject_unknown_client     reject_non_fqdn_hostname        
check_client_access hash:/usr/local/etc/postfix/access_client  
check_helo_access hash:/usr/local/etc/postfix/helo_access        
check_sender_access hash:/usr/local/etc/postfix/sender_access    
check_recipient_access hash:/usr/local/etc/postfix/recipient_access
smtpd_restriction_classes = restrictive, permissive
smtpd_sender_restrictions = check_sender_access
hash:/usr/local/etc/postfix/sender_access
smtpd_soft_error_limit = 10
strict_rfc821_envelopes = yes
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual


I must not have something set quite right.


Under smtpd_recipient_restrictions =
       permit_mynetworks
        reject_unauth_destination
        reject_invalid_hostname
        warn_if_reject reject_unknown_hostname
        reject_unauth_pipelining
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        reject_non_fqdn_recipient
        reject_unknown_recipient_domain
        warn_if_reject reject_unknown_client
        reject_non_fqdn_hostname
        check_client_access hash:/usr/local/etc/postfix/access_client
        check_helo_access hash:/usr/local/etc/postfix/helo_access
        check_sender_access hash:/usr/local/etc/postfix/sender_access
        check_recipient_access hash:/usr/local/etc/postfix/recipient_access

Behind reject_unauth_destination do I add "
hash:/usr/local/etc/postfix/access
and create an access file with:
co.jp
[hidden email]

Regards,
-jm
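As an added example (not part of the thread), here is a small Python parser for `postqueue -p` output that summarises a listing like the one above by sender, recipient domain and failure class. The sample listing inside it is constructed with placeholder addresses, since the real recipients are hidden on the page. Run against the poster's queue it would show that every entry carries the null sender (MAILER-DAEMON) and a yahoo.co.jp recipient, i.e. the queue holds bounces this server generated, which is a different problem from inbound mail to block.

```python
"""Summarise a `postqueue -p` listing by sender, recipient domain and failure class.

Added example, not code from the thread. SAMPLE_QUEUE is constructed: it follows
the real `postqueue -p` layout (and the line wrapping seen in the post) but uses
placeholder recipient addresses because the real ones are hidden on the page.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE_QUEUE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
DF6A927D       3512 Tue Mar  3 18:42:35  MAILER-DAEMON
(connect to mx1.mail.yahoo.co.jp[124.83.183.240]: server dropped
connection without sending the initial SMTP greeting)
                                         user1@yahoo.co.jp

D5EFB277       3508 Tue Mar  3 18:42:28  MAILER-DAEMON
(connect to mx3.mail.yahoo.co.jp[203.216.247.184]: server dropped
connection without sending the initial SMTP greeting)
                                         user2@yahoo.co.jp

DA5AC227       3583 Tue Mar  3 14:46:26  MAILER-DAEMON
(host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox
bounce arrival rate exceeds system limit (#4.2.2)
user3@yahoo.co.jp (in reply to RCPT TO command))
                                         user3@yahoo.co.jp

A1B2C3D4*      1200 Wed Mar  4 09:00:00  alice@example.com
                                         bob@example.net

-- 11 Kbytes in 4 Requests.
"""

# Queue-ID line: id, optional '*' (active) or '!' (hold), size, arrival time, sender.
HEADER_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$"
)


@dataclass
class QueueEntry:
    qid: str
    size: int
    arrival: str
    sender: str
    active: bool
    reason: str = ""
    recipients: list = field(default_factory=list)


def parse_postqueue(text):
    """Turn a listing into QueueEntry objects; wrapped reason lines are re-joined
    by tracking parenthesis depth, so pasted (line-wrapped) output also parses."""
    entries, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):      # blank, column header, or footer
            continue
        m = HEADER_RE.match(line)
        if m and depth == 0:
            current = QueueEntry(m["qid"], int(m["size"]), m["arrival"],
                                 m["sender"], m["flag"] == "*")
            entries.append(current)
            continue
        if current is None:
            continue
        if depth > 0 or line.startswith("("):      # deferral reason (possibly wrapped)
            current.reason = (current.reason + " " + line).strip()
            depth += line.count("(") - line.count(")")
        else:                                      # indented recipient line
            current.recipients.append(line)
    return entries


def classify(reason):
    """Coarse failure class from the deferral reason text."""
    if not reason:
        return "active"
    if "said: 4" in reason:
        return "remote 4xx"
    if "said: 5" in reason:
        return "remote 5xx"
    if "connect to" in reason:
        return "connection failure"
    return "other"


def summarise(entries):
    """Counts that answer 'what is this queue full of?'"""
    summary = {"total": len(entries), "bounces": 0,
               "by_domain": Counter(), "by_reason": Counter()}
    for e in entries:
        if e.sender == "MAILER-DAEMON":   # null envelope sender: a bounce this server generated
            summary["bounces"] += 1
        summary["by_reason"][classify(e.reason)] += 1
        for rcpt in e.recipients:
            summary["by_domain"][rcpt.rpartition("@")[2].lower()] += 1
    return summary


if __name__ == "__main__":
    s = summarise(parse_postqueue(SAMPLE_QUEUE))
    print(f"{s['bounces']} of {s['total']} queued messages are our own bounces")
    print("recipient domains:", dict(s["by_domain"]))
    print("failure classes:  ", dict(s["by_reason"]))
```

A high `bounces` count with the recipient domains concentrated on one provider is the fingerprint of backscatter leaving the server; the fix then belongs at the SMTP front door (reject unknown recipients and bad clients before queueing), not in blocking the domains the bounces are addressed to.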

Re: Blocking a domain and user

Brian Evans - Postfix List
Jim McIver wrote:
> I have Postfix 2.1 on Freebsd 4.10 and am having trouble blocking
> email from a domain.
>

Postfix 2.1 is ancient.  Recommend an upgrade as some things I mention
may require 2.2 or 2.3 or higher.
> Here is a snipet of the postqueue -p:
>
> DF6A927D       3512 Tue Mar  3 18:42:35  MAILER-DAEMON
> (connect to mx1.mail.yahoo.co.jp[124.83.183.240]: server dropped
> connection without sending the initial SMTP greeting)
>                                         [hidden email]
>
>
You accepted this mail.  You need to find out WHY this
bounce/backscatter is occurring.
Check your mail log for DF6A927D.

>
> I would like to block the .co.jp so it doesn't pile up in postqueue.
>
> 2nd:
> I also receive over 400 messages daily from "[hidden email]". The
> messages never go anywhere, they just pile up in the postqueue and I'd
> like to keep the postqueue -p cleaned out.
>
> Snippet from maillog:
>
> Mar  4 00:09:21 mail postfix/smtpd[36633]: NOQUEUE: reject: RCPT from
> unknown[89.218.164.251]: 554 <[hidden email]>: Sender address
> rejected: Access denied; from=<[hidden email]>
> to=<[hidden email]> proto=SMTP helo=<89.218.164.251.metro.online.kz>
>
This message is rejected. It was not queued.

To block more, upgrade and use Zen (see site for usage restrictions)

grknight@mx1 ~ $ host 251.164.218.89.zen.spamhaus.org
251.164.218.89.zen.spamhaus.org has address 127.0.0.11
251.164.218.89.zen.spamhaus.org has address 127.0.0.4

>
> In my sender_access and  I have:
> co.jp            REJECT
> [hidden email]         REJECT
>
> In my access_client I have:
> co.jp            REJECT
>
> Output of postconf -n
> smtpd_client_restrictions = check_client_access
> hash:/usr/local/etc/postfix/client_access       permit
> smtpd_recipient_restrictions = permit_mynetworks      
> reject_unauth_destination       reject_invalid_hostname warn_if_reject
> reject_unknown_hostname   reject_unauth_pipelining      
> reject_non_fqdn_sender  reject_unknown_sender_domain    
> reject_non_fqdn_recipient       reject_unknown_recipient_domain
> warn_if_reject reject_unknown_client    
> reject_non_fqdn_hostname        check_client_access
> hash:/usr/local/etc/postfix/access_client   check_helo_access
> hash:/usr/local/etc/postfix/helo_access        check_sender_access
> hash:/usr/local/etc/postfix/sender_access    check_recipient_access
> hash:/usr/local/etc/postfix/recipient_access
> smtpd_sender_restrictions = check_sender_access
> hash:/usr/local/etc/postfix/sender_access
>
check_client_access expects a connecting IP match not a MAIL FROM match.

Brian
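Brian's point about check_client_access can be made concrete by walking the lookup keys Postfix tries for each access map. The Python below is an added example, not from the thread or from Postfix itself; it reproduces the key order documented in access(5) for IPv4 clients and envelope addresses (the `SENDER_ACCESS` and `ACCESS_CLIENT` tables are constructed to mirror the poster's files). A `co.jp` entry matches a `*@yahoo.co.jp` envelope sender through the parent-domain walk, but a client table is consulted with the client's reverse name and IP address, so the same entry never matches an unresolved (`unknown[...]`) client.

```python
"""Simulate the lookup sequence Postfix uses for check_sender_access and check_client_access.

Added example, not from the thread. The key order follows access(5): an envelope
address is tried as user@domain, then its domain and each parent domain, then
user@; a client is tried by hostname and parent domains, then by IPv4 address and
successively shorter prefixes. With smtpd_access_maps listed in
parent_domain_matches_subdomains (the Postfix default) a bare parent such as
"co.jp" matches subdomains; otherwise only the legacy ".co.jp" form does. IPv6
clients are not modelled here.
"""


def domain_keys(domain, subdomains=True):
    """The domain itself, then each parent domain (bare, or dot-prefixed in legacy mode)."""
    labels = domain.lower().split(".")
    keys = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if subdomains else "." + parent)
    return keys


def sender_lookup_keys(address, subdomains=True):
    """Keys tried for MAIL FROM (check_sender_access) or RCPT TO (check_recipient_access)."""
    local, _, domain = address.lower().rpartition("@")
    if not domain:                       # null or bare sender: only the literal string is tried
        return [address.lower()]
    return [address.lower()] + domain_keys(domain, subdomains) + [local + "@"]


def client_lookup_keys(hostname, ip, subdomains=True):
    """Keys tried for the connecting client (check_client_access): name, then address prefixes.
    A client whose address did not resolve is logged as 'unknown' and has no name to match."""
    keys = []
    if hostname and hostname != "unknown":
        keys += domain_keys(hostname, subdomains)
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):  # 89.218.164.251, 89.218.164, 89.218, 89
        keys.append(".".join(octets[:n]))
    return keys


def lookup(table, keys):
    """Return (matching_key, action) for the first key present, or None (Postfix: DUNNO)."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None


# Constructed tables mirroring what the poster put in sender_access and access_client.
SENDER_ACCESS = {"co.jp": "REJECT"}
ACCESS_CLIENT = {"co.jp": "REJECT"}

if __name__ == "__main__":
    # Sender restriction: the co.jp entry does match a yahoo.co.jp envelope sender.
    print(lookup(SENDER_ACCESS, sender_lookup_keys("someone@yahoo.co.jp")))
    # Client restriction: the same entry never matches an unresolved client, because the
    # keys tried are the client's name and IP address, not the MAIL FROM domain.
    print(lookup(ACCESS_CLIENT, client_lookup_keys("unknown", "89.218.164.251")))
    # It would match a client whose reverse name is under co.jp ...
    print(lookup(ACCESS_CLIENT, client_lookup_keys("mx1.mail.yahoo.co.jp", "124.83.183.240")))
    # ... and an address-prefix entry is what a client table is normally used for.
    print(lookup({"89.218.164": "REJECT"}, client_lookup_keys("unknown", "89.218.164.251")))
```

The `subdomains` flag models parent_domain_matches_subdomains: with smtpd_access_maps listed (the default), bare parent domains match; with it removed, only `.co.jp`-style entries do. Printing the key list for a given sender or client is a quick way to see which entry a `postmap -q key hash:/path/to/table` probe should hit.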

Re: Blocking a domain and user

Paweł Leśniak
In reply to this post by Jim McIver
On 2009-03-04 21:32, Jim McIver wrote:

> I have Postfix 2.1 on Freebsd 4.10 and am having trouble blocking
> email from a domain.
>
> Here is a snipet of the postqueue -p:
>
> DF6A927D       3512 Tue Mar  3 18:42:35  MAILER-DAEMON
> (connect to mx1.mail.yahoo.co.jp[124.83.183.240]: server dropped
> connection without sending the initial SMTP greeting)
>                                         [hidden email]
>
> D5EFB277       3508 Tue Mar  3 18:42:28  MAILER-DAEMON
> (connect to mx3.mail.yahoo.co.jp[203.216.247.184]: server dropped
> connection without sending the initial SMTP greeting)
>                                         [hidden email]
>
> D870B221       3248 Tue Mar  3 15:03:34  MAILER-DAEMON
> (connect to mx5.mail.yahoo.co.jp[203.216.243.173]: server dropped
> connection without sending the initial SMTP greeting)
>                                         [hidden email]
>
> DA5AC227       3583 Tue Mar  3 14:46:26  MAILER-DAEMON
> (host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox
> bounce arrival rate exceeds system limit (#4.2.2)
> [hidden email] (in reply to RCPT TO command))
>                                         [hidden email]
>
> D11AD314       3248 Wed Mar  4 08:21:42  MAILER-DAEMON
> (host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox
> bounce arrival rate exceeds system limit (#4.2.2)
> [hidden email] (in reply to RCPT TO command))
>                                         [hidden email]
>
> D48452DB       3250 Wed Mar  4 11:39:04  MAILER-DAEMON
> (host mx2.mail.yahoo.co.jp[203.216.243.170] said: 451 VS14-RT5 Mailbox
> bounce arrival rate exceeds system limit (#4.2.2)
> [hidden email] (in reply to RCPT TO command))
>                                         [hidden email]
>
> I would like to block the .co.jp so it doesn't pile up in postqueue.
It seems like your email address has been used as the sender address of
some spam rejected by yahoo.co.jp (just a guess). Anyway, your
MAILER-DAEMON tries to send bounces to yahoo.co.jp. You'd have to check
what's inside those bounced messages to find out what the real
problem is, I mean why your mail server is generating those bounces.
You could reject those messages by rejecting recipients at
yahoo.co.jp, but this is not recommended.

> 2nd:
> I also receive over 400 messages daily from "[hidden email]". The
> messages never go anywhere, they just pile up in the postqueue and I'd
> like to keep the postqueue -p cleaned out.
>
> Snippet from maillog:
>
> Mar  4 00:09:21 mail postfix/smtpd[36633]: NOQUEUE: reject: RCPT from
> unknown[89.218.164.251]: 554 <[hidden email]>: Sender address
> rejected: Access denied; from=<[hidden email]>
> to=<[hidden email]> proto=SMTP helo=<89.218.164.251.metro.online.kz>
> Mar  4 02:41:25 mail postfix/smtpd[38622]: NOQUEUE: reject: RCPT from
> unknown[86.123.168.197]: 554 <[hidden email]>: Sender address
> rejected: Access denied; from=<[hidden email]>
> to=<[hidden email]> proto=SMTP
> helo=<86-123-168-197.brasov.rdsnet.ro>
> Mar  4 02:59:03 mail postfix/smtpd[39694]: NOQUEUE: reject: RCPT from
> unknown[92.83.230.6]: 554 <[hidden email]>: Sender address rejected:
> Access denied; from=<[hidden email]> to=<[hidden email]>
> proto=SMTP helo=<dsldevice.lan>
>
Looks fine. You are rejecting mail from [hidden email] (and that agrees
with your config check_sender_access
hash:/usr/local/etc/postfix/sender_access). You shouldn't see those in
the queue.

Pawel Lesniak


Re: Blocking a domain and user

@lbutlr
In reply to this post by Jim McIver
On 4-Mar-2009, at 13:32, Jim McIver wrote:
> they just pile up in the postqueue and I'd like to keep the  
> postqueue -p cleaned out.
>
> Snippet from maillog:
>
> Mar  4 00:09:21 mail postfix/smtpd[36633]: NOQUEUE: reject: RCPT  
> from unknown[89.218.164.251]: 554 <[hidden email]>: Sender address  
> rejected: Access denied; from=<[hidden email]> to=<[hidden email]
> > proto=SMTP helo=<89.218.164.251.metro.online.kz>

How are they piling up in postqueue when the connection is being  
rejected?


--
This is our music from the bachelor's den, the sound of loneliness
        turned up to ten.  A harsh soundtrack from a stagnant waterbed
        and it sounds just like this. This is the sound of someone
        losing the plot making out that they're OK when they're not.
        You're gonna like it, but not a lot.  And the chorus goes like
        this...


Re: Blocking a domain and user

Noel Jones-2
In reply to this post by Paweł Leśniak
Paweł Leśniak wrote:

> On 2009-03-04 21:32, Jim McIver wrote:
>> I have Postfix 2.1 on Freebsd 4.10 and am having trouble blocking
>> email from a domain.
>>
>> Here is a snipet of the postqueue -p:
>>
>> DF6A927D       3512 Tue Mar  3 18:42:35  MAILER-DAEMON
>> (connect to mx1.mail.yahoo.co.jp[124.83.183.240]: server dropped
>> connection without sending the initial SMTP greeting)
>>                                         [hidden email]
>>
>> D5EFB277       3508 Tue Mar  3 18:42:28  MAILER-DAEMON
>> (connect to mx3.mail.yahoo.co.jp[203.216.247.184]: server dropped
>> connection without sending the initial SMTP greeting)
>>                                         [hidden email]
>>
>> D870B221       3248 Tue Mar  3 15:03:34  MAILER-DAEMON
>> (connect to mx5.mail.yahoo.co.jp[203.216.243.173]: server dropped
>> connection without sending the initial SMTP greeting)
>>                                         [hidden email]
>>
>> DA5AC227       3583 Tue Mar  3 14:46:26  MAILER-DAEMON
>> (host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox
>> bounce arrival rate exceeds system limit (#4.2.2)
>> [hidden email] (in reply to RCPT TO command))
>>                                         [hidden email]
>>
>> D11AD314       3248 Wed Mar  4 08:21:42  MAILER-DAEMON
>> (host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox
>> bounce arrival rate exceeds system limit (#4.2.2)
>> [hidden email] (in reply to RCPT TO command))
>>                                         [hidden email]
>>
>> D48452DB       3250 Wed Mar  4 11:39:04  MAILER-DAEMON
>> (host mx2.mail.yahoo.co.jp[203.216.243.170] said: 451 VS14-RT5 Mailbox
>> bounce arrival rate exceeds system limit (#4.2.2)
>> [hidden email] (in reply to RCPT TO command))
>>                                         [hidden email]
>>
>> I would like to block the .co.jp so it doesn't pile up in postqueue.
> This seems like your email address has been used as sender_address with
> some spam rejected by yahoo.co.jp (just a guess). Anyways your
> MAILER_DAEMON tries to send bounces to yahoo.co.jp. You'd have to check
> what's inside those bounced messages to find out what's the real
> problem, I mean why your mailserver is generating those bounces.
> You could reject those messages by rejecting recipients from
> yahoo.co.jp. but this is not recommended.

No, his postfix is generating these bounces.  His postfix
accepted mail addressed from *@yahoo.co.jp, wasn't able to
deliver it, and is attempting to return it to sender.

Very likely these non-delivery reports are because his system
is accepting mail to non-existent recipients.  He is
generating backscatter, not a victim of it.

Maybe OP has a wildcard entry in his virtual_alias_maps.


   -- Noel Jones


Re: Blocking a domain and user

Jim McIver
In reply to this post by @lbutlr
My mistake, the ones piling up in postqueue -p are the yahoo.co.jp. The
[hidden email] is just listed in the maillog and it's a bogus email
address I'd like not to receive email from.
-jm

LuKreme wrote:

> On 4-Mar-2009, at 13:32, Jim McIver wrote:
>> they just pile up in the postqueue and I'd like to keep the postqueue
>> -p cleaned out.
>>
>> Snippet from maillog:
>>
>> Mar  4 00:09:21 mail postfix/smtpd[36633]: NOQUEUE: reject: RCPT from
>> unknown[89.218.164.251]: 554 <[hidden email]>: Sender address
>> rejected: Access denied; from=<[hidden email]>
>> to=<[hidden email]> proto=SMTP
>> helo=<89.218.164.251.metro.online.kz>
>
> How are they piling up in postqueue when the connection is being
> rejected?
>
>

Re: Blocking a domain and user

Jim McIver
In reply to this post by Paweł Leśniak
My mistake. The [hidden email] is in the maillog. yahoo.co.jp is in
postqueue -p
-jm

Paweł Leśniak wrote:

> On 2009-03-04 21:32, Jim McIver wrote:
>> I have Postfix 2.1 on Freebsd 4.10 and am having trouble blocking
>> email from a domain.
>>
>> Here is a snipet of the postqueue -p:
>>
>> DF6A927D       3512 Tue Mar  3 18:42:35  MAILER-DAEMON
>> (connect to mx1.mail.yahoo.co.jp[124.83.183.240]: server dropped
>> connection without sending the initial SMTP greeting)
>>                                         [hidden email]
>>
>> D5EFB277       3508 Tue Mar  3 18:42:28  MAILER-DAEMON
>> (connect to mx3.mail.yahoo.co.jp[203.216.247.184]: server dropped
>> connection without sending the initial SMTP greeting)
>>                                         [hidden email]
>>
>> D870B221       3248 Tue Mar  3 15:03:34  MAILER-DAEMON
>> (connect to mx5.mail.yahoo.co.jp[203.216.243.173]: server dropped
>> connection without sending the initial SMTP greeting)
>>                                         [hidden email]
>>
>> DA5AC227       3583 Tue Mar  3 14:46:26  MAILER-DAEMON
>> (host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox
>> bounce arrival rate exceeds system limit (#4.2.2)
>> [hidden email] (in reply to RCPT TO command))
>>                                         [hidden email]
>>
>> D11AD314       3248 Wed Mar  4 08:21:42  MAILER-DAEMON
>> (host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox
>> bounce arrival rate exceeds system limit (#4.2.2)
>> [hidden email] (in reply to RCPT TO command))
>>                                         [hidden email]
>>
>> D48452DB       3250 Wed Mar  4 11:39:04  MAILER-DAEMON
>> (host mx2.mail.yahoo.co.jp[203.216.243.170] said: 451 VS14-RT5
>> Mailbox bounce arrival rate exceeds system limit (#4.2.2)
>> [hidden email] (in reply to RCPT TO command))
>>                                         [hidden email]
>>
>> I would like to block the .co.jp so it doesn't pile up in postqueue.
> This seems like your email address has been used as sender_address
> with some spam rejected by yahoo.co.jp (just a guess). Anyways your
> MAILER_DAEMON tries to send bounces to yahoo.co.jp. You'd have to
> check what's inside those bounced messages to find out what's the real
> problem, I mean why your mailserver is generating those bounces.
> You could reject those messages by rejecting recipients from
> yahoo.co.jp. but this is not recommended.
>> 2nd:
>> I also receive over 400 messages daily from "[hidden email]". The
>> messages never go anywhere, they just pile up in the postqueue and
>> I'd like to keep the postqueue -p cleaned out.
>>
>> Snippet from maillog:
>>
>> Mar  4 00:09:21 mail postfix/smtpd[36633]: NOQUEUE: reject: RCPT from
>> unknown[89.218.164.251]: 554 <[hidden email]>: Sender address
>> rejected: Access denied; from=<[hidden email]>
>> to=<[hidden email]> proto=SMTP
>> helo=<89.218.164.251.metro.online.kz>
>> Mar  4 02:41:25 mail postfix/smtpd[38622]: NOQUEUE: reject: RCPT from
>> unknown[86.123.168.197]: 554 <[hidden email]>: Sender address
>> rejected: Access denied; from=<[hidden email]>
>> to=<[hidden email]> proto=SMTP
>> helo=<86-123-168-197.brasov.rdsnet.ro>
>> Mar  4 02:59:03 mail postfix/smtpd[39694]: NOQUEUE: reject: RCPT from
>> unknown[92.83.230.6]: 554 <[hidden email]>: Sender address rejected:
>> Access denied; from=<[hidden email]> to=<[hidden email]>
>> proto=SMTP helo=<dsldevice.lan>
>>
> Looks fine. You are rejecting mails from [hidden email] (and that
> obeys with your config check_sender_access
> hash:/usr/local/etc/postfix/sender_access). You shouldn't see those in
> queue.
>
> Pawel Lesniak
>

Re: Blocking a domain and user

Jim McIver
In reply to this post by Brian Evans - Postfix List
In looking at the file in xxx/deferred, my mailserver is trying to
return an undeliverable message and it looks like there is something wrong
with the site: "said: 557 Invalid routing request - domain in
BLACK LIST."
Basically I think the site is a spammer and they are blacklisted. How
can I blacklist the .co.jp so I don't receive their message to start with?
-jm

Brian Evans - Postfix List wrote:

> Jim McIver wrote:
>  
>> I have Postfix 2.1 on Freebsd 4.10 and am having trouble blocking
>> email from a domain.
>>
>>    
>
> Postfix 2.1 is ancient.  Recommend an upgrade as some things I mention
> may require 2.2 or 2.3 or higher.
>  
>> Here is a snipet of the postqueue -p:
>>
>> DF6A927D       3512 Tue Mar  3 18:42:35  MAILER-DAEMON
>> (connect to mx1.mail.yahoo.co.jp[124.83.183.240]: server dropped
>> connection without sending the initial SMTP greeting)
>>                                         [hidden email]
>>
>>
>>    
> You accepted this mail.  You need to find out WHY this
> bounce/backscatter is occurring.
> Check your mail log for DF6A927D.
>
>  
>> I would like to block the .co.jp so it doesn't pile up in postqueue.
>>
>> 2nd:
>> I also receive over 400 messages daily from "[hidden email]". The
>> messages never go anywhere, they just pile up in the postqueue and I'd
>> like to keep the postqueue -p cleaned out.
>>
>> Snippet from maillog:
>>
>> Mar  4 00:09:21 mail postfix/smtpd[36633]: NOQUEUE: reject: RCPT from
>> unknown[89.218.164.251]: 554 <[hidden email]>: Sender address
>> rejected: Access denied; from=<[hidden email]>
>> to=<[hidden email]> proto=SMTP helo=<89.218.164.251.metro.online.kz>
>>
>>    
> This message is rejected. It was not queued.
>
> To block more, upgrade and use Zen (see site for usage restrictions)
>
> grknight@mx1 ~ $ host 251.164.218.89.zen.spamhaus.org
> 251.164.218.89.zen.spamhaus.org has address 127.0.0.11
> 251.164.218.89.zen.spamhaus.org has address 127.0.0.4
>
>  
>> In my sender_access and  I have:
>> co.jp            REJECT
>> [hidden email]         REJECT
>>
>> In my access_client I have:
>> co.jp            REJECT
>>
>> Output of postconf -n
>> smtpd_client_restrictions = check_client_access
>> hash:/usr/local/etc/postfix/client_access       permit
>> smtpd_recipient_restrictions = permit_mynetworks      
>> reject_unauth_destination       reject_invalid_hostname warn_if_reject
>> reject_unknown_hostname   reject_unauth_pipelining      
>> reject_non_fqdn_sender  reject_unknown_sender_domain    
>> reject_non_fqdn_recipient       reject_unknown_recipient_domain
>> warn_if_reject reject_unknown_client    
>> reject_non_fqdn_hostname        check_client_access
>> hash:/usr/local/etc/postfix/access_client   check_helo_access
>> hash:/usr/local/etc/postfix/helo_access        check_sender_access
>> hash:/usr/local/etc/postfix/sender_access    check_recipient_access
>> hash:/usr/local/etc/postfix/recipient_access
>> smtpd_sender_restrictions = check_sender_access
>> hash:/usr/local/etc/postfix/sender_access
>>
>>    
> check_client_access expects a connecting IP match not a MAIL FROM match.
>
> Brian
>  

Re: Blocking a domain and user

Noel Jones-2
Jim McIver wrote:
> In looking at the file in xxx/deferred, my mailserver is trying to
> return an undeliverable message and it looks like there is something wrong
> with the site: "said: 557 Invalid routing request - domain in
> BLACK LIST."
> Basically I think the site is a spammer and they are blacklisted. How
> can I blacklist the .co.jp so I don't receive their message to start with?
> -jm
>


You're focusing on the wrong problem.

1. Don't accept undeliverable mail to start with.  That will
cure most of the problem.
   - don't use wildcards in relay_recipient_maps
   - don't use wildcards in virtual_alias_maps

2. Use zen.spamhaus.org.  That will cure most of the rest of
the problem.

smtpd_client_restrictions =
   permit_mynetworks
   reject_rbl_client zen.spamhaus.org



   -- Noel Jones

Re: Blocking a domain and user

Jim McIver
Noel,
Guess I'm confused. I have a relay_recipient and recipient_access files
listing only valid user's email addresses for my company.
i.e.
relay_recipients
[hidden email]     any_value
[hidden email]     any_value
[hidden email]  any_value

recipient_access
[hidden email]     permissive
[hidden email]     permissive
[hidden email]  permissive

and nothing in virtual_alias_maps. I just seem to be getting hammered
with yahoo.co.jp and wanted to block .co.jp or even .jp.

Putting .jp in access_client, sender_access or client_access doesn't
seem to stop it.
Sorry for my lack of understanding.
-jm


Noel Jones wrote:

> Jim McIver wrote:
>> In looking at the file in xxx/deferred, my mailserver is trying to
>> return an undeliverable message and it looks like there is something
>> wrong with the site: "said: 557 Invalid routing request -
>> domain in BLACK LIST."
>> Basically I think the site is a spammer and they are blacklisted. How
>> can I blacklist the .co.jp so I don't receive their message to start
>> with?
>> -jm
>>
>
>
> You're focusing on the wrong problem.
>
> 1. Don't accept undeliverable mail to start with.  That will cure most
> of the problem.
>   - don't use wildcards in relay_recipient_maps
>   - don't use wildcards in virtual_alias_maps
>
> 2. Use zen.spamhaus.org.  That will cure most of the rest of the problem.
>
> smtpd_client_restrictions =
>   permit_mynetworks
>   reject_rbl_client zen.spamhaus.org
>
>
>
>   -- Noel Jones

Re: Blocking a domain and user

/dev/rob0
Please don't top-post. Thank you.

On Wed March 4 2009 17:10:49 Jim McIver wrote:

> Guess I'm confused. I have a relay_recipient and recipient_access
> files listing only valid user's email addresses for my company.
> ie..
> relay_recipients
> [hidden email]     any_value
> [hidden email]     any_value
> [hidden email]  any_value
>
> recipient_access
> [hidden email]     permissive
> [hidden email]     permissive
> [hidden email]  permissive

This sounds right. You could use the same map for both purposes.  
There's nothing magical about "any_value", in fact, the lookup result
for relay_recipient_maps is ignored. So it might as well be
"permissive" or "restrictive" or whatever.

> and nothing in virtual_alias_maps. I just seem to be getting hammered
> with yahoo.co.jp and wanted to block .co.jp or even .jp.
>
> Putting .jp in access_client, sender_access or client_access doesn't
> seem to stop it.
> Sorry for my lack of understanding.

Show the logs for the suspicious mailq entries when they first arrived.
Not the smtp(8) logs showing you being blocked by yahoo.co.jp's MX
hosts.

My WAG here: your Postfix configuration is correct, rejecting unknown
recipients, but the @yahoo.co.jp senders originated from your own
server. Compromised HTTP+PHP service?
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: Blocking a domain and user

Jim McIver


/dev/rob0 wrote:

> Please don't top-post. Thank you.
>
> On Wed March 4 2009 17:10:49 Jim McIver wrote:
>  
>> Guess I'm confused. I have a relay_recipient and recipient_access
>> files listing only valid user's email addresses for my company.
>> ie..
>> relay_recipients
>> [hidden email]     any_value
>> [hidden email]     any_value
>> [hidden email]  any_value
>>
>> recipient_access
>> [hidden email]     permissive
>> [hidden email]     permissive
>> [hidden email]  permissive
>>    
>
> This sounds right. You could use the same map for both purposes.  
> There's nothing magical about "any_value", in fact, the lookup result
> for relay_recipient_maps is ignored. So it might as well be
> "permissive" or "restrictive" or whatever.
>
>  
>> and nothing in virtual_alias_maps. I just seem to be getting hammered
>> with yahoo.co.jp and wanted to block .co.jp or even .jp.
>>
>> Putting .jp in access_client, sender_access or client_access doesn't
>> seem to stop it.
>> Sorry for my lack of understanding.
>>    
>
> Show the logs for the suspicious mailq entries when they first arrived.
> Not the smtp(8) logs showing you being blocked by yahoo.co.jp's MX
> hosts.
>
> My WAG here: your Postfix configuration is correct, rejecting unknown
> recipients, but the @yahoo.co.jp senders originated from your own
> server. Compromised HTTP+PHP service?
>  

Here's a snippet from maillog, but not sure if it's what you're looking for:
Mar  4 15:10:13 mail postfix/smtpd[56190]: warning: Illegal address syntax from unknown[113.9.198.198] in MAIL command: [hidden email]
Mar  4 15:10:15 mail postfix/smtpd[56172]: warning: 81.25.227.150: address not listed for hostname mail.medterm.od.ua
Mar  4 15:10:15 mail postfix/smtpd[56172]: connect from unknown[81.25.227.150]
Mar  4 15:10:15 mail postfix/smtpd[56190]: NOQUEUE: reject_warning: RCPT from unknown[113.9.198.198]: 450 Client host rejected: cannot find your hostname, [113.9.198.198]; from=<[hidden email]> to=<[hidden email]> proto=SMTP helo=<yahoo.co.jp>
Mar  4 15:10:15 mail postfix/smtpd[56190]: E35C331: client=unknown[113.9.198.198]
Mar  4 15:10:18 mail postfix/cleanup[56217]: E35C331: message-id=<[hidden email]>
Mar  4 15:10:18 mail postfix/qmgr[56169]: E35C331: from=<[hidden email]>, size=966, nrcpt=1 (queue active)
Mar  4 15:10:18 mail postfix/smtp[56178]: E35C331: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1], delay=3, status=bounced (host 127.0.0.1[127.0.0.1] said: 557 Invalid routing request - domain in BLACK LIST. (in reply to MAIL FROM command))
Mar  4 15:10:18 mail postfix/cleanup[56175]: 5ABF260: message-id=<[hidden email]>
Mar  4 15:10:18 mail postfix/qmgr[56169]: 5ABF260: from=<>, size=2926, nrcpt=1 (queue active)
Mar  4 15:10:18 mail postfix/qmgr[56169]: E35C331: removed
Mar  4 15:10:19 mail postfix/smtpd[56190]: disconnect from unknown[113.9.198.198]
Mar  4 15:10:20 mail postfix/smtp[56178]: 5ABF260: to=<[hidden email]>, relay=mx1.mail.yahoo.co.jp[124.83.171.181], delay=2, status=bounced (host mx1.mail.yahoo.co.jp[124.83.171.181] said: 553 VS10-RT Possible forgery or deactivated due to abuse (#5.1.1) [hidden email] (in reply to RCPT TO command))
Mar  4 15:10:21 mail postfix/qmgr[56169]: 5ABF260: removed



Re: Blocking a domain and user

Noel Jones-2
Jim McIver wrote:
>
> Here's a snippet from maillog, but not sure if it's what you're looking for:

Thanks, this is very helpful.

> Mar  4 15:10:13 mail postfix/smtpd[56190]: warning: Illegal address
> syntax from unknown[113.9.198.198] in MAIL command: [hidden email]

The above client is listed in multiple RBLs, including
zen.spamhaus.org, bl.spamcop.net, cbl.abuseat.org,
b.barracudacentral.org, and dnsbl.sorbs.net.

> Mar  4 15:10:15 mail postfix/smtpd[56172]: warning: 81.25.227.150: address not listed for hostname mail.medterm.od.ua
> Mar  4 15:10:15 mail postfix/smtpd[56172]: connect from unknown[81.25.227.150]

This client is also listed in multiple RBLs.

> Mar  4 15:10:15 mail postfix/smtpd[56190]: NOQUEUE: reject_warning: RCPT from unknown[113.9.198.198]: 450 Client host rejected: cannot find your hostname, [113.9.198.198]; from=<[hidden email]> to=<[hidden email]> proto=SMTP helo=<yahoo.co.jp>

Clearly a forged HELO name.  Grounds for rejecting any mail
from this client.

> Mar  4 15:10:15 mail postfix/smtpd[56190]: E35C331: client=unknown[113.9.198.198]
>
> Mar  4 15:10:18 mail postfix/cleanup[56217]: E35C331: message-id=<[hidden email]>
> Mar  4 15:10:18 mail postfix/qmgr[56169]: E35C331: from=<[hidden email]>, size=966, nrcpt=1 (queue active)
> Mar  4 15:10:18 mail postfix/smtp[56178]: E35C331: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1], delay=3, status=bounced (host 127.0.0.1[127.0.0.1] said: 557 Invalid routing request - domain in BLACK LIST. (in reply to MAIL FROM command))

What??  Some idiot content_filter at 127.0.0.1 is rejecting
the mail after you've already accepted it.

Don't do that.  Reject mail when it first comes from the
internet.  Once mail has been accepted, a content filter must
not reject the message.


> Mar  4 15:10:18 mail postfix/cleanup[56175]: 5ABF260: message-id=<[hidden email]>
> Mar  4 15:10:18 mail postfix/qmgr[56169]: 5ABF260: from=<>, size=2926, nrcpt=1 (queue active)
> Mar  4 15:10:18 mail postfix/qmgr[56169]: E35C331: removed
> Mar  4 15:10:19 mail postfix/smtpd[56190]: disconnect from unknown[113.9.198.198]
> Mar  4 15:10:20 mail postfix/smtp[56178]: 5ABF260: to=<[hidden email]>, relay=mx1.mail.yahoo.co.jp[124.83.171.181], delay=2, status=bounced (host mx1.mail.yahoo.co.jp[124.83.171.181] said: 553 VS10-RT Possible forgery or deactivated due to abuse (#5.1.1) [hidden email] (in reply to RCPT TO command))

Yahoo didn't send this mail, and they don't want your
backscatter bounce.

Eventually they (and others) will blacklist you for
backscatter - i.e. returning mail they never sent.

You must fix your content_filter to not reject mail.  Choices
may include tag+deliver, quarantine, or discard, depending on
what your software supports.  It may offer the choice of
reject or bounce, don't do that.

You can also greatly reduce the load on the content filter by
using one or two good RBLs to reject mail before it ever gets
to the content_filter.  zen.spamhaus.org is safe and very
effective.


   -- Noel Jones
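As an added illustration of the accept-then-bounce pattern Noel points out above (not code from the thread, from Postfix, or from Vexira): a small Python parser that runs over a constructed maillog sample modelled on Jim's excerpt and flags the two things worth alerting on. First, messages the server accepted from the internet and then had bounced by a filter on 127.0.0.1 (the 557 reply); second, null-sender (from=<>) bounces that a remote MX refused, which is the backscatter Yahoo is complaining about. The queue IDs, relay hosts and reply texts in the sample come from the excerpt; the addresses are placeholders, and the last two lines (a normal delivery through the filter) are made up as a control case. The regexes assume the short, upper-case hexadecimal queue ID format seen in this log.

```python
import re
import sys
from collections import defaultdict

# Constructed sample, modelled on the maillog excerpt in this thread. Queue IDs, relays
# and reply codes come from the excerpt; addresses are placeholders; the 7C0D1A9
# lines are an invented control case (a clean message that the filter passed).
SAMPLE_LOG = """\
Mar  4 15:10:15 mail postfix/smtpd[56190]: NOQUEUE: reject_warning: RCPT from unknown[113.9.198.198]: 450 Client host rejected: cannot find your hostname, [113.9.198.198]; from=<someone@yahoo.co.jp> to=<user@example.com> proto=SMTP helo=<yahoo.co.jp>
Mar  4 15:10:15 mail postfix/smtpd[56190]: E35C331: client=unknown[113.9.198.198]
Mar  4 15:10:18 mail postfix/qmgr[56169]: E35C331: from=<someone@yahoo.co.jp>, size=966, nrcpt=1 (queue active)
Mar  4 15:10:18 mail postfix/smtp[56178]: E35C331: to=<user@example.com>, relay=127.0.0.1[127.0.0.1], delay=3, status=bounced (host 127.0.0.1[127.0.0.1] said: 557 Invalid routing request - domain in BLACK LIST. (in reply to MAIL FROM command))
Mar  4 15:10:18 mail postfix/qmgr[56169]: 5ABF260: from=<>, size=2926, nrcpt=1 (queue active)
Mar  4 15:10:18 mail postfix/qmgr[56169]: E35C331: removed
Mar  4 15:10:20 mail postfix/smtp[56178]: 5ABF260: to=<someone@yahoo.co.jp>, relay=mx1.mail.yahoo.co.jp[124.83.171.181], delay=2, status=bounced (host mx1.mail.yahoo.co.jp[124.83.171.181] said: 553 VS10-RT Possible forgery or deactivated due to abuse (#5.1.1) someone@yahoo.co.jp (in reply to RCPT TO command))
Mar  4 15:10:21 mail postfix/qmgr[56169]: 5ABF260: removed
Mar  4 15:11:02 mail postfix/qmgr[56169]: 7C0D1A9: from=<alice@example.org>, size=1200, nrcpt=1 (queue active)
Mar  4 15:11:03 mail postfix/smtp[56178]: 7C0D1A9: to=<bob@example.com>, relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 Ok)
"""

# Short queue IDs as in this log (upper-case hex). Lines without a queue ID (NOQUEUE
# rejects, warnings, connect/disconnect) never entered the queue and are skipped.
LINE_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
FROM_RE = re.compile(r"\bfrom=<(?P<addr>[^>]*)>")
RELAY_RE = re.compile(r"\brelay=(?P<relay>[^\s,]+)")
STATUS_RE = re.compile(r"\bstatus=(?P<status>\w+)(?: \((?P<reply>.*)\))?$")

# Where the after-queue content filter lives; adjust to the relay in your own log.
LOCAL_FILTER_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_maillog(text):
    """Group, per queue ID, the envelope sender and every delivery attempt."""
    msgs = defaultdict(lambda: {"from": None, "deliveries": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec, rest = msgs[m.group("qid")], m.group("rest")
        f = FROM_RE.search(rest)
        if f:
            rec["from"] = f.group("addr")          # "" means the null sender <>
        s = STATUS_RE.search(rest)
        if s:
            r = RELAY_RE.search(rest)
            rec["deliveries"].append({
                # "127.0.0.1[127.0.0.1]:10024" -> "127.0.0.1"
                "relay": r.group("relay").split("[", 1)[0] if r else "",
                "status": s.group("status"),
                "reply": s.group("reply") or "",
            })
    return dict(msgs)


def find_backscatter(text):
    """Return queue IDs bounced by the local filter, and our bounces the remote side refused."""
    msgs = parse_maillog(text)
    filter_rejects, rejected_bounces = [], []
    for qid, rec in msgs.items():
        for d in rec["deliveries"]:
            if d["status"] != "bounced":
                continue
            if d["relay"] in LOCAL_FILTER_HOSTS:
                filter_rejects.append(qid)      # accepted at the border, rejected after the fact
            elif rec["from"] == "":
                rejected_bounces.append(qid)    # our null-sender DSN, refused by the remote MX
    return {"filter_rejects": filter_rejects, "rejected_bounces": rejected_bounces}


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    msgs, report = parse_maillog(text), find_backscatter(text)
    for qid in report["filter_rejects"]:
        print(f"{qid}: accepted from the internet, then bounced by the local filter; "
              f"a DSN goes to <{msgs[qid]['from']}>, who may never have sent it")
    for qid in report["rejected_bounces"]:
        print(f"{qid}: our bounce was refused by the remote MX (backscatter)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a real log path as the first argument; a non-empty filter_rejects list is the condition Noel describes, and every entry there will turn into a null-sender bounce toward a forged address unless the filter is changed to quarantine, tag or discard.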
Re: Blocking a domain and user

Jim McIver

I am using vexira for virus/content filtering and it has an area to put
in blacklisted domains. I'll check if I can change to quarantine.
i.e.
[mailfrom-blacklist]
*.ro
*.nz
*yourtopbrands.com
*server.rwbtec.com
*.co.jp
etc...

Would I be ahead to remove the domains from vexira and put them in the
access_client file, or is there a better place in postfix to list
domains I want to block?

access_client listing:
co.jp                   REJECT
atripema.com            REJECT
atropema.com            REJECT
co.nz                   REJECT
co.uk                   REJECT
com.au                  REJECT

snippet from main.cf:
smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        reject_invalid_hostname
        warn_if_reject reject_unknown_hostname
        reject_unauth_pipelining
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        reject_non_fqdn_recipient
        reject_unknown_recipient_domain
        warn_if_reject reject_unknown_client
        reject_non_fqdn_hostname
        check_client_access hash:/usr/local/etc/postfix/access_client
        check_helo_access hash:/usr/local/etc/postfix/helo_access
        check_sender_access hash:/usr/local/etc/postfix/sender_access
        check_recipient_access hash:/usr/local/etc/postfix/recipient_access

-Jim McIver
Re: Blocking a domain and user

Noel Jones-2
Jim McIver wrote:

> I am using vexira for virus/content filtering and it has an area to put
> in blacklisted domains. I'll check if I can change to quarantine.
> ie
> [mailfrom-blacklist]
> *.ro
> *.nz
> *yourtopbrands.com
> *server.rwbtec.com
> *.co.jp
> etc...

If you can't change it to quarantine or tag+deliver, you might
check if it can be used as an smtpd_proxy_filter.
If it's intended to be used as a proxy it will probably work
just fine as a postfix smtpd_proxy_filter.

> Would I be ahead to remove the domains from vexira and put them in the
> access_client file, or is there a better place in postfix to list
> domains I want to block?

Yes, postfix will use far less resources rejecting the mail
than passing it to vexira for analysis.  Your vexira domain
blacklist appears to be a sender domain, not a client domain,
so these would go in your sender_access map.  Or maybe it's
all three, client, sender, helo access maps.

Note the syntax difference with postfix; use "example.com" not
"*.example.com".

>
> access_client listing:
> co.jp                   REJECT
> atripema.com            REJECT
> atropema.com            REJECT
> co.nz                   REJECT
> co.uk                   REJECT
> com.au                  REJECT
>
> snippet from main.cf:
> smtpd_recipient_restrictions =
>        permit_mynetworks
>        reject_unauth_destination
>        reject_invalid_hostname
>        warn_if_reject reject_unknown_hostname
>        reject_unauth_pipelining

reject_unauth_pipelining doesn't do much good here as
pipelining of recipients is allowed.  Move this to
smtpd_data_restrictions.

>        reject_non_fqdn_sender
>        reject_unknown_sender_domain
>        reject_non_fqdn_recipient
>        reject_unknown_recipient_domain

Since you've already rejected unauth destinations, there
should be no non-fqdn recipients, and the only time there will
be unknown domains will be yours if your DNS hiccups.  Best to
remove these two.

>        warn_if_reject reject_unknown_client
>        reject_non_fqdn_hostname
>        check_client_access hash:/usr/local/etc/postfix/access_client
>        check_helo_access hash:/usr/local/etc/postfix/helo_access
>        check_sender_access hash:/usr/local/etc/postfix/sender_access
>        check_recipient_access hash:/usr/local/etc/postfix/recipient_access

Here is a good place to add
   reject_rbl_client zen.spamhaus.org
and maybe some other RBLs.  Season to taste.

>
> -Jim McIver

   -- Noel Jones
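As an added illustration of Noel's two points above (Postfix access maps take "example.com", not "*.example.com", and a client map is not a sender map), not code from the thread or from Postfix itself: a Python model of the key order that Postfix access(5) lookups use for an envelope address, a client hostname and a client IP address. It follows the documented rules: user@domain, then the domain and each parent domain, then user@; for a client, the reverse-DNS hostname keys followed by the IP address with successively shorter prefixes. Whether a bare parent entry such as "co.jp" also matches "yahoo.co.jp" depends on smtpd_access_maps being listed in parent_domain_matches_subdomains, which it is by default (check the live value with `postconf parent_domain_matches_subdomains`). The sample map reuses the entries from Jim's access_client file; the addresses are placeholders.

```python
from typing import Dict, List, Optional, Tuple

# Default Postfix behaviour: parent_domain_matches_subdomains lists smtpd_access_maps,
# so a bare "co.jp" entry also matches subdomains. With it removed from that list,
# subdomains are matched only by ".co.jp" style entries. Assumed here; verify with
#   postconf parent_domain_matches_subdomains
PARENT_MATCHES_SUBDOMAINS = True

Table = Dict[str, str]


def domain_candidates(name: str, parent_style: bool = PARENT_MATCHES_SUBDOMAINS) -> List[str]:
    """Keys tried for a domain or hostname, in order: the name, then each parent domain."""
    keys: List[str] = []
    name = name.lower()
    while name:
        keys.append(name)
        dot = name.find(".", 1)            # next label boundary, skipping a leading dot
        if dot < 0:
            break
        name = name[dot + 1:] if parent_style else name[dot:]
    return keys


def address_candidates(address: str, parent_style: bool = PARENT_MATCHES_SUBDOMAINS) -> List[str]:
    """Keys for check_sender_access / check_recipient_access on user@domain."""
    address = address.lower()
    if "@" not in address:
        return [address]
    local, domain = address.rsplit("@", 1)
    return [address] + domain_candidates(domain, parent_style) + [local + "@"]


def ip_candidates(ip: str) -> List[str]:
    """IPv4 keys for check_client_access: the address, then shorter dotted prefixes."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def client_candidates(hostname: str, ip: str, parent_style: bool = PARENT_MATCHES_SUBDOMAINS) -> List[str]:
    """check_client_access: the (verified reverse DNS) hostname first, then the IP.
    A client without usable reverse DNS is looked up under the literal name "unknown"."""
    return domain_candidates(hostname, parent_style) + ip_candidates(ip)


def lookup(table: Table, keys: List[str]) -> Optional[Tuple[str, str]]:
    """First key present in the map wins, as with an indexed (hash:) access table."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None


# Entries from the access_client file posted in the thread.
ACCESS_CLIENT: Table = {
    "co.jp": "REJECT", "atripema.com": "REJECT", "atropema.com": "REJECT",
    "co.nz": "REJECT", "co.uk": "REJECT", "com.au": "REJECT",
}

if __name__ == "__main__":
    # The spam client in the log had no reverse DNS: a client map never sees "co.jp".
    print(lookup(ACCESS_CLIENT, client_candidates("unknown", "113.9.198.198")))     # None
    # The same entries in a sender_access map do match the envelope sender domain.
    print(lookup(ACCESS_CLIENT, address_candidates("someone@yahoo.co.jp")))         # ('co.jp', 'REJECT')
    # A bare TLD entry matches every sender under it, so "ru" covers all of .ru ...
    print(lookup({"ru": "REJECT"}, address_candidates("x@mail.example.ru")))        # ('ru', 'REJECT')
    # ... unless smtpd_access_maps was removed from parent_domain_matches_subdomains,
    # in which case only the dotted form matches subdomains.
    print(lookup({"ru": "REJECT"}, address_candidates("x@mail.example.ru", parent_style=False)))   # None
    print(lookup({".ru": "REJECT"}, address_candidates("x@mail.example.ru", parent_style=False)))  # ('.ru', 'REJECT')
```

Two practical notes. The map has to be attached at the right restriction: check_client_access sees the connecting client's reverse hostname and IP, so the "co.jp" line in access_client above never fires for unknown[113.9.198.198], while the same line in the sender_access map matches MAIL FROM <...@yahoo.co.jp>. And `postmap -q key hash:/path/to/map` queries one exact key; it does not walk the parent domains for you, so test with the key you actually put in the file.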
Re: Blocking a domain and user

Jim McIver


So in postfix to block:
*.ru
*.ro
*.bg
I would just put:
ru
ro
bg

thx,
-jm