Siteoverride & Sender Restrictions

Siteoverride & Sender Restrictions

Carlwill
In my /etc/postfix directory I have two hash files:

-rw-r--r--  1 root root 6.0M Jun 19 09:25 sender_restrictions
-rw-r--r--  1 root root  11M Jun 19 09:31 sender_restrictions.db
-rw-r--r--  1 root root 7.4K Jun 19 09:56 siteoverride
-rw-r--r--  1 root root  12K Jun 19 09:56 siteoverride.db

As you can see the "sender_restrictions" file is fairly large for a
text file. I looked in the file and it's an endless string of domains to
reject email from (at least that is what I can see).

[root@mail postfix]# tail -f sender_restirctions
zzyfx.org REJECT
zzzaldo.com REJECT
zzzender.info REJECT

Now when I inspect the siteoverride file, I see something similar -
just not as crazy of a list.

[root@mail postfix]# tail -f siteoverride
bigdug.com             550 BLOCKED: SPAM
rrg-net.com            550 BLOCKED: SPAM
0to7.com               550 BLOCKED: SPAM

I placed my personal domain (not the domain of my corp. Postfix
server) in both files and received the same results. The email was
refused by my Postfix server when my domain was entered in either one
of the two files mentioned above. So my question is what is the
reasoning behind both of these separate files? Did the previous admin
set them up wrong or is either of them OK, just redundant? I know you
guys recommend that I disable anything I don't understand; however, I
hate disabling something if it's properly working and if I can combine
the two files into one, assuming that they're both doing the same task
and being used properly by Postfix standards.

Both of the files are being referenced in my main.cf so I will post my
postconf -n below as well - just in case anyone would like to see it
and comment:

address_verify_sender = <>
alias_database = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
alias_maps = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
command_time_limit = 1400
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
default_destination_recipient_limit = 100
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailbox_size_limit = 40000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
max_idle = 175
maximal_backoff_time = 2000s
message_size_limit = 10240000
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
mydomain = example.org
myhostname = mail.example.org
mynetworks = $config_directory/mynetworks
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
proxy_interfaces = 127.0.0.1
qmgr_message_active_limit = 20000
queue_directory = /var/spool/postfix
queue_run_delay = 500s
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
relay_domains = example.net, example.com
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP debugger_command
= PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
$daemon_directory/$process_name $process_id & sleep 5
smtpd_client_restrictions =
permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_unknown_sender_domain,
       reject_non_fqdn_sender, reject_rbl_client zen.spamhaus.org,
   reject_rbl_client bl.spamcop.net,        reject_rbl_client
safe.dnsbl.sorbs.net,        reject_rbl_client list.dsbl.org
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks, permit_sasl_authenticated,
        reject_invalid_hostname, reject_non_fqdn_hostname,
        check_helo_access, regexp:/etc/postfix/helo.regexp
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks,
        permit_sasl_authenticated,        check_sender_access
hash:/etc/postfix/access, check_sender_access
hash:/etc/postfix/sender_restrictions,        check_sender_access
hash:/etc/postfix/siteoverride, reject_non_fqdn_sender,
reject_unknown_sender_domain,         permit
smtpd_soft_error_limit = 10
smtpd_timeout = 60s
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/httpd/conf/ssl.crt/mail.example.org.crt
smtpd_tls_key_file = /etc/httpd/conf/ssl.key/mail.example.org.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 501
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

Re: Siteoverride & Sender Restrictions

Noel Jones-2
Carlos Williams wrote:

> In my /etc/postfix directory I have two hash files:
>
> -rw-r--r--  1 root root 6.0M Jun 19 09:25 sender_restrictions
> -rw-r--r--  1 root root  11M Jun 19 09:31 sender_restrictions.db
> -rw-r--r--  1 root root 7.4K Jun 19 09:56 siteoverride
> -rw-r--r--  1 root root  12K Jun 19 09:56 siteoverride.db
>
> As you can see the "sender_restrictions" file is fairly large for a
> text file. I looked in the file and it's an endless string of domains to
> reject email from (at least that is what I can see).
>
> [root@mail postfix]# tail -f sender_restirctions
> zzyfx.org REJECT
> zzzaldo.com REJECT
> zzzender.info REJECT
>
> Now when I inspect the siteoverride file, I see something similar -
> just not as crazy of a list.
>
> [root@mail postfix]# tail -f siteoverride
> bigdug.com             550 BLOCKED: SPAM
> rrg-net.com            550 BLOCKED: SPAM
> 0to7.com               550 BLOCKED: SPAM
>
> I placed my personal domain (not the domain of my corp. Postfix
> server) in both files and received the same results. The email was
> refused by my Postfix server when my domain was entered in either one
> of the two files mentioned above. So my question is what is the
> reasoning behind both of these separate files? Did the previous admin
> set them up wrong or is either of them OK, just redundant? I know you
> guys recommend that I disable anything I don't understand; however, I
> hate disabling something if it's properly working and if I can combine
> the two files into one, assuming that they're both doing the same task
> and being used properly by Postfix standards.

My wild guess is that the "sender_restriction" file is (or at
some time in the past, was) created automatically by some
method, and the previous admin used a separate file for local
restrictions.  Nothing wrong with that.  Only change I would
make is adding some text to the sender_restriction file so the
reject reason is logged, i.e. make all the entries look
something like:
zzzender.info REJECT  listed in sender_restrictions file

That would give the ability to judge how effective this big
file is and if it's worthwhile to maintain, or even keep.

I didn't examine your postconf -n, maybe someone else will
give comments about it.


--
Noel Jones



Re: Siteoverride & Sender Restrictions

mouss-2
In reply to this post by Carlwill
Carlos Williams wrote:

> In my /etc/postfix directory I have two hash files:
>
> -rw-r--r--  1 root root 6.0M Jun 19 09:25 sender_restrictions
> -rw-r--r--  1 root root  11M Jun 19 09:31 sender_restrictions.db
> -rw-r--r--  1 root root 7.4K Jun 19 09:56 siteoverride
> -rw-r--r--  1 root root  12K Jun 19 09:56 siteoverride.db
>
> As you can see the "sender_restrictions" file is fairly large for a
> text file. I looked in the file and it's an endless string of domains to
> reject email from (at least that is what I can see).
>
> [root@mail postfix]# tail -f sender_restirctions
> zzyfx.org REJECT
> zzzaldo.com REJECT
> zzzender.info REJECT
>
> Now when I inspect the siteoverride file, I see something similar -
> just not as crazy of a list.
>
> [root@mail postfix]# tail -f siteoverride
> bigdug.com             550 BLOCKED: SPAM
> rrg-net.com            550 BLOCKED: SPAM
> 0to7.com               550 BLOCKED: SPAM
>
> I placed my personal domain (not the domain of my corp. Postfix
> server) in both files and received the same results. The email was
> refused by my Postfix server when my domain was entered in either one
> of the two files mentioned above. So my question is what is the
> reasoning behind both of these separate files? Did the previous admin
> set them up wrong or is either of them OK, just redundant?

they are since your restrictions use them in the same way.
    check_sender_access first_map
    check_sender_access second_map

so you can remove all references to the "override" map (first remove
from main.cf, then postfix reload, then remove the corresponding files).

two things here:
- these maps are not part of postfix. I have never used such maps.
- rejecting sender domains is not really effective. spammers forge
random domains, so you are at risk of blocking a legitimate domain. and
since they use random domains, your checks won't be very effective.

you are already using zen.spamhaus.org, which should reject a lot of
junk. so just throw away those sender lists.

BTW. you can put all your restrictions under
smtpd_recipient_restrictions (it's about STAGE, not about parameter. at
RCPT stage, postfix has all the info it needs, so you can check client,
helo, sender or recipient). this may be easier to read and will avoid
repeating the permit_mumble things. if you rewrite this and have a
doubt, just post the new config here.


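As an added illustration (not the poster's code), the following models how check_sender_access consults an access map, using the entries quoted in this thread as sample data: the full address first, then the domain and its parent domains, then the localpart with a trailing "@". It also walks the two-map restriction list from the main.cf above to show that the verdict is the same whichever file a domain sits in, and merges the two files into one with a reason text; the parent-domain handling assumes smtpd_access_maps is absent from parent_domain_matches_subdomains, as in this main.cf.

```python
# Access map entries quoted in the thread (the two files the question is
# about), used here as sample data.
SENDER_RESTRICTIONS = """\
zzyfx.org REJECT
zzzaldo.com REJECT
zzzender.info REJECT
"""
SITEOVERRIDE = """\
bigdug.com             550 BLOCKED: SPAM
rrg-net.com            550 BLOCKED: SPAM
0to7.com               550 BLOCKED: SPAM
"""


def parse_access_file(text):
    """Read an access(5) text table: 'key action [text]' per line, '#' comments.
    Keys are folded to lower case, as hash: lookups are case-insensitive."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return table


def sender_lookup_keys(sender, parent_matches_subdomains=False):
    """Keys check_sender_access tries, in order (access(5)): the full address,
    the domain and its parent domains, then 'localpart@'. The null sender is
    looked up under smtpd_null_access_lookup_key, '<>'.
    parent_matches_subdomains mirrors whether smtpd_access_maps is listed in
    parent_domain_matches_subdomains: if it is, parents are tried as bare
    'domain.tld'; if not (this thread's main.cf sets the parameter empty),
    parents are tried as '.domain.tld', so a bare 'domain.tld' entry does
    not catch mail from sub.domain.tld."""
    sender = sender.lower()
    if not sender:
        return ["<>"]
    local, _, domain = sender.rpartition("@")
    keys = [sender]
    labels = domain.split(".")
    if parent_matches_subdomains:
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    else:
        keys.append(domain)
        keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(local + "@")
    return keys


def check_sender_access(table, sender, parent_matches_subdomains=False):
    """First matching (key, action), or None, which Postfix treats as DUNNO."""
    for key in sender_lookup_keys(sender, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None


def decide(action):
    """Map an access(5) action to a verdict: 'PERMIT' for OK, None for DUNNO,
    the action itself for REJECT / 4xx / 5xx (other actions are out of scope)."""
    word = action.split(None, 1)[0].upper() if action.strip() else ""
    if word == "OK":
        return "PERMIT"
    if word == "REJECT" or (word.isdigit() and word[0] in "45"):
        return action
    return None


def evaluate(restrictions, sender, client_in_mynetworks=False,
             parent_matches_subdomains=False):
    """Walk a restriction list the way smtpd does: the first restriction that
    yields a verdict wins. Modelled entries: ('permit_mynetworks',) and
    ('check_sender_access', table); anything else is treated as DUNNO here."""
    for entry in restrictions:
        if entry[0] == "permit_mynetworks" and client_in_mynetworks:
            return "PERMIT"
        if entry[0] == "check_sender_access":
            hit = check_sender_access(entry[1], sender, parent_matches_subdomains)
            if hit is not None:
                verdict = decide(hit[1])
                if verdict is not None:
                    return verdict
    return None


def merge_maps(first, second, reason_text):
    """Fold two maps into one, keeping the first map's entry on conflict (smtpd
    consults it first) and giving bare 'REJECT' entries a reason text so the
    log names the map that fired."""
    merged = dict(second)
    merged.update(first)
    for key in list(merged):
        if merged[key].strip().upper() == "REJECT":
            merged[key] = "REJECT " + reason_text
    return merged


SENDER_TABLE = parse_access_file(SENDER_RESTRICTIONS)
OVERRIDE_TABLE = parse_access_file(SITEOVERRIDE)
# Same order as the thread's smtpd_sender_restrictions (permits, then both maps).
RESTRICTIONS = [("permit_mynetworks",),
                ("check_sender_access", SENDER_TABLE),
                ("check_sender_access", OVERRIDE_TABLE)]

if __name__ == "__main__":
    for s in ("a@zzzender.info", "a@bigdug.com", "a@mail.zzzender.info", "a@example.org"):
        print(f"{s:24s} -> {evaluate(RESTRICTIONS, s)}")
    for k, v in sorted(merge_maps(SENDER_TABLE, OVERRIDE_TABLE,
                                  "listed in sender_restrictions file").items()):
        print(f"{k}\t{v}")
```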

Re: Siteoverride & Sender Restrictions

Brian Evans - Postfix List
In reply to this post by Carlwill
Carlos Williams wrote:

> In my /etc/postfix directory I have two hash files:
>
> -rw-r--r--  1 root root 6.0M Jun 19 09:25 sender_restrictions
> -rw-r--r--  1 root root  11M Jun 19 09:31 sender_restrictions.db
> -rw-r--r--  1 root root 7.4K Jun 19 09:56 siteoverride
> -rw-r--r--  1 root root  12K Jun 19 09:56 siteoverride.db
>
> As you can see the "sender_restrictions" file is fairly large for a
> text file. I looked in the file and it's an endless string of domains to
> reject email from (at least that is what I can see).
>
> [root@mail postfix]# tail -f sender_restirctions
> zzyfx.org REJECT
> zzzaldo.com REJECT
> zzzender.info REJECT
>
> Now when I inspect the siteoverride file, I see something similar -
> just not as crazy of a list.
>
> [root@mail postfix]# tail -f siteoverride
> bigdug.com             550 BLOCKED: SPAM
> rrg-net.com            550 BLOCKED: SPAM
> 0to7.com               550 BLOCKED: SPAM
>
> I placed my personal domain (not the domain of my corp. Postfix
> server) in both files and received the same results. The email was
> refused by my Postfix server when my domain was entered in either one
> of the two files mentioned above. So my question is what is the
> reasoning behind both of these separate files? Did the previous admin
> set them up wrong or is either of them OK, just redundant? I know you
> guys recommend that I disable anything I don't understand; however, I
> hate disabling something if it's properly working and if I can combine
> the two files into one, assuming that they're both doing the same task
> and being used properly by Postfix standards.
>  
They seem to be a somewhat poor attempt to capture spammers.  They
both accomplish the same thing.
It's much better to rely on spamassassin/amavisd-new because envelope
senders are easily forged.
> Both of the files are being referenced in my main.cf so I will post my
> postconf -n below as well - just in case anyone would like to see it
> and comment:
>  
...
> inet_interfaces = all
> local_recipient_maps = unix:passwd.byname $alias_maps
> mail_owner = postfix
>  
Defaults, possibly remove for clarity.
...
> proxy_interfaces = 127.0.0.1
>  
This is unnecessary and wrong.  This parameter is for when Postfix
is world facing behind a NAT.
> qmgr_message_active_limit = 20000
>  
default
> relay_domains = example.net, example.com
>  
It's usually not a good idea to list a domain in mydestination and
relay_domains.
You should remove example.com since it's in mydestination and appears to
be the final destination.
...
> setgid_group = postdrop
>  
default
> smtp_use_tls = yes
>  
If you upgrade to Postfix 2.3 or greater, change this to:
smtp_tls_security_level
<http://www.postfix.org/postconf.5.html#smtp_tls_security_level> = may
> smtpd_banner = $myhostname ESMTP debugger_command
> = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
> $daemon_directory/$process_name $process_id & sleep 5
>  
Double check your main.cf because that's a naughty smtpd_banner.
Better yet, remove smtpd_banner.  The Default is just fine.
> smtpd_client_restrictions =
> permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_unknown_sender_domain,
>        reject_non_fqdn_sender, reject_rbl_client zen.spamhaus.org,
>    reject_rbl_client bl.spamcop.net,        reject_rbl_client
> safe.dnsbl.sorbs.net,        reject_rbl_client list.dsbl.org
>  
list.dsbl.org is defunct for now, and possibly forever.   Remove it
until they decide what to do.
Also, reject_unauth_pipelining isn't worth much here.   You already have
it in smtpd_data_restrictions
> smtpd_error_sleep_time = 1s
> smtpd_hard_error_limit = 20
>  
Defaults
> smtpd_helo_restrictions =
> permit_mynetworks, permit_sasl_authenticated,
> reject_invalid_hostname, reject_non_fqdn_hostname,
> check_helo_access, regexp:/etc/postfix/helo.regexp
>  
It might help to remove the , between check_helo_access and its map.
> smtpd_reject_unlisted_recipient = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_soft_error_limit = 10
> smtpd_tls_auth_only = no
> smtpd_tls_session_cache_timeout = 3600s
(Grouped for easy recognition)
Defaults
> smtpd_use_tls = yes
>  
If you upgrade to Postfix 2.3 or greater, change this to:
smtpd_tls_security_level
<http://www.postfix.org/postconf.5.html#smtp_tls_security_level> = may
> unknown_address_reject_code = 550
> unknown_client_reject_code = 550
> unknown_hostname_reject_code = 501
> unknown_local_recipient_reject_code = 550
> unverified_recipient_reject_code = 550
> unverified_sender_reject_code = 550
>  
I hope you have a local caching DNS server on that box.   DNS failures
will cause mail rejections.

Brian


Re: Siteoverride & Sender Restrictions

Carlwill
On Thu, Jun 19, 2008 at 2:37 PM, Brian Evans <[hidden email]> wrote:
>>
>> inet_interfaces = all
>> local_recipient_maps = unix:passwd.byname $alias_maps
>> mail_owner = postfix
>>
>
> Defaults, possibly remove for clarity.
So you're recommending I comment them out and restart Postfix for the 3 above?
> ...
>>
>> proxy_interfaces = 127.0.0.1
>>
>
> This is unnecessary and wrong.  This parameter is for when the Postfix is
> world facing behind a NAT.
My Postfix server is actually world facing and has a NAT IP - my
main.cf does not show 127.0.0.1 but rather the external NAT IP.
>>
>> qmgr_message_active_limit = 20000
>>
>
> default
So if it's a default parameter - do you mean I should comment it out / remove it?
>>
>> relay_domains = example.net, example.com
>>
>
> It's usually not a good idea to list a domain in mydestination and
> relay_domains.
> You should remove example.com since it's in mydestination and appears to be
> the final destination.
I think my final destination is example.org. Well, that's the domain
associated with Postfix. The example.com and example.net are relay
domains.
> ...
>>
>> setgid_group = postdrop
>>
>
> default
I am again assuming I can remove this parameter since it's a default
behavior of Postfix...

>>
>> smtp_use_tls = yes
>>
>
> If you upgrade to Postfix 2.3 or greater, change this to:
> smtp_tls_security_level
> <http://www.postfix.org/postconf.5.html#smtp_tls_security_level> = may
>>
>> smtpd_banner = $myhostname ESMTP        debugger_command
>> =       PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin        xxgdb
>> $daemon_directory/$process_name $process_id & sleep 5
>>
>
> Double check your main.cf because that's a naughty smtpd_banner.
> Better yet, remove smtpd_banner.  The Default is just fine.
I agree - that smtp banner looks way wrong. Can I simply comment out
where smtpd_banner is listed in main.cf? If I comment the following
lines:
#smtpd_banner = $myhostname ESMTP
#       debugger_command =
#       PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
#       xxgdb $daemon_directory/$process_name $process_id & sleep 5
Will this break anything in Postfix?

>>
>> smtpd_client_restrictions =
>> permit_mynetworks,      permit_sasl_authenticated,
>>  reject_unauth_pipelining,       reject_unknown_sender_domain,
>>       reject_non_fqdn_sender,  reject_rbl_client zen.spamhaus.org,
>>   reject_rbl_client bl.spamcop.net,        reject_rbl_client
>> safe.dnsbl.sorbs.net,        reject_rbl_client list.dsbl.org
>>
>
> list.dsbl.org is defunct for now, and possibly forever.   Remove it until
> they decide what to do.
I removed it from smtpd_client_restrictions but noticed that there is
no permit parameter below the last entry. Is this okay?
smtpd_client_restrictions =
#       reject_unknown_client,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_pipelining,
        reject_unknown_sender_domain,
        reject_non_fqdn_sender,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client safe.dnsbl.sorbs.net,

Does the "," after sorbs.net need to be there?
> Also, reject_unauth_pipelining isn't worth much here.   You already have it
> in smtpd_data_restrictions
>>
>> smtpd_error_sleep_time = 1s
>> smtpd_hard_error_limit = 20
>>
>
> Defaults
Again, assuming I can remove default behavior from main.cf and not
break anything?
>>
>> smtpd_helo_restrictions =
>> permit_mynetworks,      permit_sasl_authenticated,
>>        reject_invalid_hostname,        reject_non_fqdn_hostname,
>>        check_helo_access,      regexp:/etc/postfix/helo.regexp
>>
>
> It might help to remove the , between check_helo_access and it's map.
It now appears so in my main.cf:

smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        check_helo_access regexp:/etc/postfix/helo.regexp
>>
>> smtpd_reject_unlisted_recipient = yes
>> smtpd_sasl_security_options = noanonymous
>> smtpd_soft_error_limit = 10
>> smtpd_tls_auth_only = no
>> smtpd_tls_session_cache_timeout = 3600s
>
> Grouped for easy recognition)
> Defaults
Are you saying every entry you have listed above can be removed from
the main.cf?
>>
>> smtpd_use_tls = yes
>>
>
> If you upgrade to Postfix 2.3 or greater, change this to:
> smtpd_tls_security_level
> <http://www.postfix.org/postconf.5.html#smtp_tls_security_level> = may
Noted for when I do upgrade.

>>
>> unknown_address_reject_code = 550
>> unknown_client_reject_code = 550
>> unknown_hostname_reject_code = 501
>> unknown_local_recipient_reject_code = 550
>> unverified_recipient_reject_code = 550
>> unverified_sender_reject_code = 550
>>
>
> I hope you have a local caching DNS server on that box.   DNS failures will
> cause mail rejections.
Yes - I do.
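Added example (not code from the thread) showing why the banner in the postconf -n output came out mangled: main.cf treats a line that starts with a space or tab as a continuation of the previous logical line, so indented debugger_command lines are glued onto smtpd_banner's value. The parser below applies that rule to three constructed fragments: the broken layout, the same settings with debugger_command starting in column 1, and the fully commented-out version proposed above; the lint at the end flags a value that has swallowed another "name =" line.

```python
import re

# Constructed main.cf fragments. BROKEN reproduces the layout behind the
# postconf -n output quoted in the thread: the debugger_command lines are
# indented, so they continue the smtpd_banner line.
BROKEN = """\
smtpd_banner = $myhostname ESMTP
\tdebugger_command =
\tPATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
\txxgdb $daemon_directory/$process_name $process_id & sleep 5
smtpd_helo_required = yes
"""
# Same settings with debugger_command starting in column 1.
FIXED = """\
smtpd_banner = $myhostname ESMTP
debugger_command =
\tPATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
\txxgdb $daemon_directory/$process_name $process_id & sleep 5
smtpd_helo_required = yes
"""
# The commented-out form proposed in the reply above.
COMMENTED = """\
#smtpd_banner = $myhostname ESMTP
#\tdebugger_command =
#\tPATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
#\txxgdb $daemon_directory/$process_name $process_id & sleep 5
smtpd_helo_required = yes
"""


def parse_main_cf(text):
    """Parse main.cf by the rules Postfix applies: a line beginning with a space
    or tab continues the previous logical line (the newline is dropped, the
    leading whitespace is kept), a line whose first non-blank character is '#'
    is a comment, blank lines are ignored, and each logical line is split at
    its first '='. A later definition of a name overrides an earlier one."""
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += raw          # continuation: glued on, no newline
        else:
            logical.append(raw)
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            continue                    # Postfix would complain about a missing '='
        params[name.strip()] = value.strip()
    return params


# A lowercase identifier followed by '=' inside a value is the signature of an
# unintended continuation (PATH=... is uppercase and does not trigger it).
SWALLOWED_RE = re.compile(r"(?:^|\s)([a-z][a-z0-9_]*)\s*=")


def swallowed_parameters(params):
    """Lint: (parameter, name) pairs where a value contains what looks like
    another 'name =' assignment that was meant to be its own parameter."""
    found = []
    for name, value in params.items():
        for other in SWALLOWED_RE.findall(value):
            found.append((name, other))
    return found


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED), ("commented", COMMENTED)):
        params = parse_main_cf(text)
        print(f"[{label}] parameters: {sorted(params)}")
        for param, other in swallowed_parameters(params):
            print(f"  {param} swallowed a '{other} =' line")
```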

Re: Siteoverride & Sender Restrictions

mouss-2
Carlos Williams wrote:

> On Thu, Jun 19, 2008 at 2:37 PM, Brian Evans <[hidden email]> wrote:
>  
>>> inet_interfaces = all
>>> local_recipient_maps = unix:passwd.byname $alias_maps
>>> mail_owner = postfix
>>>
>>>      
>> Defaults, possibly remove for clarity.
>>    
> So you're recommending I comment them out and restart Postfix for the 3 above?
>  

you can. That said, if they were added by your distro package, then just
leave them (they would reappear after upgrade anyway). also, before
removing default settings, make sure your postfix has the right default
setting. use postconf -d to check this. so if your
# postfix -d inet_interfaces
returns "all", then you can remove this parameter from main.cf if you
want. (unfortunately, some packagers seem to put default settings in
main.cf, so even if you remove it, it may reappear after an upgrade).

>> ...
>>    
>>> proxy_interfaces = 127.0.0.1
>>>
>>>      
>> This is unnecessary and wrong.  This parameter is for when the Postfix is
>> world facing behind a NAT.
>>    
> My Postfix server is actually world facing and has a NAT IP - my
> main.cf does not show 127.0.0.1 but rather the external NAT IP.
>  

well, 127.0.0.1 never needs to be in proxy_interfaces. remove the
parameter at once and only add it if you really need it (you will know
because you'll see "loops back to me" errors).

>>> qmgr_message_active_limit = 20000
>>>
>>>      
>> default
>>    
> So if it's a default parameter - do you mean I should comment it out / remove it?
>  

yes. resetting parameters to their default value only adds noise (to
main.cf and to 'postconf -n' output). and you won't benefit from better
defaults if they are added in future releases.

>>> relay_domains = example.net, example.com
>>>
>>>      
>> It's usually not a good idea to list a domain in mydestination and
>> relay_domains.
>> You should remove example.com since it's in mydestination and appears to be
>> the final destination.
>>    
> I think my final destination is example.org. Well, that's the domain
> associated with Postfix. The example.com and example.net are relay
> domains.
>  

whatever you do, each domain must appear in a single class
(mydestination, relay_domains, virtual_mailbox_domains,
virtual_alias_domains).

>> ...
>>    
>>> setgid_group = postdrop
>>>
>>>      
>> default
>>    
> I am again assuming I can remove this parameter since it's a default
> behavior of Postfix...
>  

leave this one as it came with your package.

>>> smtp_use_tls = yes
>>>
>>>      
>> If you upgrade to Postfix 2.3 or greater, change this to:
>> smtp_tls_security_level
>> <http://www.postfix.org/postconf.5.html#smtp_tls_security_level> = may
>>    
>>> smtpd_banner = $myhostname ESMTP        debugger_command
>>> =       PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin        xxgdb
>>> $daemon_directory/$process_name $process_id & sleep 5
>>>
>>>      
>> Double check your main.cf because that's a naughty smtpd_banner.
>> Better yet, remove smtpd_banner.  The Default is just fine.
>>    
> I agree - that smtp banner looks way wrong. Can I simply comment out
> where smtpd_banner is listed in main.cf? If I comment the following
> lines:
> #smtpd_banner = $myhostname ESMTP
> #       debugger_command =
> #       PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
> #       xxgdb $daemon_directory/$process_name $process_id & sleep 5
> Will this break anything in Postfix?
>  

no, you can safely comment out the whole stuff here.

but to understand the problem: there should be no space before
"debugger_command = " because lines starting with spaces are considered
as "continuation lines". and this breaks the definition of smtpd_banner.
anyway, you should not redefine smtpd_banner. the default is good for
almost everybody.


>>> smtpd_client_restrictions =
>>> permit_mynetworks,      permit_sasl_authenticated,
>>>  reject_unauth_pipelining,       reject_unknown_sender_domain,
>>>       reject_non_fqdn_sender,  reject_rbl_client zen.spamhaus.org,
>>>   reject_rbl_client bl.spamcop.net,        reject_rbl_client
>>> safe.dnsbl.sorbs.net,        reject_rbl_client list.dsbl.org
>>>
>>>      
>> list.dsbl.org is defunct for now, and possibly forever.  

Indeed.

Does anyone know why they "list" 127.0.0.2
$ host 2.0.0.127.list.dsbl.org
2.0.0.127.list.dsbl.org has address 127.0.0.2
?

>>  Remove it until
>> they decide what to do.
>>    
> I removed it from smtpd_client_restrictions but noticed that there is
> no permit parameter below the last entry. Is this okay?
>  

there is no need for a "last permit". it is the default action.
> smtpd_client_restrictions =
> #       reject_unknown_client,
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_pipelining,
>  

remove this. there is no unauth_pipelining at RCPT TO stage (which is
the default). put the check under smtpd_data_restrictions.

>         reject_unknown_sender_domain,
>  

doesn't catch a lot of spam, but may catch ham sometimes (typo/config
error that can be detected by recipient, or when From: header is
correct). I don't use it anymore.

>         reject_non_fqdn_sender,
>         reject_rbl_client zen.spamhaus.org,
>         reject_rbl_client bl.spamcop.net,
>         reject_rbl_client safe.dnsbl.sorbs.net,
>
> Does the "," after sorbs.net need to be there?
>  

',' and space are equivalent. I don't put ',' there. it's really up to you.

>> Also, reject_unauth_pipelining isn't worth much here.   You already have it
>> in smtpd_data_restrictions
>>    
>>> smtpd_error_sleep_time = 1s
>>> smtpd_hard_error_limit = 20
>>>
>>>      
>> Defaults
>>    
> Again, assuming I can remove default behavior from main.cf and not
> break anything?
>  
>>> smtpd_helo_restrictions =
>>> permit_mynetworks,      permit_sasl_authenticated,
>>>        reject_invalid_hostname,        reject_non_fqdn_hostname,
>>>        check_helo_access,      regexp:/etc/postfix/helo.regexp
>>>
>>>      
>> It might help to remove the , between check_helo_access and its map.
>>    
> It now appears so in my main.cf:
>
> smtpd_helo_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_invalid_hostname,
>         reject_non_fqdn_hostname,
>         check_helo_access regexp:/etc/postfix/helo.regexp
>  
>>> smtpd_reject_unlisted_recipient = yes
>>> smtpd_sasl_security_options = noanonymous
>>> smtpd_soft_error_limit = 10
>>> smtpd_tls_auth_only = no
>>> smtpd_tls_session_cache_timeout = 3600s
>>>      
>> Grouped for easy recognition)
>> Defaults
>>    
> Are you saying every entry you have listed above can be removed from
> the main.cf?
>  
>>> smtpd_use_tls = yes
>>>
>>>      
>> If you upgrade to Postfix 2.3 or greater, change this to:
>> smtpd_tls_security_level
>> <http://www.postfix.org/postconf.5.html#smtp_tls_security_level> = may
>>    
> Noted for when I do upgrade.
>  
>>> unknown_address_reject_code = 550
>>> unknown_client_reject_code = 550
>>> unknown_hostname_reject_code = 501
>>> unknown_local_recipient_reject_code = 550
>>> unverified_recipient_reject_code = 550
>>> unverified_sender_reject_code = 550
>>>
>>>      
>> I hope you have a local caching DNS server on that box.   DNS failures will
>> cause mail rejections.
>>    
> Yes - I do.
>  

even if you do, you should use default values unless you really know why
(in which case, you may still be wrong, but at least you feel confident :)



Re: Siteoverride & Sender Restrictions

Carlwill
In reply to this post by mouss-2
On Thu, Jun 19, 2008 at 4:14 PM, mouss <[hidden email]> wrote:

> Carlos Williams wrote:
>>
>> On Thu, Jun 19, 2008 at 2:28 PM, mouss <[hidden email]> wrote:
>>
>>>
>>> they are since your restrictions use them in the same way.
>>>  check_sender_access first_map
>>>  check_sender_access second_map
>>>
>>> so you can remove all references to the "override" map (first remove from
>>> main.cf, then postfix reload, then remove the corresponding files).
>>>
>>
>> I am sorry I don't follow what you mean by "override" map? Are
>> speaking of either sender_restrictions & siteoverride?
>>
>
>
> yes, I meant the siteoverride thing. sorry.

OK - I have removed the following maps from my main.cf...

>
>
> Here is an example that is not too far from your config (and not far from
> mine):
>
> smtpd_recipient_restrictions =
>        permit_mynetworks
>        permit_sasl_authenticated
>        reject_unauth_destination
>        reject_non_fqdn_sender
>        reject_non_fqdn_recipient
>        reject_unlisted_recipient       reject_unlisted_sender
>        check_recipient_access hash:/etc/postfix/recipient_acl
>        check_recipient_access pcre:/etc/postfix/recipient_acl.pcre
>        check_client_access cidr:/etc/postfix/client_acl.cidr
>        check_sender_access hash:/etc/postfix/sender_acl
>        check_sender_access pcre:/etc/postfix/sender_acl.pcre
>        #=> to use dnswl, use rsync to download and sync their list
>        check_client_access cidr:/etc/postfix/postfix-dnswl-permit
>        reject_rbl_client zen.spamhaus.org
>        reject_rbl_client bl.spamcop.net
>        reject_rbl_client safe.dnsbl.sorbs.net
>        #reject_rbl_client korea.services.net
>        #reject_rbl_client list.dsbl.org
>        reject_invalid_hostname
>        reject_non_fqdn_hostname
>        check_helo_access hash:/etc/postfix/helo_acl
>        check_helo_access pcre:/etc/postfix/helo_acl.pcre
>
> If you can give me logs for spam transactions, I can propose checks to block
> it.
OK - I am using the template you posted above as a "guide" with my
main.cf. My 1st question is you show "check_helo_access" in
"smtpd_sender_restrictions (last entry) above however I have it also
listed in "smtpd_helo_restrictions". Do I need them in both or as you
noted, can I have everything in "smtpd_recipient_restrictions"?
So basically do I remove it from "smtpd_helo_restrictions"?

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unlisted_recipient,
        reject_unlisted_sender,
        check_recipient_access hash:/etc/postfix/access,
        check_sender_access hash:/etc/postfix/access,
        check_policy_service inet:127.0.0.1:12525,
        reject_unknown_sender_domain,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client safe.dnsbl.sorbs.net,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        check_helo_access regexp:/etc/postfix/helo.regexp,
        permit

Also do I need the final "permit" shown above in
"smtpd_recipient_restrictions? I recall you writing that "permit" is
the default action so there is no need to have it specified there,
right? Is "permit" the default for all smtpd_*_restrictions? This may
sound like redundant questions but I don't understand if each
"smtpd_*_restrictions" have their own default values that may differ.
I don't want to assume the wrong thing and end up breaking my email
server. :)

As for my main.cf as it stands now - here is what I have done after
all your helpful recommendations...

[root@mail postfix]# postconf -n
address_verify_sender = <>
alias_database = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
alias_maps = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
command_time_limit = 1400
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
default_destination_recipient_limit = 100
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailbox_size_limit = 40000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
max_idle = 175
maximal_backoff_time = 2000s
message_size_limit = 10240000
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
mydomain = $mydomain
myhostname = $myhostname
mynetworks = $config_directory/mynetworks
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
proxy_interfaces = X.X.X.X
queue_directory = /var/spool/postfix
queue_run_delay = 500s
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_restrictions =
permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain,
       reject_non_fqdn_sender, reject_rbl_client zen.spamhaus.org,
   reject_rbl_client bl.spamcop.net,        reject_rbl_client
safe.dnsbl.sorbs.net,
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks, permit_sasl_authenticated,
        reject_invalid_hostname, reject_non_fqdn_hostname,
        check_helo_access regexp:/etc/postfix/helo.regexp
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks,
        permit_sasl_authenticated,        check_sender_access
hash:/etc/postfix/access, check_sender_access
hash:/etc/postfix/sender_restrictions, reject_non_fqdn_sender,
reject_unknown_sender_domain,         permit
smtpd_soft_error_limit = 10
smtpd_timeout = 60s
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/httpd/conf/ssl.crt/ssl.crt
smtpd_tls_key_file = /etc/httpd/conf/ssl.key/ssl.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 501
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550



>



--
Man your battle stations...

Re: Siteoverride & Sender Restrictions

mouss-2
Carlos Williams wrote:
> [snip]
> OK - I am using the template you posted above as a "guide" with my
> main.cf. My 1st question is you show "check_helo_access" in
> "smtpd_sender_restrictions (last entry) above however I have it also
> listed in "smtpd_helo_restrictions". Do I need them in both or as you
> noted, can I have everything in "smtpd_recipient_restrictions"?
> So basically do I remove it from "smtpd_helo_restrictions"?
>  

you don't need (and you should not) repeat checks. putting checks in
smtpd_recipient_restrictions is sufficient, and is generally easier to
"read".

> smtpd_recipient_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination,
>         reject_non_fqdn_sender,
>         reject_non_fqdn_recipient,
>         reject_unlisted_recipient,
>         reject_unlisted_sender,
>         check_recipient_access hash:/etc/postfix/access,
>         check_sender_access hash:/etc/postfix/access,
>         check_policy_service inet:127.0.0.1:12525,
>         reject_unknown_sender_domain,
>  

consider moving this to after rbl checks. This incurs a DNS query, on a
potentially forged domain (so it somewhat hurts both you and innocent
domains).


>         reject_rbl_client zen.spamhaus.org,
>         reject_rbl_client bl.spamcop.net,
>         reject_rbl_client safe.dnsbl.sorbs.net,
>         reject_invalid_hostname,
>         reject_non_fqdn_hostname,
>         check_helo_access regexp:/etc/postfix/helo.regexp,
>         permit
>
> Also do I need the final "permit" shown above in
> "smtpd_recipient_restrictions?

no, you don't need it.

> I recall you writing that "permit" is
> the default action so there is no need to have it specified there,
> right? Is "permit" the default for all smtpd_*_restrictions? This may
> sound like redundant questions but I don't understand if each
> "smtpd_*_restrictions" have their own default values that may differ.
> I don't want to assume the wrong thing and end up breaking my email
> server. :)
>  


the default action is always permit. (the default value of
smtpd_mumble_restrictions can be seen using postconf -d. all are empty
except smtpd_recipient_restrictions which has a setting to prevent open
relay).

> [snip]
>
>
>  


Re: Siteoverride & Sender Restrictions

Carlwill
On Fri, Jun 20, 2008 at 3:19 AM, mouss <[hidden email]> wrote:
> you don't need (and you should not) repeat checks. putting checks in
> smtpd_recipient_restrictions is sufficient, and is generally easier to
> "read".

OK - I made sure anything that has the word "check_*" is only listed
in "smtpd_recipient_restrictions".
>>
>> smtpd_recipient_restrictions =
>>        reject_unknown_sender_domain,
>>
>
> consider moving this to after rbl checks. This incurs a DNS query, on a
> potentially forged domain (so it somewhat hurts both you and innocent
> domains).
Moved as shown in the postconf -n below.
>
>
>>
>> Also do I need the final "permit" shown above in
>> "smtpd_recipient_restrictions?
>
> no, you don't need it.
Removed since it's not doing anything.

>
>> I recall you writing that "permit" is
>> the default action so there is no need to have it specified there,
>> right? Is "permit" the default for all smtpd_*_restrictions? This may
>> sound like redundant questions but I don't understand if each
>> "smtpd_*_restrictions" have their own default values that may differ.
>> I don't want to assume the wrong thing and end up breaking my email
>> server. :)
>>
>
>
> the default action is always permit. (the default value of
> smtpd_mumble_restrictions can be seen using postconf -d. all are empty
> except smtpd_recipient_restrictions which has a setting to prevent open
> relay).
OK - but above you noted I don't need the permit in
"smtpd_recipient_restrictions" so I want to be sure by removing this,
I did not open my server as an open relay.
>
So finally I have the final postconf -n shown below - it looks like I
have taken all your positive suggestions and applied them accordingly.
If you don't mind taking a final look and if you see anything I missed
or did wrong, please let me know.

[root@mail ~]# postconf -n
address_verify_sender = <>
alias_database = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
alias_maps = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
command_time_limit = 1400
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
default_destination_recipient_limit = 100
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailbox_size_limit = 40000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
max_idle = 175
maximal_backoff_time = 2000s
message_size_limit = 10240000
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
mydomain = example.org
myhostname = mail.example.org
mynetworks = $config_directory/mynetworks
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
queue_run_delay = 500s
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
relay_domains = /etc/postfix/relay_domains
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_restrictions =
permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain,
       reject_non_fqdn_sender, reject_rbl_client zen.spamhaus.org,
   reject_rbl_client bl.spamcop.net,        reject_rbl_client
safe.dnsbl.sorbs.net
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks, permit_sasl_authenticated,
        reject_invalid_hostname, reject_non_fqdn_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks,
        permit_sasl_authenticated, reject_non_fqdn_sender,
reject_unknown_sender_domain
smtpd_soft_error_limit = 10
smtpd_timeout = 60s
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/httpd/conf/ssl.crt/mail.crt
smtpd_tls_key_file = /etc/httpd/conf/ssl.key/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 501
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

My final Postfix question here is basically since you said the
"siteoverride" and "sender_restrictions" files were poor spam
filtering attempts and said you would not want to block a legit domain
just because some spammer forged it - so I should be filtering based
on IP. I do not have Spamassassin installed /configured yet because
the DoD has not approved it as of yet but I am working this. So
basically if I have unwanted emails to 100's of users on my Postfix
server, what is the recommended way to reject emails from that
specific IP? Can I just create /etc/postfix/blacklist text file and
start dumping in IP's?

Thanks again!

Re: Siteoverride & Sender Restrictions

mouss-2
Carlos Williams wrote:

> On Fri, Jun 20, 2008 at 3:19 AM, mouss <[hidden email]> wrote:
>  
>> you don't need (and you should not) repeat checks. putting checks in
>> smtpd_recipient_restrictions is sufficient, and is generally easier to
>> "read".
>>    
>
> OK - I made sure anything that has the word "check_*" is only listed
> in "smtpd_recipient_restrictions".
>  


it's not about check_*, it's about everything. the example I gave you
assumes that you remove
smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions

yes, remove them from your config.

>
>>> I recall you writing that "permit" is
>>> the default action so there is no need to have it specified there,
>>> right? Is "permit" the default for all smtpd_*_restrictions? This may
>>> sound like redundant questions but I don't understand if each
>>> "smtpd_*_restrictions" have their own default values that may differ.
>>> I don't want to assume the wrong thing and end up breaking my email
>>> server. :)
>>>
>>>      
>> the default action is always permit. (the default value of
>> smtpd_mumble_restrictions can be seen using postconf -d. all are empty
>> except smtpd_recipient_restrictions which has a setting to prevent open
>> relay).
>>    
> OK - but above you noted I don't need the permit in
> "smtpd_recipient_restrictions" so I want to be sure by removing this,
> I did not open my server as an open relay.
>  

open relay is prevented by reject_unauth_destination.

>
> smtpd_client_restrictions =
> permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain,
>        reject_non_fqdn_sender, reject_rbl_client zen.spamhaus.org,
>    reject_rbl_client bl.spamcop.net,        reject_rbl_client
> safe.dnsbl.sorbs.net
> smtpd_helo_restrictions =
> permit_mynetworks, permit_sasl_authenticated,
> reject_invalid_hostname, reject_non_fqdn_hostname
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks, reject_unauth_destination
>  
> smtpd_sender_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_non_fqdn_sender,
> reject_unknown_sender_domain
>
>  

you are still using multiple smtpd_mumble_restrictions. please reread my
post (I sent you an example setup which assumes no
smtpd_[client|helo|sender]_restrictions).

> My final Postfix question here is basically since you said the
> "siteoverride" and "sender_restrictions" files were poor spam
> filtering attempts and said you would not want to block a legit domain
> just because some spammer forged it - so I should be filtering based
> on IP.

that's the most you can do at smtp time. you are also doing a few helo checks,
which is good but here, most junk is blocked by zen.spamhaus.

> I do not have Spamassassin installed /configured yet because
> the DoD has not approved it as of yet but I am working this.

then let it go. wait until recipients complain.

>  So
> basically if I have unwanted emails to 100's of users on my Postfix
> server, what is the recommended way to reject emails from that
> specific IP? Can I just create /etc/postfix/blacklist text file and
> start dumping in IP's?
>  

well, it takes time to manage a site BL/WL. so use public ones first.
but of course, nothing prevents you from having your own block/white
lists. it is hard to recommend anything without knowing what
transactions you get (both ham and spam). but don't try to block all
spam at smtp level. you can lower the FN rate to some level, and then
after that, as you lower it, you increase the FP rate.
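Carl asks how to reject mail from a specific IP, and mouss's earlier example used a check_client_access cidr:/etc/postfix/client_acl.cidr entry for exactly that. The following is an added illustration, not Postfix code and not from anyone in this thread, of how such a cidr: table is evaluated (first matching entry wins, so a narrow exception must sit above the broader range it is carved out of); the table contents and the file name client_acl.cidr are constructed for the example.

```python
"""
Added illustration (not Postfix's own code) of how a cidr: access table, such
as the check_client_access cidr:/etc/postfix/client_acl.cidr entry in mouss's
example, is evaluated: entries are tried top to bottom and the first matching
network decides, so a narrow exception must be listed above the broader range
it carves out of.
"""
import ipaddress

# Constructed table; 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are
# documentation ranges, not real mail clients.
SAMPLE_CLIENT_ACL = """\
# /etc/postfix/client_acl.cidr (constructed example)
192.0.2.25          OK
192.0.2.0/24        REJECT Blocked by local policy
198.51.100.0/24     554 Blocked by local policy
2001:db8::/32       REJECT
"""


def parse_cidr_table(text):
    """Return an ordered list of (network, action) pairs."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<address[/prefix]> <action>'")
        # A bare address becomes a /32 (or /128); strict=False tolerates host
        # bits set under the prefix instead of raising.
        rules.append((ipaddress.ip_network(parts[0], strict=False), parts[1]))
    return rules


def lookup_client(rules, client_ip):
    """First-match lookup.  None means no entry matched, in which case Postfix
    simply moves on to the next restriction in the list."""
    addr = ipaddress.ip_address(client_ip)
    for network, action in rules:
        if addr.version == network.version and addr in network:
            return action
    return None


def client_decision(client_ip, text=SAMPLE_CLIENT_ACL):
    """Convenience wrapper: decision for one client against the sample table."""
    return lookup_client(parse_cidr_table(text), client_ip)


if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.77", "198.51.100.9",
               "203.0.113.5", "2001:db8::1"):
        print(ip, "->", client_decision(ip))
```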




Re: Siteoverride & Sender Restrictions

Carlwill
In reply to this post by mouss-2
On Thu, Jun 19, 2008 at 4:14 PM, mouss <[hidden email]> wrote:

>
> Here is an example that is not too far from your config (and not far from
> mine):
>
> smtpd_recipient_restrictions =
>        permit_mynetworks
>        permit_sasl_authenticated
>        reject_unauth_destination
>        reject_non_fqdn_sender
>        reject_non_fqdn_recipient
>        reject_unlisted_recipient       reject_unlisted_sender
>        check_recipient_access hash:/etc/postfix/recipient_acl
>        check_recipient_access pcre:/etc/postfix/recipient_acl.pcre
>        check_client_access cidr:/etc/postfix/client_acl.cidr
>        check_sender_access hash:/etc/postfix/sender_acl
>        check_sender_access pcre:/etc/postfix/sender_acl.pcre
>        #=> to use dnswl, use rsync to download and sync their list
>        check_client_access cidr:/etc/postfix/postfix-dnswl-permit
>        reject_rbl_client zen.spamhaus.org
>        reject_rbl_client bl.spamcop.net
>        reject_rbl_client safe.dnsbl.sorbs.net
>        #reject_rbl_client korea.services.net
>        #reject_rbl_client list.dsbl.org
>        reject_invalid_hostname
>        reject_non_fqdn_hostname
>        check_helo_access hash:/etc/postfix/helo_acl
>        check_helo_access pcre:/etc/postfix/helo_acl.pcre
>
You were correct in saying that spamhaus filters out a lot of junk but
in all this testing we have done, I am realizing a few things and am
again confused. Does this make any sense to you? In my my logs I
actively see spamhaus rejecting email however I don't think that my
main.cf is reading my "smtpd_recipient_restrictions" entry. 1st reason
is for some strange reason I have separate entries in my main.cf for
"smtpd_recipient_restrictions". The 1st (larger) entry that reads as
follows:

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_policy_service inet:127.0.0.1:12525,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unlisted_recipient,
        reject_unlisted_sender,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client safe.dnsbl.sorbs.net,
        reject_invalid_hostname,
        reject_non_fqdn_hostname

However when I scroll down the main.cf, I then see a second entry:

smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination

So when I delete the smaller one in my main.cf - I am no longer able
to receive email from the Internet. I can send internal email and I
can send email from my Postfix server out to the Internet but no
external email makes it. It appears that all the blocking from
spamhaus I see in my logs are coming from smtpd_client_restrictions.
And when I do a postconf -n, I can see that no rbl_clients are listed
from the "smtpd_recipient_restrictions" - just everything from the 2nd
smtpd_recipient_restrictions. So why when I delete the smaller entry
does it no longer read "smtpd_recipient restrictions" and email
breaks.

I don't want to remove all the smtpd_client|helo|sender_checks until I
can understand why my main.cf is not properly reading
smtpd_recipient_restrictions. The only difference between the two
identical entries are that the 1st one is a longer list so every entry
on each line begins with white space & ends with a ",". The second one
is all a single line since it only has 3 or so entries.

Make sense?

Re: Siteoverride & Sender Restrictions

Wietse Venema
Carlos Williams:
> However when I scroll down the main.cf, I then see a second entry:
>
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks, reject_unauth_destination
>
> So when I delete the smaller one in my main.cf - I am no longer able
> to receive email from the Internet. I can send internal email and I

This is a very good time to start looking at the following:

1) Output from "postconf -n" command.
   http://www.postfix.org/DEBUG_README.html#mail
   Also referenced in the mailing list welcome message.

2) Postfix logging.
   http://www.postfix.org/DEBUG_README.html#logging

Re: Siteoverride & Sender Restrictions

Carlwill
On Sat, Jun 21, 2008 at 4:51 PM, Wietse Venema <[hidden email]> wrote:
> This is a very good time to start looking at the following:
>
> 1) Output from "postconf -n" command.
>   http://www.postfix.org/DEBUG_README.html#mail
>   Also referenced in the mailing list welcome message.
Correct, this is how I was 1st able to determine what I have listed in
main.cf is not being populated under postconf -n after I reload
Postfix.
>
> 2) Postfix logging.
>   http://www.postfix.org/DEBUG_README.html#logging
>
So I checked the URL provided and did a search in my logs:

grep /var/log/maillog | grep "warning|error|fatal|panic" and really
did not see anything that leads me to understand what is causing
Postfix to break when I attempt to remove a duplicate
"smtpd_recipient_restrictions".

I am wondering if Postfix does not like the location or the way I
edited the main.cf for the smtpd_recipient_restrictions I am trying to
force it to read/use. I am not trying to be lazy but I don't know
where else to look. My logs are available but they are thick so I
don't know what to provide to help resolve this. As it stands right
now my email server is working fine with my current config but the config
again has duplicate entries and it's using the lesser entries and won't
read what I want it to...





--
Man your battle stations...

Re: Siteoverride & Sender Restrictions

Wietse Venema
Carlos Williams:
> On Sat, Jun 21, 2008 at 4:51 PM, Wietse Venema <[hidden email]> wrote:
> > This is a very good time to start looking at the following:
> >
> > 1) Output from "postconf -n" command.
> >   http://www.postfix.org/DEBUG_README.html#mail
> >   Also referenced in the mailing list welcome message.
> Correct, this is how I was 1st able to determine what I have listed in
> main.cf is not being populated under postconf -n after I reload
> Postfix.

It helps to find discrepancies between what you write and what
Postfix reads :-)

> > 2) Postfix logging.
> >   http://www.postfix.org/DEBUG_README.html#logging
> >
> So I checked the URL provided and did a search in my logs:
>
> grep /var/log/maillog | grep "warning|error|fatal|panic" and really
> did not see anything that leads me to understand what is causing
> Postfix to break when I attempt to remove a duplicate
> "smtpd_recipient_restrictions".

You wrote that Postfix refused to receive mail. If those rejects
were not the result of panic/error/fatal/warning messages, then
you should examine the maillog file for "reject:" lines.

        Wietse

Re: Siteoverride & Sender Restrictions

mouss-2
In reply to this post by Carlwill
Carlos Williams wrote:

> [snip]
> You were correct in saying that spamhaus filters out a lot of junk but
> in all this testing we have done, I am realizing a few things and am
> again confused. Does this make any sense to you? In my my logs I
> actively see spamhaus rejecting email however I don't think that my
> main.cf is reading my "smtpd_recipient_restrictions" entry. 1st reason
> is for some strange reason I have separate entries in my main.cf for
> "smtpd_recipient_restrictions". The 1st (larger) entry that reads as
> follows:
>
> smtpd_recipient_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination,
>         check_policy_service inet:127.0.0.1:12525,
>         reject_non_fqdn_sender,
>         reject_non_fqdn_recipient,
>         reject_unlisted_recipient,
>         reject_unlisted_sender,
>         reject_rbl_client zen.spamhaus.org,
>         reject_rbl_client bl.spamcop.net,
>         reject_rbl_client safe.dnsbl.sorbs.net,
>         reject_invalid_hostname,
>         reject_non_fqdn_hostname
>
> However when I scroll down the main.cf, I then see a second entry:
>
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks, reject_unauth_destination
>
> So when I delete the smaller one in my main.cf - I am no longer able
> to receive email from the Internet. I can send internal email and I
> can send email from my Postfix server out to the Internet but no
> external email makes it. It appears that all the blocking from
> spamhaus I see in my logs are coming from smtpd_client_restrictions.
> And when I do a postconf -n, I can see that no rbl_clients are listed
> from the "smtpd_recipient_restrictions" - just everything from the 2nd
> smtpd_recipient_restrictions. So why when I delete the smaller entry
> does it no longer read "smtpd_recipient restrictions" and email
> breaks.
>
>  

comment out the check_policy_service line and try again.

if postfix blocks mail, then please post the logs that show this. We
cannot help you without logs.
#mount /dev/crystall/balls
mount: /dev/crystall/balls: unknown special file or file system



> I don't want to remove all the smtpd_client|helo|sender_checks until I
> can understand why my main.cf is not properly reading
> smtpd_recipient_restrictions. The only difference between the two
> identical entries are that the 1st one is a longer list so every entry
> on each line begins with white space & ends with a ",". The second one
> is all a single line since it only has 3 or so entries.
>  

This is not the problem.
> Make sense?
>  
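Two main.cf parsing rules drive the problems discussed in this thread: mouss's earlier point that a line starting with whitespace is a continuation line (which is how the indented debugger_command lines got swallowed into smtpd_banner), and the duplicate smtpd_recipient_restrictions above, where postconf -n shows only the later, shorter definition. The following is an added illustration, not Postfix's own parser and not code from anyone in the thread; the sample main.cf text is constructed from the fragments quoted above, and myhostname is a placeholder.

```python
"""
Added illustration (not Postfix's own code) of two main.cf parsing rules that
come up in this thread: a physical line that starts with whitespace continues
the previous logical line, and when a parameter is defined twice the last
definition wins.  Lines whose first non-blank character is '#' are skipped.
"""
import re

# Constructed sample main.cf reproducing both situations from the thread.
SAMPLE_MAIN_CF = """\
# The indented lines below are continuation lines, so the whole block becomes
# the value of smtpd_banner and debugger_command is never defined.
smtpd_banner = $myhostname ESMTP
        debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
        xxgdb $daemon_directory/$process_name $process_id & sleep 5
myhostname = mail.example.org
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        # an indented comment is skipped, not joined
        reject_rbl_client zen.spamhaus.org,
        reject_invalid_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
"""


def logical_lines(text):
    """Join physical lines into logical lines using Postfix's rules."""
    lines = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank or comment line
        if raw[0] in " \t" and lines:
            lines[-1] += " " + stripped   # continuation of the previous line
        else:
            lines.append(stripped)
    return lines


def parse_main_cf(text):
    """Return {parameter: value}; a repeated parameter keeps its last value."""
    params = {}
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            # Postfix itself treats a logical line without '=' as a fatal
            # error at startup, e.g. a wrapped list whose second line is
            # not indented.
            raise ValueError(f"missing '=' in main.cf line: {line!r}")
        params[name.strip()] = value.strip()
    return params


def restriction_list(value):
    """Split a restriction value: ',' and whitespace are equivalent separators."""
    return [tok for tok in re.split(r"[\s,]+", value) if tok]


def effective_recipient_restrictions(text=SAMPLE_MAIN_CF):
    """Tokens of the smtpd_recipient_restrictions Postfix would actually use."""
    return restriction_list(parse_main_cf(text)["smtpd_recipient_restrictions"])


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    print("smtpd_banner =", cfg["smtpd_banner"])
    print("debugger_command defined:", "debugger_command" in cfg)
    print("effective smtpd_recipient_restrictions:",
          effective_recipient_restrictions())
```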


Re: Siteoverride & Sender Restrictions

Carlwill
In reply to this post by mouss-2
On Thu, Jun 19, 2008 at 4:14 PM, mouss <[hidden email]> wrote:

>
> Here is an example that is not too far from your config (and not far from
> mine):
>
> smtpd_recipient_restrictions =
>        permit_mynetworks
>        permit_sasl_authenticated
>        reject_unauth_destination
>        reject_non_fqdn_sender
>        reject_non_fqdn_recipient
>        reject_unlisted_recipient       reject_unlisted_sender
>        check_recipient_access hash:/etc/postfix/recipient_acl
>        check_recipient_access pcre:/etc/postfix/recipient_acl.pcre
>        check_client_access cidr:/etc/postfix/client_acl.cidr
>        check_sender_access hash:/etc/postfix/sender_acl
>        check_sender_access pcre:/etc/postfix/sender_acl.pcre
>        #=> to use dnswl, use rsync to download and sync their list
>        check_client_access cidr:/etc/postfix/postfix-dnswl-permit
>        reject_rbl_client zen.spamhaus.org
>        reject_rbl_client bl.spamcop.net
>        reject_rbl_client safe.dnsbl.sorbs.net
>        #reject_rbl_client korea.services.net
>        #reject_rbl_client list.dsbl.org
>        reject_invalid_hostname
>        reject_non_fqdn_hostname
>        check_helo_access hash:/etc/postfix/helo_acl
>        check_helo_access pcre:/etc/postfix/helo_acl.pcre

OK - I went back and read through all your suggestions again and I
have a revised main.cf which I hope looks correct in your professional
opinion. I removed some of the noise and still see a few things I
don't think are being recognized even though listed in main.cf. For
example:

transport_destination_concurrency_limit = 50

I have the above parameter in main.cf however it looks not to be
visible in postconf -n and its color value is plain white text in
main.cf which tells me it does not recognize this value. I did a
search on Postfix site and it said that this is available in v2.5
however I am running 2.3 (which is the latest available from my
package maintainer).

So I have since removed "smtpd_client|helo|sender_restrictions" as you
recommended and email is working fine. I had a few junk / spam
messages slip through which I found was due to the changes /
modifications to my main.cf but nothing too bad or un-manageable.

> If you can give me logs for spam transactions, I can propose checks to block
> it.

I checked my logs and spamhaus is catching 98% of junk so it appears
to be working and since "spamhaus" is only listed under
"smtpd_recipient_restrictions", then Postfix appears to be reading
everything properly.

Now you will notice I added two entries to "smtpd_recipient_restrictions"
because they looked important and I don't know if they're making any
impact at this stage of the check but I will let you decide. I added
the 8th and 9th line check below:

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unlisted_recipient,
        reject_unlisted_sender,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client safe.dnsbl.sorbs.net,
        reject_invalid_hostname,
        reject_non_fqdn_hostname

Here is my postconf -n. Everything look better in your opinion?

address_verify_sender = <>
alias_database = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
alias_maps = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
command_time_limit = 1400
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
default_destination_recipient_limit = 100
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailbox_size_limit = 40000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
max_idle = 175
maximal_backoff_time = 2000s
message_size_limit = 10240000
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
mydomain = example.org
myhostname = mail.example.org
mynetworks = $config_directory/mynetworks
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
queue_run_delay = 500s
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
relay_domains = /etc/postfix/relay_domains
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,        reject_unauth_destination,
reject_non_fqdn_sender,        reject_non_fqdn_recipient,
reject_unlisted_recipient,
reject_unlisted_sender, reject_invalid_hostname,
reject_non_fqdn_hostname,        reject_rbl_client zen.spamhaus.org,
     reject_rbl_client bl.spamcop.net,        reject_rbl_client
safe.dnsbl.sorbs.net,        reject_invalid_hostname,
reject_non_fqdn_hostname
smtpd_reject_unlisted_recipient = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_soft_error_limit = 10
smtpd_timeout = 60s
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 501
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550






--
Man your battle stations...
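The two pitfalls discussed above can be caught mechanically: a parameter defined twice in main.cf (Postfix keeps only the last definition, which is why postconf -n showed just the short list and why the RBL checks in the first list never ran), and a restriction such as reject_invalid_hostname listed twice inside one value. The script below is an added example, not code from the thread or from Postfix; the sample main.cf is constructed to resemble the one described, and the siteoverride file name is taken from the first post of the thread.

```python
"""Audit a Postfix main.cf the way postconf -n reads it.

Checks (constructed example, not Postfix code):
  * a parameter defined twice: Postfix keeps the LAST definition, so an
    earlier smtpd_recipient_restrictions full of RBL checks is silently
    replaced by a later three-item one;
  * a restriction listed twice in one value;
  * an access map placed before reject_unauth_destination, where an
    entry returning OK would permit relaying for that client/sender.
"""
import re

# Constructed sample, modelled on the main.cf described in the thread.
SAMPLE_MAIN_CF = """\
myhostname = mail.example.org
# first, long definition: the one the admin believes is active
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_client_access hash:/etc/postfix/siteoverride,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_invalid_hostname
smtpd_helo_required = yes
# second definition further down the file: this one wins
smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks, reject_unauth_destination
"""

# Postfix 2.x refuses to run smtpd unless the list contains one of these.
ANTI_RELAY = {"reject_unauth_destination", "check_relay_domains",
              "reject", "defer", "defer_if_permit"}


def parse_main_cf(text):
    """Return (effective, definitions).

    effective:   name -> value with the last definition winning (postconf -n).
    definitions: every (name, value) pair in file order, so repeats are visible.
    A line starting with whitespace continues the previous logical line;
    a line starting with '#' is a comment.
    """
    definitions = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and definitions:
            name, value = definitions[-1]
            definitions[-1] = (name, (value + " " + raw.strip()).strip())
            continue
        if "=" not in raw:
            continue
        name, value = raw.split("=", 1)
        definitions.append((name.strip(), value.strip()))
    effective = {}
    for name, value in definitions:
        effective[name] = value          # later definition overrides earlier
    return effective, definitions


def duplicate_parameters(definitions):
    """Parameter names that appear more than once, in order of first repeat."""
    seen, dups = set(), []
    for name, _ in definitions:
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def split_restrictions(value):
    """Split a restriction list into items like 'reject_rbl_client zen.spamhaus.org'.

    Items are comma and/or whitespace separated; a token that is not a bare
    restriction name (it contains ':' or '.') is the argument of the previous item.
    """
    items = []
    for tok in re.split(r"[\s,]+", value):
        if not tok:
            continue
        if re.fullmatch(r"[a-z_]+", tok) or not items:
            items.append(tok)
        else:
            items[-1] += " " + tok
    return items


def audit_restrictions(items):
    """Return a list of human-readable findings for one restriction list."""
    findings, seen = [], set()
    names = [item.split()[0] for item in items]
    for name in names:
        if name in seen:
            findings.append(f"duplicate restriction: {name}")
        seen.add(name)
    if not ANTI_RELAY & seen:
        findings.append("no anti-relay restriction such as reject_unauth_destination")
    if "reject_unauth_destination" in names:
        cut = names.index("reject_unauth_destination")
        for name in names[:cut]:
            if name.startswith("check_") and name.endswith("_access"):
                findings.append(f"{name} before reject_unauth_destination: "
                                "an OK entry would allow relaying")
    return findings


if __name__ == "__main__":
    effective, definitions = parse_main_cf(SAMPLE_MAIN_CF)
    for name in duplicate_parameters(definitions):
        print(f"{name} is defined more than once; effective value: {effective[name]}")
    for name, value in definitions:
        if name == "smtpd_recipient_restrictions":
            for finding in audit_restrictions(split_restrictions(value)):
                print(f"  {name}: {finding}")
```

Running it on the sample reports that smtpd_recipient_restrictions is defined twice and that the effective value is the short second list, then lists the duplicated reject_invalid_hostname and the access map placed ahead of reject_unauth_destination in the first definition; the second definition produces no findings.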

Re: Siteoverride & Sender Restrictions

Carlwill
On Mon, Jun 23, 2008 at 11:38 AM, Carlos Williams <[hidden email]> wrote:

> On Thu, Jun 19, 2008 at 4:14 PM, mouss <[hidden email]> wrote:
>>
>> Here is an example that is not too far from your config (and not far from
>> mine):
>>
>> smtpd_recipient_restrictions =
>>        permit_mynetworks
>>        permit_sasl_authenticated
>>        reject_unauth_destination
>>        reject_non_fqdn_sender
>>        reject_non_fqdn_recipient
>>        reject_unlisted_recipient       reject_unlisted_sender
>>        check_recipient_access hash:/etc/postfix/recipient_acl
>>        check_recipient_access pcre:/etc/postfix/recipient_acl.pcre
>>        check_client_access cidr:/etc/postfix/client_acl.cidr
>>        check_sender_access hash:/etc/postfix/sender_acl
>>        check_sender_access pcre:/etc/postfix/sender_acl.pcre
>>        #=> to use dnswl, use rsync to download and sync their list
>>        check_client_access cidr:/etc/postfix/postfix-dnswl-permit
>>        reject_rbl_client zen.spamhaus.org
>>        reject_rbl_client bl.spamcop.net
>>        reject_rbl_client safe.dnsbl.sorbs.net
>>        #reject_rbl_client korea.services.net
>>        #reject_rbl_client list.dsbl.org
>>        reject_invalid_hostname
>>        reject_non_fqdn_hostname
>>        check_helo_access hash:/etc/postfix/helo_acl
>>        check_helo_access pcre:/etc/postfix/helo_acl.pcre
>
> OK - I went back and read through all your suggestions again and I
> have a revised main.cf which I hope looks correct in your professional
> opinion. I removed some of the noise and still see a few things I
> don't think are being recognized even though listed in main.cf. For
> example:
>
> transport_destination_concurrency_limit = 50
>
> I have the above parameter in main.cf however it looks not to be
> visible in postconf -n and its color value is plain white text in
> main.cf which tells me it does not recognize this value. I did a
> search on Postfix site and it said that this is available in v2.5
> however I am running 2.3 (which is the latest available from my
> package maintainer).
>
> So I have since removed "smtpd_client|helo|sender_restrictions" as you
> recommended and email is working fine. I had a few junk / spam
> messages slip through which I found was due to the changes /
> modifications to my main.cf but nothing too bad or un-manageable.
>
>> If you can give me logs for spam transactions, I can propose checks to block
>> it.
>
> I checked my logs and spamhaus is catching 98% of junk so it appears
> to be working and since "spamhaus" is only listed under
> "smtpd_recipient_restrictions", then Postfix appears to be reading
> everything properly.
>
> Now you will notice I added two entries to "smtpd_recipient_restrictions"
> because they looked important and I don't know if they're making any
> impact at this stage of the check but I will let you decide. I added
> the 8th and 9th line check below:
>
> smtpd_recipient_restrictions =
>        permit_mynetworks,
>        permit_sasl_authenticated,
>        reject_unauth_destination,
>        reject_non_fqdn_sender,
>        reject_non_fqdn_recipient,
>        reject_unlisted_recipient,
>        reject_unlisted_sender,
>        reject_invalid_hostname,
>        reject_non_fqdn_hostname,
>        reject_rbl_client zen.spamhaus.org,
>        reject_rbl_client bl.spamcop.net,
>        reject_rbl_client safe.dnsbl.sorbs.net,
>        reject_invalid_hostname,
>        reject_non_fqdn_hostname
>
> Here is my postconf -n. Everything look better in your opinion?
>
> address_verify_sender = <>
> alias_database = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
> alias_maps = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
> biff = no
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> command_time_limit = 1400
> config_directory = /etc/postfix
> content_filter = smtp-amavis:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> default_destination_recipient_limit = 100
> disable_vrfy_command = yes
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> local_recipient_maps = unix:passwd.byname $alias_maps
> mail_owner = postfix
> mailbox_size_limit = 40000000
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> max_idle = 175
> maximal_backoff_time = 2000s
> message_size_limit = 10240000
> mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
> mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
> mydomain = example.org
> myhostname = mail.example.org
> mynetworks = $config_directory/mynetworks
> mynetworks_style = host
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> parent_domain_matches_subdomains =
> queue_directory = /var/spool/postfix
> queue_run_delay = 500s
> readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
> relay_domains = /etc/postfix/relay_domains
> sample_directory = /usr/share/doc/postfix-2.2.10/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = yes
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_error_sleep_time = 1s
> smtpd_hard_error_limit = 20
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,        reject_unauth_destination,
> reject_non_fqdn_sender,        reject_non_fqdn_recipient,
> reject_unlisted_recipient,
> reject_unlisted_sender, reject_invalid_hostname,
> reject_non_fqdn_hostname,        reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client bl.spamcop.net,        reject_rbl_client
> safe.dnsbl.sorbs.net,        reject_invalid_hostname,
> reject_non_fqdn_hostname
> smtpd_reject_unlisted_recipient = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_soft_error_limit = 10
> smtpd_timeout = 60s
> smtpd_tls_auth_only = no
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> strict_rfc821_envelopes = yes
> tls_random_source = dev:/dev/urandom
> unknown_address_reject_code = 550
> unknown_client_reject_code = 550
> unknown_hostname_reject_code = 501
> unknown_local_recipient_reject_code = 550
> unverified_recipient_reject_code = 550
> unverified_sender_reject_code = 550
>
Mouss - sorry to bother you again. Just wondering if you see any
problems I have not yet resolved from the data posted above?

I am getting like perhaps 2-3 messages of spam per day:

Jun 25 08:56:35 mail postfix/smtpd[32092]: connect from
119-47-26-185.catv296.ne.jp[119.47.26.185]
Jun 25 08:56:52 mail postfix/smtpd[32092]: A55AB15C065:
client=119-47-26-185.catv296.ne.jp[119.47.26.185]
Jun 25 08:56:54 mail amavis[6768]: (06768-05) Passed CLEAN,
[119.47.26.185] [119.47.26.185]
<[hidden email]> ->
<[hidden email]>, Message-ID:
<01c8d70e$5ffd2a00$b91a2f77@akstcameublierinteramamnsdgs>, mail_id:
HX3PRPt0MIEO, Hits: -, size: 910, queued_as: 0D29D15C069, 128 ms
Jun 25 08:56:54 mail postfix/smtpd[32092]: disconnect from
119-47-26-185.catv296.ne.jp[119.47.26.185]

Jun 24 06:53:16 mail postfix/smtpd[27056]: connect from
host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
Jun 24 06:53:32 mail postfix/smtpd[27056]: A7B6C15C02D:
client=host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
Jun 24 06:53:33 mail amavis[14540]: (14540-17) Passed CLEAN,
[87.25.215.95] [87.25.215.95] <[hidden email]> ->
<[hidden email]>, Message-ID:
<[hidden email]>, mail_id:
J4Ohx2LylnGI, Hits: -, size: 1227, queued_as: 6B18B15C040, 133 ms
Jun 24 06:53:33 mail postfix/smtpd[27056]: disconnect from
host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]

Those are two examples of spam that for some reason my rbl checks are
not rejecting. Any thoughts?

Re: Siteoverride & Sender Restrictions

Brian Evans - Postfix List
Carlos Williams wrote:

> Mouss - sorry to bother you again. Just wondering if you see any
> problems I have not yet resolved from the data posted above?
>
> I am getting like perhaps 2-3 messages of spam per day:
>
> Jun 25 08:56:35 mail postfix/smtpd[32092]: connect from
> 119-47-26-185.catv296.ne.jp[119.47.26.185]
> Jun 25 08:56:52 mail postfix/smtpd[32092]: A55AB15C065:
> client=119-47-26-185.catv296.ne.jp[119.47.26.185]
> Jun 25 08:56:54 mail amavis[6768]: (06768-05) Passed CLEAN,
> [119.47.26.185] [119.47.26.185]
> <[hidden email]> ->
> <[hidden email]>, Message-ID:
> <01c8d70e$5ffd2a00$b91a2f77@akstcameublierinteramamnsdgs>, mail_id:
> HX3PRPt0MIEO, Hits: -, size: 910, queued_as: 0D29D15C069, 128 ms
> Jun 25 08:56:54 mail postfix/smtpd[32092]: disconnect from
> 119-47-26-185.catv296.ne.jp[119.47.26.185]
>  
Patience wins here:  http://cbl.abuseat.org/lookup.cgi?ip=119.47.26.185
IP Address 119.47.26.185 is currently listed in the CBL.

It was detected at 2008-06-25 13:00 GMT (+/- 30 minutes), approximately
3 hours, 30 minutes ago.

(cbl is part of zen)

> Jun 24 06:53:16 mail postfix/smtpd[27056]: connect from
> host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
> Jun 24 06:53:32 mail postfix/smtpd[27056]: A7B6C15C02D:
> client=host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
> Jun 24 06:53:33 mail amavis[14540]: (14540-17) Passed CLEAN,
> [87.25.215.95] [87.25.215.95] <[hidden email]> ->
> <[hidden email]>, Message-ID:
> <[hidden email]>, mail_id:
> J4Ohx2LylnGI, Hits: -, size: 1227, queued_as: 6B18B15C040, 133 ms
> Jun 24 06:53:33 mail postfix/smtpd[27056]: disconnect from
> host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
>
> Those are two examples of spam that for some reason my rbl checks are
> not rejecting. Any thoughts?
>  
For "new" or random spam, I prefer to use policyd-weight as a front end
weighted check that pulls in several factors including RBLs.
Other projects also do this, such as postfwd (but without the RBL checks).

Brian
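Brian's "Patience wins" point, that reject_rbl_client can only reject what the DNSBL already lists at the moment the client connects, can be verified after the fact by re-querying the client addresses of messages amavis passed as CLEAN. The script below is an added example, not code from the thread or from Postfix; the log lines are the ones posted above, re-joined onto single lines, and the stub resolver's answers are constructed to mirror the CBL listing Brian found. With the default `live_resolve` it performs real DNS lookups.

```python
"""Re-check the client IPs of accepted mail against a DNSBL.

Postfix's "reject_rbl_client zen.spamhaus.org" looks up
<octets reversed>.zen.spamhaus.org when the client connects; an address
listed only later sails through.  Pulling the client IPs of messages that
amavis passed as CLEAN and re-querying them tells "never listed" apart
from "listed too late".  Added example; not code from the thread.
"""
import re
import socket

# Log lines as posted in the thread (the archive hid the addresses),
# re-joined onto single lines.
SAMPLE_LOG = """\
Jun 25 08:56:35 mail postfix/smtpd[32092]: connect from 119-47-26-185.catv296.ne.jp[119.47.26.185]
Jun 25 08:56:52 mail postfix/smtpd[32092]: A55AB15C065: client=119-47-26-185.catv296.ne.jp[119.47.26.185]
Jun 25 08:56:54 mail amavis[6768]: (06768-05) Passed CLEAN, [119.47.26.185] [119.47.26.185] <[hidden email]> -> <[hidden email]>, mail_id: HX3PRPt0MIEO, Hits: -, size: 910, queued_as: 0D29D15C069, 128 ms
Jun 25 08:56:54 mail postfix/smtpd[32092]: disconnect from 119-47-26-185.catv296.ne.jp[119.47.26.185]
Jun 24 06:53:32 mail postfix/smtpd[27056]: A7B6C15C02D: client=host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
Jun 24 06:53:33 mail amavis[14540]: (14540-17) Passed CLEAN, [87.25.215.95] [87.25.215.95] <[hidden email]> -> <[hidden email]>, mail_id: J4Ohx2LylnGI, Hits: -, size: 1227, queued_as: 6B18B15C040, 133 ms
"""

CLEAN_RE = re.compile(r"amavis\[\d+\]: \(\S+\) Passed CLEAN, \[(\d+\.\d+\.\d+\.\d+)\]")

# Return codes zen.spamhaus.org documents; CBL data is served through XBL.
# 127.255.255.x are error answers (bad query, public resolver, query limit).
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL/CBL", "127.0.0.5": "XBL/CBL",
    "127.0.0.6": "XBL/CBL", "127.0.0.7": "XBL/CBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
    "127.255.255.252": "error: typing error in query",
    "127.255.255.254": "error: query via public/open resolver",
    "127.255.255.255": "error: query limit exceeded",
}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """The name reject_rbl_client looks up: IPv4 octets reversed, then the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone


def clean_client_ips(log_text):
    """Client IPs of messages amavis passed as CLEAN, in log order, deduplicated."""
    ips = []
    for line in log_text.splitlines():
        m = CLEAN_RE.search(line)
        if m and m.group(1) not in ips:
            ips.append(m.group(1))
    return ips


def live_resolve(name):
    """Real DNS lookup; a DNSBL answers NXDOMAIN for addresses it does not list."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(ip, resolve=live_resolve, zone="zen.spamhaus.org"):
    """Map the DNSBL answer (or its absence) to a verdict string."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return "not listed"
    return ZEN_CODES.get(answer, f"listed ({answer})")


def recheck(log_text, resolve=live_resolve):
    """Verdict per client IP that delivered a CLEAN-passed message."""
    return {ip: classify(ip, resolve) for ip in clean_client_ips(log_text)}


# Constructed answers mirroring the thread: CBL listed 119.47.26.185 shortly
# after the message was accepted; the other client was not listed.
CONSTRUCTED_ANSWERS = {"185.26.47.119.zen.spamhaus.org": "127.0.0.4"}


def stub_resolve(name):
    """Offline stand-in for live_resolve using the constructed answers."""
    return CONSTRUCTED_ANSWERS.get(name)


if __name__ == "__main__":
    for ip, verdict in recheck(SAMPLE_LOG, stub_resolve).items():
        print(f"{ip:15} {dnsbl_query_name(ip):40} {verdict}")
```

An address that now comes back as XBL/CBL but was accepted at connect time is the listing lag Brian describes, not a misconfiguration; an address that still returns "not listed" is a candidate for the weighted front-end checks he mentions. The resolver is injected so the same code runs offline in a test and against real DNS in production.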

Re: Siteoverride & Sender Restrictions

Brian Evans - Postfix List
Brian Evans wrote:

> Carlos Williams wrote:
>> Mouss - sorry to bother you again. Just wondering if you see any
>> problems I have not yet resolved from the data posted above?
>>
>> I am getting like perhaps 2-3 messages of spam per day:
>>
>> Jun 25 08:56:35 mail postfix/smtpd[32092]: connect from
>> 119-47-26-185.catv296.ne.jp[119.47.26.185]
>> Jun 25 08:56:52 mail postfix/smtpd[32092]: A55AB15C065:
>> client=119-47-26-185.catv296.ne.jp[119.47.26.185]
>> Jun 25 08:56:54 mail amavis[6768]: (06768-05) Passed CLEAN,
>> [119.47.26.185] [119.47.26.185]
>> <[hidden email]> ->
>> <[hidden email]>, Message-ID:
>> <01c8d70e$5ffd2a00$b91a2f77@akstcameublierinteramamnsdgs>, mail_id:
>> HX3PRPt0MIEO, Hits: -, size: 910, queued_as: 0D29D15C069, 128 ms
>> Jun 25 08:56:54 mail postfix/smtpd[32092]: disconnect from
>> 119-47-26-185.catv296.ne.jp[119.47.26.185]
>>  
> Patience wins here:  http://cbl.abuseat.org/lookup.cgi?ip=119.47.26.185
> IP Address 119.47.26.185 is currently listed in the CBL.
>
> It was detected at 2008-06-25 13:00 GMT (+/- 30 minutes),
> approximately 3 hours, 30 minutes ago.
>
> (cbl is part of zen)
>> Jun 24 06:53:16 mail postfix/smtpd[27056]: connect from
>> host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
>> Jun 24 06:53:32 mail postfix/smtpd[27056]: A7B6C15C02D:
>> client=host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
>> Jun 24 06:53:33 mail amavis[14540]: (14540-17) Passed CLEAN,
>> [87.25.215.95] [87.25.215.95] <[hidden email]> ->
>> <[hidden email]>, Message-ID:
>> <[hidden email]>, mail_id:
>> J4Ohx2LylnGI, Hits: -, size: 1227, queued_as: 6B18B15C040, 133 ms
>> Jun 24 06:53:33 mail postfix/smtpd[27056]: disconnect from
>> host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
>>
>> Those are two examples of spam that for some reason my rbl checks are
>> not rejecting. Any thoughts?
>>  
> For "new" or random spam, I prefer to use policyd-weight as a front
> end weighted check that pulls in several factors including RBLs.
> Other projects also do this, such as postfwd (but without the RBL
> checks).
Oops:
s/RBL/HELO/
>
> Brian


Re: Siteoverride & Sender Restrictions

Carlwill
In reply to this post by Brian Evans - Postfix List
On Wed, Jun 25, 2008 at 12:20 PM, Brian Evans <[hidden email]> wrote:

>
> Patience wins here:  http://cbl.abuseat.org/lookup.cgi?ip=119.47.26.185
> IP Address 119.47.26.185 is currently listed in the CBL.
>
> It was detected at 2008-06-25 13:00 GMT (+/- 30 minutes), approximately 3
> hours, 30 minutes ago.
>
> (cbl is part of zen)
>>
>> Jun 24 06:53:16 mail postfix/smtpd[27056]: connect from
>> host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
>> Jun 24 06:53:32 mail postfix/smtpd[27056]: A7B6C15C02D:
>> client=host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
>> Jun 24 06:53:33 mail amavis[14540]: (14540-17) Passed CLEAN,
>> [87.25.215.95] [87.25.215.95] <[hidden email]> ->
>> <[hidden email]>, Message-ID:
>> <[hidden email]>, mail_id:
>> J4Ohx2LylnGI, Hits: -, size: 1227, queued_as: 6B18B15C040, 133 ms
>> Jun 24 06:53:33 mail postfix/smtpd[27056]: disconnect from
>> host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
>>
>> Those are two examples of spam that for some reason my rbl checks are
>> not rejecting. Any thoughts?
>>
>
> For "new" or random spam, I prefer to use policyd-weight as a front end
> weighted check that pulls in several factors including RBLs.
> Other projects also do this, such as postfwd (but without the RBL checks).
>
Thanks! I guess my only concern now is that the changes I made (which
I feel were major config changes to main.cf) are correct and that all
your recommendations were followed properly. Sometimes suggestions via
email don't translate properly to my keyboard and I mess something up :)

If you still see anything in postconf -n I posted today that can be
changed to improve performance and or config - please let me know.

Thanks!

Carlos