Siteoverride & Sender Restrictions


Re: Siteoverride & Sender Restrictions

MrC-7
Carlos Williams wrote:
...

> Mouss - sorry to bother you again. Just wondering if you see any
> problems I have not yet resolved from the data posted above?
>
>
> Jun 25 08:56:35 mail postfix/smtpd[32092]: connect from
> 119-47-26-185.catv296.ne.jp[119.47.26.185]
> Jun 25 08:56:52 mail postfix/smtpd[32092]: A55AB15C065:
> client=119-47-26-185.catv296.ne.jp[119.47.26.185]
> Jun 25 08:56:54 mail amavis[6768]: (06768-05) Passed CLEAN,
> [119.47.26.185] [119.47.26.185]
> <[hidden email]> ->
> <[hidden email]>, Message-ID:
> <01c8d70e$5ffd2a00$b91a2f77@akstcameublierinteramamnsdgs>, mail_id:
> HX3PRPt0MIEO, Hits: -, size: 910, queued_as: 0D29D15C069, 128 ms
                    ^^^^^
Here's one area for improvement. You are running amavis, but there are
no spam scores, which means SpamAssassin isn't called.  I'm presuming
amavis is also configured with $sa_local_tests_only = 1.  Hard to catch
spam that passes postfix without more assistance to amavis.

MrC

> Jun 25 08:56:54 mail postfix/smtpd[32092]: disconnect from
> 119-47-26-185.catv296.ne.jp[119.47.26.185]
>
> Jun 24 06:53:16 mail postfix/smtpd[27056]: connect from
> host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
> Jun 24 06:53:32 mail postfix/smtpd[27056]: A7B6C15C02D:
> client=host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
> Jun 24 06:53:33 mail amavis[14540]: (14540-17) Passed CLEAN,
> [87.25.215.95] [87.25.215.95] <[hidden email]> ->
> <[hidden email]>, Message-ID:
> <[hidden email]>, mail_id:
> J4Ohx2LylnGI, Hits: -, size: 1227, queued_as: 6B18B15C040, 133 ms
> Jun 24 06:53:33 mail postfix/smtpd[27056]: disconnect from
> host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
>
> Those are two examples of spam that for some reason my rbl checks are
> not rejecting. Any thoughts?

Re: Siteoverride & Sender Restrictions

Carlwill
On Wed, Jun 25, 2008 at 1:09 PM, MrC <[hidden email]> wrote:
> Here's one area for improvement. You are running amavis, but there are
> no spam scores, which means SpamAssassin isn't called.  I'm presuming
> amavis is also configured with $sa_local_tests_only = 1.  Hard to catch
> spam that passes postfix without more assistance to amavis.
>
> MrC

Thanks for the reply! The U.S. DoD has not approved the usage of SA on
this email server so for now it has been disabled. Right now
Amavisd-new is using Clamav if I am not mistaken but I have disabled
SA.

Re: Siteoverride & Sender Restrictions

mouss-2
In reply to this post by Carlwill
Carlos Williams wrote:

> On Mon, Jun 23, 2008 at 11:38 AM, Carlos Williams <[hidden email]> wrote:
>> On Thu, Jun 19, 2008 at 4:14 PM, mouss <[hidden email]> wrote:
>>> Here is an example that is not too far from your config (and not far from
>>> mine):
>>>
>>> smtpd_recipient_restrictions =
>>>        permit_mynetworks
>>>        permit_sasl_authenticated
>>>        reject_unauth_destination
>>>        reject_non_fqdn_sender
>>>        reject_non_fqdn_recipient
>>>        reject_unlisted_recipient
>>>        reject_unlisted_sender
>>>        check_recipient_access hash:/etc/postfix/recipient_acl
>>>        check_recipient_access pcre:/etc/postfix/recipient_acl.pcre
>>>        check_client_access cidr:/etc/postfix/client_acl.cidr
>>>        check_sender_access hash:/etc/postfix/sender_acl
>>>        check_sender_access pcre:/etc/postfix/sender_acl.pcre
>>>        #=> to use dnswl, use rsync to download and sync their list
>>>        check_client_access cidr:/etc/postfix/postfix-dnswl-permit
>>>        reject_rbl_client zen.spamhaus.org
>>>        reject_rbl_client bl.spamcop.net
>>>        reject_rbl_client safe.dnsbl.sorbs.net
>>>        #reject_rbl_client korea.services.net
>>>        #reject_rbl_client list.dsbl.org
>>>        reject_invalid_hostname
>>>        reject_non_fqdn_hostname
>>>        check_helo_access hash:/etc/postfix/helo_acl
>>>        check_helo_access pcre:/etc/postfix/helo_acl.pcre
>> OK - I went back and read through all your suggestions again and I
>> have a revised main.cf which I hope looks correct in your professional
>> opinion. I removed some of the noise and still see a few things I
>> don't think are being recognized even though listed in main.cf. For
>> example:
>>
>> transport_destination_concurrency_limit = 50
>>
>> I have the above parameter in main.cf however it looks not to be
>> visible in postconf -n and its color value is plain white text in
>> main.cf which tells me it does not recognize this value. I did a
>> search on Postfix site and it said that this is available in v2.5
>> however I am running 2.3 (which is the latest available from my
>> package maintainer).
>>
>> So I have since removed "smtpd_client|helo|sender_restrictions" as you
>> recommended and email is working fine. I had a few junk / spam
>> messages slip through which I found was due to the changes /
>> modifications to my main.cf but nothing too bad or unmanageable.
>>
>>> If you can give me logs for spam transactions, I can propose checks to block
>>> it.
>> I checked my logs and spamhaus is catching 98% of junk so it appears
>> to be working and since "spamhaus" is only listed under
>> "smtpd_recipient_restrictions", then Postfix appears to be reading
>> everything properly.
>>
>> Now you will notice two added entries in "smtpd_recipient_restrictions"
>> because they looked important and I don't know if they're making any
>> impact at this stage of the check but I will let you decide. I added
>> the 8th and 9th line check below:
>>
>> smtpd_recipient_restrictions =
>>        permit_mynetworks,
>>        permit_sasl_authenticated,
>>        reject_unauth_destination,
>>        reject_non_fqdn_sender,
>>        reject_non_fqdn_recipient,
>>        reject_unlisted_recipient,
>>        reject_unlisted_sender,
>>        reject_invalid_hostname,
>>        reject_non_fqdn_hostname,
>>        reject_rbl_client zen.spamhaus.org,
>>        reject_rbl_client bl.spamcop.net,
>>        reject_rbl_client safe.dnsbl.sorbs.net,
>>        reject_invalid_hostname,
>>        reject_non_fqdn_hostname
>>
>> Here is my postconf -n. Does everything look better in your opinion?
>>
>> address_verify_sender = <>
>> alias_database = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
>> alias_maps = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
>> biff = no
>> broken_sasl_auth_clients = yes
>> command_directory = /usr/sbin
>> command_time_limit = 1400
>> config_directory = /etc/postfix
>> content_filter = smtp-amavis:[127.0.0.1]:10024
>> daemon_directory = /usr/libexec/postfix
>> default_destination_recipient_limit = 100
>> disable_vrfy_command = yes
>> home_mailbox = Maildir/
>> html_directory = no
>> inet_interfaces = all
>> local_recipient_maps = unix:passwd.byname $alias_maps
>> mail_owner = postfix
>> mailbox_size_limit = 40000000
>> mailq_path = /usr/bin/mailq.postfix
>> manpage_directory = /usr/share/man
>> max_idle = 175
>> maximal_backoff_time = 2000s
>> message_size_limit = 10240000
>> mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
>> mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
>> mydomain = example.org
>> myhostname = mail.example.org
>> mynetworks = $config_directory/mynetworks
>> mynetworks_style = host
>> myorigin = $mydomain
>> newaliases_path = /usr/bin/newaliases.postfix
>> parent_domain_matches_subdomains =
>> queue_directory = /var/spool/postfix
>> queue_run_delay = 500s
>> readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
>> relay_domains = /etc/postfix/relay_domains
>> sample_directory = /usr/share/doc/postfix-2.2.10/samples
>> sendmail_path = /usr/sbin/sendmail.postfix
>> setgid_group = postdrop
>> smtp_tls_note_starttls_offer = yes
>> smtp_use_tls = yes
>> smtpd_data_restrictions = reject_unauth_pipelining
>> smtpd_error_sleep_time = 1s
>> smtpd_hard_error_limit = 20
>> smtpd_helo_required = yes
>> smtpd_recipient_restrictions = permit_mynetworks,
>> permit_sasl_authenticated,        reject_unauth_destination,
>> reject_non_fqdn_sender,        reject_non_fqdn_recipient,
>> reject_unlisted_recipient,
>> reject_unlisted_sender, reject_invalid_hostname,
>> reject_non_fqdn_hostname,        reject_rbl_client zen.spamhaus.org,
>>     reject_rbl_client bl.spamcop.net,        reject_rbl_client
>> safe.dnsbl.sorbs.net,        reject_invalid_hostname,
>> reject_non_fqdn_hostname
>> smtpd_reject_unlisted_recipient = yes
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_security_options = noanonymous
>> smtpd_soft_error_limit = 10
>> smtpd_timeout = 60s
>> smtpd_tls_auth_only = no
>> smtpd_tls_loglevel = 1
>> smtpd_tls_received_header = yes
>> smtpd_tls_session_cache_timeout = 3600s
>> smtpd_use_tls = yes
>> strict_rfc821_envelopes = yes
>> tls_random_source = dev:/dev/urandom
>> unknown_address_reject_code = 550
>> unknown_client_reject_code = 550
>> unknown_hostname_reject_code = 501
>> unknown_local_recipient_reject_code = 550
>> unverified_recipient_reject_code = 550
>> unverified_sender_reject_code = 550
>>
> Mouss - sorry to bother you again. Just wondering if you see any
> problems I have not yet resolved from the data posted above?
>
> I am getting like perhaps 2-3 messages of spam per day:
>
> Jun 25 08:56:35 mail postfix/smtpd[32092]: connect from
> 119-47-26-185.catv296.ne.jp[119.47.26.185]
> Jun 25 08:56:52 mail postfix/smtpd[32092]: A55AB15C065:
> client=119-47-26-185.catv296.ne.jp[119.47.26.185]
> Jun 25 08:56:54 mail amavis[6768]: (06768-05) Passed CLEAN,
> [119.47.26.185] [119.47.26.185]
> <[hidden email]> ->
> <[hidden email]>, Message-ID:
> <01c8d70e$5ffd2a00$b91a2f77@akstcameublierinteramamnsdgs>, mail_id:
> HX3PRPt0MIEO, Hits: -, size: 910, queued_as: 0D29D15C069, 128 ms
> Jun 25 08:56:54 mail postfix/smtpd[32092]: disconnect from
> 119-47-26-185.catv296.ne.jp[119.47.26.185]
>
> Jun 24 06:53:16 mail postfix/smtpd[27056]: connect from
> host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
> Jun 24 06:53:32 mail postfix/smtpd[27056]: A7B6C15C02D:
> client=host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
> Jun 24 06:53:33 mail amavis[14540]: (14540-17) Passed CLEAN,
> [87.25.215.95] [87.25.215.95] <[hidden email]> ->
> <[hidden email]>, Message-ID:
> <[hidden email]>, mail_id:
> J4Ohx2LylnGI, Hits: -, size: 1227, queued_as: 6B18B15C040, 133 ms
> Jun 24 06:53:33 mail postfix/smtpd[27056]: disconnect from
> host95-215-static.25-87-b.business.telecomitalia.it[87.25.215.95]
>
> Those are two examples of spam that for some reason my rbl checks are
> not rejecting. Any thoughts?

It really depends on you. I personally don't care for such networks, so
it's:

.ne.jp      REJECT blah blah
.telecomitalia.it      REJECT blah blah

With a recent postfix, use check_reverse_client_hostname_access. With an
old postfix, check_client_access.

And before you ask, I don't care for legitimate mail coming out of
there. They can buy another domain or use a freemail provider. My
quarantine is full.



Re: Siteoverride & Sender Restrictions

MrC-7
In reply to this post by Carlwill
Carlos Williams wrote:

> On Wed, Jun 25, 2008 at 1:09 PM, MrC <[hidden email]> wrote:
>> Here's one area for improvement. You are running amavis, but there are
>> no spam scores, which means SpamAssassin isn't called.  I'm presuming
>> amavis is also configured with $sa_local_tests_only = 1.  Hard to catch
>> spam that passes postfix without more assistance to amavis.
>>
>> MrC
>
> Thanks for the reply! The U.S. DoD has not approved the usage of SA on
> this email server so for now it has been disabled. Right now
> Amavisd-new is using Clamav if I am not mistaken but I have disabled
> SA.

Are the sanesecurity sigs out of the question also?

  http://www.sanesecurity.com/clamav/

They are very effective.

MrC

Re: Siteoverride & Sender Restrictions

Carlwill
In reply to this post by mouss-2
On Thu, Jun 19, 2008 at 4:14 PM, mouss <[hidden email]> wrote:

>>> BTW. you can put all your restrictions under smtpd_recipient_restrictions
>>> (it's about STAGE, not about parameter. at RCPT stage, postfix has all
>>> infos it needs, so you can check client, helo, sender or recipient). this
>>> may be easier to read and will avoid repeating the permit_mumble things.
>>> if you rewrite this and have a doubt, just post the new config here.

I noticed that since I removed the
"smtpd_helo|client|sender_restrictions" from my main.cf, I am getting
a bit more spam than I was before.

For example here is something that just popped in as I was composing
this message:

Jul  2 08:48:03 mail postfix/smtpd[7486]: warning: 189.6.53.164:
hostname bd0635a4.virtua.com.br verification failed: Name or service
not known
Jul  2 08:48:03 mail postfix/smtpd[7486]: connect from unknown[189.6.53.164]
Jul  2 08:48:19 mail postfix/smtpd[7486]: 1A08415C03B:
client=unknown[189.6.53.164]
Jul  2 08:48:20 mail amavis[7642]: (07642-08) Passed CLEAN,
[189.6.53.164] [189.6.53.164] <[hidden email]> ->
<[hidden email]>, Message-ID:
<[hidden email]>, mail_id:
DUh2SLzyrBVP, Hits: -, size: 1185, queued_as: E877915C065, 153 ms
Jul  2 08:48:20 mail postfix/smtpd[7486]: disconnect from unknown[189.6.53.164]
Jun 30 00:02:20 mail postfix/smtpd[17357]: warning: 67.132.245.146:
hostname dsl-146.api-digital.com verification failed: Name or service
not known
Jun 30 00:02:20 mail postfix/smtpd[17357]: connect from unknown[67.132.245.146]
Jun 30 00:02:20 mail postfix/smtpd[17357]: NOQUEUE: reject: RCPT from
unknown[67.132.245.146]: 550 <[hidden email]>: Recipient address
rejected: User unknown in local recipient table;
from=<[hidden email]> to=<[hidden email]>
proto=ESMTP helo=<dsl-146.api-digital.com>
Jun 30 00:02:20 mail postfix/smtpd[17357]: disconnect from
unknown[67.132.245.146]
Jul  1 16:49:12 mail postfix/smtpd[8505]: warning: 67.132.245.146:
hostname dsl-146.api-digital.com verification failed: Name or service
not known
Jul  1 16:49:12 mail postfix/smtpd[8505]: connect from unknown[67.132.245.146]
Jul  1 16:49:27 mail postfix/smtpd[8505]: 6A99A15C03B:
client=unknown[67.132.245.146]
Jul  1 16:49:27 mail postfix/smtpd[8505]: disconnect from
unknown[67.132.245.146]
Jul  1 16:49:27 mail amavis[14667]: (14667-05) Passed CLEAN,
[67.132.245.146] [67.132.245.146]
<[hidden email]> -> <[hidden email]>,
Message-ID: <001201c8dbbb$e936f740$92f58443@brock0vmixh1b9>, mail_id:
fXaU8LKm2NlT, Hits: -, size: 1645, queued_as: B279215C040, 140 ms


Now I don't understand why this message was able to pass through my
main.cf checks since I have the following:

smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,        reject_unauth_destination,
reject_non_fqdn_sender,        reject_non_fqdn_recipient,
reject_unlisted_recipient,
reject_unlisted_sender, reject_invalid_hostname,
reject_non_fqdn_hostname,        reject_rbl_client zen.spamhaus.org,
     reject_rbl_client bl.spamcop.net,        reject_rbl_client
safe.dnsbl.sorbs.net,        reject_invalid_hostname,
reject_non_fqdn_hostname

Is there something I am overlooking in this case as to why these
messages (spam) are flowing through with more ease? If there is
any more info I can provide to assist you in helping me tighten this
down without adding useless noise to my main.cf, please let me know.

Re: Siteoverride & Sender Restrictions

Charles Marcus
On 7/2/2008, Carlos Williams ([hidden email]) wrote:
> Now I don't understand why this message was able to pass through my
> main.cf checks since I have the following:

postconf -n output?

--

Best regards,

Charles

Re: Siteoverride & Sender Restrictions

mouss-2
In reply to this post by Carlwill
Carlos Williams wrote:
> [snip]
>
> Now I don't understand why this message was able to pass through my
> main.cf checks since I have the following:

What makes you believe it should have been stopped?

> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,        reject_unauth_destination,
> reject_non_fqdn_sender,        reject_non_fqdn_recipient,
> reject_unlisted_recipient,
> reject_unlisted_sender, reject_invalid_hostname,
> reject_non_fqdn_hostname,        reject_rbl_client zen.spamhaus.org,
>      reject_rbl_client bl.spamcop.net,        reject_rbl_client
> safe.dnsbl.sorbs.net,        reject_invalid_hostname,
> reject_non_fqdn_hostname
>
> Is there something I am overlooking in this case as to why these
> messages (spam) are flowing through with more ease? If there is
> any more info I can provide to assist you in helping me tighten this
> down without adding useless noise to my main.cf, please let me know.

Unless you take it the vigilante way, some spam will pass your postfix
restrictions. Then it's time to use your content filter.
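As an added example, not code from anyone in this thread: a small Python audit over constructed log lines in the same format as the ones Carlos posted. It picks out the two things the thread turns on, amavis "Passed CLEAN" lines with "Hits: -" (MrC's point: no SpamAssassin score, so the content filter never scored the message) and mail queued from clients whose reverse DNS failed ("client=unknown[...]"), so you can see which accepted messages got no real filtering before the content filter. The log lines, addresses and the 192.0.2.10 control client are constructed; the regexes assume the postfix/smtpd and amavisd-new log formats shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines posted in the thread
# (addresses replaced with example.net/example.org placeholders).
SAMPLE_LOG = """\
Jun 25 08:56:52 mail postfix/smtpd[32092]: A55AB15C065: client=119-47-26-185.catv296.ne.jp[119.47.26.185]
Jun 25 08:56:54 mail amavis[6768]: (06768-05) Passed CLEAN, [119.47.26.185] [119.47.26.185] <a@example.net> -> <b@example.org>, Message-ID: <x@example.net>, mail_id: HX3PRPt0MIEO, Hits: -, size: 910, queued_as: 0D29D15C069, 128 ms
Jul  2 08:48:19 mail postfix/smtpd[7486]: 1A08415C03B: client=unknown[189.6.53.164]
Jul  2 08:48:20 mail amavis[7642]: (07642-08) Passed CLEAN, [189.6.53.164] [189.6.53.164] <c@example.net> -> <b@example.org>, Message-ID: <y@example.net>, mail_id: DUh2SLzyrBVP, Hits: -, size: 1185, queued_as: E877915C065, 153 ms
Jul  3 09:00:00 mail amavis[7650]: (07650-01) Passed CLEAN, [192.0.2.10] [192.0.2.10] <d@example.net> -> <b@example.org>, Message-ID: <z@example.net>, mail_id: AbCdEf123456, Hits: 0.4, size: 2048, queued_as: 0123456789AB, 200 ms
"""

# smtpd line that assigns a queue id: captures queue id, reverse name and IP
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=([^\[\s]+)\[([\d.]+)\]")
# amavis verdict line: captures verdict, client IP and the SpamAssassin score
AMAVIS_RE = re.compile(r"amavis\[\d+\]: \(\S+\) Passed (\w+), \[([\d.]+)\].*?Hits: (\S+?), size")


def audit(log_text):
    """Return a list of (ip, reason) for accepted mail that got no real filtering."""
    findings = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid, rdns, ip = m.groups()
            if rdns == "unknown":  # reverse DNS failed, yet the message was queued
                findings.append((ip, "queued %s from client with no reverse DNS" % qid))
            continue
        m = AMAVIS_RE.search(line)
        if m:
            verdict, ip, hits = m.groups()
            if hits == "-":  # 'Hits: -' means SpamAssassin never scored the message
                findings.append((ip, "amavis 'Passed %s' without a spam score" % verdict))
    return findings


def by_client(findings):
    """Group findings per client IP so repeat offenders stand out."""
    grouped = defaultdict(list)
    for ip, reason in findings:
        grouped[ip].append(reason)
    return dict(grouped)


if __name__ == "__main__":
    for ip, reasons in by_client(audit(SAMPLE_LOG)).items():
        print(ip)
        for r in reasons:
            print("   ", r)
```

Run it against a real mail.log instead of SAMPLE_LOG and any client that shows up with both reasons is a candidate for the access-map treatment mouss describes above.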
