how set postfix server as non-functional

how set postfix server as non-functional

Poliman - Serwis
Hi. I heard that having a non-functional server as the primary MX is a well-known trick to reduce the amount of incoming spam, as most software used by spammers will only ever try the highest-priority MX. How to do this?

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: how set postfix server as non-functional

Viktor Dukhovni
On Thu, Oct 25, 2018 at 08:11:35AM +0200, Poliman - Serwis wrote:

> Hi. I heard that having a non-functional server as the primary MX is a
> well-known trick to reduce the amount of incoming spam, as most software
> used by spammers will only ever try the highest-priority MX. How to do this?

No.  This is a myth, and reduces the reliability and performance
of legitimate email delivery.  Use a decent RBL, postscreen(8) may
help to reduce the load on the server and keep smtpd(8) more available
for legitimate email.

--
        Viktor.

Re: how set postfix server as non-functional

Poliman - Serwis


2018-10-25 8:33 GMT+02:00 Viktor Dukhovni <[hidden email]>:
> On Thu, Oct 25, 2018 at 08:11:35AM +0200, Poliman - Serwis wrote:
>
> > Hi. I heard that having a non-functional server as the primary MX is a
> > well-known trick to reduce the amount of incoming spam, as most software
> > used by spammers will only ever try the highest-priority MX. How to do this?
>
> No.  This is a myth, and reduces the reliability and performance
> of legitimate email delivery.  Use a decent RBL, postscreen(8) may
> help to reduce the load on the server and keep smtpd(8) more available
> for legitimate email.
>
> --
>         Viktor.

Thank God I decided to ask. What does "keep smtpd(8) more available for legitimate email" mean,
and how do I use a decent RBL? I have many domains on the server. Company politics.
I think that it wasn't the best idea, because the server sends many thousands of emails each day.
Of course the domains are clear, like the IP, and I set spf, dkim, dmarc for these domains, but I still
have deferrals for yahoo domains (currently) like .fr, .com, .pl and also fedex.com.
--
Pozdrawiam / Best Regards
Piotr Bracha

Re: how set postfix server as non-functional

Matus UHLAR - fantomas
In reply to this post by Poliman - Serwis
On 25.10.18 08:11, Poliman - Serwis wrote:
>Hi. I heard that having a non-functional server as the primary MX is a
>well-known trick to reduce the amount of incoming spam, as most software
>used by spammers will only ever try the highest-priority MX. How to do this?

it will also delay the mail delivery, sometimes very much.

btw, many spammers connect (or at least used to) to the lowest-priority MX.
Having an unreachable lowest-priority MX could help more here.

However, postscreen can do this even better by using
postscreen_whitelist_interfaces, see

http://www.postfix.org/POSTSCREEN_README.html#white_veto
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
   One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them

Re: how set postfix server as non-functional

allenc
In reply to this post by Viktor Dukhovni


On 25/10/18 07:33, Viktor Dukhovni wrote:

> On Thu, Oct 25, 2018 at 08:11:35AM +0200, Poliman - Serwis wrote:
>
>> Hi. I heard that having a non-functional server as the primary MX is a
>> well-known trick to reduce the amount of incoming spam, as most software
>> used by spammers will only ever try the highest-priority MX. How to do this?
>
> No.  This is a myth, and reduces the reliability and performance
> of legitimate email delivery.  Use a decent RBL, postscreen(8) may
> help to reduce the load on the server and keep smtpd(8) more available
> for legitimate email.
>
Yesterday, my Postscreen blocked 92 percent of incoming connection attempts:-

POSTSCREEN  ATTRITION  REPORT  FOR  Wed 24 Oct 2018

     Connections to Postscreen - IPv6:              28
                                 IPv4:             395
     Individual hosts:                             105

     Misc disconnections                           392
          Black-listed Locally:                    100
          Black-listed by DNSBL:                   392
          Pre-greets:                               13
          Hang-ups:                                 11
          Command Pipelining:                        1

     White-listed:                                  30
     PASSed by PostScreen:                           1
          New:                                       1

     Refusal Ratio: 92 percent




There are some anti-spam projects which offer MXes for your use.
You set one up with the LOWEST priority (your "MX of last resort"); if a message reaches it, the MX will collect stats
and then return a TEMPFAIL.

Legitimate mail would not be affected as a retry will be forced, though you may want to find out what the project does
with the stats they collect.

I think Project Honeypot does one, though they are more interested in Web decoys.

Hope this helps

Allen C
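
An attrition report like the one in the message above can be rebuilt from postscreen(8) log lines. This is an added example, not the poster's script: the sample log is constructed, and the refusal ratio is assumed to be the share of connections that were neither whitelisted nor PASSed, since the post does not say how its figure was computed.

```python
import re
from collections import Counter

# postscreen(8) event keywords as logged by Postfix releases before 3.6
# (newer releases may log ALLOWLISTED/DENYLISTED instead).
EVENT = re.compile(
    r"postfix/postscreen\[\d+\]: "
    r"(CONNECT|PASS NEW|PASS OLD|WHITELISTED|BLACKLISTED|PREGREET|"
    r"DNSBL rank|HANGUP|COMMAND PIPELINING)\b.*?\[([0-9A-Fa-f:.]+)\]:\d+"
)

# Constructed sample log (documentation addresses), not taken from the thread.
SAMPLE_LOG = """\
Oct 24 00:01:01 mx1 postfix/postscreen[811]: CONNECT from [192.0.2.10]:40001 to [198.51.100.5]:25
Oct 24 00:01:01 mx1 postfix/postscreen[811]: WHITELISTED [192.0.2.10]:40001
Oct 24 00:02:10 mx1 postfix/postscreen[811]: CONNECT from [192.0.2.20]:40002 to [198.51.100.5]:25
Oct 24 00:02:16 mx1 postfix/postscreen[811]: PASS NEW [192.0.2.20]:40002
Oct 24 00:03:00 mx1 postfix/postscreen[811]: CONNECT from [203.0.113.7]:40003 to [198.51.100.5]:25
Oct 24 00:03:00 mx1 postfix/postscreen[811]: PREGREET 19 after 0.1 from [203.0.113.7]:40003: EHLO mail.example
Oct 24 00:03:01 mx1 postfix/postscreen[811]: DNSBL rank 3 for [203.0.113.7]:40003
Oct 24 00:04:00 mx1 postfix/postscreen[811]: CONNECT from [203.0.113.7]:40004 to [198.51.100.5]:25
Oct 24 00:04:01 mx1 postfix/postscreen[811]: DNSBL rank 3 for [203.0.113.7]:40004
Oct 24 00:05:00 mx1 postfix/postscreen[811]: CONNECT from [203.0.113.8]:40005 to [198.51.100.5]:25
Oct 24 00:05:07 mx1 postfix/postscreen[811]: COMMAND PIPELINING from [203.0.113.8]:40005 after EHLO: MAIL FROM:<a@b.example>
Oct 24 00:06:00 mx1 postfix/postscreen[811]: CONNECT from [203.0.113.9]:40006 to [198.51.100.5]:25
Oct 24 00:06:01 mx1 postfix/postscreen[811]: HANGUP after 0.4 from [203.0.113.9]:40006 in tests after SMTP handshake
Oct 24 00:07:00 mx1 postfix/postscreen[811]: CONNECT from [203.0.113.50]:40007 to [198.51.100.5]:25
Oct 24 00:07:00 mx1 postfix/postscreen[811]: BLACKLISTED [203.0.113.50]:40007
Oct 24 00:08:00 mx1 postfix/postscreen[811]: CONNECT from [2001:db8::bad]:40008 to [2001:db8::25]:25
Oct 24 00:08:01 mx1 postfix/postscreen[811]: DNSBL rank 2 for [2001:db8::bad]:40008
"""

def summarize(log_text):
    """Tally postscreen events and compute the percentage of refused connections."""
    counts, hosts, accepted = Counter(), set(), 0
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        event, addr = m.groups()  # addr is the first bracketed address: the client
        counts[event] += 1
        if event == "CONNECT":
            hosts.add(addr)
            counts["IPv6" if ":" in addr else "IPv4"] += 1
        elif event in ("PASS NEW", "PASS OLD", "WHITELISTED"):
            accepted += 1  # handed on to smtpd(8)
    total = counts["CONNECT"]
    # Assumed definition: everything not handed on to smtpd counts as refused.
    refused = total - accepted
    return {"counts": counts, "hosts": len(hosts), "accepted": accepted,
            "refusal_percent": 100 * refused // total if total else 0}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```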



Re: how set postfix server as non-functional

Viktor Dukhovni
> On Oct 25, 2018, at 5:55 AM, Allen Coates <[hidden email]> wrote:
>
> There are some anti-spam projects which offer MXes for your use.
> You set one up with the LOWEST priority (your "MX of last resort"); If a message reaches it, the MX will collect stats
> and then return a TEMPFAIL.

I can't recommend this either.  You're directing some fraction of
your email for delivery attempts to a third party.  They may get
to log envelope sender and recipient addresses for any traffic
that comes their way.  The traffic may well be legitimate, if
your primary servers are briefly unreachable or tempfail resolution
of the sending domain.  If you're doing DANE, you now need DANE
support on the honeypots, ...

My advice is to run a decent mail plant with no kludges.  Instead
I see a non-trivial fraction of folks creating fake MX hosts with
an address of "1.1.1.1" or other addresses they are "sure" won't
accept email.  This is all a bad idea.  The benefits are marginal
at best.  Don't do it.

--
        Viktor.


Re: how set postfix server as non-functional

allenc


On 25/10/18 11:12, Viktor Dukhovni wrote:

>> On Oct 25, 2018, at 5:55 AM, Allen Coates <[hidden email]> wrote:
>>
>> There are some anti-spam projects which offer MXes for your use.
>> You set one up with the LOWEST priority (your "MX of last resort"); If a message reaches it, the MX will collect stats
>> and then return a TEMPFAIL.
>
> I can't recommend this either.  You're directing some fraction of
> your email for delivery attempts to a third party.  They may get
> to log envelope sender and recipient addresses for any traffic
> that comes their way.  The traffic may well be legitimate, if
> your primary servers are briefly unreachable or tempfail resolution
> of the sending domain.  If you're doing DANE, you now need DANE
> support on the honeypots, ...
>
> My advice is to run a decent mail plant with no kludges.  Instead
> I see a non-trivial fraction of folks creating fake MX hosts with
> an address of "1.1.1.1" or other addresses they are "sure" won't
> accept email.  This is all a bad idea.  The benefits are marginal
> at best.  Don't do it.
>

I will go along with that.  I have no actual experience of these anti-spam schemes, I've only read about them.

Superficially they sound like a good idea, but I seem to be getting along quite well without them :-)

Postscreen is far and away the best "add-on" I have encountered to date.

Re: how set postfix server as non-functional

Matus UHLAR - fantomas
In reply to this post by allenc
>> On Thu, Oct 25, 2018 at 08:11:35AM +0200, Poliman - Serwis wrote:
>>> Hi. I heard that having a non-functional server as the primary MX is a
>>> well-known trick to reduce the amount of incoming spam, as most software
>>> used by spammers will only ever try the highest-priority MX. How to do this?

>On 25/10/18 07:33, Viktor Dukhovni wrote:
>> No.  This is a myth, and reduces the reliability and performance
>> of legitimate email delivery.  Use a decent RBL, postscreen(8) may
>> help to reduce the load on the server and keep smtpd(8) more available
>> for legitimate email.

On 25.10.18 10:55, Allen Coates wrote:
>Yesterday, my Postscreen blocked 92 percent of incoming connection attempts:-

this is not related to the subject of discussion, is it?

>There are some anti-spam projects which offer MXes for your use.
>You set one up with the LOWEST priority (your "MX of last resort"); If a message reaches it, the MX will collect stats
>and then return a TEMPFAIL.

but that is the opposite - you provide the lowest MX, not the primary.

>Legitimate mail would not be affected as a retry will be forced, though you
>may want to find out what the project does with the stats they collect.

I have already encountered a case where the mailserver got blacklisted,
because one domain only had two MX-es - primary and the blacklisting one.

Thus, you only should "donate" your MX to such anti-spam projects when you
are 100% sure you have enough of backup MX servers with different uplinks.

yes, such projects should test that, too.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95

Re: how set postfix server as non-functional

Poliman - Serwis


2018-10-25 15:28 GMT+02:00 Matus UHLAR - fantomas <[hidden email]>:
> >> On Thu, Oct 25, 2018 at 08:11:35AM +0200, Poliman - Serwis wrote:
> >>> Hi. I heard that having a non-functional server as the primary MX is a
> >>> well-known trick to reduce the amount of incoming spam, as most software
> >>> used by spammers will only ever try the highest-priority MX. How to do this?
>
> >On 25/10/18 07:33, Viktor Dukhovni wrote:
> >> No.  This is a myth, and reduces the reliability and performance
> >> of legitimate email delivery.  Use a decent RBL, postscreen(8) may
> >> help to reduce the load on the server and keep smtpd(8) more available
> >> for legitimate email.
>
> On 25.10.18 10:55, Allen Coates wrote:
> >Yesterday, my Postscreen blocked 92 percent of incoming connection attempts:-
>
> this is not related to the subject of discussion, is it?
>
> >There are some anti-spam projects which offer MXes for your use.
> >You set one up with the LOWEST priority (your "MX of last resort"); If a message reaches it, the MX will collect stats
> >and then return a TEMPFAIL.
>
> but that is the opposite - you provide the lowest MX, not the primary.
>
> >Legitimate mail would not be affected as a retry will be forced, though you
> >may want to find out what the project does with the stats they collect.
>
> I have already encountered a case where the mailserver got blacklisted,
> because one domain only had two MX-es - primary and the blacklisting one.
>
> Thus, you only should "donate" your MX to such anti-spam projects when you
> are 100% sure you have enough of backup MX servers with different uplinks.
>
> yes, such projects should test that, too.
>
> --
> Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95

So generally speaking - I should check postscreen, use a decent RBL and keep smtpd more available for legitimate email. How do I set a decent RBL in Postfix, and which are decent? What does "keep smtpd more available for legitimate email" mean, and how do I do it?
I have one more question which is more or less related to the main thread. I would like to know whether I can block port 25 on the firewall. I read that this port is used for communication between servers. Honestly, I don't get it. I would open 110, 143, 587, 465, 993, 995 and block 25.

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: how set postfix server as non-functional

Matus UHLAR - fantomas
On 26.10.18 09:27, Poliman - Serwis wrote:
>So generally speaking - I should check postscreen, use a decent RBL and
>keep smtpd more available for legitimate email. How set decent RBL in
>Postfix and which are decent?

I believe googling for RBLs, especially mailing lists' archives may help to
find out. I use spamhaus, sorbs and spamcop, plus dnswl with postscreen.

> What means/how to do "keep smtpd more available for legitimate email"?

It means that postscreen will take care of blocking spambots, so smtpd
doesn't have to.

>I have one more question which is more less related with main thread. I
>would like to know can I block port 25 on firewall?

not if you want to send and receive mail.

blocking port 25 is common at service providers, where customers aren't able
to spam through port 25 (outgoing SMTP) or run mail server (incoming SMTP).

While the latter is usually a business issue - if you want to run
mailserver, you must pay for static IP (static IP is technically good
requirement) and for potential handling of spam reports
- the former is simple and logical prevention of spam from end-users.
end-users are not supposed to contact mail servers.

However, if you are not a service provider, don't simply block 25, if you
want to send/receive mail.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]

Re: how set postfix server as non-functional

Poliman - Serwis


2018-10-26 10:01 GMT+02:00 Matus UHLAR - fantomas <[hidden email]>:
> On 26.10.18 09:27, Poliman - Serwis wrote:
> >So generally speaking - I should check postscreen, use a decent RBL and
> >keep smtpd more available for legitimate email. How set decent RBL in
> >Postfix and which are decent?
>
> I believe googling for RBLs, especially mailing lists' archives may help to
> find out. I use spamhaus, sorbs and spamcop, plus dnswl with postscreen.
>
> > What means/how to do "keep smtpd more available for legitimate email"?
>
> It means that postscreen will take care of blocking spambots, so smtpd
> doesn't have to.
>
> >I have one more question which is more less related with main thread. I
> >would like to know can I block port 25 on firewall?
>
> not if you want to send and receive mail.
>
> blocking port 25 is common at service providers, where customers aren't able
> to spam through port 25 (outgoing SMTP) or run mail server (incoming SMTP).
>
> While the latter is usually a business issue - if you want to run
> mailserver, you must pay for static IP (static IP is technically good
> requirement) and for potential handling of spam reports - the former is simple and logical prevention of spam from end-users.
> end-users are not supposed to contact mail servers
>
> However, if you are not a service provider, don't simply block 25, if you
> want to send/receive mail.
>
> --
> Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> "Where do you want to go to die?" [Microsoft]

Thank you for the answer. I have a static IP - I bought a VPS from OVH. I have configured a few domains with mailboxes there. On the server are services like www, ftp, mail. So, if I understood well, I should block port 25.

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: how set postfix server as non-functional

B. Reino
On 2018-10-26 14:36, Poliman - Serwis wrote:

> Thank you for answer. I have static IP - I bought VPS from OVH. I have
> there
> configured few domains with mailboxes. On the server are services like
> www,
> ftp, mail. So, if I understood well, I should block port 25.

Maybe you can go back one step and explain why you think you need to
block port 25?

I mean, if you want to be able to receive e-mails you need to allow
incoming connections on port 25. If you want to send e-mails from your
server then you need outgoing connections on port 25.

Or did I misunderstand you?

Re: how set postfix server as non-functional

Durga Prasad Malyala
Hi,
Advertising a primary mx and blocking port 25 for it under the assumption that spammers won't try the secondary mx is wrong. 
In fact spammers target secondary mx more than primary mx since it is a fact that everyone spends more time on securing and tuning the primary server. 
We maintain many servers and the fact is we get more spam attempts on all the secondary mx servers. 

Rgds
DP 

On Fri, Oct 26, 2018, 18:33 B. Reino <[hidden email]> wrote:
> On 2018-10-26 14:36, Poliman - Serwis wrote:
>
> > Thank you for answer. I have static IP - I bought VPS from OVH. I have
> > there
> > configured few domains with mailboxes. On the server are services like
> > www,
> > ftp, mail. So, if I understood well, I should block port 25.
>
> Maybe you can go back one step and explain why you think you need to
> block port 25?
>
> I mean, if you want to be able to receive e-mails you need to allow
> incoming connections on port 25. If you want to send e-mails from your
> server then you need outgoing connections on port 25.
>
> Or did I misunderstand you?

Re: how set postfix server as non-functional

Matus UHLAR - fantomas
In reply to this post by Poliman - Serwis
>> On 26.10.18 09:27, Poliman - Serwis wrote:
>>> I have one more question which is more less related with main thread. I
>>> would like to know can I block port 25 on firewall?

>2018-10-26 10:01 GMT+02:00 Matus UHLAR - fantomas <[hidden email]>:
>> not if you want to send and receive mail.
[...]
>> However, if you are not a service provider, don't simply block 25, if you
>> want to send/receive mail.

On 26.10.18 14:36, Poliman - Serwis wrote:
> So, if I understood well, I should block port 25.

So, if I understood well, you don't want to send/receive mail.

but I don't understand, why are you in postfix mailing list then?
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.