[postfix-users] Spam-Relay via gekapertem Useraccount

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
14 messages Options
Reply | Threaded
Open this post in threaded view
|

[postfix-users] Spam-Relay via gekapertem Useraccount

Matthias Schmidt [c]
Hallo,
ich seh in meinem log viele viele mails, die von irgendwoher kommen und meist an französische yohoo Adressen gehen.

ich hab den Server via http://mxtoolbox.com/ getestet und das Tool sagt kein Open Relay.

Nachdem ich dem noch weiter in den Logs gewühlt habe, sieht es so aus als ob ein User-Account geknackt wurde.
Das entsprechende Passwort hab ich gleich mal geändert.

amavis wirft entsprechend folgende Warnung aus:
Open relay? Nonlocal recips but not originating
Kann ich das irgendwie unterbinden, so dass das senden nur von lokalen Account aus erlaubt ist, trotz geknacktem login?


Im log sieht das so aus:

Aug 21 14:22:52 mcgregor postfix/smtpd[61457]: connect from 248-60-132-95.pool.ukrtel.net[95.132.60.248]
Aug 21 14:22:55 mcgregor postfix/smtpd[61457]: BD714344E77: client=248-60-132-95.pool.ukrtel.net[95.132.60.248], sasl_method=LOGIN, sasl_username=xxxxxxx
Aug 21 14:23:00 mcgregor postfix/cleanup[60895]: BD714344E77: message-id=<[hidden email]>
Aug 21 14:23:00 mcgregor postfix/qmgr[52031]: BD714344E77: from=<[hidden email]>, size=1663, nrcpt=8 (queue active)
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-03) process_request: fileno sock=15, STDIN=0, STDOUT=1
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) ESMTP::10024 /var/amavis/tmp/amavis-20140821T141253-54462: <[hidden email]> -> <[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]> SIZE=1663 Received: from mcgregor.admilon.net ([127.0.0.1]) by localhost (mcgregor.admilon.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Thu, 21 Aug 2014 14:23:00 +0900 (JST)
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) smtp connection cache, dt: 214.3, state: 1
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) smtp connection cache, dt: 214.3 -> disabling
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) body hash: ebb4b50a64e9df85ce48d1c539e100c0
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) Checking: enF3iG7mT0bU [95.132.60.248] <[hidden email]> -> <[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) 2822.From: <[hidden email]>
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) Open relay? Nonlocal recips but not originating: [hidden email], [hidden email], [hidden email], [hidden email], [hidden email], [hidden email], [hidden email], [hidden email]
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p003 1 Content-Type: multipart/alternative
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p001 1/1 Content-Type: text/plain, size: 39 B, name:
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p002 1/2 Content-Type: text/html, size: 148 B, name:
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) Checking for banned types and filenames
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) ask_av Using (ClamAV-clamd): CONTSCAN /var/amavis/tmp/amavis-20140821T141253-54462/parts\n
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) ClamAV-clamd: Connecting to socket  /var/amavis/clamd
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) ClamAV-clamd: Sending CONTSCAN /var/amavis/tmp/amavis-20140821T141253-54462/parts\n to UNIX socket /var/amavis/clamd
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) run_av (ClamAV-clamd): CLEAN
Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) run_av (ClamAV-clamd) result: clean


Hier meine postconf-n:
2bounce_notice_recipient = postmaster
access_map_reject_code = 554
address_verify_default_transport = $default_transport
address_verify_local_transport = $local_transport
address_verify_map =
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = 3
address_verify_poll_delay = 3s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_relay_transport = $relay_transport
address_verify_relayhost = $relayhost
address_verify_sender = $double_bounce_sender
address_verify_sender_dependent_relayhost_maps = $sender_dependent_relayhost_maps
address_verify_service_name = verify
address_verify_transport_maps = $transport_maps
address_verify_virtual_transport = $virtual_transport
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
allow_mail_to_commands = alias, forward
allow_mail_to_files = alias, forward
always_bcc =
anvil_rate_time_unit = 60s
anvil_status_update_time = 600s
application_event_drain_time = 100s
authorized_flush_users = static:anyone
authorized_mailq_users = static:anyone
authorized_submit_users = static:anyone
backwards_bounce_logfile_compatibility = yes
berkeley_db_create_buffer_size = 16777216
berkeley_db_read_buffer_size = 131072
best_mx_transport =
body_checks_size_limit = 51200
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
bounce_service_name = bounce
bounce_size_limit = 50000
bounce_template_file =
canonical_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
check_for_od_forward = yes
cleanup_service_name = cleanup
command_directory = /usr/sbin
command_execution_directory =
command_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
command_time_limit = 1000s
config_directory = /etc/postfix
connection_cache_protocol_timeout = 5s
connection_cache_service_name = scache
connection_cache_status_update_time = 600s
connection_cache_ttl_limit = 2s
content_filter = smtp-amavis:[127.0.0.1]:10024
cyrus_sasl_config_path =
daemon_directory = /usr/libexec/postfix
daemon_timeout = 18000s
data_directory = /var/lib/postfix
debug_peer_level = 5
debug_peer_list =
default_database_type = hash
default_delivery_slot_cost = 5
default_delivery_slot_discount = 50
default_delivery_slot_loan = 3
default_destination_concurrency_failed_cohort_limit = 1
default_destination_concurrency_limit = 20
default_destination_concurrency_negative_feedback = 1
default_destination_concurrency_positive_feedback = 1
default_destination_rate_delay = 0s
default_destination_recipient_limit = 50
default_extra_recipient_limit = 1000
default_minimum_delivery_slots = 3
default_privs = nobody
default_process_limit = 100
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
default_recipient_limit = 20000
default_recipient_refill_delay = 5s
default_recipient_refill_limit = 100
default_transport = smtp
default_verp_delimiters = +=
defer_code = 450
defer_service_name = defer
defer_transports =
delay_logging_resolution_limit = 2
delay_notice_recipient = postmaster
delay_warning_time = 0h
deliver_lock_attempts = 20
deliver_lock_delay = 1s
destination_concurrency_feedback_debug = no
detect_8bit_encoding_header = yes
dont_remove = 0
double_bounce_sender = double-bounce
duplicate_filter_limit = 1000
empty_address_recipient = MAILER-DAEMON
empty_address_relayhost_maps_lookup_key = <>
enable_original_recipient = yes
enable_server_options = yes
error_notice_recipient = postmaster
error_service_name = error
execution_directory_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
export_environment = TZ MAIL_CONFIG LANG
fallback_transport =
fallback_transport_maps =
fast_flush_domains = $relay_domains
fast_flush_purge_time = 7d
fast_flush_refresh_time = 12h
fault_injection_code = 0
flush_service_name = flush
fork_attempts = 5
fork_delay = 1s
forward_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
forward_path = $home/.forward${recipient_delimiter}${extension}, $home/.forward
frozen_delivered_to = yes
hash_queue_depth = 1
hash_queue_names = deferred,defer
header_address_token_limit = 10240
header_checks = pcre:/etc/postfix/custom_header_checks
header_size_limit = 102400
hopcount_limit = 50
html_directory = no
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
in_flow_delay = 1s
inet_interfaces = all
inet_protocols = ipv4
initial_destination_concurrency = 5
internal_mail_filter_classes =
invalid_hostname_reject_code = 501
ipc_idle = 5s
ipc_timeout = 3600s
ipc_ttl = 1000s
line_length_limit = 2048
lmtp_bind_address =
lmtp_bind_address6 =
lmtp_body_checks =
lmtp_cname_overrides_servername = no
lmtp_connect_timeout = 0s
lmtp_connection_cache_destinations =
lmtp_connection_cache_on_demand = yes
lmtp_connection_cache_time_limit = 2s
lmtp_connection_reuse_time_limit = 300s
lmtp_data_done_timeout = 600s
lmtp_data_init_timeout = 120s
lmtp_data_xfer_timeout = 180s
lmtp_defer_if_no_mx_address_found = no
lmtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
lmtp_destination_concurrency_limit = $default_destination_concurrency_limit
lmtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
lmtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
lmtp_destination_rate_delay = $default_destination_rate_delay
lmtp_destination_recipient_limit = $default_destination_recipient_limit
lmtp_discard_lhlo_keyword_address_maps =
lmtp_discard_lhlo_keywords =
lmtp_enforce_tls = no
lmtp_generic_maps =
lmtp_header_checks =
lmtp_host_lookup = dns
lmtp_initial_destination_concurrency = $initial_destination_concurrency
lmtp_lhlo_name = $myhostname
lmtp_lhlo_timeout = 300s
lmtp_line_length_limit = 990
lmtp_mail_timeout = 300s
lmtp_mime_header_checks =
lmtp_mx_address_limit = 5
lmtp_mx_session_limit = 2
lmtp_nested_header_checks =
lmtp_pix_workaround_delay_time = 10s
lmtp_pix_workaround_maps =
lmtp_pix_workaround_threshold_time = 500s
lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
lmtp_quit_timeout = 300s
lmtp_quote_rfc821_envelope = yes
lmtp_randomize_addresses = yes
lmtp_rcpt_timeout = 300s
lmtp_rset_timeout = 20s
lmtp_sasl_auth_cache_name =
lmtp_sasl_auth_cache_time = 90d
lmtp_sasl_auth_soft_bounce = yes
lmtp_sasl_mechanism_filter =
lmtp_sasl_path =
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_sasl_type = cyrus
lmtp_send_xforward_command = no
lmtp_sender_dependent_authentication = no
lmtp_skip_5xx_greeting = yes
lmtp_starttls_timeout = 300s
lmtp_tcp_port = 24
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_cert_file =
lmtp_tls_dcert_file =
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
lmtp_tls_enforce_peername = yes
lmtp_tls_exclude_ciphers =
lmtp_tls_fingerprint_cert_match =
lmtp_tls_fingerprint_digest = md5
lmtp_tls_key_file = $lmtp_tls_cert_file
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_exclude_ciphers =
lmtp_tls_mandatory_protocols = SSLv3, TLSv1
lmtp_tls_note_starttls_offer = no
lmtp_tls_per_site =
lmtp_tls_policy_maps =
lmtp_tls_scert_verifydepth = 9
lmtp_tls_secure_cert_match = nexthop
lmtp_tls_security_level =
lmtp_tls_session_cache_database =
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_verify_cert_match = hostname
lmtp_use_tls = no
lmtp_xforward_timeout = 300s
local_command_shell =
local_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
local_destination_concurrency_limit = 2
local_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
local_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
local_destination_rate_delay = $default_destination_rate_delay
local_destination_recipient_limit = 1
local_header_rewrite_clients = permit_inet_interfaces
local_initial_destination_concurrency = $initial_destination_concurrency
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
local_transport = local:$myhostname
luser_relay =
mail_name = Postfix
mail_owner = _postfix
mail_release_date = 20080902
mail_spool_directory = /var/mail
mail_version = 2.5.5
mailbox_command =
mailbox_command_maps =
mailbox_delivery_lock = flock, dotlock
mailbox_size_limit = 0
mailbox_transport = dovecot
mailbox_transport_maps =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
maps_rbl_reject_code = 554
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions =
max_idle = 100s
max_use = 100
maximal_backoff_time = 4000s
maximal_queue_lifetime = 5d
message_reject_characters =
message_size_limit = 41943040
message_strip_characters =
milter_command_timeout = 30s
milter_connect_macros = j {daemon_name} v
milter_connect_timeout = 30s
milter_content_timeout = 300s
milter_data_macros = i
milter_default_action = tempfail
milter_end_of_data_macros = i
milter_end_of_header_macros = i
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
milter_macro_daemon_name = $myhostname
milter_macro_v = $mail_name $mail_version
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr}
milter_protocol = 2
milter_rcpt_macros = i {rcpt_addr}
milter_unknown_command_macros =
mime_boundary_length_limit = 2048
mime_header_checks = $header_checks
mime_nesting_limit = 100
minimal_backoff_time = 300s
multi_recipient_bounce_reject_code = 550
mydestination = $myhostname, localhost.$mydomain, localhost, mail.$mydomain, liste.$mydomain, $mydomain
mydomain = admilon.net
mydomain_fallback = localhost
myhostname = mcgregor.admilon.net
mynetworks = 127.0.0.0/8,192.168.2.0/24,192.168.1.0/24
mynetworks_style = host
myorigin = $myhostname
nested_header_checks = $header_checks
newaliases_path = /usr/bin/newaliases
non_fqdn_reject_code = 504
non_smtpd_milters =
notify_classes = resource, software
owner_request_special = no
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
permit_mx_backup_networks =
pickup_service_name = pickup
plaintext_reject_code = 450
prepend_delivered_header = command, file, forward
process_id_directory = pid
propagate_unmatched_extensions = canonical, virtual
proxy_interfaces =
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
qmgr_clog_warn_time = 300s
qmgr_fudge_factor = 100
qmgr_message_active_limit = 20000
qmgr_message_recipient_limit = 20000
qmgr_message_recipient_minimum = 10
qmqpd_authorized_clients =
qmqpd_client_port_logging = no
qmqpd_error_delay = 1s
qmqpd_timeout = 300s
queue_directory = /private/var/spool/postfix
queue_file_attribute_count_limit = 100
queue_minfree = 0
queue_run_delay = 300s
queue_service_name = qmgr
rbl_reply_maps =
readme_directory = /usr/share/doc/postfix
receive_override_options =
recipient_bcc_maps =
recipient_canonical_classes = envelope_recipient, header_recipient
recipient_delimiter = +
reject_code = 554
relay_clientcerts =
relay_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
relay_destination_concurrency_limit = $default_destination_concurrency_limit
relay_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
relay_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
relay_destination_rate_delay = $default_destination_rate_delay
relay_destination_recipient_limit = $default_destination_recipient_limit
relay_domains = $mydestination
relay_domains_reject_code = 554
relay_initial_destination_concurrency = $initial_destination_concurrency
relay_recipient_maps =
relay_transport = relay
relayhost =
relocated_maps =
remote_header_rewrite_domain =
resolve_null_domain = no
resolve_numeric_domain = no
rewrite_service_name = rewrite
sample_directory = /usr/share/doc/postfix/examples
send_cyrus_sasl_authzid = no
sender_bcc_maps =
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps =
sender_dependent_relayhost_maps =
sendmail_path = /usr/sbin/sendmail
service_throttle_time = 60s
setgid_group = _postdrop
showq_service_name = showq
smtp_bind_address6 =
smtp_body_checks =
smtp_cname_overrides_servername = no
smtp_connect_timeout = 30s
smtp_connection_cache_destinations =
smtp_connection_cache_on_demand = yes
smtp_connection_cache_time_limit = 2s
smtp_connection_reuse_time_limit = 300s
smtp_data_done_timeout = 600s
smtp_data_init_timeout = 120s
smtp_data_xfer_timeout = 180s
smtp_defer_if_no_mx_address_found = no
smtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
smtp_destination_concurrency_limit = $default_destination_concurrency_limit
smtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
smtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
smtp_destination_rate_delay = $default_destination_rate_delay
smtp_destination_recipient_limit = $default_destination_recipient_limit
smtp_discard_ehlo_keyword_address_maps =
smtp_discard_ehlo_keywords =
smtp_fallback_relay = $fallback_relay
smtp_generic_maps =
smtp_header_checks =
smtp_helo_name = $myhostname
smtp_helo_timeout = 300s
smtp_host_lookup = dns
smtp_initial_destination_concurrency = $initial_destination_concurrency
smtp_line_length_limit = 990
smtp_mail_timeout = 300s
smtp_mime_header_checks =
smtp_mx_address_limit = 5
smtp_mx_session_limit = 2
smtp_nested_header_checks =
smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_maps =
smtp_pix_workaround_threshold_time = 500s
smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
smtp_quit_timeout = 300s
smtp_quote_rfc821_envelope = yes
smtp_rcpt_timeout = 300s
smtp_rset_timeout = 20s
smtp_sasl_auth_cache_name =
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_path =
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtp_send_xforward_command = no
smtp_sender_dependent_authentication = no
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_fingerprint_cert_match =
smtp_tls_fingerprint_digest = md5
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = yes
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = no
smtp_xforward_timeout = 300s
smtpd_authorized_verp_clients = $authorized_verp_clients
smtpd_authorized_xclient_hosts =
smtpd_authorized_xforward_hosts =
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 10
smtpd_client_port_logging = no
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_open_until_valid_rcpt = yes
smtpd_discard_ehlo_keyword_address_maps =
smtpd_discard_ehlo_keywords =
smtpd_end_of_data_restrictions =
smtpd_enforce_tls = no
smtpd_error_sleep_time = 1s
smtpd_etrn_restrictions =
smtpd_expansion_filter = \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
smtpd_forbidden_commands = CONNECT GET POST
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
smtpd_history_flush_threshold = 100
smtpd_junk_command_limit = 100
smtpd_milters =
smtpd_noop_commands =
smtpd_null_access_lookup_key = <>
smtpd_peername_lookup = yes
smtpd_policy_service_max_idle = 300s
smtpd_policy_service_max_ttl = 1000s
smtpd_policy_service_timeout = 100s
smtpd_proxy_ehlo = $myhostname
smtpd_proxy_filter =
smtpd_proxy_timeout = 100s
smtpd_pw_server_security_options = login,gssapi,cram-md5
smtpd_recipient_limit = 1000
smtpd_recipient_overshoot_limit = 1000
smtpd_recipient_restrictions = permit_sasl_authenticated                permit_tls_clientcerts          check_sender_access hash:/etc/postfix/whitelist         check_sender_access regexp:/etc/postfix/tag_as_originating.re               check_sender_access regexp:/etc/postfix/tag_as_foreign.re               reject_non_fqdn_hostname            reject_unknown_reverse_client_hostname          reject_unauth_destination               reject_rbl_client cbl.abuseat.org
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = no
smtpd_restriction_classes =
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = cyrus
smtpd_sender_login_maps =
smtpd_sender_restrictions =
smtpd_soft_error_limit = 10
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_CAfile = /etc/certificates/mcgregor.admilon.net.31B2A8BE25A7A4BCEA17E4A2982578C3AC6E5419.chain.pem
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /etc/certificates/mcgregor.admilon.net.31B2A8BE25A7A4BCEA17E4A2982578C3AC6E5419.cert.pem
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers =
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = /etc/certificates/mcgregor.admilon.net.31B2A8BE25A7A4BCEA17E4A2982578C3AC6E5419.key.pem
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_pw_server = yes
smtpd_use_tls = yes
stale_lock_time = 500s
stress =
strict_mailbox_ownership = yes
syslog_facility = mail
syslog_name = postfix
tls_daemon_random_bytes = 32
tls_export_cipherlist = ALL:+RC4:@STRENGTH
tls_high_cipherlist = ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
tls_low_cipherlist = ALL:!EXPORT:+RC4:@STRENGTH
tls_medium_cipherlist = ALL:!EXPORT:!LOW:+RC4:@STRENGTH
tls_null_cipherlist = eNULL:!aNULL
tls_random_bytes = 32
tls_random_exchange_name = ${data_directory}/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
trace_service_name = trace
transport_maps =
transport_retry_time = 60s
trigger_timeout = 10s
undisclosed_recipients_header = To: undisclosed-recipients:;
unknown_address_reject_code = 450
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_reject_code = 450
unverified_sender_reject_code = 450
use_getpwnam_ext = yes
use_od_delivery_path = no
verp_delimiter_filter = -=+
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_expansion_limit = 1000
virtual_alias_maps = hash:/etc/postfix/virtual                                  hash:/private/var/mailman/data/virtual-mailman
virtual_alias_recursion_limit = 1000
virtual_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
virtual_destination_concurrency_limit = $default_destination_concurrency_limit
virtual_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
virtual_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
virtual_destination_rate_delay = $default_destination_rate_delay
virtual_destination_recipient_limit = $default_destination_recipient_limit
virtual_gid_maps =
virtual_initial_destination_concurrency = $initial_destination_concurrency
virtual_mailbox_base =
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains_dummy
virtual_mailbox_limit = 51200000
virtual_mailbox_lock = fcntl, dotlock
virtual_mailbox_maps =
virtual_minimum_uid = 100
virtual_transport = virtual
virtual_uid_maps =

Dank und Gruss
Matthias


_______________________________________________
postfix-users mailing list
[hidden email]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
Reply | Threaded
Open this post in threaded view
|

Re: [postfix-users] Spam-Relay via gekapertem Useraccount

Robert Schetterer-2
Am 21.08.2014 um 07:59 schrieb Matthias Schmidt:
> client=248-60-132-95.pool.ukrtel.net[95.132.60.248], sasl_method=LOGIN, sasl_username=xxxxxxx

erstmal aendere das Passwort !


Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
_______________________________________________
postfix-users mailing list
[hidden email]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
Reply | Threaded
Open this post in threaded view
|

Re: [postfix-users] Spam-Relay via gekapertem Useraccount

Jakob-Matthias Böttger
In reply to this post by Matthias Schmidt [c]
Hallo,

eine Möglichkeit die mir jetzt einfällt wäre folgendes.

Auf dem smtpd 25 die permit_sasl_authenticated rauszunehmen.
Also in smtpd_recipient_restrictions =
    permit_tls_clientcerts,
    check_sender_access hash:/etc/postfix/whitelist,
    check_sender_access regexp:/etc/postfix/tag_as_originating.re,
    check_sender_access regexp:/etc/postfix/tag_as_foreign.re,
    reject_non_fqdn_hostname,
    reject_unknown_reverse_client_hostname,
    reject_unauth_destination,
    reject_rbl_client cbl.abuseat.org

Dann in der Master.cf Submission einrichten.
Submission mittels -o permit_sasl_authenticated, und den Anderen
recipient_restrictions einstellen und dann mittels der xtables iptables
extension und GeoIP auf dem Submission (tcp 587) z.B. die Ukraine
(95.132.60.248 ist aus der Ukraine) aussperren. Es sei denn du hast
Kunden oder Nutzer welche aus der Ukranine per Submission Mails
versenden müssen. Weiterhin müssen natürlich alle Benutzer deines
Mailsystems Ihre Clients so einrichten, dass sie über den Submission
einliefern.

Somit können aus der ganzen Welt normal Mails über deinen Server
eingeliefert werden (25 tcp).
Authentifizierte Nutzer aus Dialup Netzwerken können aber nur aus den
freigegebenen Regionen einliefern.
Das Problem des gekaperten Passwortes löst das aber leider noch nicht.

VG Jakob

Am 21.08.2014 um 07:59 schrieb Matthias Schmidt:

> Hallo,
> ich seh in meinem log viele viele mails, die von irgendwoher kommen und meist an französische yohoo Adressen gehen.
>
> ich hab den Server via http://mxtoolbox.com/ getestet und das Tool sagt kein Open Relay.
>
> Nachdem ich dem noch weiter in den Logs gewühlt habe, sieht es so aus als ob ein User-Account geknackt wurde.
> Das entsprechende Passwort hab ich gleich mal geändert.
>
> amavis wirft entsprechend folgende Warnung aus:
> Open relay? Nonlocal recips but not originating
> Kann ich das irgendwie unterbinden, so dass das senden nur von lokalen Account aus erlaubt ist, trotz geknacktem login?
>
>
> Im log sieht das so aus:
>
> Aug 21 14:22:52 mcgregor postfix/smtpd[61457]: connect from 248-60-132-95.pool.ukrtel.net[95.132.60.248]
> Aug 21 14:22:55 mcgregor postfix/smtpd[61457]: BD714344E77: client=248-60-132-95.pool.ukrtel.net[95.132.60.248], sasl_method=LOGIN, sasl_username=xxxxxxx
> Aug 21 14:23:00 mcgregor postfix/cleanup[60895]: BD714344E77: message-id=<[hidden email]>
> Aug 21 14:23:00 mcgregor postfix/qmgr[52031]: BD714344E77: from=<[hidden email]>, size=1663, nrcpt=8 (queue active)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-03) process_request: fileno sock=15, STDIN=0, STDOUT=1
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) ESMTP::10024 /var/amavis/tmp/amavis-20140821T141253-54462: <[hidden email]> -> <[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]> SIZE=1663 Received: from mcgregor.admilon.net ([127.0.0.1]) by localhost (mcgregor.admilon.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Thu, 21 Aug 2014 14:23:00 +0900 (JST)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) smtp connection cache, dt: 214.3, state: 1
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) smtp connection cache, dt: 214.3 -> disabling
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) body hash: ebb4b50a64e9df85ce48d1c539e100c0
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) Checking: enF3iG7mT0bU [95.132.60.248] <[hidden email]> -> <[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>,<[hidden email]>
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) 2822.From: <[hidden email]>
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) Open relay? Nonlocal recips but not originating: [hidden email], [hidden email], [hidden email], [hidden email], [hidden email], [hidden email], [hidden email], [hidden email]
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p003 1 Content-Type: multipart/alternative
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p001 1/1 Content-Type: text/plain, size: 39 B, name:
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p002 1/2 Content-Type: text/html, size: 148 B, name:
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) Checking for banned types and filenames
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: [hidden email], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path [hidden email]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) ask_av Using (ClamAV-clamd): CONTSCAN /var/amavis/tmp/amavis-20140821T141253-54462/parts\n
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) ClamAV-clamd: Connecting to socket  /var/amavis/clamd
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) ClamAV-clamd: Sending CONTSCAN /var/amavis/tmp/amavis-20140821T141253-54462/parts\n to UNIX socket /var/amavis/clamd
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) run_av (ClamAV-clamd): CLEAN
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) run_av (ClamAV-clamd) result: clean
>
>
> Hier meine postconf-n:
> 2bounce_notice_recipient = postmaster
> access_map_reject_code = 554
> address_verify_default_transport = $default_transport
> address_verify_local_transport = $local_transport
> address_verify_map =
> address_verify_negative_cache = yes
> address_verify_negative_expire_time = 3d
> address_verify_negative_refresh_time = 3h
> address_verify_poll_count = 3
> address_verify_poll_delay = 3s
> address_verify_positive_expire_time = 31d
> address_verify_positive_refresh_time = 7d
> address_verify_relay_transport = $relay_transport
> address_verify_relayhost = $relayhost
> address_verify_sender = $double_bounce_sender
> address_verify_sender_dependent_relayhost_maps = $sender_dependent_relayhost_maps
> address_verify_service_name = verify
> address_verify_transport_maps = $transport_maps
> address_verify_virtual_transport = $virtual_transport
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
> allow_mail_to_commands = alias, forward
> allow_mail_to_files = alias, forward
> always_bcc =
> anvil_rate_time_unit = 60s
> anvil_status_update_time = 600s
> application_event_drain_time = 100s
> authorized_flush_users = static:anyone
> authorized_mailq_users = static:anyone
> authorized_submit_users = static:anyone
> backwards_bounce_logfile_compatibility = yes
> berkeley_db_create_buffer_size = 16777216
> berkeley_db_read_buffer_size = 131072
> best_mx_transport =
> body_checks_size_limit = 51200
> bounce_notice_recipient = postmaster
> bounce_queue_lifetime = 5d
> bounce_service_name = bounce
> bounce_size_limit = 50000
> bounce_template_file =
> canonical_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
> check_for_od_forward = yes
> cleanup_service_name = cleanup
> command_directory = /usr/sbin
> command_execution_directory =
> command_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
> command_time_limit = 1000s
> config_directory = /etc/postfix
> connection_cache_protocol_timeout = 5s
> connection_cache_service_name = scache
> connection_cache_status_update_time = 600s
> connection_cache_ttl_limit = 2s
> content_filter = smtp-amavis:[127.0.0.1]:10024
> cyrus_sasl_config_path =
> daemon_directory = /usr/libexec/postfix
> daemon_timeout = 18000s
> data_directory = /var/lib/postfix
> debug_peer_level = 5
> debug_peer_list =
> default_database_type = hash
> default_delivery_slot_cost = 5
> default_delivery_slot_discount = 50
> default_delivery_slot_loan = 3
> default_destination_concurrency_failed_cohort_limit = 1
> default_destination_concurrency_limit = 20
> default_destination_concurrency_negative_feedback = 1
> default_destination_concurrency_positive_feedback = 1
> default_destination_rate_delay = 0s
> default_destination_recipient_limit = 50
> default_extra_recipient_limit = 1000
> default_minimum_delivery_slots = 3
> default_privs = nobody
> default_process_limit = 100
> default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
> default_recipient_limit = 20000
> default_recipient_refill_delay = 5s
> default_recipient_refill_limit = 100
> default_transport = smtp
> default_verp_delimiters = +=
> defer_code = 450
> defer_service_name = defer
> defer_transports =
> delay_logging_resolution_limit = 2
> delay_notice_recipient = postmaster
> delay_warning_time = 0h
> deliver_lock_attempts = 20
> deliver_lock_delay = 1s
> destination_concurrency_feedback_debug = no
> detect_8bit_encoding_header = yes
> dont_remove = 0
> double_bounce_sender = double-bounce
> duplicate_filter_limit = 1000
> empty_address_recipient = MAILER-DAEMON
> empty_address_relayhost_maps_lookup_key = <>
> enable_original_recipient = yes
> enable_server_options = yes
> error_notice_recipient = postmaster
> error_service_name = error
> execution_directory_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
> export_environment = TZ MAIL_CONFIG LANG
> fallback_transport =
> fallback_transport_maps =
> fast_flush_domains = $relay_domains
> fast_flush_purge_time = 7d
> fast_flush_refresh_time = 12h
> fault_injection_code = 0
> flush_service_name = flush
> fork_attempts = 5
> fork_delay = 1s
> forward_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
> forward_path = $home/.forward${recipient_delimiter}${extension}, $home/.forward
> frozen_delivered_to = yes
> hash_queue_depth = 1
> hash_queue_names = deferred,defer
> header_address_token_limit = 10240
> header_checks = pcre:/etc/postfix/custom_header_checks
> header_size_limit = 102400
> hopcount_limit = 50
> html_directory = no
> import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
> in_flow_delay = 1s
> inet_interfaces = all
> inet_protocols = ipv4
> initial_destination_concurrency = 5
> internal_mail_filter_classes =
> invalid_hostname_reject_code = 501
> ipc_idle = 5s
> ipc_timeout = 3600s
> ipc_ttl = 1000s
> line_length_limit = 2048
> lmtp_bind_address =
> lmtp_bind_address6 =
> lmtp_body_checks =
> lmtp_cname_overrides_servername = no
> lmtp_connect_timeout = 0s
> lmtp_connection_cache_destinations =
> lmtp_connection_cache_on_demand = yes
> lmtp_connection_cache_time_limit = 2s
> lmtp_connection_reuse_time_limit = 300s
> lmtp_data_done_timeout = 600s
> lmtp_data_init_timeout = 120s
> lmtp_data_xfer_timeout = 180s
> lmtp_defer_if_no_mx_address_found = no
> lmtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
> lmtp_destination_concurrency_limit = $default_destination_concurrency_limit
> lmtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
> lmtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
> lmtp_destination_rate_delay = $default_destination_rate_delay
> lmtp_destination_recipient_limit = $default_destination_recipient_limit
> lmtp_discard_lhlo_keyword_address_maps =
> lmtp_discard_lhlo_keywords =
> lmtp_enforce_tls = no
> lmtp_generic_maps =
> lmtp_header_checks =
> lmtp_host_lookup = dns
> lmtp_initial_destination_concurrency = $initial_destination_concurrency
> lmtp_lhlo_name = $myhostname
> lmtp_lhlo_timeout = 300s
> lmtp_line_length_limit = 990
> lmtp_mail_timeout = 300s
> lmtp_mime_header_checks =
> lmtp_mx_address_limit = 5
> lmtp_mx_session_limit = 2
> lmtp_nested_header_checks =
> lmtp_pix_workaround_delay_time = 10s
> lmtp_pix_workaround_maps =
> lmtp_pix_workaround_threshold_time = 500s
> lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
> lmtp_quit_timeout = 300s
> lmtp_quote_rfc821_envelope = yes
> lmtp_randomize_addresses = yes
> lmtp_rcpt_timeout = 300s
> lmtp_rset_timeout = 20s
> lmtp_sasl_auth_cache_name =
> lmtp_sasl_auth_cache_time = 90d
> lmtp_sasl_auth_soft_bounce = yes
> lmtp_sasl_mechanism_filter =
> lmtp_sasl_path =
> lmtp_sasl_security_options = noplaintext, noanonymous
> lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
> lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
> lmtp_sasl_type = cyrus
> lmtp_send_xforward_command = no
> lmtp_sender_dependent_authentication = no
> lmtp_skip_5xx_greeting = yes
> lmtp_starttls_timeout = 300s
> lmtp_tcp_port = 24
> lmtp_tls_CAfile =
> lmtp_tls_CApath =
> lmtp_tls_cert_file =
> lmtp_tls_dcert_file =
> lmtp_tls_dkey_file = $lmtp_tls_dcert_file
> lmtp_tls_enforce_peername = yes
> lmtp_tls_exclude_ciphers =
> lmtp_tls_fingerprint_cert_match =
> lmtp_tls_fingerprint_digest = md5
> lmtp_tls_key_file = $lmtp_tls_cert_file
> lmtp_tls_loglevel = 0
> lmtp_tls_mandatory_ciphers = medium
> lmtp_tls_mandatory_exclude_ciphers =
> lmtp_tls_mandatory_protocols = SSLv3, TLSv1
> lmtp_tls_note_starttls_offer = no
> lmtp_tls_per_site =
> lmtp_tls_policy_maps =
> lmtp_tls_scert_verifydepth = 9
> lmtp_tls_secure_cert_match = nexthop
> lmtp_tls_security_level =
> lmtp_tls_session_cache_database =
> lmtp_tls_session_cache_timeout = 3600s
> lmtp_tls_verify_cert_match = hostname
> lmtp_use_tls = no
> lmtp_xforward_timeout = 300s
> local_command_shell =
> local_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
> local_destination_concurrency_limit = 2
> local_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
> local_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
> local_destination_rate_delay = $default_destination_rate_delay
> local_destination_recipient_limit = 1
> local_header_rewrite_clients = permit_inet_interfaces
> local_initial_destination_concurrency = $initial_destination_concurrency
> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
> local_transport = local:$myhostname
> luser_relay =
> mail_name = Postfix
> mail_owner = _postfix
> mail_release_date = 20080902
> mail_spool_directory = /var/mail
> mail_version = 2.5.5
> mailbox_command =
> mailbox_command_maps =
> mailbox_delivery_lock = flock, dotlock
> mailbox_size_limit = 0
> mailbox_transport = dovecot
> mailbox_transport_maps =
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> maps_rbl_domains =
> maps_rbl_reject_code = 554
> masquerade_classes = envelope_sender, header_sender, header_recipient
> masquerade_domains =
> masquerade_exceptions =
> max_idle = 100s
> max_use = 100
> maximal_backoff_time = 4000s
> maximal_queue_lifetime = 5d
> message_reject_characters =
> message_size_limit = 41943040
> message_strip_characters =
> milter_command_timeout = 30s
> milter_connect_macros = j {daemon_name} v
> milter_connect_timeout = 30s
> milter_content_timeout = 300s
> milter_data_macros = i
> milter_default_action = tempfail
> milter_end_of_data_macros = i
> milter_end_of_header_macros = i
> milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
> milter_macro_daemon_name = $myhostname
> milter_macro_v = $mail_name $mail_version
> milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr}
> milter_protocol = 2
> milter_rcpt_macros = i {rcpt_addr}
> milter_unknown_command_macros =
> mime_boundary_length_limit = 2048
> mime_header_checks = $header_checks
> mime_nesting_limit = 100
> minimal_backoff_time = 300s
> multi_recipient_bounce_reject_code = 550
> mydestination = $myhostname, localhost.$mydomain, localhost, mail.$mydomain, liste.$mydomain, $mydomain
> mydomain = admilon.net
> mydomain_fallback = localhost
> myhostname = mcgregor.admilon.net
> mynetworks = 127.0.0.0/8,192.168.2.0/24,192.168.1.0/24
> mynetworks_style = host
> myorigin = $myhostname
> nested_header_checks = $header_checks
> newaliases_path = /usr/bin/newaliases
> non_fqdn_reject_code = 504
> non_smtpd_milters =
> notify_classes = resource, software
> owner_request_special = no
> parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
> permit_mx_backup_networks =
> pickup_service_name = pickup
> plaintext_reject_code = 450
> prepend_delivered_header = command, file, forward
> process_id_directory = pid
> propagate_unmatched_extensions = canonical, virtual
> proxy_interfaces =
> proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
> proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
> qmgr_clog_warn_time = 300s
> qmgr_fudge_factor = 100
> qmgr_message_active_limit = 20000
> qmgr_message_recipient_limit = 20000
> qmgr_message_recipient_minimum = 10
> qmqpd_authorized_clients =
> qmqpd_client_port_logging = no
> qmqpd_error_delay = 1s
> qmqpd_timeout = 300s
> queue_directory = /private/var/spool/postfix
> queue_file_attribute_count_limit = 100
> queue_minfree = 0
> queue_run_delay = 300s
> queue_service_name = qmgr
> rbl_reply_maps =
> readme_directory = /usr/share/doc/postfix
> receive_override_options =
> recipient_bcc_maps =
> recipient_canonical_classes = envelope_recipient, header_recipient
> recipient_delimiter = +
> reject_code = 554
> relay_clientcerts =
> relay_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
> relay_destination_concurrency_limit = $default_destination_concurrency_limit
> relay_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
> relay_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
> relay_destination_rate_delay = $default_destination_rate_delay
> relay_destination_recipient_limit = $default_destination_recipient_limit
> relay_domains = $mydestination
> relay_domains_reject_code = 554
> relay_initial_destination_concurrency = $initial_destination_concurrency
> relay_recipient_maps =
> relay_transport = relay
> relayhost =
> relocated_maps =
> remote_header_rewrite_domain =
> resolve_null_domain = no
> resolve_numeric_domain = no
> rewrite_service_name = rewrite
> sample_directory = /usr/share/doc/postfix/examples
> send_cyrus_sasl_authzid = no
> sender_bcc_maps =
> sender_canonical_classes = envelope_sender, header_sender
> sender_canonical_maps =
> sender_dependent_relayhost_maps =
> sendmail_path = /usr/sbin/sendmail
> service_throttle_time = 60s
> setgid_group = _postdrop
> showq_service_name = showq
> smtp_bind_address6 =
> smtp_body_checks =
> smtp_cname_overrides_servername = no
> smtp_connect_timeout = 30s
> smtp_connection_cache_destinations =
> smtp_connection_cache_on_demand = yes
> smtp_connection_cache_time_limit = 2s
> smtp_connection_reuse_time_limit = 300s
> smtp_data_done_timeout = 600s
> smtp_data_init_timeout = 120s
> smtp_data_xfer_timeout = 180s
> smtp_defer_if_no_mx_address_found = no
> smtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
> smtp_destination_concurrency_limit = $default_destination_concurrency_limit
> smtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
> smtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
> smtp_destination_rate_delay = $default_destination_rate_delay
> smtp_destination_recipient_limit = $default_destination_recipient_limit
> smtp_discard_ehlo_keyword_address_maps =
> smtp_discard_ehlo_keywords =
> smtp_fallback_relay = $fallback_relay
> smtp_generic_maps =
> smtp_header_checks =
> smtp_helo_name = $myhostname
> smtp_helo_timeout = 300s
> smtp_host_lookup = dns
> smtp_initial_destination_concurrency = $initial_destination_concurrency
> smtp_line_length_limit = 990
> smtp_mail_timeout = 300s
> smtp_mime_header_checks =
> smtp_mx_address_limit = 5
> smtp_mx_session_limit = 2
> smtp_nested_header_checks =
> smtp_pix_workaround_delay_time = 10s
> smtp_pix_workaround_maps =
> smtp_pix_workaround_threshold_time = 500s
> smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
> smtp_quit_timeout = 300s
> smtp_quote_rfc821_envelope = yes
> smtp_rcpt_timeout = 300s
> smtp_rset_timeout = 20s
> smtp_sasl_auth_cache_name =
> smtp_sasl_auth_cache_time = 90d
> smtp_sasl_auth_soft_bounce = yes
> smtp_sasl_mechanism_filter =
> smtp_sasl_password_maps =
> smtp_sasl_path =
> smtp_sasl_security_options = noplaintext, noanonymous
> smtp_sasl_tls_security_options = $smtp_sasl_security_options
> smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
> smtp_sasl_type = cyrus
> smtp_send_xforward_command = no
> smtp_sender_dependent_authentication = no
> smtp_starttls_timeout = 300s
> smtp_tls_CAfile =
> smtp_tls_CApath =
> smtp_tls_dcert_file =
> smtp_tls_dkey_file = $smtp_tls_dcert_file
> smtp_tls_enforce_peername = yes
> smtp_tls_exclude_ciphers =
> smtp_tls_fingerprint_cert_match =
> smtp_tls_fingerprint_digest = md5
> smtp_tls_key_file = $smtp_tls_cert_file
> smtp_tls_loglevel = 0
> smtp_tls_mandatory_ciphers = high
> smtp_tls_mandatory_exclude_ciphers =
> smtp_tls_mandatory_protocols = SSLv3, TLSv1
> smtp_tls_note_starttls_offer = yes
> smtp_tls_per_site =
> smtp_tls_policy_maps =
> smtp_tls_scert_verifydepth = 9
> smtp_tls_secure_cert_match = nexthop, dot-nexthop
> smtp_tls_session_cache_database =
> smtp_tls_session_cache_timeout = 3600s
> smtp_tls_verify_cert_match = hostname
> smtp_use_tls = no
> smtp_xforward_timeout = 300s
> smtpd_authorized_verp_clients = $authorized_verp_clients
> smtpd_authorized_xclient_hosts =
> smtpd_authorized_xforward_hosts =
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_client_connection_count_limit = 50
> smtpd_client_connection_rate_limit = 0
> smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
> smtpd_client_message_rate_limit = 0
> smtpd_client_new_tls_session_rate_limit = 10
> smtpd_client_port_logging = no
> smtpd_client_recipient_rate_limit = 0
> smtpd_client_restrictions =
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_delay_open_until_valid_rcpt = yes
> smtpd_discard_ehlo_keyword_address_maps =
> smtpd_discard_ehlo_keywords =
> smtpd_end_of_data_restrictions =
> smtpd_enforce_tls = no
> smtpd_error_sleep_time = 1s
> smtpd_etrn_restrictions =
> smtpd_expansion_filter = \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
> smtpd_forbidden_commands = CONNECT GET POST
> smtpd_hard_error_limit = 20
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
> smtpd_history_flush_threshold = 100
> smtpd_junk_command_limit = 100
> smtpd_milters =
> smtpd_noop_commands =
> smtpd_null_access_lookup_key = <>
> smtpd_peername_lookup = yes
> smtpd_policy_service_max_idle = 300s
> smtpd_policy_service_max_ttl = 1000s
> smtpd_policy_service_timeout = 100s
> smtpd_proxy_ehlo = $myhostname
> smtpd_proxy_filter =
> smtpd_proxy_timeout = 100s
> smtpd_pw_server_security_options = login,gssapi,cram-md5
> smtpd_recipient_limit = 1000
> smtpd_recipient_overshoot_limit = 1000
> smtpd_recipient_restrictions = permit_sasl_authenticated                permit_tls_clientcerts          check_sender_access hash:/etc/postfix/whitelist         check_sender_access regexp:/etc/postfix/tag_as_originating.re               check_sender_access regexp:/etc/postfix/tag_as_foreign.re               reject_non_fqdn_hostname            reject_unknown_reverse_client_hostname          reject_unauth_destination               reject_rbl_client cbl.abuseat.org
> smtpd_reject_unlisted_recipient = yes
> smtpd_reject_unlisted_sender = no
> smtpd_restriction_classes =
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = no
> smtpd_sasl_exceptions_networks =
> smtpd_sasl_path = smtpd
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> smtpd_sasl_type = cyrus
> smtpd_sender_login_maps =
> smtpd_sender_restrictions =
> smtpd_soft_error_limit = 10
> smtpd_starttls_timeout = 300s
> smtpd_timeout = 300s
> smtpd_tls_CAfile = /etc/certificates/mcgregor.admilon.net.31B2A8BE25A7A4BCEA17E4A2982578C3AC6E5419.chain.pem
> smtpd_tls_CApath =
> smtpd_tls_always_issue_session_ids = yes
> smtpd_tls_ask_ccert = no
> smtpd_tls_auth_only = no
> smtpd_tls_ccert_verifydepth = 9
> smtpd_tls_cert_file = /etc/certificates/mcgregor.admilon.net.31B2A8BE25A7A4BCEA17E4A2982578C3AC6E5419.cert.pem
> smtpd_tls_dcert_file =
> smtpd_tls_dh1024_param_file =
> smtpd_tls_dh512_param_file =
> smtpd_tls_dkey_file = $smtpd_tls_dcert_file
> smtpd_tls_exclude_ciphers =
> smtpd_tls_fingerprint_digest = md5
> smtpd_tls_key_file = /etc/certificates/mcgregor.admilon.net.31B2A8BE25A7A4BCEA17E4A2982578C3AC6E5419.key.pem
> smtpd_tls_loglevel = 0
> smtpd_tls_mandatory_ciphers = medium
> smtpd_tls_mandatory_exclude_ciphers =
> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
> smtpd_tls_received_header = no
> smtpd_tls_req_ccert = no
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database =
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_tls_wrappermode = no
> smtpd_use_pw_server = yes
> smtpd_use_tls = yes
> stale_lock_time = 500s
> stress =
> strict_mailbox_ownership = yes
> syslog_facility = mail
> syslog_name = postfix
> tls_daemon_random_bytes = 32
> tls_export_cipherlist = ALL:+RC4:@STRENGTH
> tls_high_cipherlist = ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
> tls_low_cipherlist = ALL:!EXPORT:+RC4:@STRENGTH
> tls_medium_cipherlist = ALL:!EXPORT:!LOW:+RC4:@STRENGTH
> tls_null_cipherlist = eNULL:!aNULL
> tls_random_bytes = 32
> tls_random_exchange_name = ${data_directory}/prng_exch
> tls_random_prng_update_period = 3600s
> tls_random_reseed_period = 3600s
> tls_random_source = dev:/dev/urandom
> trace_service_name = trace
> transport_maps =
> transport_retry_time = 60s
> trigger_timeout = 10s
> undisclosed_recipients_header = To: undisclosed-recipients:;
> unknown_address_reject_code = 450
> unknown_client_reject_code = 450
> unknown_hostname_reject_code = 450
> unknown_local_recipient_reject_code = 550
> unknown_relay_recipient_reject_code = 550
> unknown_virtual_alias_reject_code = 550
> unknown_virtual_mailbox_reject_code = 550
> unverified_recipient_reject_code = 450
> unverified_sender_reject_code = 450
> use_getpwnam_ext = yes
> use_od_delivery_path = no
> verp_delimiter_filter = -=+
> virtual_alias_domains = hash:/etc/postfix/virtual_domains
> virtual_alias_expansion_limit = 1000
> virtual_alias_maps = hash:/etc/postfix/virtual                                  hash:/private/var/mailman/data/virtual-mailman
> virtual_alias_recursion_limit = 1000
> virtual_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
> virtual_destination_concurrency_limit = $default_destination_concurrency_limit
> virtual_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
> virtual_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
> virtual_destination_rate_delay = $default_destination_rate_delay
> virtual_destination_recipient_limit = $default_destination_recipient_limit
> virtual_gid_maps =
> virtual_initial_destination_concurrency = $initial_destination_concurrency
> virtual_mailbox_base =
> virtual_mailbox_domains = hash:/etc/postfix/virtual_domains_dummy
> virtual_mailbox_limit = 51200000
> virtual_mailbox_lock = fcntl, dotlock
> virtual_mailbox_maps =
> virtual_minimum_uid = 100
> virtual_transport = virtual
> virtual_uid_maps =
>
> Dank und Gruss
> Matthias
>
>
> _______________________________________________
> postfix-users mailing list
> [hidden email]
> http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users

_______________________________________________
postfix-users mailing list
[hidden email]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users

Reply | Threaded
Open this post in threaded view
|

Re: [postfix-users] Spam-Relay via gekapertem Useraccount

postfix-de
In reply to this post by Robert Schetterer-2
Hallo,

das Passwort hatte er schon geändert.

Wirf doch mal einen Blickpunkt auf smtpd_sender_login_maps.

Gruß
Michael Reincke

On 21. August 2014 08:39:47 MESZ, Robert Schetterer <[hidden email]> wrote:
Am 21.08.2014 um 07:59 schrieb Matthias Schmidt:
client=248-60-132-95.pool.ukrtel.net[95.132.60.248], sasl_method=LOGIN, sasl_username=xxxxxxx

erstmal aendere das Passwort !


Best Regards
MfG Robert Schetterer

_______________________________________________
postfix-users mailing list
[hidden email]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
Reply | Threaded
Open this post in threaded view
|

Re: [postfix-users] Spam-Relay via gekapertem Useraccount

Matthias Schmidt [c]
In reply to this post by Jakob-Matthias Böttger
Hallo,

Am 21.08.2014 um 16:11 schrieb Jakob-Matthias Böttger <[hidden email]>:

>
> eine Möglichkeit die mir jetzt einfällt wäre folgendes.
>
> Auf dem smtpd 25 die permit_sasl_authenticated rauszunehmen.
> Also in smtpd_recipient_restrictions =
>    permit_tls_clientcerts,
>    check_sender_access hash:/etc/postfix/whitelist,
>    check_sender_access regexp:/etc/postfix/tag_as_originating.re,
>    check_sender_access regexp:/etc/postfix/tag_as_foreign.re,
>    reject_non_fqdn_hostname,
>    reject_unknown_reverse_client_hostname,
>    reject_unauth_destination,
>    reject_rbl_client cbl.abuseat.org

das klappt leider nicht, da bekomm ich „Relay-Access denied“ als Antwort :(

>
> Dann in der Master.cf Submission einrichten.
> Submission mittels -o permit_sasl_authenticated, und den Anderen

Submission port ist bereits eingestellt und alle meine Freunde versenden auch über 587.
Webmail ist ebenfalls auf 587 eingestellt.

> recipient_restrictions einstellen und dann mittels der xtables iptables
> extension und GeoIP auf dem Submission (tcp 587) z.B. die Ukraine
> (95.132.60.248 ist aus der Ukraine) aussperren. Es sei denn du hast
> Kunden oder Nutzer welche aus der Ukranine per Submission Mails
> versenden müssen. Weiterhin müssen natürlich alle Benutzer deines
> Mailsystems Ihre Clients so einrichten, dass sie über den Submission
> einliefern.

GeoIP hab ich mir mal angeschaut und die kostenlose Version ist auch auf dem Server installiert.
Wie bau ich das in den Postfix wo ein?

>

Hier noch die Master.cf, eventiuell hab ich da was verkorkst:
(postconf-n: is ganz unten im mail)

Dank und Gruss
Matthias


#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# ==== Begin auto-generated section ========================================
# This section of the master.cf file is auto-generated by the Server Admin
#  Mail backend plugin whenever mails settings are modified.
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sender_restrictions=permit_mynetworks,reject
smtp      unix  -       -       n       -       -       smtp
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  #encrypt
# === End auto-generated section ===========================================
#=====inserted 16.3.2012
#  -o smtpd_enforce_tls=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#enabled 16.3.2012
#smtps     inet  n       -       n       -       -       smtpd
#original mit smtps funzt net also daher mit port ....
465     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#======= finish edit
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache  unix - - n - 1 scache
proxywrite unix -       -       n       -       1       proxymap
#
# ====================================================================
# amavis set up
# ====================================================================
#
smtp-amavis unix -      -       n       -       2       smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
   -o max_use=20
     
192.168.2.10:25 inet n    -       n       -       -     smtpd
     -o content_filter=smtp-amavis:[127.0.0.1]:10024
     -o receive_override_options=no_address_mappings
     -o mynetworks=127.0.0.0/8,192.168.2.0/24,192.168.1.0/24
#
127.0.0.1:10025 inet n    -       n       -       -     smtpd
     -o content_filter=
     -o smtpd_delay_reject=no
     -o smtpd_client_restrictions=
     -o smtpd_helo_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o smtpd_data_restrictions=reject_unauth_pipelining
     -o smtpd_end_of_data_restrictions=
     -o smtpd_restriction_classes=
     -o mynetworks=127.0.0.0/8,192.168.2.0/24,192.168.1.0/24
     -o smtpd_error_sleep_time=0
     -o smtpd_soft_error_limit=1001
     -o smtpd_hard_error_limit=1000
     -o smtpd_client_connection_count_limit=0
     -o smtpd_client_connection_rate_limit=0
     -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
#
127.0.0.1:10027 inet n    -       n       -       -     smtpd
     -o content_filter=
     -o smtpd_delay_reject=no
     -o smtpd_client_restrictions=
     -o smtpd_helo_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o smtpd_data_restrictions=reject_unauth_pipelining
     -o smtpd_end_of_data_restrictions=
     -o smtpd_restriction_classes=
     -o mynetworks=127.0.0.0/8,192.168.2.0/24,192.168.1.0/24
     -o smtpd_error_sleep_time=0
     -o smtpd_soft_error_limit=1001
     -o smtpd_hard_error_limit=1000
     -o smtpd_client_connection_count_limit=0
     -o smtpd_client_connection_rate_limit=0
     -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
cyrus     unix  -       n       n       -       -       pipe
  user=_cyrus argv=/usr/bin/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
#
# Dovecot deliver
#
dovecot   unix  -       n       n       -       25      pipe
  flags=DRhu user=_dovecot:mail argv=/usr/libexec/dovecot/deliver -d ${user}
#
# Greylist policy server
#
policy    unix  -       n       n       -       -       spawn
  user=nobody:mail argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl

smtp-amavis unix -      -       y       -       2       smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes

127.0.0.1:10025 inet n  -       y       -       -       smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8
   -o smtpd_enforce_tls=no
   -o strict_rfc821_envelopes=yes
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o receive_override_options=no_header_body_checks

>

> Am 21.08.2014 um 07:59 schrieb Matthias Schmidt:
>> Hallo,
>> ich seh in meinem log viele viele mails, die von irgendwoher kommen und meist an französische yohoo Adressen gehen.
>>
>> ich hab den Server via http://mxtoolbox.com/ getestet und das Tool sagt kein Open Relay.
>>
>> Nachdem ich dem noch weiter in den Logs gewühlt habe, sieht es so aus als ob ein User-Account geknackt wurde.
>> Das entsprechende Passwort hab ich gleich mal geändert.
>>
>> amavis wirft entsprechend folgende Warnung aus:
>> Open relay? Nonlocal recips but not originating
>> Kann ich das irgendwie unterbinden, so dass das senden nur von lokalen Account aus erlaubt ist, trotz geknacktem login?
>>
>>
>> Hier meine postconf-n:
>> 2bounce_notice_recipient = postmaster
>> access_map_reject_code = 554
>> address_verify_default_transport = $default_transport
>> address_verify_local_transport = $local_transport
>> address_verify_map =
>> address_verify_negative_cache = yes
>> address_verify_negative_expire_time = 3d
>> address_verify_negative_refresh_time = 3h
>> address_verify_poll_count = 3
>> address_verify_poll_delay = 3s
>> address_verify_positive_expire_time = 31d
>> address_verify_positive_refresh_time = 7d
>> address_verify_relay_transport = $relay_transport
>> address_verify_relayhost = $relayhost
>> address_verify_sender = $double_bounce_sender
>> address_verify_sender_dependent_relayhost_maps = $sender_dependent_relayhost_maps
>> address_verify_service_name = verify
>> address_verify_transport_maps = $transport_maps
>> address_verify_virtual_transport = $virtual_transport
>> alias_database = hash:/etc/aliases
>> alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
>> allow_mail_to_commands = alias, forward
>> allow_mail_to_files = alias, forward
>> always_bcc =
>> anvil_rate_time_unit = 60s
>> anvil_status_update_time = 600s
>> application_event_drain_time = 100s
>> authorized_flush_users = static:anyone
>> authorized_mailq_users = static:anyone
>> authorized_submit_users = static:anyone
>> backwards_bounce_logfile_compatibility = yes
>> berkeley_db_create_buffer_size = 16777216
>> berkeley_db_read_buffer_size = 131072
>> best_mx_transport =
>> body_checks_size_limit = 51200
>> bounce_notice_recipient = postmaster
>> bounce_queue_lifetime = 5d
>> bounce_service_name = bounce
>> bounce_size_limit = 50000
>> bounce_template_file =
>> canonical_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
>> check_for_od_forward = yes
>> cleanup_service_name = cleanup
>> command_directory = /usr/sbin
>> command_execution_directory =
>> command_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
>> command_time_limit = 1000s
>> config_directory = /etc/postfix
>> connection_cache_protocol_timeout = 5s
>> connection_cache_service_name = scache
>> connection_cache_status_update_time = 600s
>> connection_cache_ttl_limit = 2s
>> content_filter = smtp-amavis:[127.0.0.1]:10024
>> cyrus_sasl_config_path =
>> daemon_directory = /usr/libexec/postfix
>> daemon_timeout = 18000s
>> data_directory = /var/lib/postfix
>> debug_peer_level = 5
>> debug_peer_list =
>> default_database_type = hash
>> default_delivery_slot_cost = 5
>> default_delivery_slot_discount = 50
>> default_delivery_slot_loan = 3
>> default_destination_concurrency_failed_cohort_limit = 1
>> default_destination_concurrency_limit = 20
>> default_destination_concurrency_negative_feedback = 1
>> default_destination_concurrency_positive_feedback = 1
>> default_destination_rate_delay = 0s
>> default_destination_recipient_limit = 50
>> default_extra_recipient_limit = 1000
>> default_minimum_delivery_slots = 3
>> default_privs = nobody
>> default_process_limit = 100
>> default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
>> default_recipient_limit = 20000
>> default_recipient_refill_delay = 5s
>> default_recipient_refill_limit = 100
>> default_transport = smtp
>> default_verp_delimiters = +=
>> defer_code = 450
>> defer_service_name = defer
>> defer_transports =
>> delay_logging_resolution_limit = 2
>> delay_notice_recipient = postmaster
>> delay_warning_time = 0h
>> deliver_lock_attempts = 20
>> deliver_lock_delay = 1s
>> destination_concurrency_feedback_debug = no
>> detect_8bit_encoding_header = yes
>> dont_remove = 0
>> double_bounce_sender = double-bounce
>> duplicate_filter_limit = 1000
>> empty_address_recipient = MAILER-DAEMON
>> empty_address_relayhost_maps_lookup_key = <>
>> enable_original_recipient = yes
>> enable_server_options = yes
>> error_notice_recipient = postmaster
>> error_service_name = error
>> execution_directory_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
>> export_environment = TZ MAIL_CONFIG LANG
>> fallback_transport =
>> fallback_transport_maps =
>> fast_flush_domains = $relay_domains
>> fast_flush_purge_time = 7d
>> fast_flush_refresh_time = 12h
>> fault_injection_code = 0
>> flush_service_name = flush
>> fork_attempts = 5
>> fork_delay = 1s
>> forward_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
>> forward_path = $home/.forward${recipient_delimiter}${extension}, $home/.forward
>> frozen_delivered_to = yes
>> hash_queue_depth = 1
>> hash_queue_names = deferred,defer
>> header_address_token_limit = 10240
>> header_checks = pcre:/etc/postfix/custom_header_checks
>> header_size_limit = 102400
>> hopcount_limit = 50
>> html_directory = no
>> import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
>> in_flow_delay = 1s
>> inet_interfaces = all
>> inet_protocols = ipv4
>> initial_destination_concurrency = 5
>> internal_mail_filter_classes =
>> invalid_hostname_reject_code = 501
>> ipc_idle = 5s
>> ipc_timeout = 3600s
>> ipc_ttl = 1000s
>> line_length_limit = 2048
>> lmtp_bind_address =
>> lmtp_bind_address6 =
>> lmtp_body_checks =
>> lmtp_cname_overrides_servername = no
>> lmtp_connect_timeout = 0s
>> lmtp_connection_cache_destinations =
>> lmtp_connection_cache_on_demand = yes
>> lmtp_connection_cache_time_limit = 2s
>> lmtp_connection_reuse_time_limit = 300s
>> lmtp_data_done_timeout = 600s
>> lmtp_data_init_timeout = 120s
>> lmtp_data_xfer_timeout = 180s
>> lmtp_defer_if_no_mx_address_found = no
>> lmtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
>> lmtp_destination_concurrency_limit = $default_destination_concurrency_limit
>> lmtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
>> lmtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
>> lmtp_destination_rate_delay = $default_destination_rate_delay
>> lmtp_destination_recipient_limit = $default_destination_recipient_limit
>> lmtp_discard_lhlo_keyword_address_maps =
>> lmtp_discard_lhlo_keywords =
>> lmtp_enforce_tls = no
>> lmtp_generic_maps =
>> lmtp_header_checks =
>> lmtp_host_lookup = dns
>> lmtp_initial_destination_concurrency = $initial_destination_concurrency
>> lmtp_lhlo_name = $myhostname
>> lmtp_lhlo_timeout = 300s
>> lmtp_line_length_limit = 990
>> lmtp_mail_timeout = 300s
>> lmtp_mime_header_checks =
>> lmtp_mx_address_limit = 5
>> lmtp_mx_session_limit = 2
>> lmtp_nested_header_checks =
>> lmtp_pix_workaround_delay_time = 10s
>> lmtp_pix_workaround_maps =
>> lmtp_pix_workaround_threshold_time = 500s
>> lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
>> lmtp_quit_timeout = 300s
>> lmtp_quote_rfc821_envelope = yes
>> lmtp_randomize_addresses = yes
>> lmtp_rcpt_timeout = 300s
>> lmtp_rset_timeout = 20s
>> lmtp_sasl_auth_cache_name =
>> lmtp_sasl_auth_cache_time = 90d
>> lmtp_sasl_auth_soft_bounce = yes
>> lmtp_sasl_mechanism_filter =
>> lmtp_sasl_path =
>> lmtp_sasl_security_options = noplaintext, noanonymous
>> lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
>> lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
>> lmtp_sasl_type = cyrus
>> lmtp_send_xforward_command = no
>> lmtp_sender_dependent_authentication = no
>> lmtp_skip_5xx_greeting = yes
>> lmtp_starttls_timeout = 300s
>> lmtp_tcp_port = 24
>> lmtp_tls_CAfile =
>> lmtp_tls_CApath =
>> lmtp_tls_cert_file =
>> lmtp_tls_dcert_file =
>> lmtp_tls_dkey_file = $lmtp_tls_dcert_file
>> lmtp_tls_enforce_peername = yes
>> lmtp_tls_exclude_ciphers =
>> lmtp_tls_fingerprint_cert_match =
>> lmtp_tls_fingerprint_digest = md5
>> lmtp_tls_key_file = $lmtp_tls_cert_file
>> lmtp_tls_loglevel = 0
>> lmtp_tls_mandatory_ciphers = medium
>> lmtp_tls_mandatory_exclude_ciphers =
>> lmtp_tls_mandatory_protocols = SSLv3, TLSv1
>> lmtp_tls_note_starttls_offer = no
>> lmtp_tls_per_site =
>> lmtp_tls_policy_maps =
>> lmtp_tls_scert_verifydepth = 9
>> lmtp_tls_secure_cert_match = nexthop
>> lmtp_tls_security_level =
>> lmtp_tls_session_cache_database =
>> lmtp_tls_session_cache_timeout = 3600s
>> lmtp_tls_verify_cert_match = hostname
>> lmtp_use_tls = no
>> lmtp_xforward_timeout = 300s
>> local_command_shell =
>> local_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
>> local_destination_concurrency_limit = 2
>> local_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
>> local_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
>> local_destination_rate_delay = $default_destination_rate_delay
>> local_destination_recipient_limit = 1
>> local_header_rewrite_clients = permit_inet_interfaces
>> local_initial_destination_concurrency = $initial_destination_concurrency
>> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
>> local_transport = local:$myhostname
>> luser_relay =
>> mail_name = Postfix
>> mail_owner = _postfix
>> mail_release_date = 20080902
>> mail_spool_directory = /var/mail
>> mail_version = 2.5.5
>> mailbox_command =
>> mailbox_command_maps =
>> mailbox_delivery_lock = flock, dotlock
>> mailbox_size_limit = 0
>> mailbox_transport = dovecot
>> mailbox_transport_maps =
>> mailq_path = /usr/bin/mailq
>> manpage_directory = /usr/share/man
>> maps_rbl_domains =
>> maps_rbl_reject_code = 554
>> masquerade_classes = envelope_sender, header_sender, header_recipient
>> masquerade_domains =
>> masquerade_exceptions =
>> max_idle = 100s
>> max_use = 100
>> maximal_backoff_time = 4000s
>> maximal_queue_lifetime = 5d
>> message_reject_characters =
>> message_size_limit = 41943040
>> message_strip_characters =
>> milter_command_timeout = 30s
>> milter_connect_macros = j {daemon_name} v
>> milter_connect_timeout = 30s
>> milter_content_timeout = 300s
>> milter_data_macros = i
>> milter_default_action = tempfail
>> milter_end_of_data_macros = i
>> milter_end_of_header_macros = i
>> milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
>> milter_macro_daemon_name = $myhostname
>> milter_macro_v = $mail_name $mail_version
>> milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr}
>> milter_protocol = 2
>> milter_rcpt_macros = i {rcpt_addr}
>> milter_unknown_command_macros =
>> mime_boundary_length_limit = 2048
>> mime_header_checks = $header_checks
>> mime_nesting_limit = 100
>> minimal_backoff_time = 300s
>> multi_recipient_bounce_reject_code = 550
>> mydestination = $myhostname, localhost.$mydomain, localhost, mail.$mydomain, liste.$mydomain, $mydomain
>> mydomain = admilon.net
>> mydomain_fallback = localhost
>> myhostname = mcgregor.admilon.net
>> mynetworks = 127.0.0.0/8,192.168.2.0/24,192.168.1.0/24
>> mynetworks_style = host
>> myorigin = $myhostname
>> nested_header_checks = $header_checks
>> newaliases_path = /usr/bin/newaliases
>> non_fqdn_reject_code = 504
>> non_smtpd_milters =
>> notify_classes = resource, software
>> owner_request_special = no
>> parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
>> permit_mx_backup_networks =
>> pickup_service_name = pickup
>> plaintext_reject_code = 450
>> prepend_delivered_header = command, file, forward
>> process_id_directory = pid
>> propagate_unmatched_extensions = canonical, virtual
>> proxy_interfaces =
>> proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
>> proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
>> qmgr_clog_warn_time = 300s
>> qmgr_fudge_factor = 100
>> qmgr_message_active_limit = 20000
>> qmgr_message_recipient_limit = 20000
>> qmgr_message_recipient_minimum = 10
>> qmqpd_authorized_clients =
>> qmqpd_client_port_logging = no
>> qmqpd_error_delay = 1s
>> qmqpd_timeout = 300s
>> queue_directory = /private/var/spool/postfix
>> queue_file_attribute_count_limit = 100
>> queue_minfree = 0
>> queue_run_delay = 300s
>> queue_service_name = qmgr
>> rbl_reply_maps =
>> readme_directory = /usr/share/doc/postfix
>> receive_override_options =
>> recipient_bcc_maps =
>> recipient_canonical_classes = envelope_recipient, header_recipient
>> recipient_delimiter = +
>> reject_code = 554
>> relay_clientcerts =
>> relay_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
>> relay_destination_concurrency_limit = $default_destination_concurrency_limit
>> relay_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
>> relay_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
>> relay_destination_rate_delay = $default_destination_rate_delay
>> relay_destination_recipient_limit = $default_destination_recipient_limit
>> relay_domains = $mydestination
>> relay_domains_reject_code = 554
>> relay_initial_destination_concurrency = $initial_destination_concurrency
>> relay_recipient_maps =
>> relay_transport = relay
>> relayhost =
>> relocated_maps =
>> remote_header_rewrite_domain =
>> resolve_null_domain = no
>> resolve_numeric_domain = no
>> rewrite_service_name = rewrite
>> sample_directory = /usr/share/doc/postfix/examples
>> send_cyrus_sasl_authzid = no
>> sender_bcc_maps =
>> sender_canonical_classes = envelope_sender, header_sender
>> sender_canonical_maps =
>> sender_dependent_relayhost_maps =
>> sendmail_path = /usr/sbin/sendmail
>> service_throttle_time = 60s
>> setgid_group = _postdrop
>> showq_service_name = showq
>> smtp_bind_address6 =
>> smtp_body_checks =
>> smtp_cname_overrides_servername = no
>> smtp_connect_timeout = 30s
>> smtp_connection_cache_destinations =
>> smtp_connection_cache_on_demand = yes
>> smtp_connection_cache_time_limit = 2s
>> smtp_connection_reuse_time_limit = 300s
>> smtp_data_done_timeout = 600s
>> smtp_data_init_timeout = 120s
>> smtp_data_xfer_timeout = 180s
>> smtp_defer_if_no_mx_address_found = no
>> smtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
>> smtp_destination_concurrency_limit = $default_destination_concurrency_limit
>> smtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
>> smtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
>> smtp_destination_rate_delay = $default_destination_rate_delay
>> smtp_destination_recipient_limit = $default_destination_recipient_limit
>> smtp_discard_ehlo_keyword_address_maps =
>> smtp_discard_ehlo_keywords =
>> smtp_fallback_relay = $fallback_relay
>> smtp_generic_maps =
>> smtp_header_checks =
>> smtp_helo_name = $myhostname
>> smtp_helo_timeout = 300s
>> smtp_host_lookup = dns
>> smtp_initial_destination_concurrency = $initial_destination_concurrency
>> smtp_line_length_limit = 990
>> smtp_mail_timeout = 300s
>> smtp_mime_header_checks =
>> smtp_mx_address_limit = 5
>> smtp_mx_session_limit = 2
>> smtp_nested_header_checks =
>> smtp_pix_workaround_delay_time = 10s
>> smtp_pix_workaround_maps =
>> smtp_pix_workaround_threshold_time = 500s
>> smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
>> smtp_quit_timeout = 300s
>> smtp_quote_rfc821_envelope = yes
>> smtp_rcpt_timeout = 300s
>> smtp_rset_timeout = 20s
>> smtp_sasl_auth_cache_name =
>> smtp_sasl_auth_cache_time = 90d
>> smtp_sasl_auth_soft_bounce = yes
>> smtp_sasl_mechanism_filter =
>> smtp_sasl_password_maps =
>> smtp_sasl_path =
>> smtp_sasl_security_options = noplaintext, noanonymous
>> smtp_sasl_tls_security_options = $smtp_sasl_security_options
>> smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
>> smtp_sasl_type = cyrus
>> smtp_send_xforward_command = no
>> smtp_sender_dependent_authentication = no
>> smtp_starttls_timeout = 300s
>> smtp_tls_CAfile =
>> smtp_tls_CApath =
>> smtp_tls_dcert_file =
>> smtp_tls_dkey_file = $smtp_tls_dcert_file
>> smtp_tls_enforce_peername = yes
>> smtp_tls_exclude_ciphers =
>> smtp_tls_fingerprint_cert_match =
>> smtp_tls_fingerprint_digest = md5
>> smtp_tls_key_file = $smtp_tls_cert_file
>> smtp_tls_loglevel = 0
>> smtp_tls_mandatory_ciphers = high
>> smtp_tls_mandatory_exclude_ciphers =
>> smtp_tls_mandatory_protocols = SSLv3, TLSv1
>> smtp_tls_note_starttls_offer = yes
>> smtp_tls_per_site =
>> smtp_tls_policy_maps =
>> smtp_tls_scert_verifydepth = 9
>> smtp_tls_secure_cert_match = nexthop, dot-nexthop
>> smtp_tls_session_cache_database =
>> smtp_tls_session_cache_timeout = 3600s
>> smtp_tls_verify_cert_match = hostname
>> smtp_use_tls = no
>> smtp_xforward_timeout = 300s
>> smtpd_authorized_verp_clients = $authorized_verp_clients
>> smtpd_authorized_xclient_hosts =
>> smtpd_authorized_xforward_hosts =
>> smtpd_banner = $myhostname ESMTP $mail_name
>> smtpd_client_connection_count_limit = 50
>> smtpd_client_connection_rate_limit = 0
>> smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
>> smtpd_client_message_rate_limit = 0
>> smtpd_client_new_tls_session_rate_limit = 10
>> smtpd_client_port_logging = no
>> smtpd_client_recipient_rate_limit = 0
>> smtpd_client_restrictions =
>> smtpd_data_restrictions = reject_unauth_pipelining
>> smtpd_delay_open_until_valid_rcpt = yes
>> smtpd_discard_ehlo_keyword_address_maps =
>> smtpd_discard_ehlo_keywords =
>> smtpd_end_of_data_restrictions =
>> smtpd_enforce_tls = no
>> smtpd_error_sleep_time = 1s
>> smtpd_etrn_restrictions =
>> smtpd_expansion_filter = \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
>> smtpd_forbidden_commands = CONNECT GET POST
>> smtpd_hard_error_limit = 20
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
>> smtpd_history_flush_threshold = 100
>> smtpd_junk_command_limit = 100
>> smtpd_milters =
>> smtpd_noop_commands =
>> smtpd_null_access_lookup_key = <>
>> smtpd_peername_lookup = yes
>> smtpd_policy_service_max_idle = 300s
>> smtpd_policy_service_max_ttl = 1000s
>> smtpd_policy_service_timeout = 100s
>> smtpd_proxy_ehlo = $myhostname
>> smtpd_proxy_filter =
>> smtpd_proxy_timeout = 100s
>> smtpd_pw_server_security_options = login,gssapi,cram-md5
>> smtpd_recipient_limit = 1000
>> smtpd_recipient_overshoot_limit = 1000
>> smtpd_recipient_restrictions = permit_sasl_authenticated                permit_tls_clientcerts          check_sender_access hash:/etc/postfix/whitelist         check_sender_access regexp:/etc/postfix/tag_as_originating.re               check_sender_access regexp:/etc/postfix/tag_as_foreign.re               reject_non_fqdn_hostname            reject_unknown_reverse_client_hostname          reject_unauth_destination               reject_rbl_client cbl.abuseat.org
>> smtpd_reject_unlisted_recipient = yes
>> smtpd_reject_unlisted_sender = no
>> smtpd_restriction_classes =
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_authenticated_header = no
>> smtpd_sasl_exceptions_networks =
>> smtpd_sasl_path = smtpd
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
>> smtpd_sasl_type = cyrus
>> smtpd_sender_login_maps =
>> smtpd_sender_restrictions =
>> smtpd_soft_error_limit = 10
>> smtpd_starttls_timeout = 300s
>> smtpd_timeout = 300s
>> smtpd_tls_CAfile = /etc/certificates/mcgregor.admilon.net.31B2A8BE25A7A4BCEA17E4A2982578C3AC6E5419.chain.pem
>> smtpd_tls_CApath =
>> smtpd_tls_always_issue_session_ids = yes
>> smtpd_tls_ask_ccert = no
>> smtpd_tls_auth_only = no
>> smtpd_tls_ccert_verifydepth = 9
>> smtpd_tls_cert_file = /etc/certificates/mcgregor.admilon.net.31B2A8BE25A7A4BCEA17E4A2982578C3AC6E5419.cert.pem
>> smtpd_tls_dcert_file =
>> smtpd_tls_dh1024_param_file =
>> smtpd_tls_dh512_param_file =
>> smtpd_tls_dkey_file = $smtpd_tls_dcert_file
>> smtpd_tls_exclude_ciphers =
>> smtpd_tls_fingerprint_digest = md5
>> smtpd_tls_key_file = /etc/certificates/mcgregor.admilon.net.31B2A8BE25A7A4BCEA17E4A2982578C3AC6E5419.key.pem
>> smtpd_tls_loglevel = 0
>> smtpd_tls_mandatory_ciphers = medium
>> smtpd_tls_mandatory_exclude_ciphers =
>> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
>> smtpd_tls_received_header = no
>> smtpd_tls_req_ccert = no
>> smtpd_tls_security_level = may
>> smtpd_tls_session_cache_database =
>> smtpd_tls_session_cache_timeout = 3600s
>> smtpd_tls_wrappermode = no
>> smtpd_use_pw_server = yes
>> smtpd_use_tls = yes
>> stale_lock_time = 500s
>> stress =
>> strict_mailbox_ownership = yes
>> syslog_facility = mail
>> syslog_name = postfix
>> tls_daemon_random_bytes = 32
>> tls_export_cipherlist = ALL:+RC4:@STRENGTH
>> tls_high_cipherlist = ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
>> tls_low_cipherlist = ALL:!EXPORT:+RC4:@STRENGTH
>> tls_medium_cipherlist = ALL:!EXPORT:!LOW:+RC4:@STRENGTH
>> tls_null_cipherlist = eNULL:!aNULL
>> tls_random_bytes = 32
>> tls_random_exchange_name = ${data_directory}/prng_exch
>> tls_random_prng_update_period = 3600s
>> tls_random_reseed_period = 3600s
>> tls_random_source = dev:/dev/urandom
>> trace_service_name = trace
>> transport_maps =
>> transport_retry_time = 60s
>> trigger_timeout = 10s
>> undisclosed_recipients_header = To: undisclosed-recipients:;
>> unknown_address_reject_code = 450
>> unknown_client_reject_code = 450
>> unknown_hostname_reject_code = 450
>> unknown_local_recipient_reject_code = 550
>> unknown_relay_recipient_reject_code = 550
>> unknown_virtual_alias_reject_code = 550
>> unknown_virtual_mailbox_reject_code = 550
>> unverified_recipient_reject_code = 450
>> unverified_sender_reject_code = 450
>> use_getpwnam_ext = yes
>> use_od_delivery_path = no
>> verp_delimiter_filter = -=+
>> virtual_alias_domains = hash:/etc/postfix/virtual_domains
>> virtual_alias_expansion_limit = 1000
>> virtual_alias_maps = hash:/etc/postfix/virtual                                  hash:/private/var/mailman/data/virtual-mailman
>> virtual_alias_recursion_limit = 1000
>> virtual_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
>> virtual_destination_concurrency_limit = $default_destination_concurrency_limit
>> virtual_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
>> virtual_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
>> virtual_destination_rate_delay = $default_destination_rate_delay
>> virtual_destination_recipient_limit = $default_destination_recipient_limit
>> virtual_gid_maps =
>> virtual_initial_destination_concurrency = $initial_destination_concurrency
>> virtual_mailbox_base =
>> virtual_mailbox_domains = hash:/etc/postfix/virtual_domains_dummy
>> virtual_mailbox_limit = 51200000
>> virtual_mailbox_lock = fcntl, dotlock
>> virtual_mailbox_maps =
>> virtual_minimum_uid = 100
>> virtual_transport = virtual
>> virtual_uid_maps =
>>
>> Dank und Gruss
>> Matthias
>>
>>
>> _______________________________________________
>> postfix-users mailing list
>> [hidden email]
>> http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
>
> _______________________________________________
> postfix-users mailing list
> [hidden email]
> http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users


_______________________________________________
postfix-users mailing list
[hidden email]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users

Reply | Threaded
Open this post in threaded view
|

Re: [postfix-users] Spam-Relay via gekapertem Useraccount

Jakob-Matthias Böttger
mit deiner Option

smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sender_restrictions=permit_mynetworks,reject

aus der Master.cf überschreibst du alle smtpd_sender_restrictions aus
deiner main.cf. Da du dort aber keine definiert hast
(smtpd_sender_restrictions=) macht das hier nichts.

Dein Submission sollte ungefähr so aussehen.

submission inet n       -       -       -       25       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o
smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unknown_sender_domain,permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_proxy_filter=
 
Da du in einem Submission keine expliziten Regeln für die
smtpd_recipient_restrictions eingerichtet hast, werden hier die aus der
main.cf angewendet. Dort hast du ja aber gerade das
permit_sasl_authenticated herrausgenommen. Also musst du es in der
master.cf für submission extra einrichten.
Dein Webmail wird i.d.R. über den pickup einliefern. Weiterhin sollte
127.0.0.1 in mynetworks vorhanden sein, das dein Webmail auch von dort
über smtpd_permit_mynetworks einliefern kann.

GeoIP kannst du nicht für Postfix einrichten. Du kannst IPtables aber
mit xtables und GeoIP so einrichten, dass bestimmte Subnetze bereits in
der Firewall gesperrt werden. Schau mal bei Google. Dort gibt es einige
Howtos zu dem Thema.

Am 21.08.2014 um 09:54 schrieb Matthias Schmidt:

> Hallo,
>
> Am 21.08.2014 um 16:11 schrieb Jakob-Matthias Böttger <[hidden email]>:
>> eine Möglichkeit die mir jetzt einfällt wäre folgendes.
>>
>> Auf dem smtpd 25 die permit_sasl_authenticated rauszunehmen.
>> Also in smtpd_recipient_restrictions =
>>    permit_tls_clientcerts,
>>    check_sender_access hash:/etc/postfix/whitelist,
>>    check_sender_access regexp:/etc/postfix/tag_as_originating.re,
>>    check_sender_access regexp:/etc/postfix/tag_as_foreign.re,
>>    reject_non_fqdn_hostname,
>>    reject_unknown_reverse_client_hostname,
>>    reject_unauth_destination,
>>    reject_rbl_client cbl.abuseat.org
> das klappt leider nicht, da bekomm ich „Relay-Access denied“ als Antwort :(
>
>> Dann in der Master.cf Submission einrichten.
>> Submission mittels -o permit_sasl_authenticated, und den Anderen
> Submission port ist bereits eingestellt und alle meine Freunde versenden auch über 587.
> Webmail ist ebenfalls auf 587 eingestellt.
>
>> recipient_restrictions einstellen und dann mittels der xtables iptables
>> extension und GeoIP auf dem Submission (tcp 587) z.B. die Ukraine
>> (95.132.60.248 ist aus der Ukraine) aussperren. Es sei denn du hast
>> Kunden oder Nutzer welche aus der Ukranine per Submission Mails
>> versenden müssen. Weiterhin müssen natürlich alle Benutzer deines
>> Mailsystems Ihre Clients so einrichten, dass sie über den Submission
>> einliefern.
> GeoIP hab ich mir mal angeschaut und die kostenlose Version ist auch auf dem Server installiert.
> Wie bau ich das in den Postfix wo ein?
>
> Hier noch die Master.cf, eventiuell hab ich da was verkorkst:
> (postconf-n: is ganz unten im mail)
>
> Dank und Gruss
> Matthias
>
>
> #
> # Postfix master process configuration file.  For details on the format
> # of the file, see the master(5) manual page (command: "man 5 master").
> #
> # ==========================================================================
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> # ==========================================================================
> # ==== Begin auto-generated section ========================================
> # This section of the master.cf file is auto-generated by the Server Admin
> #  Mail backend plugin whenever mails settings are modified.
> smtp      inet  n       -       n       -       -       smtpd
>   -o smtpd_sender_restrictions=permit_mynetworks,reject
> smtp      unix  -       -       n       -       -       smtp
> submission inet  n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt
>   #encrypt
> # === End auto-generated section ===========================================
> #=====inserted 16.3.2012
> #  -o smtpd_enforce_tls=may
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
> #enabled 16.3.2012
> #smtps     inet  n       -       n       -       -       smtpd
> #original mit smtps funzt net also daher mit port ....
> 465     inet  n       -       n       -       -       smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
> #======= finish edit
> #628      inet  n       -       n       -       -       qmqpd
> pickup    fifo  n       -       n       60      1       pickup
> cleanup   unix  n       -       n       -       0       cleanup
> qmgr      fifo  n       -       n       300     1       qmgr
> #qmgr     fifo  n       -       n       300     1       oqmgr
> tlsmgr    unix  -       -       n       1000?   1       tlsmgr
> rewrite   unix  -       -       n       -       -       trivial-rewrite
> bounce    unix  -       -       n       -       0       bounce
> defer     unix  -       -       n       -       0       bounce
> trace     unix  -       -       n       -       0       bounce
> verify    unix  -       -       n       -       1       verify
> flush     unix  n       -       n       1000?   0       flush
> proxymap  unix  -       -       n       -       -       proxymap
> # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
> relay     unix  -       -       n       -       -       smtp
> -o fallback_relay=
> #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
> showq     unix  n       -       n       -       -       showq
> error     unix  -       -       n       -       -       error
> retry     unix  -       -       n       -       -       error
> discard   unix  -       -       n       -       -       discard
> local     unix  -       n       n       -       -       local
> virtual   unix  -       n       n       -       -       virtual
> lmtp      unix  -       -       n       -       -       lmtp
> anvil     unix  -       -       n       -       1       anvil
> scache  unix - - n - 1 scache
> proxywrite unix -       -       n       -       1       proxymap
> #
> # ====================================================================
> # amavis set up
> # ====================================================================
> #
> smtp-amavis unix -      -       n       -       2       smtp
>    -o smtp_data_done_timeout=1200
>    -o smtp_send_xforward_command=yes
>    -o disable_dns_lookups=yes
>    -o max_use=20
>      
> 192.168.2.10:25 inet n    -       n       -       -     smtpd
>      -o content_filter=smtp-amavis:[127.0.0.1]:10024
>      -o receive_override_options=no_address_mappings
>      -o mynetworks=127.0.0.0/8,192.168.2.0/24,192.168.1.0/24
> #
> 127.0.0.1:10025 inet n    -       n       -       -     smtpd
>      -o content_filter=
>      -o smtpd_delay_reject=no
>      -o smtpd_client_restrictions=
>      -o smtpd_helo_restrictions=
>      -o smtpd_sender_restrictions=
>      -o smtpd_recipient_restrictions=permit_mynetworks,reject
>      -o smtpd_data_restrictions=reject_unauth_pipelining
>      -o smtpd_end_of_data_restrictions=
>      -o smtpd_restriction_classes=
>      -o mynetworks=127.0.0.0/8,192.168.2.0/24,192.168.1.0/24
>      -o smtpd_error_sleep_time=0
>      -o smtpd_soft_error_limit=1001
>      -o smtpd_hard_error_limit=1000
>      -o smtpd_client_connection_count_limit=0
>      -o smtpd_client_connection_rate_limit=0
>      -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
> #
> 127.0.0.1:10027 inet n    -       n       -       -     smtpd
>      -o content_filter=
>      -o smtpd_delay_reject=no
>      -o smtpd_client_restrictions=
>      -o smtpd_helo_restrictions=
>      -o smtpd_sender_restrictions=
>      -o smtpd_recipient_restrictions=permit_mynetworks,reject
>      -o smtpd_data_restrictions=reject_unauth_pipelining
>      -o smtpd_end_of_data_restrictions=
>      -o smtpd_restriction_classes=
>      -o mynetworks=127.0.0.0/8,192.168.2.0/24,192.168.1.0/24
>      -o smtpd_error_sleep_time=0
>      -o smtpd_soft_error_limit=1001
>      -o smtpd_hard_error_limit=1000
>      -o smtpd_client_connection_count_limit=0
>      -o smtpd_client_connection_rate_limit=0
>      -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
> # ====================================================================
> # Interfaces to non-Postfix software. Be sure to examine the manual
> # pages of the non-Postfix software to find out what options it wants.
> #
> # Many of the following services use the Postfix pipe(8) delivery
> # agent.  See the pipe(8) man page for information about ${recipient}
> # and other message envelope options.
> # ====================================================================
> #
> # maildrop. See the Postfix MAILDROP_README file for details.
> # Also specify in main.cf: maildrop_destination_recipient_limit=1
> #
> #maildrop  unix  -       n       n       -       -       pipe
> #  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
> #
> # ====================================================================
> #
> # The Cyrus deliver program has changed incompatibly, multiple times.
> #
> #old-cyrus unix  -       n       n       -       -       pipe
> #  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
> #
> # ====================================================================
> #
> # Cyrus 2.1.5 (Amos Gouaux)
> # Also specify in main.cf: cyrus_destination_recipient_limit=1
> #
> cyrus     unix  -       n       n       -       -       pipe
>   user=_cyrus argv=/usr/bin/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
> #
> # ====================================================================
> #
> # See the Postfix UUCP_README file for configuration details.
> #
> #uucp      unix  -       n       n       -       -       pipe
> #  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> #
> # ====================================================================
> #
> # Other external delivery methods.
> #
> #ifmail    unix  -       n       n       -       -       pipe
> #  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> #
> #bsmtp     unix  -       n       n       -       -       pipe
> #  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
> #
> #scalemail-backend unix -       n       n       -       2       pipe
> #  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
> #  ${nexthop} ${user} ${extension}
> #
> mailman   unix  -       n       n       -       -       pipe
>   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
>   ${nexthop} ${user}
> #
> # Dovecot deliver
> #
> dovecot   unix  -       n       n       -       25      pipe
>   flags=DRhu user=_dovecot:mail argv=/usr/libexec/dovecot/deliver -d ${user}
> #
> # Greylist policy server
> #
> policy    unix  -       n       n       -       -       spawn
>   user=nobody:mail argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
>
> smtp-amavis unix -      -       y       -       2       smtp
>    -o smtp_data_done_timeout=1200
>    -o smtp_send_xforward_command=yes
>    -o disable_dns_lookups=yes
>
> 127.0.0.1:10025 inet n  -       y       -       -       smtpd
>    -o content_filter=
>    -o local_recipient_maps=
>    -o relay_recipient_maps=
>    -o smtpd_restriction_classes=
>    -o smtpd_client_restrictions=
>    -o smtpd_helo_restrictions=
>    -o smtpd_sender_restrictions=
>    -o smtpd_recipient_restrictions=permit_mynetworks,reject
>    -o mynetworks=127.0.0.0/8
>    -o smtpd_enforce_tls=no
>    -o strict_rfc821_envelopes=yes
>    -o smtpd_error_sleep_time=0
>    -o smtpd_soft_error_limit=1001
>    -o smtpd_hard_error_limit=1000
>    -o receive_override_options=no_header_body_checks
>
>> Am 21.08.2014 um 07:59 schrieb Matthias Schmidt:
>>> Hallo,
>>> ich seh in meinem log viele viele mails, die von irgendwoher kommen und meist an französische yohoo Adressen gehen.
>>>
>>> ich hab den Server via http://mxtoolbox.com/ getestet und das Tool sagt kein Open Relay.
>>>
>>> Nachdem ich dem noch weiter in den Logs gewühlt habe, sieht es so aus als ob ein User-Account geknackt wurde.
>>> Das entsprechende Passwort hab ich gleich mal geändert.
>>>
>>> amavis wirft entsprechend folgende Warnung aus:
>>> Open relay? Nonlocal recips but not originating
>>> Kann ich das irgendwie unterbinden, so dass das senden nur von lokalen Account aus erlaubt ist, trotz geknacktem login?
>>>
>>>
>>> Hier meine postconf-n:
>>> 2bounce_notice_recipient = postmaster
>>> access_map_reject_code = 554
>>> address_verify_default_transport = $default_transport
>>> address_verify_local_transport = $local_transport
>>> address_verify_map =
>>> address_verify_negative_cache = yes
>>> address_verify_negative_expire_time = 3d
>>> address_verify_negative_refresh_time = 3h
>>> address_verify_poll_count = 3
>>> address_verify_poll_delay = 3s
>>> address_verify_positive_expire_time = 31d
>>> address_verify_positive_refresh_time = 7d
>>> address_verify_relay_transport = $relay_transport
>>> address_verify_relayhost = $relayhost
>>> address_verify_sender = $double_bounce_sender
>>> address_verify_sender_dependent_relayhost_maps = $sender_dependent_relayhost_maps
>>> address_verify_service_name = verify
>>> address_verify_transport_maps = $transport_maps
>>> address_verify_virtual_transport = $virtual_transport
>>> alias_database = hash:/etc/aliases
>>> alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
>>> allow_mail_to_commands = alias, forward
>>> allow_mail_to_files = alias, forward
>>> always_bcc =
>>> anvil_rate_time_unit = 60s
>>> anvil_status_update_time = 600s
>>> application_event_drain_time = 100s
>>> authorized_flush_users = static:anyone
>>> authorized_mailq_users = static:anyone
>>> authorized_submit_users = static:anyone
>>> backwards_bounce_logfile_compatibility = yes
>>> berkeley_db_create_buffer_size = 16777216
>>> berkeley_db_read_buffer_size = 131072
>>> best_mx_transport =
>>> body_checks_size_limit = 51200
>>> bounce_notice_recipient = postmaster
>>> bounce_queue_lifetime = 5d
>>> bounce_service_name = bounce
>>> bounce_size_limit = 50000
>>> bounce_template_file =
>>> canonical_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
>>> check_for_od_forward = yes
>>> cleanup_service_name = cleanup
>>> command_directory = /usr/sbin
>>> command_execution_directory =
>>> command_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
>>> command_time_limit = 1000s
>>> config_directory = /etc/postfix
>>> connection_cache_protocol_timeout = 5s
>>> connection_cache_service_name = scache
>>> connection_cache_status_update_time = 600s
>>> connection_cache_ttl_limit = 2s
>>> content_filter = smtp-amavis:[127.0.0.1]:10024
>>> cyrus_sasl_config_path =
>>> daemon_directory = /usr/libexec/postfix
>>> daemon_timeout = 18000s
>>> data_directory = /var/lib/postfix
>>> debug_peer_level = 5
>>> debug_peer_list =
>>> default_database_type = hash
>>> default_delivery_slot_cost = 5
>>> default_delivery_slot_discount = 50
>>> default_delivery_slot_loan = 3
>>> default_destination_concurrency_failed_cohort_limit = 1
>>> default_destination_concurrency_limit = 20
>>> default_destination_concurrency_negative_feedback = 1
>>> default_destination_concurrency_positive_feedback = 1
>>> default_destination_rate_delay = 0s
>>> default_destination_recipient_limit = 50
>>> default_extra_recipient_limit = 1000
>>> default_minimum_delivery_slots = 3
>>> default_privs = nobody
>>> default_process_limit = 100
>>> default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
>>> default_recipient_limit = 20000
>>> default_recipient_refill_delay = 5s
>>> default_recipient_refill_limit = 100
>>> default_transport = smtp
>>> default_verp_delimiters = +=
>>> defer_code = 450
>>> defer_service_name = defer
>>> defer_transports =
>>> delay_logging_resolution_limit = 2
>>> delay_notice_recipient = postmaster
>>> delay_warning_time = 0h
>>> deliver_lock_attempts = 20
>>> deliver_lock_delay = 1s
>>> destination_concurrency_feedback_debug = no
>>> detect_8bit_encoding_header = yes
>>> dont_remove = 0
>>> double_bounce_sender = double-bounce
>>> duplicate_filter_limit = 1000
>>> empty_address_recipient = MAILER-DAEMON
>>> empty_address_relayhost_maps_lookup_key = <>
>>> enable_original_recipient = yes
>>> enable_server_options = yes
>>> error_notice_recipient = postmaster
>>> error_service_name = error
>>> execution_directory_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
>>> export_environment = TZ MAIL_CONFIG LANG
>>> fallback_transport =
>>> fallback_transport_maps =
>>> fast_flush_domains = $relay_domains
>>> fast_flush_purge_time = 7d
>>> fast_flush_refresh_time = 12h
>>> fault_injection_code = 0
>>> flush_service_name = flush
>>> fork_attempts = 5
>>> fork_delay = 1s
>>> forward_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
>>> forward_path = $home/.forward${recipient_delimiter}${extension}, $home/.forward
>>> frozen_delivered_to = yes
>>> hash_queue_depth = 1
>>> hash_queue_names = deferred,defer
>>> header_address_token_limit = 10240
>>> header_checks = pcre:/etc/postfix/custom_header_checks
>>> header_size_limit = 102400
>>> hopcount_limit = 50
>>> html_directory = no
>>> import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
>>> in_flow_delay = 1s
>>> inet_interfaces = all
>>> inet_protocols = ipv4
>>> initial_destination_concurrency = 5
>>> internal_mail_filter_classes =
>>> invalid_hostname_reject_code = 501
>>> ipc_idle = 5s
>>> ipc_timeout = 3600s
>>> ipc_ttl = 1000s
>>> line_length_limit = 2048
>>> lmtp_bind_address =
>>> lmtp_bind_address6 =
>>> lmtp_body_checks =
>>> lmtp_cname_overrides_servername = no
>>> lmtp_connect_timeout = 0s
>>> lmtp_connection_cache_destinations =
>>> lmtp_connection_cache_on_demand = yes
>>> lmtp_connection_cache_time_limit = 2s
>>> lmtp_connection_reuse_time_limit = 300s
>>> lmtp_data_done_timeout = 600s
>>> lmtp_data_init_timeout = 120s
>>> lmtp_data_xfer_timeout = 180s
>>> lmtp_defer_if_no_mx_address_found = no
>>> lmtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
>>> lmtp_destination_concurrency_limit = $default_destination_concurrency_limit
>>> lmtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
>>> lmtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
>>> lmtp_destination_rate_delay = $default_destination_rate_delay
>>> lmtp_destination_recipient_limit = $default_destination_recipient_limit
>>> lmtp_discard_lhlo_keyword_address_maps =
>>> lmtp_discard_lhlo_keywords =
>>> lmtp_enforce_tls = no
>>> lmtp_generic_maps =
>>> lmtp_header_checks =
>>> lmtp_host_lookup = dns
>>> lmtp_initial_destination_concurrency = $initial_destination_concurrency
>>> lmtp_lhlo_name = $myhostname
>>> lmtp_lhlo_timeout = 300s
>>> lmtp_line_length_limit = 990
>>> lmtp_mail_timeout = 300s
>>> lmtp_mime_header_checks =
>>> lmtp_mx_address_limit = 5
>>> lmtp_mx_session_limit = 2
>>> lmtp_nested_header_checks =
>>> lmtp_pix_workaround_delay_time = 10s
>>> lmtp_pix_workaround_maps =
>>> lmtp_pix_workaround_threshold_time = 500s
>>> lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
>>> lmtp_quit_timeout = 300s
>>> lmtp_quote_rfc821_envelope = yes
>>> lmtp_randomize_addresses = yes
>>> lmtp_rcpt_timeout = 300s
>>> lmtp_rset_timeout = 20s
>>> lmtp_sasl_auth_cache_name =
>>> lmtp_sasl_auth_cache_time = 90d
>>> lmtp_sasl_auth_soft_bounce = yes
>>> lmtp_sasl_mechanism_filter =
>>> lmtp_sasl_path =
>>> lmtp_sasl_security_options = noplaintext, noanonymous
>>> lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
>>> lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
>>> lmtp_sasl_type = cyrus
>>> lmtp_send_xforward_command = no
>>> lmtp_sender_dependent_authentication = no
>>> lmtp_skip_5xx_greeting = yes
>>> lmtp_starttls_timeout = 300s
>>> lmtp_tcp_port = 24
>>> lmtp_tls_CAfile =
>>> lmtp_tls_CApath =
>>> lmtp_tls_cert_file =
>>> lmtp_tls_dcert_file =
>>> lmtp_tls_dkey_file = $lmtp_tls_dcert_file
>>> lmtp_tls_enforce_peername = yes
>>> lmtp_tls_exclude_ciphers =
>>> lmtp_tls_fingerprint_cert_match =
>>> lmtp_tls_fingerprint_digest = md5
>>> lmtp_tls_key_file = $lmtp_tls_cert_file
>>> lmtp_tls_loglevel = 0
>>> lmtp_tls_mandatory_ciphers = medium
>>> lmtp_tls_mandatory_exclude_ciphers =
>>> lmtp_tls_mandatory_protocols = SSLv3, TLSv1
>>> lmtp_tls_note_starttls_offer = no
>>> lmtp_tls_per_site =
>>> lmtp_tls_policy_maps =
>>> lmtp_tls_scert_verifydepth = 9
>>> lmtp_tls_secure_cert_match = nexthop
>>> lmtp_tls_security_level =
>>> lmtp_tls_session_cache_database =
>>> lmtp_tls_session_cache_timeout = 3600s
>>> lmtp_tls_verify_cert_match = hostname
>>> lmtp_use_tls = no
>>> lmtp_xforward_timeout = 300s
>>> local_command_shell =
>>> local_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
>>> local_destination_concurrency_limit = 2
>>> local_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
>>> local_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
>>> local_destination_rate_delay = $default_destination_rate_delay
>>> local_destination_recipient_limit = 1
>>> local_header_rewrite_clients = permit_inet_interfaces
>>> local_initial_destination_concurrency = $initial_destination_concurrency
>>> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
>>> local_transport = local:$myhostname
>>> luser_relay =
>>> mail_name = Postfix
>>> mail_owner = _postfix
>>> mail_release_date = 20080902
>>> mail_spool_directory = /var/mail
>>> mail_version = 2.5.5
>>> mailbox_command =
>>> mailbox_command_maps =
>>> mailbox_delivery_lock = flock, dotlock
>>> mailbox_size_limit = 0
>>> mailbox_transport = dovecot
>>> mailbox_transport_maps =
>>> mailq_path = /usr/bin/mailq
>>> manpage_directory = /usr/share/man
>>> maps_rbl_domains =
>>> maps_rbl_reject_code = 554
>>> masquerade_classes = envelope_sender, header_sender, header_recipient
>>> masquerade_domains =
>>> masquerade_exceptions =
>>> max_idle = 100s
>>> max_use = 100
>>> maximal_backoff_time = 4000s
>>> maximal_queue_lifetime = 5d
>>> message_reject_characters =
>>> message_size_limit = 41943040
>>> message_strip_characters =
>>> milter_command_timeout = 30s
>>> milter_connect_macros = j {daemon_name} v
>>> milter_connect_timeout = 30s
>>> milter_content_timeout = 300s
>>> milter_data_macros = i
>>> milter_default_action = tempfail
>>> milter_end_of_data_macros = i
>>> milter_end_of_header_macros = i
>>> milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
>>> milter_macro_daemon_name = $myhostname
>>> milter_macro_v = $mail_name $mail_version
>>> milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr}
>>> milter_protocol = 2
>>> milter_rcpt_macros = i {rcpt_addr}
>>> milter_unknown_command_macros =
>>> mime_boundary_length_limit = 2048
>>> mime_header_checks = $header_checks
>>> mime_nesting_limit = 100
>>> minimal_backoff_time = 300s
>>> multi_recipient_bounce_reject_code = 550
>>> mydestination = $myhostname, localhost.$mydomain, localhost, mail.$mydomain, liste.$mydomain, $mydomain
>>> mydomain = admilon.net
>>> mydomain_fallback = localhost
>>> myhostname = mcgregor.admilon.net
>>> mynetworks = 127.0.0.0/8,192.168.2.0/24,192.168.1.0/24
>>> mynetworks_style = host
>>> myorigin = $myhostname
>>> nested_header_checks = $header_checks
>>> newaliases_path = /usr/bin/newaliases
>>> non_fqdn_reject_code = 504
>>> non_smtpd_milters =
>>> notify_classes = resource, software
>>> owner_request_special = no
>>> parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
>>> permit_mx_backup_networks =
>>> pickup_service_name = pickup
>>> plaintext_reject_code = 450
>>> prepend_delivered_header = command, file, forward
>>> process_id_directory = pid
>>> propagate_unmatched_extensions = canonical, virtual
>>> proxy_interfaces =
>>> proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
>>> proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
>>> qmgr_clog_warn_time = 300s
>>> qmgr_fudge_factor = 100
>>> qmgr_message_active_limit = 20000
>>> qmgr_message_recipient_limit = 20000
>>> qmgr_message_recipient_minimum = 10
>>> qmqpd_authorized_clients =
>>> qmqpd_client_port_logging = no
>>> qmqpd_error_delay = 1s
>>> qmqpd_timeout = 300s
>>> queue_directory = /private/var/spool/postfix
>>> queue_file_attribute_count_limit = 100
>>> queue_minfree = 0
>>> queue_run_delay = 300s
>>> queue_service_name = qmgr
>>> rbl_reply_maps =
>>> readme_directory = /usr/share/doc/postfix
>>> receive_override_options =
>>> recipient_bcc_maps =
>>> recipient_canonical_classes = envelope_recipient, header_recipient
>>> recipient_delimiter = +
>>> reject_code = 554
>>> relay_clientcerts =
>>> relay_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
>>> relay_destination_concurrency_limit = $default_destination_concurrency_limit
>>> relay_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
>>> relay_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
>>> relay_destination_rate_delay = $default_destination_rate_delay
>>> relay_destination_recipient_limit = $default_destination_recipient_limit
>>> relay_domains = $mydestination
>>> relay_domains_reject_code = 554
>>> relay_initial_destination_concurrency = $initial_destination_concurrency
>>> relay_recipient_maps =
>>> relay_transport = relay
>>> relayhost =
>>> relocated_maps =
>>> remote_header_rewrite_domain =
>>> resolve_null_domain = no
>>> resolve_numeric_domain = no
>>> rewrite_service_name = rewrite
>>> sample_directory = /usr/share/doc/postfix/examples
>>> send_cyrus_sasl_authzid = no
>>> sender_bcc_maps =
>>> sender_canonical_classes = envelope_sender, header_sender
>>> sender_canonical_maps =
>>> sender_dependent_relayhost_maps =
>>> sendmail_path = /usr/sbin/sendmail
>>> service_throttle_time = 60s
>>> setgid_group = _postdrop
>>> showq_service_name = showq
>>> smtp_bind_address6 =
>>> smtp_body_checks =
>>> smtp_cname_overrides_servername = no
>>> smtp_connect_timeout = 30s
>>> smtp_connection_cache_destinations =
>>> smtp_connection_cache_on_demand = yes
>>> smtp_connection_cache_time_limit = 2s
>>> smtp_connection_reuse_time_limit = 300s
>>> smtp_data_done_timeout = 600s
>>> smtp_data_init_timeout = 120s
>>> smtp_data_xfer_timeout = 180s
>>> smtp_defer_if_no_mx_address_found = no
>>> smtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
>>> smtp_destination_concurrency_limit = $default_destination_concurrency_limit
>>> smtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
>>> smtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
>>> smtp_destination_rate_delay = $default_destination_rate_delay
>>> smtp_destination_recipient_limit = $default_destination_recipient_limit
>>> smtp_discard_ehlo_keyword_address_maps =
>>> smtp_discard_ehlo_keywords =
>>> smtp_fallback_relay = $fallback_relay
>>> smtp_generic_maps =
>>> smtp_header_checks =
>>> smtp_helo_name = $myhostname
>>> smtp_helo_timeout = 300s
>>> smtp_host_lookup = dns
>>> smtp_initial_destination_concurrency = $initial_destination_concurrency
>>> smtp_line_length_limit = 990
>>> smtp_mail_timeout = 300s
>>> smtp_mime_header_checks =
>>> smtp_mx_address_limit = 5
>>> smtp_mx_session_limit = 2
>>> smtp_nested_header_checks =
>>> smtp_pix_workaround_delay_time = 10s
>>> smtp_pix_workaround_maps =
>>> smtp_pix_workaround_threshold_time = 500s
>>> smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
>>> smtp_quit_timeout = 300s
>>> smtp_quote_rfc821_envelope = yes
>>> smtp_rcpt_timeout = 300s
>>> smtp_rset_timeout = 20s
>>> smtp_sasl_auth_cache_name =
>>> smtp_sasl_auth_cache_time = 90d
>>> smtp_sasl_auth_soft_bounce = yes
>>> smtp_sasl_mechanism_filter =
>>> smtp_sasl_password_maps =
>>> smtp_sasl_path =
>>> smtp_sasl_security_options = noplaintext, noanonymous
>>> smtp_sasl_tls_security_options = $smtp_sasl_security_options
>>> smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
>>> smtp_sasl_type = cyrus
>>> smtp_send_xforward_command = no
>>> smtp_sender_dependent_authentication = no
>>> smtp_starttls_timeout = 300s
>>> smtp_tls_CAfile =
>>> smtp_tls_CApath =
>>> smtp_tls_dcert_file =
>>> smtp_tls_dkey_file = $smtp_tls_dcert_file
>>> smtp_tls_enforce_peername = yes
>>> smtp_tls_exclude_ciphers =
>>> smtp_tls_fingerprint_cert_match =
>>> smtp_tls_fingerprint_digest = md5
>>> smtp_tls_key_file = $smtp_tls_cert_file
>>> smtp_tls_loglevel = 0
>>> smtp_tls_mandatory_ciphers = high
>>> smtp_tls_mandatory_exclude_ciphers =
>>> smtp_tls_mandatory_protocols = SSLv3, TLSv1
>>> smtp_tls_note_starttls_offer = yes
>>> smtp_tls_per_site =
>>> smtp_tls_policy_maps =
>>> smtp_tls_scert_verifydepth = 9
>>> smtp_tls_secure_cert_match = nexthop, dot-nexthop
>>> smtp_tls_session_cache_database =
>>> smtp_tls_session_cache_timeout = 3600s
>>> smtp_tls_verify_cert_match = hostname
>>> smtp_use_tls = no
>>> smtp_xforward_timeout = 300s
>>> smtpd_authorized_verp_clients = $authorized_verp_clients
>>> smtpd_authorized_xclient_hosts =
>>> smtpd_authorized_xforward_hosts =
>>> smtpd_banner = $myhostname ESMTP $mail_name
>>> smtpd_client_connection_count_limit = 50
>>> smtpd_client_connection_rate_limit = 0
>>> smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
>>> smtpd_client_message_rate_limit = 0
>>> smtpd_client_new_tls_session_rate_limit = 10
>>> smtpd_client_port_logging = no
>>> smtpd_client_recipient_rate_limit = 0
>>> smtpd_client_restrictions =
>>> smtpd_data_restrictions = reject_unauth_pipelining
>>> smtpd_delay_open_until_valid_rcpt = yes
>>> smtpd_discard_ehlo_keyword_address_maps =
>>> smtpd_discard_ehlo_keywords =
>>> smtpd_end_of_data_restrictions =
>>> smtpd_enforce_tls = no
>>> smtpd_error_sleep_time = 1s
>>> smtpd_etrn_restrictions =
>>> smtpd_expansion_filter = \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
>>> smtpd_forbidden_commands = CONNECT GET POST
>>> smtpd_hard_error_limit = 20
>>> smtpd_helo_required = yes
>>> smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
>>> smtpd_history_flush_threshold = 100
>>> smtpd_junk_command_limit = 100
>>> smtpd_milters =
>>> smtpd_noop_commands =
>>> smtpd_null_access_lookup_key = <>
>>> smtpd_peername_lookup = yes
>>> smtpd_policy_service_max_idle = 300s
>>> smtpd_policy_service_max_ttl = 1000s
>>> smtpd_policy_service_timeout = 100s
>>> smtpd_proxy_ehlo = $myhostname
>>> smtpd_proxy_filter =
>>> smtpd_proxy_timeout = 100s
>>> smtpd_pw_server_security_options = login,gssapi,cram-md5
>>> smtpd_recipient_limit = 1000
>>> smtpd_recipient_overshoot_limit = 1000
>>> smtpd_recipient_restrictions = permit_sasl_authenticated                permit_tls_clientcerts          check_sender_access hash:/etc/postfix/whitelist         check_sender_access regexp:/etc/postfix/tag_as_originating.re               check_sender_access regexp:/etc/postfix/tag_as_foreign.re               reject_non_fqdn_hostname            reject_unknown_reverse_client_hostname          reject_unauth_destination               reject_rbl_client cbl.abuseat.org
>>> smtpd_reject_unlisted_recipient = yes
>>> smtpd_reject_unlisted_sender = no
>>> smtpd_restriction_classes =
>>> smtpd_sasl_auth_enable = yes
>>> smtpd_sasl_authenticated_header = no
>>> smtpd_sasl_exceptions_networks =
>>> smtpd_sasl_path = smtpd
>>> smtpd_sasl_security_options = noanonymous
>>> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
>>> smtpd_sasl_type = cyrus
>>> smtpd_sender_login_maps =
>>> smtpd_sender_restrictions =
>>> smtpd_soft_error_limit = 10
>>> smtpd_starttls_timeout = 300s
>>> smtpd_timeout = 300s
>>> smtpd_tls_CAfile = /etc/certificates/mcgregor.admilon.net.31B2A8BE25A7A4BCEA17E4A2982578C3AC6E5419.chain.pem
>>> smtpd_tls_CApath =
>>> smtpd_tls_always_issue_session_ids = yes
>>> smtpd_tls_ask_ccert = no
>>> smtpd_tls_auth_only = no
>>> smtpd_tls_ccert_verifydepth = 9
>>> smtpd_tls_cert_file = /etc/certificates/mcgregor.admilon.net.31B2A8BE25A7A4BCEA17E4A2982578C3AC6E5419.cert.pem
>>> smtpd_tls_dcert_file =
>>> smtpd_tls_dh1024_param_file =
>>> smtpd_tls_dh512_param_file =
>>> smtpd_tls_dkey_file = $smtpd_tls_dcert_file
>>> smtpd_tls_exclude_ciphers =
>>> smtpd_tls_fingerprint_digest = md5
>>> smtpd_tls_key_file = /etc/certificates/mcgregor.admilon.net.31B2A8BE25A7A4BCEA17E4A2982578C3AC6E5419.key.pem
>>> smtpd_tls_loglevel = 0
>>> smtpd_tls_mandatory_ciphers = medium
>>> smtpd_tls_mandatory_exclude_ciphers =
>>> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
>>> smtpd_tls_received_header = no
>>> smtpd_tls_req_ccert = no
>>> smtpd_tls_security_level = may
>>> smtpd_tls_session_cache_database =
>>> smtpd_tls_session_cache_timeout = 3600s
>>> smtpd_tls_wrappermode = no
>>> smtpd_use_pw_server = yes
>>> smtpd_use_tls = yes
>>> stale_lock_time = 500s
>>> stress =
>>> strict_mailbox_ownership = yes
>>> syslog_facility = mail
>>> syslog_name = postfix
>>> tls_daemon_random_bytes = 32
>>> tls_export_cipherlist = ALL:+RC4:@STRENGTH
>>> tls_high_cipherlist = ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
>>> tls_low_cipherlist = ALL:!EXPORT:+RC4:@STRENGTH
>>> tls_medium_cipherlist = ALL:!EXPORT:!LOW:+RC4:@STRENGTH
>>> tls_null_cipherlist = eNULL:!aNULL
>>> tls_random_bytes = 32
>>> tls_random_exchange_name = ${data_directory}/prng_exch
>>> tls_random_prng_update_period = 3600s
>>> tls_random_reseed_period = 3600s
>>> tls_random_source = dev:/dev/urandom
>>> trace_service_name = trace
>>> transport_maps =
>>> transport_retry_time = 60s
>>> trigger_timeout = 10s
>>> undisclosed_recipients_header = To: undisclosed-recipients:;
>>> unknown_address_reject_code = 450
>>> unknown_client_reject_code = 450
>>> unknown_hostname_reject_code = 450
>>> unknown_local_recipient_reject_code = 550
>>> unknown_relay_recipient_reject_code = 550
>>> unknown_virtual_alias_reject_code = 550
>>> unknown_virtual_mailbox_reject_code = 550
>>> unverified_recipient_reject_code = 450
>>> unverified_sender_reject_code = 450
>>> use_getpwnam_ext = yes
>>> use_od_delivery_path = no
>>> verp_delimiter_filter = -=+
>>> virtual_alias_domains = hash:/etc/postfix/virtual_domains
>>> virtual_alias_expansion_limit = 1000
>>> virtual_alias_maps = hash:/etc/postfix/virtual                                  hash:/private/var/mailman/data/virtual-mailman
>>> virtual_alias_recursion_limit = 1000
>>> virtual_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
>>> virtual_destination_concurrency_limit = $default_destination_concurrency_limit
>>> virtual_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
>>> virtual_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
>>> virtual_destination_rate_delay = $default_destination_rate_delay
>>> virtual_destination_recipient_limit = $default_destination_recipient_limit
>>> virtual_gid_maps =
>>> virtual_initial_destination_concurrency = $initial_destination_concurrency
>>> virtual_mailbox_base =
>>> virtual_mailbox_domains = hash:/etc/postfix/virtual_domains_dummy
>>> virtual_mailbox_limit = 51200000
>>> virtual_mailbox_lock = fcntl, dotlock
>>> virtual_mailbox_maps =
>>> virtual_minimum_uid = 100
>>> virtual_transport = virtual
>>> virtual_uid_maps =
>>>
>>> Dank und Gruss
>>> Matthias
>>>
>>>
>>> _______________________________________________
>>> postfix-users mailing list
>>> [hidden email]
>>> http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
>> _______________________________________________
>> postfix-users mailing list
>> [hidden email]
>> http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
>
> _______________________________________________
> postfix-users mailing list
> [hidden email]
> http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
>
>



_______________________________________________
postfix-users mailing list
[hidden email]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users

Reply | Threaded
Open this post in threaded view
|

Re: [postfix-users] Spam-Relay via gekapertem Useraccount

Peter Heitzer
Wäre es nicht einfacher, das mit Access Policy Delegation zu erledigen und
z.B.
in main.cf unter  "smtpd_recipient_restrictions"  check_policy_service xxx
einzutragen?
So ein policy server ist recht einfach zu implementieren. Ausserdem könnte man
eine Verifizierung
einbauen, ob die "From:" Adresse überhaupt dem Benutzer zugeordnet ist.
Desweiteren könnte man auch die Anzahl der Empfänger/Zeiteinheit in
Abhängigkeit von der
Herkunft (IP-Bereich) reglementieren.

_______________________________________________
postfix-users mailing list
[hidden email]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
Reply | Threaded
Open this post in threaded view
|

Re: [postfix-users] Spam-Relay via gekapertem Useraccount

Robert Schetterer-2
Am 21.08.2014 um 10:27 schrieb Peter Heitzer:
> Wäre es nicht einfacher, das mit Access Policy Delegation zu erledigen und
> z.B.
> in main.cf unter  "smtpd_recipient_restrictions"  check_policy_service xxx
> einzutragen?
> So ein policy server ist recht einfach zu implementieren. Ausserdem könnte man
> eine Verifizierung
> einbauen, ob die "From:" Adresse überhaupt dem Benutzer zugeordnet ist.


> Desweiteren könnte man auch die Anzahl der Empfänger/Zeiteinheit in
> Abhängigkeit von der
> Herkunft (IP-Bereich) reglementieren.
>
> _______________________________________________
> postfix-users mailing list
> [hidden email]
> http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
>

das hier koennte helfen

http://milter-greylist.wikidot.com/geoip

implementieren nur fuer Submission ohne greylist, nur geoip ( wenn das
geht )

totally untested, iptables geoip sollte auch funktionieren , ich bitte
aber zu bedenken das Kunden auch mal beruflich und/oder privat im Urlaub
im Ausland sein konnten, diese Loesung ist also sicher nicht in jedem
Setup zu gebrauchen, grundsaetzlich wuerde ich eher darauf setzen
"Anomalien" aus den Logs erkennen zu koennen und daraus einen Alarm zu
triggern und dann daraus gegebenfalls eine "Auto Action" loszutreten


Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
_______________________________________________
postfix-users mailing list
[hidden email]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
Reply | Threaded
Open this post in threaded view
|

Re: [postfix-users] Spam-Relay via gekapertem Useraccount

Matthias Schmidt [c]

Am 21.08.2014 um 18:12 schrieb Robert Schetterer <[hidden email]>:

> Am 21.08.2014 um 10:27 schrieb Peter Heitzer:
>> Wäre es nicht einfacher, das mit Access Policy Delegation zu erledigen und
>> z.B.
>> in main.cf unter  "smtpd_recipient_restrictions"  check_policy_service xxx
>> einzutragen?
>> So ein policy server ist recht einfach zu implementieren. Ausserdem könnte man
>> eine Verifizierung
>> einbauen, ob die "From:" Adresse überhaupt dem Benutzer zugeordnet ist.
>
>
>> Desweiteren könnte man auch die Anzahl der Empfänger/Zeiteinheit in
>> Abhängigkeit von der
>> Herkunft (IP-Bereich) reglementieren.
>>
>> _______________________________________________
>> postfix-users mailing list
>> [hidden email]
>> http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
>>
>
> das hier koennte helfen
>
> http://milter-greylist.wikidot.com/geoip
>
> implementieren nur fuer Submission ohne greylist, nur geoip ( wenn das
> geht )
>
> totally untested, iptables geoip sollte auch funktionieren , ich bitte
> aber zu bedenken das Kunden auch mal beruflich und/oder privat im Urlaub
> im Ausland sein konnten, diese Loesung ist also sicher nicht in jedem
> Setup zu gebrauchen, grundsaetzlich wuerde ich eher darauf setzen
> "Anomalien" aus den Logs erkennen zu koennen und daraus einen Alarm zu
> triggern und dann daraus gegebenfalls eine „Auto Action“ loszutreten
>


Das mit dem Submission port funktioniert jetzt wie vorgeschlagen.
Danke :-)

wie stell ich denn sowas an, Anomalien im Log zu erkennen um mir dann z.Bsp. eine Alarm-Mail zu schicken.
Ich nehm mal an mit php und regex oder vergleichbares.
Das ist nun leider nicht so ganz mein Gebiet :(

Danke jedenfalls für die Hilfe hier auf der Liste
Grüsse
Matthias

_______________________________________________
postfix-users mailing list
[hidden email]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
Reply | Threaded
Open this post in threaded view
|

Re: [postfix-users] Spam-Relay via gekapertem Useraccount

Robert Schetterer-2
Am 21.08.2014 um 11:26 schrieb Matthias Schmidt:

>
> Am 21.08.2014 um 18:12 schrieb Robert Schetterer <[hidden email]>:
>
>> Am 21.08.2014 um 10:27 schrieb Peter Heitzer:
>>> Wäre es nicht einfacher, das mit Access Policy Delegation zu erledigen und
>>> z.B.
>>> in main.cf unter  "smtpd_recipient_restrictions"  check_policy_service xxx
>>> einzutragen?
>>> So ein policy server ist recht einfach zu implementieren. Ausserdem könnte man
>>> eine Verifizierung
>>> einbauen, ob die "From:" Adresse überhaupt dem Benutzer zugeordnet ist.
>>
>>
>>> Desweiteren könnte man auch die Anzahl der Empfänger/Zeiteinheit in
>>> Abhängigkeit von der
>>> Herkunft (IP-Bereich) reglementieren.
>>>
>>> _______________________________________________
>>> postfix-users mailing list
>>> [hidden email]
>>> http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
>>>
>>
>> das hier koennte helfen
>>
>> http://milter-greylist.wikidot.com/geoip
>>
>> implementieren nur fuer Submission ohne greylist, nur geoip ( wenn das
>> geht )
>>
>> totally untested, iptables geoip sollte auch funktionieren , ich bitte
>> aber zu bedenken das Kunden auch mal beruflich und/oder privat im Urlaub
>> im Ausland sein konnten, diese Loesung ist also sicher nicht in jedem
>> Setup zu gebrauchen, grundsaetzlich wuerde ich eher darauf setzen
>> "Anomalien" aus den Logs erkennen zu koennen und daraus einen Alarm zu
>> triggern und dann daraus gegebenfalls eine „Auto Action“ loszutreten
>>
>
>
> Das mit dem Submission port funktioniert jetzt wie vorgeschlagen.
> Danke :-)
>
> wie stell ich denn sowas an, Anomalien im Log zu erkennen um mir dann z.Bsp. eine Alarm-Mail zu schicken.
> Ich nehm mal an mit php und regex oder vergleichbares.
> Das ist nun leider nicht so ganz mein Gebiet :(

das ist nicht ganz trivial, und meines wissens gibt es dafuer auch
nichts "out of the box"

vorfiltern im syslog ist schon mal nicht schlecht
zb nach sasl

nur so als Ideengeber

https://sys4.de/de/blog/2013/04/17/monitoren-und-alarmierung-von-brute-force-attacken-auf-smtp-sasl-mit-xymon/

wenn man geschickt ist kann man die filterung auch gleich von zb rsyslog
erledigen lassen und auch von dort aus auch gleich eine action
ausfuehren lassen zb passwort aendern oder account deaktivieren usw


auch nur fuer Ideen Sammlung

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/


https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

ich hab mich schon an sowas versucht bin aber aus Zeitmangel noch nicht
sehr weit, technisch geht da auf jeden Fall einiges , nur "einfach" ist
es eben nicht

Einige Intruder Detection Systeme sollten auch aehnliche Moeglichkeiten
haben

>
> Danke jedenfalls für die Hilfe hier auf der Liste
> Grüsse
> Matthias
>
> _______________________________________________
> postfix-users mailing list
> [hidden email]
> http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
>



Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
_______________________________________________
postfix-users mailing list
[hidden email]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
Reply | Threaded
Open this post in threaded view
|

Re: [postfix-users] Spam-Relay via gekapertem Useraccount

Jakob-Matthias Böttger
mit dem milter-greylist ist sicherlich eine Option. In diesem Fall
müssten die Restrictions dann aber so konfiguriert werden, dass auch
erfolgreiche SASL logins durch den milter laufen, was meiner Meinung
nach Ressourcen verschwendung ist. Sollte sich einer der User in der
Ukraine aufhalten, könnte man noch das Webmail oder ein VPN nutzen. Aber
es stimmt, das ein GeoIP basiertes SASL filtering problem Potential mit
sich bringt. Gerade in einem großen Setup.
Je nach Setup könnte man noch reject_unlisted_sender in die
smtpd_sender_restrictions aufnehmen. Damit würde man dann die
Senderadressen gegen die im System vorhandenen Mailadressen
verifizieren. Aber ACHTUNG das geht nur bei richtig konfigurierten
Lookups der Adressen. Z.B. über die Virtual umgebung.

VG Jakob

Am 21.08.2014 um 11:48 schrieb Robert Schetterer:

> Am 21.08.2014 um 11:26 schrieb Matthias Schmidt:
>> Am 21.08.2014 um 18:12 schrieb Robert Schetterer <[hidden email]>:
>>
>>> Am 21.08.2014 um 10:27 schrieb Peter Heitzer:
>>>> Wäre es nicht einfacher, das mit Access Policy Delegation zu erledigen und
>>>> z.B.
>>>> in main.cf unter  "smtpd_recipient_restrictions"  check_policy_service xxx
>>>> einzutragen?
>>>> So ein policy server ist recht einfach zu implementieren. Ausserdem könnte man
>>>> eine Verifizierung
>>>> einbauen, ob die "From:" Adresse überhaupt dem Benutzer zugeordnet ist.
>>>
>>>> Desweiteren könnte man auch die Anzahl der Empfänger/Zeiteinheit in
>>>> Abhängigkeit von der
>>>> Herkunft (IP-Bereich) reglementieren.
>>>>
>>>> _______________________________________________
>>>> postfix-users mailing list
>>>> [hidden email]
>>>> http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
>>>>
>>> das hier koennte helfen
>>>
>>> http://milter-greylist.wikidot.com/geoip
>>>
>>> implementieren nur fuer Submission ohne greylist, nur geoip ( wenn das
>>> geht )
>>>
>>> totally untested, iptables geoip sollte auch funktionieren , ich bitte
>>> aber zu bedenken das Kunden auch mal beruflich und/oder privat im Urlaub
>>> im Ausland sein konnten, diese Loesung ist also sicher nicht in jedem
>>> Setup zu gebrauchen, grundsaetzlich wuerde ich eher darauf setzen
>>> "Anomalien" aus den Logs erkennen zu koennen und daraus einen Alarm zu
>>> triggern und dann daraus gegebenfalls eine „Auto Action“ loszutreten
>>>
>>
>> Das mit dem Submission port funktioniert jetzt wie vorgeschlagen.
>> Danke :-)
>>
>> wie stell ich denn sowas an, Anomalien im Log zu erkennen um mir dann z.Bsp. eine Alarm-Mail zu schicken.
>> Ich nehm mal an mit php und regex oder vergleichbares.
>> Das ist nun leider nicht so ganz mein Gebiet :(
> das ist nicht ganz trivial, und meines wissens gibt es dafuer auch
> nichts "out of the box"
>
> vorfiltern im syslog ist schon mal nicht schlecht
> zb nach sasl
>
> nur so als Ideengeber
>
> https://sys4.de/de/blog/2013/04/17/monitoren-und-alarmierung-von-brute-force-attacken-auf-smtp-sasl-mit-xymon/
>
> wenn man geschickt ist kann man die filterung auch gleich von zb rsyslog
> erledigen lassen und auch von dort aus auch gleich eine action
> ausfuehren lassen zb passwort aendern oder account deaktivieren usw
>
>
> auch nur fuer Ideen Sammlung
>
> https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/
>
>
> https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
>
> ich hab mich schon an sowas versucht bin aber aus Zeitmangel noch nicht
> sehr weit, technisch geht da auf jeden Fall einiges , nur "einfach" ist
> es eben nicht
>
> Einige Intruder Detection Systeme sollten auch aehnliche Moeglichkeiten
> haben
>
>> Danke jedenfalls für die Hilfe hier auf der Liste
>> Grüsse
>> Matthias
>>
>> _______________________________________________
>> postfix-users mailing list
>> [hidden email]
>> http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
>>
>
>
> Best Regards
> MfG Robert Schetterer
>

_______________________________________________
postfix-users mailing list
[hidden email]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
Reply | Threaded
Open this post in threaded view
|

Re: [postfix-users] Spam-Relay via gekapertem Useraccount

Florian Pritz
In reply to this post by Matthias Schmidt [c]
On 21.08.2014 11:26, Matthias Schmidt wrote:
> wie stell ich denn sowas an, Anomalien im Log zu erkennen um mir dann z.Bsp. eine Alarm-Mail zu schicken.

http://www.inversepath.com/tenshi.html

Tenshi braucht anfangs etwas viel Liebe (erstmal alles was uninteressant
ist rausfiltern und dabei nach Möglichkeit sehr genaue Filter bauen die
wirklich nur das uninteressant treffen), dann ist es aber sehr praktisch.

Außerdem willst du reject_authenticated_sender_login_mismatch in deine
restrictions einbauen damit jeder user nur noch mit seinen Adressen
schicken darf. Das verlässt sich allerdings auf ein ordentlich gesetztes
smtpd_sender_login_maps.

Dann willst du noch *alle* Mails (auch die von deinen Usern und auch
lokal erstellte (pickup)) durch einen Spamfilter schicken. Das machst du
wenn ich das richtig sehe für submission momentan nicht. Einfach überall
den content_filter setzen.

Und zum Schluss willst du noch limitieren wie viele Mails ein user pro
Zeit schicken darf damit gestohlene Accounts nicht ganz so schlimm sind.
Da machst du postfwd in postfix als policy service an den passenden
Stellen rein. Am besten in smtpd_end_of_data_restrictions.

Meine postfwd config:

> &&SASL_WHITELIST {
>         sasl_username=devnull;
> };
>
> # skip lower rate limiting for certain users
> id=SaslWhitelist;
>         protocol_state==END-OF-MESSAGE;
>         &&SASL_WHITELIST;
>         action=rcpt(sasl_username/300/21600/REJECT You can only send to 300 recipients per 6h per user)
>
> # skip lower rate limiting for certain users
> id=SaslWhitelist2;
>         protocol_state==END-OF-MESSAGE;
>         &&SASL_WHITELIST;
>         action=dunno;
>
> # sasl_username != doesn't work for whatever reason
> id=RcptRate;
>         protocol_state==END-OF-MESSAGE;
>         sasl_username!~/^$/;
>         action=rcpt(sasl_username/100/21600/REJECT You can only send to 100 recipients per 6h per user)
>
> # this causes postfwd to log something for every mail
> id=logging;
>         protocol_state==END-OF-MESSAGE;
>         action=dunno;



_______________________________________________
postfix-users mailing list
[hidden email]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users

signature.asc (836 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [postfix-users] Spam-Relay via gekapertem Useraccount

Matthias Schmidt [c]

Am 21.08.2014 um 22:54 schrieb Florian Pritz <[hidden email]>:

> On 21.08.2014 11:26, Matthias Schmidt wrote:
>> wie stell ich denn sowas an, Anomalien im Log zu erkennen um mir dann z.Bsp. eine Alarm-Mail zu schicken.
>
> http://www.inversepath.com/tenshi.html
>
> Tenshi braucht anfangs etwas viel Liebe (erstmal alles was uninteressant
> ist rausfiltern und dabei nach Möglichkeit sehr genaue Filter bauen die
> wirklich nur das uninteressant treffen), dann ist es aber sehr praktisch.
>
> Außerdem willst du reject_authenticated_sender_login_mismatch in deine
> restrictions einbauen damit jeder user nur noch mit seinen Adressen
> schicken darf. Das verlässt sich allerdings auf ein ordentlich gesetztes
> smtpd_sender_login_maps.

Danke, werd ich einbauen, wenn der mailman wieder geht (s.u.) ;-)

>
> Dann willst du noch *alle* Mails (auch die von deinen Usern und auch
> lokal erstellte (pickup)) durch einen Spamfilter schicken. Das machst du
> wenn ich das richtig sehe für submission momentan nicht. Einfach überall
> den content_filter setzen.
>



mit einer dieser Einstellungen hab ich jetzt meinen mailman ausgesperrt …


Irgendeine Idee?

in der main.cf steht zwar das hier:
virtual_alias_maps = hash:/etc/postfix/virtual
                                        hash:/private/var/mailman/data/virtual-mailman

aber das wird nun wohl ignoriert mit:
Aug 24 18:10:11 mcgregor postfix/smtpd[41880]: 84E8B34E830: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mcgregor.admilon.net>

es kann nicht an virtual domain liegen, da die anderen virtuellen domains mit persönlichen Adressen funktionieren. Die Login-Namen stimmen auch nicht mit den e-mail-addressen überein, werden aber in virtual gemappt, anscheinend wird nur die virtual-mailman ignoriert.

Danke und Gruss
Matthias

die aktuelle master.cf die, die den mailman irgendwo aussperrt grummel
Kommentare hab ich weitestgehend rausgeworfen.


smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sender_restrictions=permit_mynetworks,reject
smtp      unix  -       -       n       -       -       smtp

submission inet  n       -       n       -       25       smtpd
   -o content_filter=smtp-amavis:[127.0.0.1]:10024
  -o smtpd_tls_security_level=encrypt
#  -o smtpd_enforce_tls=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unknown_sender_domain,permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtpd_proxy_filter=
  -o milter_macro_daemon_name=ORIGINATING

#original mit smtps funzt net also daher mit port ....
465     inet  n       -       n       -       -       smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unknown_sender_domain,permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
        -o content_filter=smtp-amavis:[127.0.0.1]:10024
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache  unix - - n - 1 scache
proxywrite unix -       -       n       -       1       proxymap
#
# ====================================================================
# amavis set up
# ====================================================================
#
smtp-amavis unix -      -       n       -       2       smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
   -o max_use=20
     
192.168.2.10:25 inet n    -       n       -       -     smtpd
     -o content_filter=smtp-amavis:[127.0.0.1]:10024
     -o receive_override_options=no_address_mappings
     -o mynetworks=127.0.0.0/8,192.168.2.0/24,192.168.1.0/24
#
127.0.0.1:10025 inet n    -       n       -       -     smtpd
     -o content_filter=
     -o smtpd_delay_reject=no
     -o smtpd_client_restrictions=
     -o smtpd_helo_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o smtpd_data_restrictions=reject_unauth_pipelining
     -o smtpd_end_of_data_restrictions=
     -o smtpd_restriction_classes=
     -o mynetworks=127.0.0.0/8,192.168.2.0/24,192.168.1.0/24
     -o smtpd_error_sleep_time=0
     -o smtpd_soft_error_limit=1001
     -o smtpd_hard_error_limit=1000
     -o smtpd_client_connection_count_limit=0
     -o smtpd_client_connection_rate_limit=0
     -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
#
127.0.0.1:10027 inet n    -       n       -       -     smtpd
     -o content_filter=
     -o smtpd_delay_reject=no
     -o smtpd_client_restrictions=
     -o smtpd_helo_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o smtpd_data_restrictions=reject_unauth_pipelining
     -o smtpd_end_of_data_restrictions=
     -o smtpd_restriction_classes=
     -o mynetworks=127.0.0.0/8,192.168.2.0/24,192.168.1.0/24
     -o smtpd_error_sleep_time=0
     -o smtpd_soft_error_limit=1001
     -o smtpd_hard_error_limit=1000
     -o smtpd_client_connection_count_limit=0
     -o smtpd_client_connection_rate_limit=0
     -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

cyrus     unix  -       n       n       -       -       pipe
  user=_cyrus argv=/usr/bin/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}

mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

dovecot   unix  -       n       n       -       25      pipe
  flags=DRhu user=_dovecot:mail argv=/usr/libexec/dovecot/deliver -d ${user}
#
# Greylist policy server
#
policy    unix  -       n       n       -       -       spawn
  user=nobody:mail argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
smtp-amavis unix -      -       y       -       2       smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       y       -       -       smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8
   -o smtpd_enforce_tls=no
   -o strict_rfc821_envelopes=yes
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o receive_override_options=no_header_body_checks

_______________________________________________
postfix-users mailing list
[hidden email]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
Reply | Threaded
Open this post in threaded view
|

Re: [postfix-users] Spam-Relay via gekapertem Useraccount

Matthias Schmidt [c]

Am 24.08.2014 um 18:34 schrieb Matthias Schmidt <[hidden email]>:

>
> Am 21.08.2014 um 22:54 schrieb Florian Pritz <[hidden email]>:
>
>> On 21.08.2014 11:26, Matthias Schmidt wrote:
>>> wie stell ich denn sowas an, Anomalien im Log zu erkennen um mir dann z.Bsp. eine Alarm-Mail zu schicken.
>>
>> http://www.inversepath.com/tenshi.html
>>
>> Tenshi braucht anfangs etwas viel Liebe (erstmal alles was uninteressant
>> ist rausfiltern und dabei nach Möglichkeit sehr genaue Filter bauen die
>> wirklich nur das uninteressant treffen), dann ist es aber sehr praktisch.
>>
>> Außerdem willst du reject_authenticated_sender_login_mismatch in deine
>> restrictions einbauen damit jeder user nur noch mit seinen Adressen
>> schicken darf. Das verlässt sich allerdings auf ein ordentlich gesetztes
>> smtpd_sender_login_maps.
>
> Danke, werd ich einbauen, wenn der mailman wieder geht (s.u.) ;-)
>
>>
>> Dann willst du noch *alle* Mails (auch die von deinen Usern und auch
>> lokal erstellte (pickup)) durch einen Spamfilter schicken. Das machst du
>> wenn ich das richtig sehe für submission momentan nicht. Einfach überall
>> den content_filter setzen.
>>
>
>
>
> mit einer dieser Einstellungen hab ich jetzt meinen mailman ausgesperrt …

und zwar indem ich in der main.cf unter:
smtpd_recipient_restrictions =
                permit_mynetworks

nachdem ich es wieder reingenommen habe, geht’s wieder.

Gruss
Matthias


_______________________________________________
postfix-users mailing list
[hidden email]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users