smtpd_recipient_restrictions Failure?


smtpd_recipient_restrictions Failure?

Scott Hollenbeck
Lately I've been getting email sent from one persistent spammer that's
somehow getting through my smtpd_recipient_restrictions filters. Here are
the message headers:

Return-Path: <MAILER-DAEMON>
Delivered-To: [hidden email]
Received: by mymailer.net (Postfix, from userid 103)
        id 679C91661E8; Sun, 26 Jul 2020 21:19:15 -0400 (EDT)
Authentication-Results: mymailer.net; dkim=none;
        dkim-atps=neutral
Received-SPF: Softfail (helo) identity=helo; client-ip=138.128.241.193;
helo=klwr.golfgenius.com; envelope-from=<>; receiver=<UNKNOWN>
Authentication-Results: mymailer.net; dmarc=none (p=none dis=none)
header.from=adidanos.xyz
X-Greylist: delayed 1116 seconds by postgrey-1.36 at mymailer.net; Sun, 26
Jul 2020 21:19:12 EDT
Received: from klwr.golfgenius.com (unknown [138.128.241.193])
        by mymailer.net (Postfix) with ESMTP id B182D1660C0
        for <[hidden email]>; Sun, 26 Jul 2020 21:19:07 -0400 (EDT)
MIME-Version: 1.0
Message-Id: <[hidden email]>
From:=?UTF-8?B?RGVybWFDb3JyZWN0?=<[hidden email]>
Subject:=?UTF-8?B?QnJlYWt0aHJvdWdoIFNvbHV0aW9uIFRoYXQgTmF0dXJhbGx5IFJlbW92ZX
MgU2tpbiBUYWdz?=
Reply-To: [hidden email]
Recieved: 2010236, 586
To: [hidden email]
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset=UTF-8
Date: Mon, 27 Jul 2020 02:59:18 +0200

Here's what I have in my main.cf configuration file:

smtpd_recipient_restrictions =
        reject_unauth_pipelining,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_sender_access hash:/etc/postfix/blacklist_hash,
        check_sender_access pcre:/etc/postfix/blacklist.pcre,
        check_policy_service unix:private/policyd-spf,
        check_policy_service inet:127.0.0.1:10023,
        permit

Here's what's in my blacklist_hash file:

adidanos.xyz DISCARD

I ran postmap after adding this to the file and restarted postfix. The email
is still getting through. What am I missing?

Thanks,
Scott Hollenbeck


Re: smtpd_recipient_restrictions Failure?

Gerald Galster

> Lately I've been getting email sent from one persistent spammer that's
> somehow getting through my smtpd_recipient_restrictions filters. Here are
> the message headers:
>
> Return-Path: <MAILER-DAEMON>
[...]
> From:=?UTF-8?B?RGVybWFDb3JyZWN0?=<info@....xyz>
[...]
> smtpd_recipient_restrictions =
>       check_sender_access hash:/etc/postfix/blacklist_hash,

http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions

smtpd_sender_restrictions like check_sender_access check the
envelope_sender (MAIL FROM smtp command / Return Path) which is not
necessarily the same as the From: header.

In your example the null sender ("", <>, MAILER-DAEMON) is searched,
not info@....xyz.

Best regards
Gerald

RE: smtpd_recipient_restrictions Failure?

Scott Hollenbeck
> -----Original Message-----
> From: [hidden email] <[hidden email]>
> On Behalf Of Gerald Galster
> Sent: Monday, July 27, 2020 6:47 AM
> To: Postfix users <[hidden email]>
> Subject: Re: smtpd_recipient_restrictions Failure?
>
>
> > Lately I've been getting email sent from one persistent spammer that's
> > somehow getting through my smtpd_recipient_restrictions filters. Here are
> > the message headers:
> >
> > Return-Path: <MAILER-DAEMON>
> [...]
> > From:=?UTF-8?B?RGVybWFDb3JyZWN0?=<info@....xyz>
> [...]
> > smtpd_recipient_restrictions =
> >       check_sender_access hash:/etc/postfix/blacklist_hash,
>
> http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions
>
> smtpd_sender_restrictions like check_sender_access check the
> envelope_sender (MAIL FROM smtp command / Return Path) which is not
> necessarily the same as the From: header.
>
> In your example the null sender ("", <>, MAILER-DAEMON) is searched,
> not info@....xyz.
>
> Best regards
> Gerald

Thanks, Gerald. I also have this in my main.cf configuration file:

smtpd_sender_restrictions =
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        check_client_access cidr:/etc/postfix/blacklist_cidr,
        permit

Shouldn't the reject_non_fqdn_sender or reject_unknown_sender_domain
restrictions have caught this?

Scott


Re: smtpd_recipient_restrictions Failure?

Gerald Galster
> Thanks, Gerald. I also have this in my main.cf configuration file:
>
> smtpd_sender_restrictions =
>        permit_mynetworks,
>        reject_non_fqdn_sender,
>        reject_unknown_sender_domain,
>        check_client_access cidr:/etc/postfix/blacklist_cidr,
>        permit
>
> Shouldn't the reject_non_fqdn_sender or reject_unknown_sender_domain
> restrictions have caught this?

It would be a bad idea to generally block "<>"/null sender/bounces,
because these are (mostly) error mails that inform you something unusual
happened. Besides, "<>" is a valid return path (defined by RFC).

In your case you could try smtpd_client_restrictions:
http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname

Received: from klwr.golfgenius.com (unknown [138.128.241.193])

This IP does not seem to have a valid DNS PTR record, which nowadays
is a requirement for mailservers.

Best regards
Gerald
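The reject_unknown_client_hostname check Gerald points to has three documented conditions (no PTR for the client IP, the PTR name has no address record, or that name does not resolve back to the client IP). The following is an added example, not code from the thread or from Postfix, that evaluates those three conditions against a constructed resolver so it runs offline; the FAKE_PTR and FAKE_A tables and the example IPs are assumptions, and the only real value is the spammer's client IP from the Received: line above, which is left without a PTR entry to mirror the "unknown" that Postfix logged.

```python
"""Added example: the three conditions behind Postfix's
reject_unknown_client_hostname, evaluated against a constructed resolver.
Not the project's own code; the DNS data below is invented."""
import re

# Constructed fake DNS data. 138.128.241.193 (from the thread's Received:
# line) is deliberately absent from FAKE_PTR to model a missing PTR record.
FAKE_PTR = {
    "192.0.2.10": "mail.example.net",   # PTR present, forward lookup confirms it
    "192.0.2.20": "mx.example.org",     # PTR present, forward lookup disagrees
    "192.0.2.30": "ghost.example.com",  # PTR present, name has no A record
}
FAKE_A = {
    "mail.example.net": ["192.0.2.10"],
    "mx.example.org": ["198.51.100.5"],
}

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)")


def parse_received_client(received_header):
    """Pull (helo_name, verified_name_or_'unknown', client_ip) out of a
    Postfix-style 'Received: from HELO (NAME [IP])' line, or None."""
    m = RECEIVED_RE.search(received_header)
    return m.groups() if m else None


def client_hostname_check(client_ip, ptr=FAKE_PTR, a=FAKE_A):
    """Return (verdict, reason) following the documented rule: reject when
    (1) the IP->name lookup fails, (2) the name->address lookup fails, or
    (3) none of the name's addresses equals the client IP."""
    name = ptr.get(client_ip)
    if name is None:                                     # condition 1
        return ("REJECT", "no PTR record for client IP")
    addrs = a.get(name)
    if not addrs:                                        # condition 2
        return ("REJECT", f"PTR name {name} has no address record")
    if client_ip not in addrs:                           # condition 3
        return ("REJECT", f"{name} resolves to {addrs}, not {client_ip}")
    return ("OK", f"{client_ip} is forward-confirmed as {name}")


def verdict_for_received(received_header):
    """Convenience wrapper: parse the Received: line, then check its IP."""
    parsed = parse_received_client(received_header)
    if parsed is None:
        return ("DUNNO", "could not parse client IP")
    _helo, _name, ip = parsed
    return client_hostname_check(ip)


if __name__ == "__main__":
    sample = "Received: from klwr.golfgenius.com (unknown [138.128.241.193])"
    print(parse_received_client(sample))
    print(verdict_for_received(sample))
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, client_hostname_check(ip))
```

The "unknown" that Postfix writes in the Received: line is its own record that the reverse lookup did not verify the client name, so the parsed header alone already tells you which of the three conditions the check would trip on in this case; the other constructed IPs show the two remaining failure modes and the passing case.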

Re: smtpd_recipient_restrictions Failure?

Benny Pedersen-2
Gerald Galster wrote on 2020-07-27 14:40:

>> Thanks, Gerald. I also have this in my main.cf configuration file:
>>
>> smtpd_sender_restrictions =
>>        permit_mynetworks,
>>        reject_non_fqdn_sender,
>>        reject_unknown_sender_domain,
>>        check_client_access cidr:/etc/postfix/blacklist_cidr,
>>        permit
>>
>> Shouldn't the reject_non_fqdn_sender or reject_unknown_sender_domain
>> restrictions have caught this?
>
> It would be a bad idea to generally block "<>"/null sender/bounces,
> because these are (mostly) error mails that inform you something unusual
> happened. Besides, "<>" is a valid return path (defined by RFC).
>
> In your case you could try smtpd_client_restrictions:
> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
>
> Received: from klwr.golfgenius.com (unknown [138.128.241.193])
>
> This IP does not seem to have a valid DNS PTR record, which nowadays
> is a requirement for mailservers.

Adding milter-regex to Postfix can solve all the above with regex rules,
and <> is only valid for mynetwork servers; most others are spam bounces.

Re: smtpd_recipient_restrictions Failure?

Gerald Galster
>>> Thanks, Gerald. I also have this in my main.cf configuration file:
>>> smtpd_sender_restrictions =
>>>       permit_mynetworks,
>>>       reject_non_fqdn_sender,
>>>       reject_unknown_sender_domain,
>>>       check_client_access cidr:/etc/postfix/blacklist_cidr,
>>>       permit
>>> Shouldn't the reject_non_fqdn_sender or reject_unknown_sender_domain
>>> restrictions have caught this?
>> It would be a bad idea to generally block "<>"/null sender/bounces,
>> because these are (mostly) error mails that inform you something unusual
>> happened. Besides, "<>" is a valid return path (defined by RFC).
>> In your case you could try smtpd_client_restrictions:
>> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
>> Received: from klwr.golfgenius.com (unknown [138.128.241.193])
>> This IP does not seem to have a valid DNS PTR record, which nowadays
>> is a requirement for mailservers.
>
> Adding milter-regex to Postfix can solve all the above with regex rules,

as an alternative without milter:

header_checks = pcre:/etc/postfix/header_checks

Then add the following to /etc/postfix/header_checks and reload postfix:

/baddomain.xyz/    REJECT

> and <> is only valid for mynetwork servers; most others are spam bounces.


<> is valid by definition and does not depend on mynetworks; besides, you're
right that most external bounces are spam. The initial question was why
reject_non_fqdn_sender did not apply.

Best regards
Gerald
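Gerald's two points in this thread, that check_sender_access looks up the envelope sender rather than the From: header, and that header_checks is the map that does see the header, can be reproduced offline. The following is an added example, not code from the thread or from Postfix: it emulates the key order an smtpd access map tries for a sender (full address, domain, parent domains, then localpart@, with the null sender replaced by the real Postfix parameter smtpd_null_access_lookup_key, default "<>") and a first-match header_checks pass. The sample envelope sender and headers are constructed to mirror the original message, and the table contents stand in for blacklist_hash and /etc/postfix/header_checks.

```python
"""Added example: which address each Postfix lookup actually sees.
Not the project's own code; the tables and sample message are constructed."""
import re

# Constructed stand-ins for the thread's message: an empty envelope sender
# (MAIL FROM:<>, which shows up as Return-Path: <MAILER-DAEMON>) and a
# header From: in the domain that was put into blacklist_hash.
SAMPLE_ENVELOPE_SENDER = ""
SAMPLE_HEADERS = [
    "Return-Path: <MAILER-DAEMON>",
    "From: =?UTF-8?B?RGVybWFDb3JyZWN0?= <info@adidanos.xyz>",
    "Subject: constructed sample",
]

# Equivalent of /etc/postfix/blacklist_hash after postmap
SENDER_ACCESS_HASH = {"adidanos.xyz": "DISCARD"}
# Equivalent of the pcre header_checks line from the reply above
HEADER_CHECKS_PCRE = [(re.compile(r"adidanos\.xyz"), "REJECT")]


def sender_access_keys(envelope_sender, null_key="<>"):
    """Keys that check_sender_access tries, in order, for a hash: table.
    The null sender is looked up as smtpd_null_access_lookup_key (default <>).
    Parent domains are tried because parent_domain_matches_subdomains
    includes smtpd_access_maps by default."""
    if envelope_sender == "":
        return [null_key]
    local, _, domain = envelope_sender.rpartition("@")
    keys = [envelope_sender, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):        # e.g. mail.example.com -> example.com, com
        keys.append(".".join(labels[i:]))
    keys.append(local + "@")               # localpart match regardless of domain
    return keys


def check_sender_access(envelope_sender, table):
    """First key found wins; None means DUNNO, i.e. fall through."""
    for key in sender_access_keys(envelope_sender):
        if key in table:
            return table[key]
    return None


def header_checks(headers, rules):
    """First matching (pattern, action) wins, as in cleanup(8) header_checks.
    Patterns run against the raw header line, without MIME decoding."""
    for line in headers:
        for pattern, action in rules:
            if pattern.search(line):
                return action
    return None


def explain(envelope_sender, headers):
    """Summarise what each stage sees for one message."""
    return {
        "sender_access_keys": sender_access_keys(envelope_sender),
        "check_sender_access": check_sender_access(envelope_sender, SENDER_ACCESS_HASH),
        "header_checks": header_checks(headers, HEADER_CHECKS_PCRE),
    }


if __name__ == "__main__":
    # The original message: access map tries only "<>", so DISCARD never fires;
    # header_checks sees the From: line and matches.
    print(explain(SAMPLE_ENVELOPE_SENDER, SAMPLE_HEADERS))
    # Same domain as a real envelope sender: the hash entry would have fired.
    print(explain("info@adidanos.xyz", SAMPLE_HEADERS))
```

The regex in header_checks is applied to the raw header line, so it matches the address in angle brackets here; a domain that only appears inside a base64 encoded-word would not be seen that way. The emulated key order also shows why the quoted entry would still fire for a subdomain sender such as x@mail.adidanos.xyz, which is the subdomain behaviour the access(5) documentation describes.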

Re: smtpd_recipient_restrictions Failure?

Wietse Venema
Gerald Galster:
> <> is valid by definition and does not depend on mynetworks, besides you're
> right that most external bounces are spam. The initial question was why
> reject_non_fqdn_sender did not apply.

The envelope sender address <> must not be blocked by
reject_non_fqdn_sender.

It would be a mistake similar to blocking all ICMP on a firewall.

        Wietse