My server's been getting slammed all night with requests from
adsl-99-162-37-137.dsl.ipltin.sbcglobal.net[99.162.37.137] and I've been
trying to figure out how to stop it.

I've put the IP address in mx_access with REJECT and ran
/usr/local/etc/rc.d/postfix reload and it's still getting slammed.
Does anyone have any ideas? I've got a botnet that's been going crazy
on the server also, we're not running any open proxies and it's locked
down nice and tight.

Here's the output of my postconf -n

alias_database = hash:/usr/local/etc/postfix/aliases
alias_maps = hash:/usr/local/etc/postfix/aliases, hash:/usr/local/mailman/data/aliases
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
in_flow_delay = 3s
inet_interfaces = all
local_destination_concurrency_limit = 1
mail_owner = postfix
mailbox_command = /usr/local/bin/procmail -Y -a $DOMAIN
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 22528000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
mydomain = dontowrryaboutit.org
myhostname = flatlined.dontowrryaboutit.org
mynetworks = 127.0.0.0/8, 10.2.1.0/24
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/usr/local/etc/postfix/junk, reject_rbl_client zen.spamhaus.org, reject_rbl_client virbl.dnsbl.bit.nl, reject_multi_recipient_bounce, reject_unauth_pipelining, reject_unknown_reverse_client_hostname check_client_access regexp:/usr/local/etc/postfix/spam_ip_regex
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_unauth_pipelining, permit
smtpd_sender_restrictions = check_sender_mx_access cidr:/usr/local/etc/postfix/mx_access
strict_rfc821_envelopes = yes
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_mailbox_base = /var/mail
virtual_mailbox_domains = /usr/local/etc/postfix/virtual_domains
audit wrote:
> My server's been getting slammed all night with requests from
> adsl-99-162-37-137.dsl.ipltin.sbcglobal.net[99.162.37.137] and I've
> been trying to figure out how to stop it.
>
> I've put the IP address in mx_access with REJECT and ran
> /usr/local/etc/rc.d/postfix reload and it's still getting slammed.
> Does anyone have any ideas? I've got a botnet that's been going crazy
> on the server also, we're not running any open proxies and it's locked
> down nice and tight.

Best way: use iptables or equivalent (with TCP reset) to block the
connection. This will take the least amount of resources and make your
system a lot happier. The Postfix way follows, but is still load on your
server.

check_sender_mx_access probably isn't the best place for that IP. This
checks the domain in the MAIL FROM vs your database and not the IP of the
connection. You were probably seeking check_client_access.

> Here's the output of my postconf -n
> [...]
> smtpd_client_restrictions = permit_mynetworks, check_client_access
> hash:/usr/local/etc/postfix/junk, reject_rbl_client zen.spamhaus.org,
> reject_rbl_client virbl.dnsbl.bit.nl, reject_multi_recipient_bounce,
> reject_unauth_pipelining, reject_unknown_reverse_client_hostname
> check_client_access regexp:/usr/local/etc/postfix/spam_ip_regex
> smtpd_data_restrictions = reject_unauth_pipelining, permit

No permit_mynetworks first? This is your choice, but the later config
suggests you wanted to.

> smtpd_helo_restrictions = permit_mynetworks, reject_unauth_pipelining,
> permit

Remove this and modify smtpd_data_restrictions above. No real point in
keeping it here.

> smtpd_sender_restrictions = check_sender_mx_access
> cidr:/usr/local/etc/postfix/mx_access

See comments above

Brian
audit:
> My server's been getting slammed all night with requests from
> adsl-99-162-37-137.dsl.ipltin.sbcglobal.net[99.162.37.137] and I've been
> trying to figure out how to stop it.

That's what smtpd_client_connection_rate_limit is for.

> I've put the IP address in mx_access with REJECT and ran

Postfix has no mx_access parameter. If you mean
check_helo/sender/recipient_mx_access, these look up the MX host,
not the client.

Wietse
Wietse Venema wrote:
> audit:
>
>> My server's been getting slammed all night with requests from
>> adsl-99-162-37-137.dsl.ipltin.sbcglobal.net[99.162.37.137] and I've been
>> trying to figure out how to stop it.
>>
>
> That's what smtpd_client_connection_rate_limit is for.
>

I have put the above in and we've blackholed that IP from connecting at
the router now. Now I'm trying to figure out what I'm missing to stop all
the from=<> emails that keep hitting.

Jul 24 10:27:52 flatlined postfix/smtpd[5121]: connect from unknown[200.81.211.94]
Jul 24 10:27:53 flatlined postfix/smtpd[5121]: NOQUEUE: reject: RCPT from unknown[200.81.211.94]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [200.81.211.94]; from=<> to=<[hidden email]> proto=ESMTP helo=<powerb.Plan>
Jul 24 10:27:54 flatlined postfix/smtpd[5121]: disconnect from unknown[200.81.211.94]

>> I've put the IP address in mx_access with REJECT and ran
>>
>
> Postfix has no mx_access parameter. If you mean
> check_helo/sender/recipient_mx_access, these look up the MX host,
> not the client.
>

I removed the mx_access line. Thanks

> Wietse
>
audit:
> I have put the above in and we've blackholed that IP from connecting at
> the router now. Now I'm trying to figure out what I'm missing to stop all
> the from=<> emails that keep hitting.
>
> Jul 24 10:27:52 flatlined postfix/smtpd[5121]: connect from
> unknown[200.81.211.94]
> Jul 24 10:27:53 flatlined postfix/smtpd[5121]: NOQUEUE: reject: RCPT
> from unknown[200.81.211.94]: 450 4.7.1 Client host rejected: cannot find
> your reverse hostname, [200.81.211.94]; from=<>
> to=<[hidden email]> proto=ESMTP helo=<powerb.Plan>
> Jul 24 10:27:54 flatlined postfix/smtpd[5121]: disconnect from
> unknown[200.81.211.94]

http://www.postfix.org/BACKSCATTER_README.html may have some usable
suggestions.

Wietse
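As an added illustration, not code from the thread, the following Python script ties Wietse's smtpd_client_connection_rate_limit suggestion and audit's from=<> question to smtpd log lines in the format quoted above: it measures each client's peak number of connections inside any 60-second span (the quantity that parameter caps, per anvil_rate_time_unit, which defaults to 60s) and counts null-sender RCPT rejections per client, so a rate-limit threshold can be chosen from observed traffic instead of guessed. The log lines, hostnames and addresses are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic) in the format quoted in the thread.
SAMPLE_LOG = """\
Jul 24 10:27:52 flatlined postfix/smtpd[5121]: connect from unknown[200.81.211.94]
Jul 24 10:27:53 flatlined postfix/smtpd[5121]: NOQUEUE: reject: RCPT from unknown[200.81.211.94]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [200.81.211.94]; from=<> to=<user@example.org> proto=ESMTP helo=<powerb.Plan>
Jul 24 10:27:54 flatlined postfix/smtpd[5121]: disconnect from unknown[200.81.211.94]
Jul 24 10:27:55 flatlined postfix/smtpd[5122]: connect from unknown[200.81.211.94]
Jul 24 10:27:56 flatlined postfix/smtpd[5122]: NOQUEUE: reject: RCPT from unknown[200.81.211.94]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [200.81.211.94]; from=<> to=<other@example.org> proto=ESMTP helo=<powerb.Plan>
Jul 24 10:27:57 flatlined postfix/smtpd[5122]: disconnect from unknown[200.81.211.94]
Jul 24 10:28:10 flatlined postfix/smtpd[5123]: connect from mail.example.net[192.0.2.10]
Jul 24 10:28:12 flatlined postfix/smtpd[5123]: disconnect from mail.example.net[192.0.2.10]
"""

CONNECT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: connect from \S+\[([\d.]+)\]")
REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from \S+\[([\d.]+)\]: (\d{3}) [^;]*; from=<([^>]*)>")

def peak_connections_per_window(log, window=60):
    """Peak 'connect from' events per client IP inside any `window`-second span: the
    quantity smtpd_client_connection_rate_limit caps per anvil_rate_time_unit (default 60s)."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = CONNECT_RE.match(line)
        if m:  # syslog stamps carry no year; only differences between them are used
            times[m.group(2)].append(datetime.strptime(m.group(1), "%b %d %H:%M:%S"))
    peaks = {}
    for ip, stamps in times.items():
        stamps.sort()
        best = start = 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() >= window:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks

def null_sender_rejects(log):
    """Count rejected RCPT commands with an empty envelope sender (from=<>) per client."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if m and m.group(3) == "":
            counts[m.group(1)] += 1
    return dict(counts)

def offenders(log, limit=5, window=60):
    """Client IPs whose peak connection count per `window` seconds exceeds `limit`."""
    return sorted(ip for ip, n in peak_connections_per_window(log, window).items() if n > limit)
```

Run it against a real mail log by passing the file contents instead of SAMPLE_LOG; the clients returned by offenders() are the ones the rate limit (or a firewall rule, as Brian suggested) would affect at that threshold.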