Brian Neu wrote:

One of the domains that I host is receiving an insane distributed brute force denial of service attack.

The gist is that Postfix accepts mail for ANY users (after sqlgrey) and then passes it through Amavis to Spamassassin, before it reaches dbmail. Does anyone have a suggestion on denying these emails to invalid users "help" "test" "terms" "etc" "iraqcnn" before Amavis and Spamassassin start chewing up all available resources?

Hi!

Make sure postfix has support for mysql or pgsql (whichever you are using for dbmail).

With SLES10 I had to download the source rpm and just rpmbuild it, I got a postfix-mysql package. With SLES9 I had to add the mysql flags into the specfile to get a postfix rpm with built in mysql support. With Fedora Core 6 I had to get the source rpm and in the spec file enable/define mysql support and rebuild it with rpmbuild to get a postfix rpm with mysql support. Debian should have a postfix-mysql package.

Install it.

Make a file like this,

/etc/postfix/sql-recipients.cf:

user = YOURREADONLYUSERNAME
password = YOURPASSWORD
hosts = 127.0.0.1
dbname = dbmail
table = dbmail_aliases
select_field = alias
where_field = alias


Add to the main config:

/etc/postfix/main.cf:
local_recipient_maps = mysql:/etc/postfix/sql-recipients.cf

It's basically the same for postgresql, use "pgsql:" instead of "mysql:".

And then:

postmap /etc/postfix/sql-recipients.cf
postfix reload


This will check the SMTP RCPT TO: part, and give back:
550 <[EMAIL PROTECTED]>: Recipient address rejected: User unknown in local recipient table

You can test it with telnet. Connect to your server with telnet to port 25. And then issue:

HELO yourdomain
MAIL FROM:<[EMAIL PROTECTED]>
RCPT TO:<[EMAIL PROTECTED]>

The answer to RCPT TO should be:

550 <[EMAIL PROTECTED]>: Recipient address rejected: User unknown in local recipient table


Also note, postfix will accept mail for [EMAIL PROTECTED] and [EMAIL PROTECTED]. This is per RFC. So make sure you have these accounts. There might be more of them, don't remember.

Also make sure you don't have a catch all alias in the dbmail_aliases table, like "deliver_to -> @mydomain". Get rid of it.


HTH,

Alex
_______________________________________________
Dbmail-dev mailing list
[email protected]
http://twister.fastxs.net/mailman/listinfo/dbmail-dev
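
Added example (not part of the original message): once local_recipient_maps is in place, the 550 rejections described in the reply show up in the mail log, and this Python script tallies them per recipient and per client IP so you can confirm the mail is refused at RCPT TO, before Amavis and Spamassassin see it. The log lines are constructed samples that assume the usual Postfix smtpd syslog layout; the function name is hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar  3 10:15:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <help@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<help@example.com> proto=SMTP helo=<host1>
Mar  3 10:15:02 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 550 5.1.1 <test@example.com>: Recipient address rejected: User unknown in local recipient table; from=<b@example.net> to=<test@example.com> proto=ESMTP helo=<host2>
Mar  3 10:15:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <Help@example.com>: Recipient address rejected: User unknown in local recipient table; from=<c@example.net> to=<Help@example.com> proto=SMTP helo=<host1>
Mar  3 10:15:04 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 450 <user@example.com>: Recipient address rejected: Greylisted; from=<d@example.org> to=<user@example.com> proto=ESMTP helo=<mail.example.org>
Mar  3 10:15:05 mx postfix/smtpd[2104]: connect from unknown[192.0.2.12]
"""

# Matches only the "User unknown in local recipient table" rejects.
# The enhanced status code (e.g. 5.1.1) is optional: older Postfix omits it.
REJECT_RE = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3})(?: \d\.\d\.\d)? <(?P<rcpt>[^>]*)>: "
    r"Recipient address rejected: User unknown in local recipient table"
)


def summarize_unknown_recipients(log_text):
    """Return (rejects per recipient, rejects per client IP) as Counters."""
    by_rcpt, by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # greylisting rejects, connects, etc. are ignored
        by_rcpt[m.group("rcpt").lower()] += 1  # fold case of the address
        by_ip[m.group("ip")] += 1
    return by_rcpt, by_ip


if __name__ == "__main__":
    rcpts, ips = summarize_unknown_recipients(SAMPLE_LOG)
    print("rejected recipients:")
    for rcpt, n in rcpts.most_common():
        print(f"  {n:5d}  {rcpt}")
    # Many sources with few hits each is what a distributed attack looks like.
    print(f"distinct client IPs: {len(ips)}")
    for ip, n in ips.most_common(10):
        print(f"  {n:5d}  {ip}")
```

To run it against a real log, read the file and pass its text to summarize_unknown_recipients() instead of SAMPLE_LOG.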
