> On behalf of Matthias Schmidt
>
> Hello,
> yesterday, over a period of roughly 45 minutes, mails came in here again and
> some of them were rejected as spam.
> The first time this happened I followed Uwe's advice and changed my
> main.cf like this:

I had recommended that you consolidate all restrictions under
smtpd_recipient_restrictions =. You are still querying
smtpd_sender_restrictions = separately.

> smtpd_sasl_auth_enable = yes
> smtpd_helo_required = yes
> smtpd_use_pw_server = yes
> #with greylisting
> #smtpd_recipient_restrictions = permit_sasl_authenticated
> #    permit_mynetworks reject_unauth_destination check_policy_service
> #    unix:private/policy permit
> #without greylisting
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated
>     permit_mynetworks
>     permit_tls_clientcerts
>     check_sender_access hash:/etc/postfix/whitelist
>     reject_non_fqdn_hostname
>     reject_unknown_reverse_client_hostname
>     reject_unauth_destination
>     reject_rbl_client cbl.abuseat.org
>     reject_rbl_client zen.spamhaus.org
>
> smtpd_pw_server_security_options = login,gssapi,cram-md5
> data_directory = /var/lib/postfix
> smtpd_client_restrictions =
> smtpd_sender_restrictions =
>     check_sender_access regexp:/etc/postfix/tag_as_originating.re
>     permit_mynetworks
>     permit_sasl_authenticated
>     permit_tls_clientcerts
>     check_sender_access regexp:/etc/postfix/tag_as_foreign.re
>
> smtpd_data_restrictions = reject_unauth_pipelining
> mydestination = $myhostname, localhost.$mydomain, localhost,
>     mail.$mydomain, liste.$mydomain, $mydomain
> virtual_transport = virtual
>
>
> The mails arrive here with sasl_username=ftp. Mail is not enabled for the
> (system user) ftp.

Then check your address maps for whether there is an ftp@ in there after all.
Your user check is apparently not correct. If somebody sends something like
that through your server and has logged in, then that is a separate user who
is allowed to send under a false mail address. I had shown you an example
ordering and quite a few more restrictions.
Among them were some that prevent somebody from sending under a different
mail address than the one they logged in with.
The normal output of the log file is enough (no -v -vv etc. in master.cf).
postconf -n is really mandatory to include when you want somebody to look
at your config.

> The mail looks like this:
> Content type: Spam
> Internal reference code for the message is 20536-07/3+yiMXOQhcE5
>
> First upstream SMTP client IP address: [65.200.13.203]
> According to a 'Received:' trace, the message apparently originated at:
>   [17.45.146.70], nico-lae.qr.32.de [17.45.146.70]
>
> Return-Path: <[email protected]>
> From: Co-operative-Bank-p.l.c.UK.363@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk
> Message-ID: <[email protected]@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk.aristo-internet.nl>
> X-Mailer: Stylatule-decouvrez 6.4
> Subject: IMPORTANT SECURITY ISSUES [INCIDENT 462376-xz-46 ]
> Not quarantined.
>
> The message WAS NOT relayed to:
> <[email protected]>:
>    250 2.7.0 Ok, discarded, id=20536-07 - SPAM
>
> SpamAssassin report:
> Spam detection software, running on the system "mcgregor.admilon.net", has
> identified this incoming email as possible spam.  The original message
> has been attached to this so you can view it (if it isn't spam) or label
> similar future email.  If you have any questions, see
> [email protected] for details.
>
> Content preview:  ACCESS TO YOUR ACCOUNT HAS BEEN TEMPORARILY SUSPENDED. The
>    reason for this issue: - UNUSUAL NUMBER OF INVALID LOGIN ATTEMPTS ON YOUR
>    ACCOUNT To restore your account, please click below: [...]
>
> Content analysis details:   (13.0 points, 25.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.0 MSGID_MULTIPLE_AT      Message-ID contains multiple '@' characters
>  0.9 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in DNS
>  2.4 TVD_PH_BODY_ACCOUNTS_PRE BODY: TVD_PH_BODY_ACCOUNTS_PRE
> -0.0 BAYES_40               BODY: Bayes spam probability is 20 to 40%
>                             [score: 0.3950]
>  1.5 HTML_IMAGE_ONLY_20     BODY: HTML: images with 1600-2000 bytes of words
>  0.3 HTML_MESSAGE           BODY: HTML included in message
>  0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
>                             [cf: 100]
>  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>                             [cf: 100]
>  4.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>  0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
>  0.0 TO_EQ_FM_HTML_ONLY     To == From and HTML only
>  0.0 TO_NO_BRKTS_NORDNS_HTML TO_NO_BRKTS_NORDNS_HTML
>
> Return-Path: <[email protected]>
> Received: from [128.2.1.64] (unknown [65.200.13.203])
>     by mcgregor.admilon.net (Postfix) with ESMTPA id 25AF01DBA536
>     for <[email protected]>; Mon, 17 Sep 2012 22:22:07 +0900 (JST)
> X-TM-AS-Result: No--7.291-5.0-31-1
> X-Recommended-Action: accept
> X-IronPort-AV: E=Sophos;i="4.80,368,1344186000";
> X-Envelope-From: hsbc-uk-mintea-nji-iasti-ebay-de.fr-dultzii@nico-lae.qr.32.de
> Content-type: text/html
> X-Proofpoint-Spam-Details: rule=notspam policy=default score=11
>     spamscore=11 suspectscore=3
> X-SpamExpertAristo-Outgoing-Evidence: Combined (0.24)
> X-SpamExpertAristo-Username: 61.8.92.97
> X-Mailer: Stylatule-decouvrez 6.4
> To: [email protected]
> Date: Mon, 17 Sep 2012 13:22:08 GMT
> X-Barracuda-Start-Time: 135755806806600
> Subject: IMPORTANT SECURITY ISSUES [INCIDENT 462376-xz-46 ]
> X-Copfilter-Virus-Scanned: ClamAV 0.684.2
> Received: from nico-lae.qr.32.de ([17.45.146.70]) by ghs-fw (Copfilter 0.84beta4)
> X-IronPort-Anti-Spam-Filtered: true
> From: Co-operative-Bank-p.l.c.UK.363@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk
> X-Filter-ID: XtLePq6GTMn8G68F0comdleehesxkccwnpq66380849601991cmBIW/8OODKS1A/6t51a7Dur
> X-Filtered-With: Copfilter Version 0.84beta4 (ProxSMTP 1.8)
> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.7.7855,1.0.431,0.0.000
> X-OriginalArrivalTime: 04 Sep 2012 16:53:23.0515 (UTC) FILETIME=[CBBBD8B0:01CD8ABD]
> X-SpamExpertAristo-Domain: joomlabouwer.nl
> Message-ID: <[email protected]@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk.aristo-internet.nl>
> X-Originating-IP: 61.8.92.97
> X-imss-scan-details: No--7.291-5.0-31-1
> X-Copfilter-Originating-IP: 89.105.199.76
> X-SpamExpertAristo-Outgoing-Class: ham
> X-TM-IMSS-Message-ID: <[email protected]>
> X-IronPort-Anti-Spam-Result: tc597710475692009648zbf1847zhfdijebku$
> X-TM-AS-Product-Ver: IMSS-7.0.0.6126-6.8.0.1017-19162.000
> Authentication-Results: aristo-internet.nl;auth=pass () smtp.auth=61.8.92.97
> Content-Transfer-Encoding: 7bit
>
>
> In the log it looks like this:
>
> Sep 17 22:22:05 mcgregor postfix/smtpd[20603]: connect from unknown[65.200.13.203]
> Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: NOQUEUE: filter: RCPT from unknown[65.200.13.203]: <[email protected]>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<dagata@ma-pu.plm.com> to=<[email protected]> proto=ESMTP helo=<[128.2.1.64]>
> Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: 25AF01DBA536: client=unknown[65.200.13.203], sasl_method=CRAM-MD5, sasl_username=ftp
> Sep 17 22:22:17 mcgregor postfix/cleanup[20650]: 25AF01DBA536: message-id=<[email protected]@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk.aristo-internet.nl>
> Sep 17 22:22:17 mcgregor postfix/qmgr[505]: 25AF01DBA536: from=<[email protected]>, size=3817, nrcpt=1 (queue active)
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-06) loaded policy bank "ORIGINATING"
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-06) process_request: fileno sock=12, STDIN=0, STDOUT=1
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ESMTP::10026 /var/amavis/tmp/amavis-20120917T221431-20536: <dagata@ma-pu.plm.com> -> <[email protected]> Received: from mcgregor.admilon.net ([127.0.0.1]) by localhost (mcgregor.admilon.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for <[email protected]>; Mon, 17 Sep 2012 22:22:17 +0900 (JST)
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) smtp connection cache, dt: 85.1, state: 0
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) body hash: b55bb74e4d5c950db7ed42aa282aa202
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) Checking: 3+yiMXOQhcE5 ORIGINATING [65.200.13.203] <[email protected]> -> <[email protected]>
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) 2822.From: <Co-[email protected] cooperative-online.co.uk>, 2821.Mail_From: <[email protected]>
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) p001 1 Content-Type: text/html, size: 1755 B, name:
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) Checking for banned types and filenames
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) INFO: unknown banned table name ALT-RULES, [email protected]
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) collect banned table[0]: [email protected], tables:
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) p.path [email protected]: "P=p001,L=1,M=text/html,T=html"
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ask_av Using (ClamAV-clamd): CONTSCAN /var/amavis/tmp/amavis-20120917T221431-20536/parts\n
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ClamAV-clamd: Connecting to socket /var/amavis/clamd
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ClamAV-clamd: Sending CONTSCAN /var/amavis/tmp/amavis-20120917T221431-20536/parts\n to UNIX socket /var/amavis/clamd
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) run_av (ClamAV-clamd): CLEAN
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) run_av (ClamAV-clamd) result: clean
> Sep 17 22:22:18 mcgregor postfix/smtpd[20603]: disconnect from unknown[65.200.13.203]
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) spam_scan: score=13.043 autolearn=no tests=[BAYES_40=-0.001,DKIM_ADSP_NXDOMAIN=0.9,HTML_IMAGE_ONLY_20=1.546,HTML_MESSAGE=0.3,MIME_HTML_ONLY=0.723,MSGID_MULTIPLE_AT=0.001,RAZOR2_CF_RANGE_51_100=0.5,RAZOR2_CF_RANGE_E8_51_100=1.886,RAZOR2_CHECK=4,RDNS_NONE=0.793,TO_EQ_FM_HTML_ONLY=0.001,TO_NO_BRKTS_NORDNS_HTML=0.001,TVD_PH_BODY_ACCOUNTS_PRE=2.393]
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) blocking contents category is (6) for [email protected]
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) do_notify_and_quar: ccat=Spam (6,0) ("6":Spam, "5":Spammy, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(6), qar_mth=
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) skip local delivery(3): <> -> <spam-quarantine>
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) SPAM, <dagata@ma-pu.plm.com> -> <[email protected]>, Yes, score=13.043 tag=-999 tag2=7 kill=12 tests=[BAYES_40=-0.001, DKIM_ADSP_NXDOMAIN=0.9, HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.3, MIME_HTML_ONLY=0.723, MSGID_MULTIPLE_AT=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=4, RDNS_NONE=0.793, TO_EQ_FM_HTML_ONLY=0.001, TO_NO_BRKTS_NORDNS_HTML=0.001, TVD_PH_BODY_ACCOUNTS_PRE=2.393] autolearn=no, quarantine 3+yiMXOQhcE5 (spam-quarantine)
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) dkim: candidate originators: 2822.From:<[email protected]>, 2821.mail_from:<[email protected]>
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) dkim: signing (author), From: <[email protected]>, KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=>admilon.net, s=>default, ttl=>1814400, x=>1349702537.86839
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp session: setting up a new session
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp creating socket by IO::Socket::INET to [127.0.0.1]:10027
> Sep 17 22:22:23 mcgregor postfix/smtpd[20578]: connect from localhost[127.0.0.1]
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to greeting: 220 mcgregor.admilon.net ESMTP Postfix
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> EHLO localhost
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to EHLO: 250 mcgregor.admilon.net\nPIPELINING\nSIZE 41943040\nVRFY\nETRN\nAUTH LOGIN CRAM-MD5 GSSAPI\nSTARTTLS\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) AUTH not needed, user='', MTA offers 'LOGIN CRAM-MD5 GSSAPI'
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> MAIL FROM:<[email protected]> [email protected]
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> RCPT TO:<[email protected]>
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> DATA
> Sep 17 22:22:23 mcgregor postfix/smtpd[20578]: E8B861DBA541: client=localhost[127.0.0.1]
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to MAIL (pip): 250 2.1.0 Ok
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to RCPT (pip) (<[email protected]>): 250 2.1.5 Ok
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF>
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> QUIT
>
> So there is still a hole somewhere; which knob do I have to turn to put a
> stop to this?
> Thanks and regards
> Matthias

Kind regards

Uwe Drießen
--
Software & Computer
Uwe Drießen
Lembergstraße 33
67824 Feilbingert
Tel.: 06708660045

_______________________________________________
postfix-users mailing list
[email protected]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
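Added example, not from either mail in the thread: a main.cf fragment that does what the reply describes, consolidating the restrictions into smtpd_recipient_restrictions and rejecting an authenticated client whose SASL login does not own the envelope sender (a session logged in as "ftp" sending as dagata@ma-pu.plm.com would then be refused at MAIL FROM/RCPT TO instead of reaching amavis). It assumes a standard Postfix build with smtpd_sender_login_maps support; the map path and the example.com entries are placeholders chosen for this example, and the Mac OS X Server specific smtpd_use_pw_server settings from the quoted config are left as they are.

```ini
# Added example (not from the thread).  Assumes standard Postfix with
# smtpd_sender_login_maps; /etc/postfix/sender_login_maps and the
# example.com addresses are placeholders for this example.

# Which SASL login(s) may use which envelope sender.  A login that
# appears in no row (such as "ftp") owns no address at all, so once the
# mismatch check below is in place it cannot send under any sender.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# One list only; the separate sender list stays empty so there is a
# single evaluation order to reason about.
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
    permit_mynetworks
    # Must be listed BEFORE permit_sasl_authenticated, otherwise a
    # logged-in client is permitted first and this check is never reached.
    reject_authenticated_sender_login_mismatch
    permit_sasl_authenticated
    permit_tls_clientcerts
    # Relay control comes before any table that can return OK: an OK from
    # the whitelist placed ahead of reject_unauth_destination would let a
    # forged whitelisted sender relay through this host.
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/whitelist
    reject_non_fqdn_hostname
    reject_unknown_reverse_client_hostname
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client cbl.abuseat.org

# /etc/postfix/sender_login_maps  (then run: postmap /etc/postfix/sender_login_maps)
# envelope sender (lookup key)   SASL login name(s) that may use it
# matthias@example.com           matthias
# liste@example.com              matthias, listadmin
```

The log line "client=unknown[65.200.13.203], sasl_method=CRAM-MD5, sasl_username=ftp" is what to grep for after the change: with the maps in place the rejection is logged on the same smtpd line with a 553 "Sender address rejected: not owned by user ftp" reason, which also makes abused accounts easy to count.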
