Hi. My mail server (memoryalpha.richw.org), running Postfix 3.3.0, recently started attracting open relay spam. I thought I had done all the appropriate things in Postfix to block open relay traffic, and I hadn't seen any such traffic for a very long time, but suddenly I've gotten three attacks in the last two days (plus another one a couple of weeks ago).
I'm attaching the output of "postconf -nf". You'll note that I'm using amavisd-new as a spam filter (which has worked fine for a very long time). The log info from amavisd-new identifies the messages in question as probably coming via an open relay, but it still passes them. What confuses me is that I would expect Postfix to have identified and rejected these messages during the initial SMTP dialogue with the sender, and they should never reach amavisd-new. Any suggestions gratefully welcome.

Rich Wales
ri...@richw.org
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
compatibility_level = 2
default_destination_concurrency_limit = 1
default_destination_recipient_limit = 1
disable_vrfy_command = yes
enable_long_queue_ids = yes
fast_flush_domains =
hopcount_limit = 150
inet_protocols = ipv4
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
local_destination_concurrency_limit = 1
local_destination_recipient_limit = 1
local_recipient_maps = $alias_maps
mail_owner = postfix
mailbox_transport = lmtp:[127.0.0.1]
maximal_queue_lifetime = 30d
message_size_limit = 50000000
message_strip_characters = \0
milter_default_action = accept
milter_protocol = 2
mydestination = richw.org, richw.ca, pcre:/etc/postfix/richw_subdomains, localhost, marywalesloomis.com
mydomain = richw.org
myhostname = memoryalpha.richw.org
mynetworks = 127.0.0.0/8, 10.0.229.0/24, 96.82.71.8/29,
mynetworks_style = subnet
myorigin = $myhostname
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_max_ttl = 3h
postscreen_dnsbl_min_ttl = 30m
postscreen_dnsbl_sites = whitelist.richw.org=127.0.0.1*-100, hostkarma.junkemailfilter.com=127.0.0.1*-30, score.senderscore.com=127.0.4.[91..100]*-30, score.senderscore.com=127.0.4.[71..90]*-24, list.dnswl.org=127.0.[0..255].3*-16, list.dnswl.org=127.0.[0..255].2*-8, list.dnswl.org=127.0.[0..255].1*-4, list.dnswl.org=127.0.[0..255].0*-2, blacklist.richw.org=127.0.0.2*100, zen.spamhaus.org=127.0.0.[2..255]*40, dnsbl.justspam.org=127.0.0.[2..255]*20, hostkarma.junkemailfilter.com=127.0.0.2*10, dyna.spamrats.com=127.0.0.36*9, b.barracudacentral.org=127.0.0.2*8, truncate.gbudb.net=127.0.0.[2..255]*6, rbl.megarbl.net=127.0.0.2*4, hostkarma.junkemailfilter.com=127.0.0.4*3, psbl.surriel.com=127.0.0.[2..255]*2, dnsbl.sorbs.net=127.0.0.[2..255]*2, bl.spamcop.net=127.0.0.[2..255]*2, multi.surbl.org=127.0.0.[2..255]*2
postscreen_dnsbl_threshold = 7
postscreen_dnsbl_whitelist_threshold = -16
postscreen_greet_action = enforce
postscreen_greet_banner = $myhostname Please stand by . . .
postscreen_non_smtp_command_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = yes
relay_destination_recipient_limit = 1
relay_domains = indigo.richw.org, goldsmurf.randerzo.net
smtp_address_preference = ipv4
smtp_destination_concurrency_limit = 1
smtp_destination_recipient_limit = 1
smtp_reply_filter = pcre:/etc/postfix/reply_filter
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = PLAIN LOGIN
smtp_sasl_password_maps = hash:/etc/postfix/sasl_fallback
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = no
smtp_tls_ciphers = medium
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtpd_banner = $smtpd_banner_regular
smtpd_banner_fallback = $smtpd_banner_regular (fallback)
smtpd_banner_regular = $myhostname ESMTP
smtpd_banner_submission = $smtpd_banner_regular (Postfix $mail_version -- submission)
smtpd_client_restrictions = permit_mynetworks, permit_dnswl_client whitelist.richw.org=127.0.0.1, permit_rhswl_client whitelist.richw.org=127.0.0.1, reject_rbl_client blacklist.richw.org=127.0.0.2, reject_rhsbl_client blacklist.richw.org=127.0.0.2, reject_rhsbl_client dbl.spamhaus.org=127.0.1.[0..255]
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_discard_ehlo_keywords = dsn etrn size vrfy silent-discard
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_rhswl_client whitelist.richw.org=127.0.0.1, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, reject_rhsbl_helo blacklist.richw.org=127.0.0.2, reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[0..255]
smtpd_recipient_restrictions = permit_mynetworks, reject_rhsbl_recipient blacklist.richw.org=127.0.0.2, reject_rhsbl_recipient dbl.spamhaus.org=127.0.1.[0..255], reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unauth_destination, permit
smtpd_reject_footer = Please report any delivery problems to richwa...@gmail.com
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_mynetworks, reject_rhsbl_recipient blacklist.richw.org=127.0.0.2, reject_rhsbl_recipient dbl.spamhaus.org=127.0.1.[0..255], reject_unauth_destination
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_rhswl_client whitelist.richw.org=127.0.0.1, reject_rhsbl_sender blacklist.richw.org=127.0.0.2, reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[0..255]
smtpd_tls_CAfile = /etc/postfix/ssl/richw-org.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/richw-org.pem
smtpd_tls_ciphers = medium
smtpd_tls_key_file = /etc/postfix/ssl/richw-org-key.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_use_tls = yes
smtputf8_enable = no
soft_bounce = no
submission_restrictions = reject_sender_login_mismatch, reject_unlisted_recipient, permit_auth_destination, permit_rhswl_client whitelist.richw.org=127.0.0.1, reject_rhsbl_recipient blacklist.richw.org=127.0.0.2, reject_rhsbl_recipient dbl.spamhaus.org=127.0.1.[0..255], permit_sasl_authenticated, reject
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual_map
virtual_destination_recipient_limit = 1
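As an added example (not part of the original post, and not Postfix's own code), the script below audits relay controls offline from `postconf -n` output. It applies the rule stated in Postfix's SMTPD_ACCESS_README: a server does not relay for a client as long as smtpd_relay_restrictions and smtpd_recipient_restrictions each reach reject_unauth_destination (or defer_unauth_destination) before any restriction that would permit that client. The parser, the function names and the two embedded configurations are mine: the first configuration reproduces the relay-relevant settings from the post, the second is a constructed broken variant for contrast.

```python
"""Offline audit of Postfix relay controls from `postconf -n` output (added
example, not code from the original post). Rule, per Postfix's
SMTPD_ACCESS_README: relaying is refused when smtpd_relay_restrictions and
smtpd_recipient_restrictions each reach reject_unauth_destination (or
defer_unauth_destination) before anything that permits an untrusted client.
Assumes Postfix >= 2.10 (both lists evaluated) and comma separated lists."""
import ipaddress

GATES = ("reject_unauth_destination", "defer_unauth_destination")
# Permits limited to clients the admin chose to trust, or to local destinations.
HARMLESS = {"permit_mynetworks", "permit_sasl_authenticated", "permit_tls_clientcerts",
            "permit_tls_all_clientcerts", "permit_inet_interfaces", "permit_auth_destination"}
LOOKUPS = ("check_", "permit_dnswl_", "permit_rhswl_")  # need a table/DNS we can't read
DEFAULT_RELAY = "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"


def parse_postconf(text):
    """`name = value` lines -> dict; indented lines continue the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and current is not None:
            params[current] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params


def split_restrictions(value):
    """'a, b arg, c' -> [['a'], ['b', 'arg'], ['c']]."""
    return [chunk.split() for chunk in value.split(",") if chunk.strip()]


def mynetworks_is_open(value):
    """True if mynetworks holds a /0 prefix, i.e. permit_mynetworks trusts everyone."""
    for tok in value.replace(",", " ").split():
        try:  # hostnames and table references are skipped, not evaluated
            net = ipaddress.ip_network(tok.replace("[", "").replace("]", ""), strict=False)
            if net.prefixlen == 0:
                return True
        except ValueError:
            pass
    return False


def audit_list(name, value, trust_everyone):
    """(weak, notes): weak means an untrusted client gets past this list for a
    foreign recipient before the unauth_destination check is reached."""
    items = split_restrictions(value)
    gate = next((i for i, it in enumerate(items) if it[0] in GATES), None)
    if gate is None:
        return True, [f"{name}: never reaches reject_unauth_destination"]
    weak, notes = False, []
    for it in items[:gate]:
        n, text = it[0], " ".join(it)
        where = f"{name}: '{text}' precedes the unauth_destination check"
        if n == "permit" or (n == "permit_mynetworks" and trust_everyone):
            weak, notes = True, notes + [f"{where}; any client can relay"]
        elif n.startswith(LOOKUPS):
            notes.append(f"{where}; an OK/permit result in that lookup allows relaying")
        elif n.startswith("permit") and n not in HARMLESS:
            weak, notes = True, notes + [f"{where}; matching clients can relay"]
    return weak, notes


def audit(text):
    """Audit `postconf -n` output -> {'open_relay': bool, 'notes': [...]}."""
    p = parse_postconf(text)
    everyone = mynetworks_is_open(p.get("mynetworks", ""))
    notes = ["mynetworks: contains a /0 prefix"] if everyone else []
    open_relay = True  # mail is relayed only if BOTH lists let it through
    for name, default in (("smtpd_relay_restrictions", DEFAULT_RELAY),
                          ("smtpd_recipient_restrictions", "")):
        value = p.get(name, default)
        if value.strip():
            weak, more = audit_list(name, value, everyone)
            notes += more
        else:
            weak = True  # an empty list permits; the other list must carry the gate
        open_relay = open_relay and weak
    return {"open_relay": open_relay, "notes": notes}


# Constructed sample 1: the relay-relevant settings from the post above, in the
# one-parameter-per-line form postconf prints (long values wrap onto indented lines).
POSTED_CONFIG = """\
mynetworks = 127.0.0.0/8, 10.0.229.0/24, 96.82.71.8/29,
smtpd_recipient_restrictions = permit_mynetworks,
    reject_rhsbl_recipient blacklist.richw.org=127.0.0.2,
    reject_rhsbl_recipient dbl.spamhaus.org=127.0.1.[0..255],
    reject_unknown_recipient_domain, reject_unlisted_recipient,
    reject_unauth_destination, permit
smtpd_relay_restrictions = permit_mynetworks,
    reject_rhsbl_recipient blacklist.richw.org=127.0.0.2,
    reject_rhsbl_recipient dbl.spamhaus.org=127.0.1.[0..255],
    reject_unauth_destination
"""
# Constructed sample 2: the classic mistake, an unconditional permit ahead of
# the gate in one list and no gate at all in the other.
OPEN_CONFIG = """\
mynetworks = 127.0.0.0/8
smtpd_relay_restrictions = permit_mynetworks, permit, reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, permit
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("open", OPEN_CONFIG)):
        print(label, audit(cfg))
```

Run against the settings posted above, the check passes: in both lists only permit_mynetworks sits ahead of reject_unauth_destination, and mynetworks holds three specific prefixes. Two things a static check cannot see: access tables consulted before the gate (it only flags them for review), and traffic that enters on a listener with a different restriction set, such as a submission service using submission_restrictions. The live counterpart is an unauthenticated SMTP session from an address outside mynetworks that issues RCPT TO an address in a domain that is in neither mydestination nor relay_domains; reject_unauth_destination answers that with "554 5.7.1 ... Relay access denied". Note also that a DNSBL-based verdict in a content filter describes the sending host's reputation rather than whether this server relayed anything; mail that smtpd accepted for a domain in mydestination or relay_domains is not relaying in the reject_unauth_destination sense.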