Re: Bombarded With Spam
On 9/27/2017 3:02 AM, Matus UHLAR - fantomas wrote:
> Looks like sender address rejection. The error message seems to be custom, which means you should search for check_sender_access in your config file.

Yes. Custom messages in sender_access.

> You can't reject sender at HELO stage, because at that stage the sender is not known yet.

Well that answers that.

>> Second, this server is sitting behind a firewall (10.0.2.1). Is there any way to get the sending IP address instead of the firewall?
>
> Configure your firewall to do destination NAT, so you see the real source. Hiding the real source causes big problems for spam detection.

Did some searching and I'm not finding this. I have been doing masquerade for outbound connections. I never thought to do it on inbound connections. I'm having trouble finding out how to do it on firewalld but I'll keep looking.
Re: Bombarded With Spam
On 9/25/2017 7:34 AM, Benny Pedersen wrote:
> Kirk Bocek wrote on 2017-09-25 16:04:
>> So I need to receive email from bocek.org and then relay it elsewhere. That's why I put that there. Is that wrong?
>
> Yes, each domain must not be listed in both places, since Postfix needs to know how to deliver and route it to their destinations.
>
> Don't focus on sender access yet; focus on making recipients work before solving sender access.

Thank you Benny and Wietse. Things are better now. However I have lots of log entries like:

Sep 26 11:57:52 amber postfix/smtpd[11213]: NOQUEUE: reject: RCPT from unknown[10.0.2.1]: 554 5.7.1 <bjzudixre...@wysina.com.tw>: Sender address rejected: No Spam; from= r...@wysina.com.tw> to=<bc...@yahoo.com.tw> proto=SMTP helo=

First off, at what stage is this rejection happening? Obviously, I want it to happen during HELO to keep the bandwidth down.

Second, this server is sitting behind a firewall (10.0.2.1). Is there any way to get the sending IP address instead of the firewall?
Re: Bombarded With Spam
On 9/25/2017 7:34 AM, Benny Pedersen wrote:
> Yes, each domain must not be listed in both places, since Postfix needs to know how to deliver and route it to their destinations.

Okay, I set it back to

mydestination = $myhostname, localhost.$mydomain, localhost

The other stuff was me trying to get local delivery working.

> Don't focus on sender access yet; focus on making recipients work before solving sender access.
>
>> [snip]
>> smtpd_recipient_restrictions =
>> [snip]
>
> With that config you are on your own, since I can't see logs, and thus I am not helping with the problem to be solved.

Well, I can but my log files are *huge* due to all the spam traffic being denied.

> If you like to get Postfix stable, don't use so many access hash files; it hides your real problem.

But is it okay to have all the "check" configuration lines in a single section?
Re: Bombarded With Spam
On 9/25/2017 3:28 AM, Benny Pedersen wrote:
> grep bocek.org main.cf | wc -l
>
> Simple rule is that domain names are final destinations for Postfix, so if you have bocek.org in mydestination AND in virtual_domain it does not work as you want.

So I need to receive email from bocek.org and then relay it elsewhere. That's why I put that there. Is that wrong?

> Keep mydestination as minimal as possible, and then all public domains as virtual; you get more control of what happens, as well as for system accounts that basically should be in mydestination (tip here is that domains in this list can't be used in public). To make system accounts work in public, use virtual alias mapping.
>
>> This part always confuses me in Postfix.
>
> How?
>
> Have you edited relay as suggested? If yes, what error is there now?

So I modified my recipient restrictions:

smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/access,
    check_helo_access hash:/etc/postfix/sender_access,
    check_recipient_access hash:/etc/postfix/sender_access,
    check_sender_access hash:/etc/postfix/sender_access,
    permit_mynetworks,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unknown_helo_hostname
    check_policy_service unix:postgrey/socket,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    #reject_unknown_sender_domain,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client dnsbl-1.uceprotect.net,
    reject_rbl_client dnsbl-2.uceprotect.net,
    reject_rbl_client dnsbl-3.uceprotect.net,
    reject_rbl_client b.barracudacentral.org,
    reject_unlisted_recipient,
    reject_unverified_recipient,
    permit

by adding the sender_access lines. This seems to help. I realize I have two check_recipient_access lines. Is this an issue?
Re: Bombarded With Spam
On 9/24/2017 1:50 PM, Wietse Venema wrote:
> Kirk Bocek:
>> I inadvertently set open relay on my server sometime ago. I've fixed it but I am now bombarded with spam messages. I'm seeing messages like:
>>
>> 6C5C41FCB3 5940 Sun Sep 24 11:10:12 bdnqkqhakis...@sfilc.com
>> (delivery temporarily suspended: lost connection with mx-tw.mail.gm0.yahoodns.net[27.123.206.55] while sending RCPT TO)
>
> Why did your server ACCEPT this email? Search the logs for 6C5C41FCB3, then find out why it was accepted.
>
> Wietse

That's a good question.

Sep 24 11:10:12 amber postfix/pickup[12058]: 6C5C41FCB3: uid=497 from=<bdnqkqhakis...@sfilc.com>
Sep 24 11:10:12 amber postfix/cleanup[10504]: 6C5C41FCB3: message-id=<yqizmhwzzttgyqxqg...@ethome.com.tw>
Sep 24 11:10:12 amber postfix/qmgr[10597]: 6C5C41FCB3: from=<bdnqkqhakis...@sfilc.com>, size=5940, nrcpt=16 (queue active)

Blocking receipt from sfilc.com would help. I have it in my sender_access file but it's still coming through. I also have com.tw entered. Should I add that hash to smtpd_helo_restrictions? Would that help?
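Wietse's advice is to trace the queue ID through the log. The following is an added example, not code from the thread or from Postfix, that does this over constructed log lines modelled on the ones posted in this thread (hosts, addresses and queue IDs are invented): it groups entries by queue ID, records whether a message entered through postfix/pickup (local submission, which the smtpd restrictions and check_sender_access never see) or through smtpd with a client address, and tallies NOQUEUE rejects by the SMTP stage they fired at, the client and the reason.

```python
import re
from collections import Counter, defaultdict
# Constructed sample lines modelled on the thread's excerpts (hosts, addresses and queue IDs are invented).
SAMPLE_LOG = """\
Sep 24 11:10:12 amber postfix/pickup[12058]: 6C5C41FCB3: uid=497 from=<bulk@sender.example>
Sep 24 11:10:12 amber postfix/qmgr[10597]: 6C5C41FCB3: from=<bulk@sender.example>, size=5940, nrcpt=16 (queue active)
Sep 24 11:12:40 amber postfix/smtpd[11001]: 7A1B2C3D4E: client=mail.example.net[192.0.2.10]
Sep 24 11:12:40 amber postfix/qmgr[10597]: 7A1B2C3D4E: from=<user@example.net>, size=1200, nrcpt=1 (queue active)
Sep 26 11:57:52 amber postfix/smtpd[11213]: NOQUEUE: reject: RCPT from unknown[10.0.2.1]: 554 5.7.1 <x@spam.example.com.tw>: Sender address rejected: No Spam; from=<x@spam.example.com.tw> to=<y@example.org> proto=SMTP helo=<mail.example.com.tw>
Sep 26 11:58:01 amber postfix/smtpd[11213]: NOQUEUE: reject: RCPT from unknown[10.0.2.1]: 450 4.7.1 <z@example.com>: Recipient address rejected: Greylisted; from=<z@example.com> to=<y@example.org> proto=ESMTP helo=<mx.example.com>
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<prog>\w+)\[\d+\]: (?P<rest>.*)$")
REJECT_RE = re.compile(r"^NOQUEUE: reject: (?P<stage>\w+) from (?P<client>\S+): (?P<code>\d{3}) (?P<dsn>\S+) <[^>]*>: (?P<reason>[^;]*);")

def parse(log_text):
    """Return ({queue_id: facts}, [reject dicts]) for a Postfix syslog extract."""
    msgs, rejects = defaultdict(dict), []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        prog, rest = m.group("prog"), m.group("rest")
        r = REJECT_RE.match(rest)
        if r:                                   # refused before queueing; 'stage' is the SMTP command it failed at
            rejects.append(r.groupdict())
            continue
        qid, _, detail = rest.partition(": ")
        if not re.fullmatch(r"[0-9A-F]+", qid):
            continue
        facts = msgs[qid]
        if prog == "pickup":                    # local submission via sendmail/postdrop: no smtpd restrictions applied
            facts["entry"] = "local"
            facts["uid"] = int(re.search(r"uid=(\d+)", detail).group(1))
        elif prog == "smtpd" and detail.startswith("client="):
            facts["entry"] = "smtp"             # network client that passed the smtpd_*_restrictions
            facts["client"] = detail[len("client="):]
        elif prog == "qmgr" and (n := re.search(r"nrcpt=(\d+)", detail)):
            facts["nrcpt"] = int(n.group(1))
    return dict(msgs), rejects

def suspicious_local(msgs, min_rcpt=10):
    """Queue IDs submitted locally with many recipients: the source is a local process, not a remote client."""
    return sorted(q for q, f in msgs.items() if f.get("entry") == "local" and f.get("nrcpt", 0) >= min_rcpt)

def reject_summary(rejects):
    """Count NOQUEUE rejects by (stage, client, reason); every client showing as the firewall address means NAT hides the source."""
    return Counter((r["stage"], r["client"], r["reason"]) for r in rejects)

if __name__ == "__main__":
    msgs, rejects = parse(SAMPLE_LOG)
    print(suspicious_local(msgs), reject_summary(rejects))
```

Run it against a real extract with `parse(open("/var/log/maillog").read())`; a queue ID that appears only under pickup/cleanup/qmgr, never under smtpd, was never subject to the smtpd restrictions at all.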
Re: Bombarded With Spam
On 9/24/2017 2:05 PM, Benny Pedersen wrote:
> Kirk Bocek wrote on 2017-09-24 22:27:
>> Here is postconf -n:
>>
>> mydestination = $myhostname, localhost.$mydomain, localhost, pvt, bocek.org, bocekrealty.com
>> relay_domains = $mydestination, localhost, $myhostname
>> relay_recipient_maps = hash:/etc/postfix/relay_recipients
>
> Do not list $mydestination, $myhostname, localhost as relay_domains; this only needs maps if you are an active backup MX. To solve it:
>
> relay_domains =
> relay_recipient_maps =

Several complex things are happening. I need to accept mail from localhost for messages from an array controller. This host needs to relay mail from workstations on the LAN. This host is also accepting mail from several listed domains via the router. This part always confuses me in Postfix.
Re: Bombarded With Spam
On 9/24/2017 11:34 AM, Benny Pedersen wrote:
> Kirk Bocek wrote on 2017-09-24 20:25:
>> That fills up my mailq. I've since blocked sflic.com but I get others with a gmail.com domain. How do I block or reject these messages?
>
> Google loopback-only; it is the most simple one :)
>
> For more help, post postconf -n.

Thanks Benny. I was unaware of loopback-only. A quick search shows it's used in send-only configurations. I, however, am receiving a few domains on this server. Here is postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost,pvt, bocek.org, bocekrealty.com
mydomain = pvt
myhostname = amber.pvt
mynetworks = 10.0.0.0/21, localhost, 127.0.0.0/8
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases.postfix
proxy_interfaces = 173.8.164.189
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = $mydestination, localhost, $myhostname
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks, permit_inet_interfaces, permit_tls_all_clientcerts, reject_unknown_client_hostname, reject
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_unknown_sender_domain,reject_non_fqdn_hostname, reject_invalid_hostname,reject_unknown_helo_hostname, permit
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_mynetworks, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain,reject_unauth_destination, check_policy_service unix:postgrey/socket, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client dnsbl-2.uceprotect.net, reject_rbl_client dnsbl-3.uceprotect.net,reject_rbl_client b.barracudacentral.org, check_recipient_access hash:/etc/postfix/access, reject_unlisted_recipient, reject_unverified_recipient,permit
smtpd_tls_key_file = /etc/postfix/sslcert-20151019.pem
smtpd_tls_cert_file = /etc/postfix/sslcert-20151019.pem
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access,permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unverified_sender, warn_if_reject, permit
unknown_local_recipient_reject_code = 550
virtual_alias_domains = bocek.org, bocekrealty.com
virtual_alias_maps = hash:/etc/postfix/virtual, hash:/etc/postfix/stonealias, hash:/etc/postfix/testalias

I am constantly battling getting smtpd_sender_restrictions, smtpd_helo_restrictions, smtpd_client_restrictions and the others correct. I've used the check_sender_access hash through several of them and I'm not sure that's correct.
Bombarded With Spam
I inadvertently set open relay on my server sometime ago. I've fixed it but I am now bombarded with spam messages. I'm seeing messages like:

6C5C41FCB3 5940 Sun Sep 24 11:10:12 bdnqkqhakis...@sfilc.com
(delivery temporarily suspended: lost connection with mx-tw.mail.gm0.yahoodns.net[27.123.206.55] while sending RCPT TO)

That fills up my mailq. I've since blocked sflic.com but I get others with a gmail.com domain. How do I block or reject these messages?