Re: Bombarded With Spam

2017-09-29 Thread Kirk Bocek



On 9/27/2017 3:02 AM, Matus UHLAR - fantomas wrote:
> Looks like sender address rejection. The error message seems to be
> custom, which means you should search for check_sender_access in your
> config file.

Yes. Custom messages in sender_access.

> you can't reject sender at HELO stage, because at that stage the sender is
> not known yet.

Well that answers that.

>> Second, this server is sitting behind a firewall (10.0.2.1). Is there
>> any way to get the sending IP address instead of the firewall?
>
> configure your firewall to do destination NAT, so you see the real
> source. Hiding the real source causes big problems for spam detection.

Did some searching and I'm not finding this. I have been doing
masquerade for outbound connections. I never thought to do it on inbound
connections. I'm having trouble finding out how to do it on firewalld
but I'll keep looking.




Re: Bombarded With Spam

2017-09-27 Thread Matus UHLAR - fantomas

On 26.09.17 12:02, Kirk Bocek wrote:
> Thank you Benny and Wietse. Things are better now. However I have
> lots of log entries like:
>
> Sep 26 11:57:52 amber postfix/smtpd[11213]: NOQUEUE: reject: RCPT
> from unknown[10.0.2.1]:
> 554 5.7.1 : Sender address rejected: No
> Spam; from=
> r...@wysina.com.tw> to= proto=SMTP helo=

Looks like sender address rejection. The error message seems to be
custom, which means you should search for check_sender_access in your config
file.
If this still applies:
https://marc.info/?l=postfix-users=150628487603535=2
then you have:
check_sender_access hash:/etc/postfix/sender_access,

which means the sender is listed in /etc/postfix/sender_access

> First off, at what stage is this rejection happening? Obviously, I
> want it to happen during HELO to keep the bandwidth down.

you can't reject sender at HELO stage, because at that stage the sender is
not known yet.

> Second, this server is sitting behind a firewall (10.0.2.1). Is there
> any way to get the sending IP address instead of the firewall?

configure your firewall to do destination NAT, so you see the real
source. Hiding the real source causes big problems for spam detection.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95

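To answer the "at what stage" question from the log itself, here is an added shell example (not from the thread, not the poster's or Matus' code) that reduces smtpd "NOQUEUE: reject" lines to SMTP stage, client IP and reject reason and counts them. The log lines are constructed for this example with placeholder addresses; only the first mirrors the reject quoted above. With the poster's `smtpd_delay_reject = yes` (the Postfix default), client, HELO and sender restrictions are all evaluated at RCPT TO, which is why the stage column reads RCPT throughout; and behind the NAT the poster describes, the client column shows the firewall address rather than the real sender, which is the loss Matus is pointing at.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise Postfix smtpd
# "NOQUEUE: reject" log lines by SMTP stage, client IP and reject reason.
# The log lines below are constructed for this example (placeholder
# addresses); only the first mirrors the reject quoted in the thread.

SAMPLE_LOG='Sep 26 11:57:52 amber postfix/smtpd[11213]: NOQUEUE: reject: RCPT from unknown[10.0.2.1]: 554 5.7.1 <spammer@wysina.example>: Sender address rejected: No Spam; from=<spammer@wysina.example> to=<user@bocek.example> proto=SMTP helo=<mail.wysina.example>
Sep 26 11:58:03 amber postfix/smtpd[11213]: NOQUEUE: reject: RCPT from unknown[10.0.2.1]: 554 5.7.1 <other@wysina.example>: Sender address rejected: No Spam; from=<other@wysina.example> to=<user@bocek.example> proto=SMTP helo=<mail.wysina.example>
Sep 26 11:59:10 amber postfix/smtpd[11213]: NOQUEUE: reject: RCPT from unknown[10.0.2.1]: 550 5.1.1 <nobody@bocek.example>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<nobody@bocek.example> proto=ESMTP helo=<example.net>
Sep 26 12:00:31 amber postfix/smtpd[11214]: NOQUEUE: reject: RCPT from mail.example.org[203.0.113.5]: 554 5.7.1 <user@elsewhere.example>: Relay access denied; from=<a@example.org> to=<user@elsewhere.example> proto=ESMTP helo=<mail.example.org>
Sep 26 12:00:40 amber postfix/smtpd[11214]: disconnect from mail.example.org[203.0.113.5]'

# One line per reject: "<stage> <client ip> <reason>". The stage is the
# SMTP command during which smtpd applied the reject (RCPT, MAIL, HELO,
# CONNECT ...); the reason is the text after the status code, without the
# bracketed address and without the trailing from=/to= details.
parse_rejects() {
    printf '%s\n' "$1" | awk '
        /NOQUEUE: reject: / {
            match($0, /reject: [A-Z]+ from [^ ]+\[[^]]+\]/)
            split(substr($0, RSTART, RLENGTH), w, " ")
            stage = w[2]
            ip = w[4]; sub(/^.*\[/, "", ip); sub(/\]$/, "", ip)
            reason = $0
            sub(/^.*: [0-9][0-9][0-9] [0-9]\.[0-9]+\.[0-9]+ /, "", reason)
            sub(/; from=.*$/, "", reason)
            sub(/^<[^>]*>: /, "", reason)
            print stage, ip, reason
        }'
}

# Count identical (stage, ip, reason) triples, most frequent first.
reject_summary() {
    parse_rejects "$1" | sort | uniq -c | sort -k1,1nr -k2 |
        awk '{ sub(/^[ \t]+/, ""); print }'
}

# Distinct stages seen; with smtpd_delay_reject = yes this is just RCPT.
reject_stages() {
    parse_rejects "$1" | awk '{ print $1 }' | sort -u
}

reject_summary "$SAMPLE_LOG"
```

On a live host, pass the log in instead of the sample, e.g. `reject_summary "$(grep 'NOQUEUE: reject' /var/log/maillog)"`; the summary is the quickest way to see whether the rejects you care about are sender-access hits, RBL hits or relay denials, and which client addresses they come from.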

Re: Bombarded With Spam

2017-09-26 Thread Kirk Bocek



On 9/25/2017 7:34 AM, Benny Pedersen wrote:
> Kirk Bocek wrote on 2017-09-25 16:04:
>
>> So I need to receive email from bocek.org and then relay it elsewhere.
>> That's why I put that there. Is that wrong?
>
> yes each domain must not be listed in both places, since postfix needs
> to know how to deliver and route it to its destinations
>
> don't focus on sender access yet, focus on making recipients work before
> solving sender access

Thank you Benny and Wietse. Things are better now. However I have lots
of log entries like:

Sep 26 11:57:52 amber postfix/smtpd[11213]: NOQUEUE: reject: RCPT from
unknown[10.0.2.1]:
554 5.7.1 : Sender address rejected: No
Spam; from=
r...@wysina.com.tw> to= proto=SMTP helo=

First off, at what stage is this rejection happening? Obviously, I want
it to happen during HELO to keep the bandwidth down.

Second, this server is sitting behind a firewall (10.0.2.1). Is there
any way to get the sending IP address instead of the firewall?




Re: Bombarded With Spam

2017-09-25 Thread Kirk Bocek



On 9/25/2017 7:34 AM, Benny Pedersen wrote:
> yes each domain must not be listed in both places, since postfix needs
> to know how to deliver and route it to its destinations

Okay, I set it back to

mydestination = $myhostname, localhost.$mydomain, localhost

The other stuff was me trying to get local delivery working.

> don't focus on sender access yet, focus on making recipients work before
> solving sender access
>
> [snip]
>
>> smtpd_recipient_restrictions =
>
> [snip]
>
> with that config you are on your own, since I can't see logs, and thus
> can't help with the problem to be solved

Well, I can but my log files are *huge* due to all the spam traffic
being denied.

> if you want to get postfix stable don't use so many access hash files,
> it hides your real problem

But is it okay to have all the "check" configuration lines in a single
section?




Re: Bombarded With Spam

2017-09-25 Thread Benny Pedersen

Kirk Bocek wrote on 2017-09-25 16:04:

> So I need to receive email from bocek.org and then relay it elsewhere.
> That's why I put that there. Is that wrong?

yes each domain must not be listed in both places, since postfix needs to
know how to deliver and route it to its destinations

don't focus on sender access yet, focus on making recipients work before
solving sender access

> [snip]
>
> smtpd_recipient_restrictions =
>
> [snip]

with that config you are on your own, since I can't see logs, and thus
can't help with the problem to be solved

if you want to get postfix stable don't use so many access hash files, it
hides your real problem

> by adding the sender_access lines. This seems to help. I realize I
> have two check_recipient_access lines. Is this an issue.

sadly it helps you get more questions on faults as well


Re: Bombarded With Spam

2017-09-25 Thread Kirk Bocek



On 9/25/2017 3:28 AM, Benny Pedersen wrote:
> grep bocek.org main.cf | wc -l
>
> simple rule is that domain names are final destinations for postfix, so if
> you have bocek.org in mydestination AND in virtual_domain it does not
> work as you want

So I need to receive email from bocek.org and then relay it elsewhere.
That's why I put that there. Is that wrong?

> keep mydestination as minimal as possible, and then all public domains
> as virtual; you get more control of what happens, as well for system
> accounts that basically should be in mydestination (tip here is that
> domains in this list can't be used in public)
>
> to make system accounts work in public use virtual alias mapping
>
>> This part always confuses me in Postfix.
>
> how ?
>
> have you edited relay as suggested ? if yes what error is there now ?

So I modified my recipient restrictions:

smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/access,
    check_helo_access hash:/etc/postfix/sender_access,
    check_recipient_access hash:/etc/postfix/sender_access,
    check_sender_access hash:/etc/postfix/sender_access,
    permit_mynetworks,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unknown_helo_hostname,
    check_policy_service unix:postgrey/socket,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    #reject_unknown_sender_domain,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client dnsbl-1.uceprotect.net,
    reject_rbl_client dnsbl-2.uceprotect.net,
    reject_rbl_client dnsbl-3.uceprotect.net,
    reject_rbl_client b.barracudacentral.org,
    reject_unlisted_recipient,
    reject_unverified_recipient,
    permit

by adding the sender_access lines. This seems to help. I realize I have
two check_recipient_access lines. Is this an issue.


Re: Bombarded With Spam

2017-09-25 Thread Benny Pedersen

Kirk Bocek wrote on 2017-09-25 00:21:

> Several complex things are happening. I need to accept mail from
> localhost for messages from an array controller. This host needs to
> relay mail from workstations on the LAN. This host is also accepting
> mail from several listed domains via the router.

grep bocek.org main.cf | wc -l

simple rule is that domain names are final destinations for postfix, so if
you have bocek.org in mydestination AND in virtual_domain it does not
work as you want

keep mydestination as minimal as possible, and then all public domains
as virtual; you get more control of what happens, as well for system
accounts that basically should be in mydestination (tip here is that
domains in this list can't be used in public)

to make system accounts work in public use virtual alias mapping

> This part always confuses me in Postfix.

how ?

have you edited relay as suggested ? if yes what error is there now ?

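The grep Benny suggests counts how often one domain appears in main.cf; here is an added shell example (not from the thread, not Benny's or the poster's code) that reads main.cf-style text and reports any domain listed in more than one of mydestination, virtual_alias_domains and relay_domains, which is exactly the overlap the rule above warns about: each of those parameters defines a separate Postfix address class, and a domain in two of them is served by whichever class wins while the other entry is silently ignored. The sample main.cf is constructed from the settings quoted earlier in the thread and is not the poster's actual file. `$variables` are left unexpanded, so on a real host feed it `postconf -x` output (Postfix 2.10 and later expands `$name` references) to also catch the overlap hidden behind `relay_domains = $mydestination`.

```shell
#!/bin/sh
# Added example, not code from the thread: find domains that appear in more
# than one Postfix address class (mydestination, virtual_alias_domains,
# relay_domains). The main.cf text below is constructed from the values
# quoted in the thread and is not the poster's real file.

SAMPLE_MAINCF='myhostname = amber.pvt
mydomain = pvt
# indented lines continue the previous parameter, as in main.cf
mydestination = $myhostname, localhost.$mydomain, localhost, pvt,
    bocek.org, bocekrealty.com
relay_domains = $mydestination, localhost, $myhostname
virtual_alias_domains = bocek.org, bocekrealty.com'

# Print the elements of one parameter, one per line: continuation lines
# (leading whitespace) are joined, "name =" is stripped, and commas or
# whitespace separate elements. $variables are printed unexpanded.
param_values() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^[ \t]/ { if (inparam) val = val " " $0; next }
        { inparam = 0 }
        $0 ~ ("^" name "[ \t]*=") { inparam = 1; sub(/^[^=]*=/, ""); val = val " " $0 }
        END {
            gsub(/,/, " ", val)
            n = split(val, a, /[ \t]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }'
}

# Print "domain class1 class2 ..." for every literal domain that is listed
# in more than one address class. Elements starting with "$" are skipped
# because they are references, not domain names.
overlapping_domains() {
    for class in mydestination virtual_alias_domains relay_domains; do
        param_values "$class" "$1" | awk -v c="$class" '!/^\$/ { print $0, c }'
    done | sort | awk '
        { seen[$1] = seen[$1] " " $2; n[$1]++ }
        END { for (d in seen) if (n[d] > 1) print d seen[d] }' | sort
}

overlapping_domains "$SAMPLE_MAINCF"
```

Run against a real configuration with `overlapping_domains "$(postconf -x)"`; an empty result means every domain is owned by exactly one address class, which is the state Benny's "keep mydestination minimal, public domains as virtual" advice aims for.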

Re: Bombarded With Spam

2017-09-24 Thread Wietse Venema
Wietse Venema:
> Kirk Bocek:
> > Sep 24 11:10:12 amber postfix/pickup[12058]: 6C5C41FCB3: uid=497 
> > from=
> 
> They are spamming through some local application, perhaps a web
> service. What process is running as UID=497?
> 
> $ grep '497:' /etc/passwd

In other words the SPAM does not come in via SMTP.

Wietse

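Wietse's passwd lookup is the decisive step here: a pickup(8) entry with `uid=` means the message came in through the local sendmail(1) interface, so no SMTP restriction will ever see it. The following is an added shell example (not from the thread and not Wietse's code) that does the same lookup over log and passwd text and counts how many messages each local uid injected. The log lines and passwd entries are constructed for the example; uid 497 belonging to a "webapp" account is an assumption, not a fact about the poster's host. It matches on the third passwd field rather than grepping for `497:`, which would also hit a gid or a home directory containing that string.

```shell
#!/bin/sh
# Added example, not code from the thread or from Wietse: find which local
# account is injecting mail through postfix/pickup, i.e. via the local
# sendmail(1) interface rather than SMTP. The log lines and passwd entries
# are constructed for this example; uid 497 belonging to a "webapp"
# account is an assumption, not a fact about the poster's host.

# Constructed excerpt of /var/log/maillog
SAMPLE_LOG='Sep 24 11:10:12 amber postfix/pickup[12058]: 6C5C41FCB3: uid=497 from=<bounce@example.invalid>
Sep 24 11:10:12 amber postfix/qmgr[10597]: 6C5C41FCB3: from=<bounce@example.invalid>, size=5940, nrcpt=16 (queue active)
Sep 24 11:10:15 amber postfix/pickup[12058]: 7D1A01FCB4: uid=497 from=<bounce@example.invalid>
Sep 24 11:11:02 amber postfix/pickup[12058]: 8E2B11FCB5: uid=0 from=<root@amber.pvt>
Sep 24 11:12:40 amber postfix/smtpd[11213]: connect from unknown[10.0.2.1]'

# Constructed excerpt of /etc/passwd
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
webapp:x:497:497:Web application:/var/www:/sbin/nologin'

# Print "uid count" for every uid that submitted mail via pickup,
# most active uid first. Only postfix/pickup lines carry a uid= field;
# smtpd, qmgr and cleanup lines are ignored.
pickup_uids() {
    printf '%s\n' "$1" | awk '
        /postfix\/pickup\[/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^uid=/) { sub(/^uid=/, "", $i); n[$i]++ }
        }
        END { for (u in n) print u, n[u] }' | sort -k2,2nr -k1,1n
}

# Resolve a numeric uid to a login name from passwd-format text, matching
# the uid field (field 3) only.
resolve_uid() {
    printf '%s\n' "$2" | awk -F: -v uid="$1" '$3 == uid { print $1; exit }'
}

# The busiest local submitter as "user uid count".
top_submitter() {
    top=$(pickup_uids "$1" | head -n 1)
    uid=${top%% *}
    count=${top#* }
    printf '%s %s %s\n' "$(resolve_uid "$uid" "$2")" "$uid" "$count"
}

top_submitter "$SAMPLE_LOG" "$SAMPLE_PASSWD"
```

On a real host call `top_submitter "$(cat /var/log/maillog)" "$(cat /etc/passwd)"`; once the account is known, `ps -u <user>` shows the process behind it, which is where the cleanup has to happen, since sender_access and helo restrictions only apply to SMTP clients.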

Re: Bombarded With Spam

2017-09-24 Thread Wietse Venema
Kirk Bocek:
> Sep 24 11:10:12 amber postfix/pickup[12058]: 6C5C41FCB3: uid=497 
> from=

They are spamming through some local application, perhaps a web
service. What process is running as UID=497?

$ grep '497:' /etc/passwd

Wietse


Re: Bombarded With Spam

2017-09-24 Thread Kirk Bocek



On 9/24/2017 1:50 PM, Wietse Venema wrote:
> Kirk Bocek:
>> I inadvertently set open relay on my server sometime ago. I've fixed it
>> but I am now bombarded with spam messages. I'm seeing messages like:
>>
>> 6C5C41FCB3   5940 Sun Sep 24 11:10:12  bdnqkqhakis...@sfilc.com
>> (delivery temporarily suspended: lost connection with
>> mx-tw.mail.gm0.yahoodns.net[27.123.206.55] while sending RCPT TO)
>
> Why did your server ACCEPT this email? Search the logs for 6C5C41FCB3,
> then find out why it was accepted.
>
> Wietse

That's a good question.

Sep 24 11:10:12 amber postfix/pickup[12058]: 6C5C41FCB3: uid=497
from=
Sep 24 11:10:12 amber postfix/cleanup[10504]: 6C5C41FCB3:
message-id=
Sep 24 11:10:12 amber postfix/qmgr[10597]: 6C5C41FCB3:
from=, size=5940, nrcpt=16 (queue active)

Blocking receipt from sfilc.com would help. I have it in my
sender_access file but it's still coming through. I also have com.tw
entered. Should I add that hash to smtpd_helo_restrictions? Would that help?


Re: Bombarded With Spam

2017-09-24 Thread Kirk Bocek



On 9/24/2017 2:05 PM, Benny Pedersen wrote:
> Kirk Bocek wrote on 2017-09-24 22:27:
>
>> Here is postconf -n:
>>
>> mydestination = $myhostname, localhost.$mydomain, localhost, pvt,
>> bocek.org, bocekrealty.com
>>
>> relay_domains = $mydestination, localhost, $myhostname
>> relay_recipient_maps = hash:/etc/postfix/relay_recipients
>
> do not list $mydestination, $myhostname, localhost as relay_domains
>
> these maps are only needed if you are an active backup mx
>
> to solve it:
>
> relay_domains=
> relay_recipient_maps=

Several complex things are happening. I need to accept mail from
localhost for messages from an array controller. This host needs to
relay mail from workstations on the LAN. This host is also accepting
mail from several listed domains via the router.

This part always confuses me in Postfix.


Re: Bombarded With Spam

2017-09-24 Thread Wietse Venema
Kirk Bocek:
> I inadvertently set open relay on my server sometime ago. I've fixed it 
> but I am now bombarded with spam messages. I'm seeing messages like:
> 
> 6C5C41FCB3   5940 Sun Sep 24 11:10:12  bdnqkqhakis...@sfilc.com
> (delivery temporarily suspended: lost connection with 
> mx-tw.mail.gm0.yahoodns.net[27.123.206.55] while sending RCPT TO)

Why did your server ACCEPT this email? Search the logs for 6C5C41FCB3,
then find out why it was accepted.

Wietse


Re: Bombarded With Spam

2017-09-24 Thread Kirk Bocek



On 9/24/2017 11:34 AM, Benny Pedersen wrote:
> Kirk Bocek wrote on 2017-09-24 20:25:
>
>> That fills up my mailq. I've since blocked sflic.com but I get others
>> with a gmail.com domain.
>>
>> How do I block or reject these messages?
>
> google loopback-only is the most simple one :)
>
> for more help, post postconf -n

Thanks Benny.

I was unaware of loopback-only. A quick search shows it's used in
send-only configurations. I, however, am receiving a few domains on this
server.

Here is postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, pvt, bocek.org, bocekrealty.com
mydomain = pvt
myhostname = amber.pvt
mynetworks = 10.0.0.0/21, localhost, 127.0.0.0/8
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases.postfix
proxy_interfaces = 173.8.164.189
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = $mydestination, localhost, $myhostname
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks, permit_inet_interfaces, permit_tls_all_clientcerts, reject_unknown_client_hostname, reject
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_unknown_sender_domain, reject_non_fqdn_hostname, reject_invalid_hostname, reject_unknown_helo_hostname, permit
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_mynetworks, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service unix:postgrey/socket, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client dnsbl-2.uceprotect.net, reject_rbl_client dnsbl-3.uceprotect.net, reject_rbl_client b.barracudacentral.org, check_recipient_access hash:/etc/postfix/access, reject_unlisted_recipient, reject_unverified_recipient, permit
smtpd_tls_key_file = /etc/postfix/sslcert-20151019.pem
smtpd_tls_cert_file = /etc/postfix/sslcert-20151019.pem
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unverified_sender, warn_if_reject, permit
unknown_local_recipient_reject_code = 550
virtual_alias_domains = bocek.org, bocekrealty.com
virtual_alias_maps = hash:/etc/postfix/virtual, hash:/etc/postfix/stonealias, hash:/etc/postfix/testalias

I am constantly battling getting smtpd_sender_restrictions,
smtpd_helo_restrictions, smtpd_client_restrictions and the others
correct. I've used the check_sender_access hash through several of them
and I'm not sure that's correct.




Re: Bombarded With Spam

2017-09-24 Thread Benny Pedersen

Kirk Bocek wrote on 2017-09-24 20:25:

> That fills up my mailq. I've since blocked sflic.com but I get others
> with a gmail.com domain.
>
> How do I block or reject these messages?

google loopback-only is the most simple one :)

for more help, post postconf -n