postfix-users October 2010 archive

Re: Fighting Backscatter

From: Jeroen Geilman <jeroen_at_nospam>
Date: Wed Oct 20 2010 - 01:09:41 GMT
To: postfix-users@postfix.org

On 10/20/2010 02:52 AM, Steve Jenkins wrote:
> I will gladly solve the RIGHT problem. The fact that I'm here looking for
> guidance should demonstrate that I'm looking to do exactly that.
> Unfortunately, I can't simply put "DO NOT forward SPAM" in my main.cf and
> have it work. ;) After reading through all the docs and various blog and
> forum posts, and making my best efforts at incorporating what I've learned
> into my configuration, it seems I'm still causing backscatter.

Don't accept mail you cannot deliver. Really, that's Numero Uno.
Proper sender and recipient verification - insofar as is feasible for
your site - goes a long way to prevent that from happening.

> That's exactly why I'm posting on Postfix-users - because I need a little more
> guidance than just "RTFM." :) So if anyone can help me with some SPECIFIC
> steps to take, I'd be very appreciative.
>
> I posted it initially, but here again is my postconf -n output:
>
>
<snippety>
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> reject_unauth_destination, reject_unknown_recipient_domain,
> reject_unknown_sender_domain, reject_non_fqdn_recipient,
> reject_non_fqdn_sender, reject_invalid_hostname, permit_mynetworks, permit
>

You're missing some of the better spam prevention methods here, such as
decent HELO checks, and an RBL or two.

I'd suggest at least adding reject_unknown_reverse_client_hostname in
there, as well as (testing out)
reject_[invalid|unknown|non_fqdn]_helo_hostname.

My personal server uses:

smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_reverse_client_hostname,
    warn_if_reject reject_non_fqdn_helo_hostname,
    warn_if_reject reject_invalid_helo_hostname,
    warn_if_reject reject_unknown_helo_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_helo_access hash:/etc/postfix/helo_access,
    permit

helo_access contains permutations of my own IP and hostname(s), which I
REJECT.

My zen RBL check is moved to postscreen, since I run a pre-2.8 build.

> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
> reject_unknown_sender_domain
>

Instead of specifying each restriction set by itself, put them all
together under recipient_restrictions so you can follow along what happens.
It will also log more information.

> virtual_alias_domains = familyname.com
> virtual_alias_maps = hash:/etc/postfix/virtual
>

It would be mildly interesting to see what is in those files, since a
virtual_alias_domain is potentially a wildcard recipient domain.

> -----Original Message-----
> From: Wietse Venema [mailto:wietse@porcupine.org]
> Sent: Tuesday, October 19, 2010 5:16 AM
> To: Steve Jenkins
> Cc: Postfix users
> Subject: Re: Fighting Backscatter
>
> Steve Jenkins:
>

Oh, and please don't top-post.

-- J.
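
The message above runs the three HELO checks under warn_if_reject while testing them. The following is an added example, not part of the original post: it tallies what those warn-only checks would have rejected, so the result can be reviewed before the prefix is removed. The log lines are constructed samples modelled on smtpd's "reject_warning" entries, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the original thread). Restrictions prefixed
# with warn_if_reject log "reject_warning"; enforced ones log "reject".
SAMPLE_LOG = """\
Oct 20 03:10:01 mx postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<a@example.org> to=<u@example.com> proto=SMTP helo=<localhost>
Oct 20 03:10:09 mx postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<b@example.org> to=<u@example.com> proto=SMTP helo=<localhost>
Oct 20 03:12:44 mx postfix/smtpd[2107]: NOQUEUE: reject_warning: RCPT from mail.example.net[198.51.100.7]: 450 4.7.1 <mailhost.example.net>: Helo command rejected: Host not found; from=<c@example.net> to=<u@example.com> proto=ESMTP helo=<mailhost.example.net>
Oct 20 03:15:20 mx postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <mx.example.com>: Helo command rejected: Access denied; from=<d@example.org> to=<u@example.com> proto=SMTP helo=<mx.example.com>
Oct 20 03:18:02 mx postfix/smtpd[2113]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.44]: 501 5.5.2 <foo..bar>: Helo command rejected: Invalid name; from=<e@example.org> to=<u@example.com> proto=SMTP helo=<foo..bar>
"""

# Matches only warn-only HELO rejections; enforced "reject:" lines are skipped.
LINE_RE = re.compile(
    r"NOQUEUE: reject_warning: RCPT from (?P<client>\S+\[[^\]]+\]): "
    r"(?P<code>\d{3}) \S+ <(?P<helo>[^>]*)>: "
    r"Helo command rejected: (?P<reason>[^;]+);"
)

def would_reject(log_text):
    """Return {reason: Counter({helo_name: hits})} for warn-only HELO checks."""
    by_reason = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            by_reason[m.group("reason").strip()][m.group("helo")] += 1
    return dict(by_reason)

def named_clients(log_text):
    """Clients logged with a hostname instead of 'unknown': check these by hand,
    since they are the likeliest legitimate senders with a sloppy HELO."""
    found = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and not m.group("client").startswith("unknown["):
            found.add(m.group("client"))
    return sorted(found)

if __name__ == "__main__":
    for reason, helos in would_reject(SAMPLE_LOG).items():
        print(reason, dict(helos))
    print("review first:", named_clients(SAMPLE_LOG))
```

Point it at the real mail log in place of SAMPLE_LOG once the warn_if_reject lines have collected a representative amount of traffic.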