postfix-users October 2010 archive

RE: Fighting Backscatter

From: Steve Jenkins <steve_at_nospam>
Date: Wed Oct 20 2010 - 01:38:11 GMT
To: "'Jeroen Geilman'" <jeroen@adaptr.nl>, <postfix-users@postfix.org>

THANK YOU Jeroen. :) I really appreciate you taking the time to help me with
some specific steps I can try.

Here's the updated output of my postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
milter_protocol = 2
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, www.$mydomain
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:20209
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_milters = inet:localhost:20209
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_unknown_reverse_client_hostname,
    warn_if_reject reject_non_fqdn_helo_hostname,
    warn_if_reject reject_invalid_helo_hostname,
    warn_if_reject reject_unknown_helo_hostname,
    reject_unauth_pipelining, reject_non_fqdn_sender,
    reject_unknown_sender_domain, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_invalid_hostname,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = familyname.com
virtual_alias_maps = hash:/etc/postfix/virtual

The /etc/postfix/virtual is set up as follows. Every line in there is either
a local POP account or the destination forwarding address. I don't use any
catch-alls, and prefer that my server reject unknown local recipients (or in
this case, I should probably say "local").

Familyname.com #Family Domain for Mail
steve@familyname.com steve
sister@familyname.com sister
aunt@familyname.com auntsaddress@cox.net
dad@familyname.com dadsaddress@gmail.com

Like you, I'm also running a pre-2.8 build (2.6.5). I hadn't heard of
postscreen until just now, but I'll check it out.

Would you mind sharing (anonymized if you wish) some examples of
permutations of your IP and hostname(s) to reject from your helo_access
file? What types of permutations are classically used by spammers that I can
safely block without rejecting legitimate mail?

Thanks again,

Steve

From: owner-postfix-users@postfix.org
[mailto:owner-postfix-users@postfix.org] On Behalf Of Jeroen Geilman
Sent: Tuesday, October 19, 2010 7:10 PM
To: postfix-users@postfix.org
Subject: Re: Fighting Backscatter

On 10/20/2010 02:52 AM, Steve Jenkins wrote:

I will gladly solve the RIGHT problem. The fact that I'm here looking for
guidance should demonstrate that I'm looking to do exactly that.
Unfortunately, I can't simply put "DO NOT forward SPAM" in my main.cf and
have it work. ;) After reading through all the docs and various blog and
forum posts, and making my best efforts at incorporating what I've learned
into my configuration, it seems I'm still causing backscatter.

Don't accept mail you cannot deliver. Really, that's Numero Uno.
Proper sender and recipient verification - insofar as is feasible for your
site - goes a long way to prevent that from happening.

That's exactly why I'm posting on Postfix-users - because I need a little
more guidance than just "RTFM." :) So if anyone can help me with some SPECIFIC
steps to take, I'd be very appreciative.

I posted it initially, but here again is my postconf -n output:

<snippety>

smtpd_recipient_restrictions = permit_sasl_authenticated,
reject_unauth_destination, reject_unknown_recipient_domain,
reject_unknown_sender_domain, reject_non_fqdn_recipient,
reject_non_fqdn_sender, reject_invalid_hostname, permit_mynetworks, permit

You're missing some of the better spam prevention methods here, such as
decent HELO checks, and an RBL or two.

I'd suggest at least adding reject_unknown_reverse_client_hostname in there,
as well as (testing out) reject_[invalid|unknown|non_fqdn]_helo_hostname.

My personal server uses:

smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_reverse_client_hostname,
    warn_if_reject reject_non_fqdn_helo_hostname,
    warn_if_reject reject_invalid_helo_hostname,
    warn_if_reject reject_unknown_helo_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_helo_access hash:/etc/postfix/helo_access,
    permit

helo_access contains permutations of my own IP and hostname(s), which I
REJECT.

My zen RBL check is moved to postscreen, since I run a pre-2.8 build.

smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unknown_sender_domain

Instead of specifying each restriction set by itself, put them all together
under recipient_restrictions so you can follow along what happens.
It will also log more information.

virtual_alias_domains = familyname.com
virtual_alias_maps = hash:/etc/postfix/virtual

It would be mildly interesting to see what is in those files, since a
virtual_alias_domain is potentially a wildcard recipient domain.

-----Original Message-----
From: Wietse Venema [mailto:wietse@porcupine.org]
Sent: Tuesday, October 19, 2010 5:16 AM
To: Steve Jenkins
Cc: Postfix users
Subject: Re: Fighting Backscatter

Steve Jenkins:

Oh, and please don't top-post.

-- J.
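An added example, not from this thread and not Postfix's own code: a small Python model of the first-match walk Postfix does over smtpd_recipient_restrictions, applied to the restriction order Jeroen posted, plus a helper that builds a helo_access map of the kind he describes. The permutations the helper rejects (each own hostname, the bare IP, and the bracketed address-literal form) are my assumption about what "permutations of my own IP and hostname(s)" means, not something Jeroen stated. The server identity, the stand-in for DNS, and the SMTP sessions are constructed, and the evaluator only approximates Postfix: it does exact helo_access lookups, has no real DNS, and does not model reject_unauth_pipelining.

```python
"""Added example (not from the postfix-users thread): a first-match model of
Postfix's smtpd_recipient_restrictions, plus a helo_access map builder.
Server identity, "DNS" knowledge and SMTP sessions are all constructed."""
import ipaddress
import re

# Constructed server identity: familyname.com is the thread's anonymized domain,
# the IP is a TEST-NET address chosen for this example (assumption).
OWN_HOSTNAMES = ["mail.familyname.com", "familyname.com"]
OWN_IPS = ["192.0.2.25"]
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]        # as in Steve's main.cf
LOCAL_DOMAINS = {"familyname.com", "mail.familyname.com"}  # mydestination + virtual_alias_domains
# Stand-in for DNS: names this model treats as resolvable (constructed).
KNOWN_DOMAINS = LOCAL_DOMAINS | {"example.org", "mx.example.org", "example.net",
                                 "mta.example.net", "host-9.dsl.example.net"}

# Jeroen's restriction order as posted, warn_if_reject wrappers included.
RESTRICTIONS = [
    "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
    "reject_unknown_reverse_client_hostname",
    "warn_if_reject reject_non_fqdn_helo_hostname",
    "warn_if_reject reject_invalid_helo_hostname",
    "warn_if_reject reject_unknown_helo_hostname",
    "reject_unauth_pipelining", "reject_non_fqdn_sender", "reject_unknown_sender_domain",
    "reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
    "check_helo_access hash:/etc/postfix/helo_access", "permit",
]

_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

def _valid_hostname(name):
    return bool(name) and all(_LABEL.match(label) for label in name.split("."))

def _is_fqdn(name):
    return "." in name and _valid_hostname(name)

def _domain(address):
    return address.rsplit("@", 1)[-1].lower()

def build_helo_access(hostnames, ips):
    """Assumed 'own identity' HELO permutations to reject: each own hostname, the
    bare IP and the [IP] address literal. The server's own clients never reach this
    lookup, because permit_mynetworks / permit_sasl_authenticated come earlier."""
    table = {h.lower(): "REJECT" for h in hostnames}
    for ip in ips:
        table[ip] = table[f"[{ip}]"] = "REJECT"
    return table

def render_helo_access(table):
    """Body of /etc/postfix/helo_access; build the hash: map with postmap afterwards."""
    return "".join(f"{key} {action}\n" for key, action in sorted(table.items()))

def evaluate(session, helo_access, restrictions=RESTRICTIONS):
    """Walk the list first-match. Returns (action, deciding_restriction, warnings);
    warnings lists warn_if_reject checks that would have rejected but only logged."""
    warnings, client, helo = [], ipaddress.ip_address(session["client_ip"]), session["helo"]
    literal = helo.startswith("[")  # HELO [1.2.3.4]: the hostname checks do not apply
    for item in restrictions:
        warn_only = item.startswith("warn_if_reject ")
        name = item.split(" ", 1)[1] if warn_only else item
        decision = None  # None means DUNNO: fall through to the next restriction
        if name == "permit_mynetworks" and any(client in net for net in MYNETWORKS):
            decision = "PERMIT"
        elif name == "permit_sasl_authenticated" and session["sasl"]:
            decision = "PERMIT"
        elif name == "reject_unauth_destination" and _domain(session["rcpt"]) not in LOCAL_DOMAINS:
            decision = "REJECT"
        elif name == "reject_unknown_reverse_client_hostname" and session["rdns"] is None:
            decision = "REJECT"
        elif name == "reject_non_fqdn_helo_hostname" and not literal and not _is_fqdn(helo):
            decision = "REJECT"
        elif name == "reject_invalid_helo_hostname" and not literal and not _valid_hostname(helo):
            decision = "REJECT"
        elif name == "reject_unknown_helo_hostname" and not literal and helo.lower() not in KNOWN_DOMAINS:
            decision = "REJECT"
        elif name == "reject_non_fqdn_sender" and not _is_fqdn(_domain(session["sender"])):
            decision = "REJECT"
        elif name == "reject_unknown_sender_domain" and _domain(session["sender"]) not in KNOWN_DOMAINS:
            decision = "REJECT"
        elif name == "reject_non_fqdn_recipient" and not _is_fqdn(_domain(session["rcpt"])):
            decision = "REJECT"
        elif name == "reject_unknown_recipient_domain" and _domain(session["rcpt"]) not in KNOWN_DOMAINS:
            decision = "REJECT"
        elif name.startswith("check_helo_access"):
            decision = helo_access.get(helo.lower())  # exact match only; Postfix also tries parent domains
        elif name == "permit":
            decision = "PERMIT"
        # reject_unauth_pipelining depends on protocol timing this model cannot see: DUNNO.
        if decision == "REJECT" and warn_only:
            warnings.append(name)
            continue
        if decision:
            return decision, item, warnings
    return "DUNNO", None, warnings

def _s(client_ip, rdns, helo, sender, rcpt, sasl=False):
    return dict(client_ip=client_ip, rdns=rdns, helo=helo, sender=sender, rcpt=rcpt, sasl=sasl)

# Constructed sessions; rdns None means the client IP has no PTR record.
SESSIONS = {
    "legit_remote":  _s("198.51.100.7", "mx.example.org", "mx.example.org", "postmaster@example.org", "steve@familyname.com"),
    "relay_attempt": _s("198.51.100.7", "mx.example.org", "mx.example.org", "postmaster@example.org", "victim@example.net"),
    "forged_helo":   _s("203.0.113.9", "host-9.dsl.example.net", "mail.familyname.com", "dad@familyname.com", "steve@familyname.com"),
    "no_rdns":       _s("203.0.113.44", None, "[203.0.113.44]", "x@example.net", "steve@familyname.com"),
    "local_client":  _s("127.0.0.1", "localhost", "localhost", "steve@familyname.com", "friend@example.net"),
    "sloppy_helo":   _s("198.51.100.8", "mta.example.net", "mta", "postmaster@example.net", "steve@familyname.com"),
}

def run_all():
    helo_access = build_helo_access(OWN_HOSTNAMES, OWN_IPS)
    return {name: evaluate(session, helo_access) for name, session in SESSIONS.items()}

if __name__ == "__main__":
    print(render_helo_access(build_helo_access(OWN_HOSTNAMES, OWN_IPS)))
    for name, (action, rule, warns) in run_all().items():
        print(f"{name:14} {action:6} by {rule}" + (f"  (warned: {', '.join(warns)})" if warns else ""))
```

Run stand-alone it prints the map body and one verdict per session. Two things it makes visible that the thread only states: a remote client greeting with the server's own hostname is rejected at check_helo_access while the relay attempt is already stopped earlier by reject_unauth_destination, and the warn_if_reject entries only log (the sloppy_helo session still reaches permit), which is why the HELO checks are wrapped that way while the effect on legitimate senders is being watched.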