
sender non-delivery notification


jean-michel bain-cornu

Dec 28, 2007, 3:53:08 PM
Hi,
I have some trouble with my postfix 2.3.8 on an up-to-date Debian. It
looks like it is being used as a relay for spam.
See the sample below: nobody on the server really tried to send a mail
to jra...@apu.edu, but I got a sent status after a strange 'sender
non-delivery notification'.
I have not been successful in finding info about that on the web, nor in
the documentation.
If somebody has some hint or explanation, it would be great.
jm

Dec 28 21:31:22 ns36023 postfix/cleanup[28504]: A1052229FE:
message-id=<20071228203122.
Dec 28 21:31:22 ns36023 postfix/qmgr[24536]: A1052229FE: from=<>,
size=6925, nrcpt=1 (queue active)
Dec 28 21:31:22 ns36023 postfix/bounce[21572]: E8E66229FC: sender
non-delivery notification: A1052229FE
Dec 28 21:31:22 ns36023 postfix/qmgr[24536]: E8E66229FC: removed
Dec 28 21:31:22 ns36023 postfix/smtp[13506]: 94D78229FF:
to=<jra...@apu.edu>, relay=mx.apu.edu[199.184.238.25]:25, delay=1.3,
delays=0/0/0.45/0.82, dsn=2.6.0, status=sent (250 2.6.0
<200712282031...@xxxxxx.xxxx.xx> Queued mail for delivery)
Dec 28 21:31:22 ns36023 postfix/qmgr[24536]: 94D78229FF: removed
Dec 28 21:31:23 ns36023 postfix/smtpd[27054]: disconnect from
ppp91-122-162-209.pppoe.avangard-dsl.ru[91.122.162.209]
Dec 28 21:31:24 ns36023 postfix/smtp[4933]: A1052229FE:
to=<jra...@apu.edu>, relay=mx.apu.edu[199.184.238.25]:25, delay=1.4,
delays=0/0/0.45/0.94, dsn=2.6.0, status=sent (250 2.6.0
<200712282031...@xxxxxx.xxxx.xx> Queued mail for delivery)
Dec 28 21:31:24 ns36023 postfix/qmgr[24536]: A1052229FE: removed
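The log excerpt above can be read mechanically. As an added example (not part of the thread), the Python below correlates the three lines that belong to one bounce: the postfix/bounce line that creates a 'sender non-delivery notification' under a new queue id, the qmgr line showing that new message carries the null sender from=<>, and the smtp line delivering it to a remote relay. The sample log is constructed from the excerpt; the truncated message-id line and the masked message-ids in the 250 replies are left out.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log excerpt posted in this thread: same queue
# ids, daemons and timing; the truncated message-id line is left out.
SAMPLE_LOG = """\
Dec 28 21:31:22 ns36023 postfix/qmgr[24536]: A1052229FE: from=<>, size=6925, nrcpt=1 (queue active)
Dec 28 21:31:22 ns36023 postfix/bounce[21572]: E8E66229FC: sender non-delivery notification: A1052229FE
Dec 28 21:31:22 ns36023 postfix/qmgr[24536]: E8E66229FC: removed
Dec 28 21:31:22 ns36023 postfix/smtp[13506]: 94D78229FF: to=<jra...@apu.edu>, relay=mx.apu.edu[199.184.238.25]:25, delay=1.3, delays=0/0/0.45/0.82, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Dec 28 21:31:23 ns36023 postfix/smtpd[27054]: disconnect from ppp91-122-162-209.pppoe.avangard-dsl.ru[91.122.162.209]
Dec 28 21:31:24 ns36023 postfix/smtp[4933]: A1052229FE: to=<jra...@apu.edu>, relay=mx.apu.edu[199.184.238.25]:25, delay=1.4, delays=0/0/0.45/0.94, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Dec 28 21:31:24 ns36023 postfix/qmgr[24536]: A1052229FE: removed
"""

BOUNCE_RE = re.compile(r"postfix/bounce\[\d+\]: (\w+): sender non-delivery notification: (\w+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
SENT_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<([^>]+)>, relay=([^,]+),.*status=(\w+)")


def find_outbound_backscatter(log_text):
    """Return DSNs this host generated itself and then delivered to a remote relay.
    postfix/bounce logs '<orig id>: sender non-delivery notification: <new id>' when
    the local bounce daemon builds a DSN for the envelope sender of <orig id>.  If
    <new id> has the null sender from=<> and leaves via postfix/smtp with status=sent,
    the bounce went to whatever address the original envelope claimed to be from.
    """
    bounces = {}                    # new (bounce) queue id -> original queue id
    senders = {}                    # queue id -> envelope sender
    deliveries = defaultdict(list)  # queue id -> [(recipient, relay, status)]
    for line in log_text.splitlines():
        if m := BOUNCE_RE.search(line):
            bounces[m.group(2)] = m.group(1)
        elif m := FROM_RE.search(line):
            senders[m.group(1)] = m.group(2)
        elif m := SENT_RE.search(line):
            deliveries[m.group(1)].append(m.group(2, 3, 4))
    findings = []
    for bounce_id, original_id in bounces.items():
        if senders.get(bounce_id) != "":
            continue  # not a null-sender DSN, so not a locally generated bounce
        for recipient, relay, status in deliveries[bounce_id]:
            if status == "sent":
                findings.append({"bounce_id": bounce_id, "original_id": original_id,
                                 "to": recipient, "relay": relay})
    return findings


if __name__ == "__main__":
    for f in find_outbound_backscatter(SAMPLE_LOG):
        print(f"bounce {f['bounce_id']} for {f['original_id']} sent to {f['to']} via {f['relay']}")
```

On the sample, only A1052229FE is reported: 94D78229FF also went to the same recipient but the excerpt shows no bounce record for it, so the script cannot say what it was.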

Martin Gregorie

Dec 30, 2007, 5:49:54 PM
jean-michel bain-cornu wrote:
> Hi,
> I have some trouble with my postfix 2.3.8 on an up-to-date Debian. It
> looks like it is being used as a relay for spam.
>
Just to make sure you are not a relay, tell us what you have set in
main.cf to stop your Postfix from being used as an open relay and/or
post the "postconf -n" output.

> See the sample below: nobody on the server really tried to send a mail
> to jra...@apu.edu, but I got a sent status after a strange 'sender
> non-delivery notification'.
>

The usual reason for unexpected "non-deliverable" reports is that
somebody on the Internet has forged your address as the sender of spam
that got bounced. This is known as back-scatter - search for that term
to get a full explanation.

The best defense is to set up an SPF record for your domain - look at
these sites for explanation of SPF and how to set up and test an SPF record:

http://www.openspf.org/
http://www.kitterman.com/spf/validate.html


--
martin@gregorie.org | Martin Gregorie, Essex, UK

Jean-Michel Bain-Cornu

Dec 31, 2007, 12:39:38 PM
>> I have some trouble with my postfix 2.3.8 on an up-to-date Debian. It
>> looks like it is being used as a relay for spam.
> >
> Just to make sure you are not a relay, tell us what have you set in
> main.cf to stop your Postfix from being used as an open relay and/or
> post the "postconf -n" output.
The only cases of sending unsolicited email I saw in the logs are
those I asked about.
Anyway, I give you what you asked for (see below).

>> See the sample below: nobody on the server really tried to send a
>> mail to jra...@apu.edu, but I got a sent status after a strange
>> 'sender non-delivery notification'.
> >
> The usual reason for unexpected "non-deliverable" reports is that
> somebody on the Internet has forged your address as the sender of spam
> that got bounced. This is known as back-scatter - search for that term
> to get a full explanation.
>
> The best defense is to set up an SPF record for your domain - look at
> these sites for explanation of SPF and how to set up and test an SPF
> record:
>
> http://www.openspf.org/
> http://www.kitterman.com/spf/validate.html

Thanks. I'm going to read it asap.

bounce_queue_lifetime = 0
smtpd_banner = $myhostname ESMTP $mail_name (xxxxxx)
biff = no
append_dot_mydomain = no
myhostname = xxxxxx.xxxx.xx
mydomain = xxxx.xx
mynetworks_style = host
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_alias_maps = hash:/etc/postfix/virtual
smtp_generic_maps = hash:/etc/postfix/generic
transport_maps = hash:/etc/postfix/transport
myorigin = $mydomain
mydestination = $myhostname $mydomain
relay_domains = $mydomain
mynetworks = 127.0.0.1 xxx.xxx.xxx.xxx
recipient_delimiter = +
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
local_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
mailbox_size_limit = 0
message_size_limit = 50000000
smtpd_reject_unlisted_recipient = no
smtpd_tls_key_file = /etc/ssl/mailAC/private/server_tls.pem
smtpd_tls_cert_file = /etc/ssl/mailAC/certs/server_signed.pem
smtpd_tls_CAfile = /etc/ssl/mailAC/private/mailAC.crt
smtpd_tls_loglevel = 1
smtp_recipient_restrictions = permit_mynetworks reject
smtp_tls_key_file = /etc/ssl/mailAC/private/server_tls.pem
smtp_tls_cert_file = /etc/ssl/mailAC/certs/server_signed.pem
smtp_tls_CAfile = /etc/ssl/mailAC/private/mailAC.crt
smtp_tls_loglevel = 1

Martin Gregorie

Dec 31, 2007, 3:30:51 PM
Jean-Michel Bain-Cornu wrote:
> Anyway I give you what you ask (see below).
>
Thanks (comment below).

> Thanks. I'm going to read it asap.
>

Earlier this year I was getting quite a bit of backscatter, so I set up
an SPF record. The backscatter gradually got less and now I see almost none.

The descriptions of exactly what details should go in the SPF record are
not all that clear, so I'd strongly advise you to use the wizard in the
second reference to create the record and then use the other tools to
test it.

> myorigin = $mydomain
> relay_domains = $mydomain
>
Good.

> mynetworks = 127.0.0.1 xxx.xxx.xxx.xxx
>
What does xxx.xxx.xxx.xxx represent? Is it your ISP's MTA or your
domain's MX server(s)?

mynetworks should not permit anything that is not under your control or
trusted by you to send mail through Postfix. Are your users trusted or
are you running a spam filter on outbound mail?

About all I can tell is that you're using TLS keys to secure SMTP
connections to other MTAs and restricting originating MUAs to
$mynetworks, so that should be OK, though it's hard to be certain without
knowing what xxx.xxx.xxx.xxx represents.
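Martin's checklist (what mynetworks trusts, and whether relaying is actually refused) can be scripted against "postconf -n" output. This is an added example, not from the thread or from Postfix itself; the sample input is constructed from the settings posted above, with the masked address replaced by the documentation address 203.0.113.7. It also flags restriction lists spelled smtp_* rather than smtpd_*, because Postfix consults only the smtpd_*_restrictions names for inbound mail and silently ignores the former.

```python
import ipaddress

# Constructed sample modelled on the "postconf -n" output posted in this thread;
# the address the poster masked as xxx.xxx.xxx.xxx is stood in for by 203.0.113.7.
SAMPLE_POSTCONF = """\
mynetworks_style = host
mynetworks = 127.0.0.1 203.0.113.7
relay_domains = $mydomain
mydestination = $myhostname $mydomain
smtpd_reject_unlisted_recipient = no
smtp_recipient_restrictions = permit_mynetworks reject
"""

RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_postconf(text):
    """Turn the 'name = value' lines that postconf -n prints into a dict."""
    conf = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            conf[name.strip()] = value.strip()
    return conf


def review_relay_controls(conf):
    """Return (parameter, finding) pairs for the relay questions raised in this thread.
    Postfix decides who may relay in smtpd_recipient_restrictions (note the 'd': smtpd_*
    is the inbound server, smtp_* the outbound client) and refuses relaying only when
    that list contains reject_unauth_destination or defer_unauth_destination.  Every
    mynetworks entry relays via permit_mynetworks, so non-loopback entries need a reason.
    """
    findings = []
    for entry in conf.get("mynetworks", "").split():
        try:  # Postfix writes IPv6 as [::1]/128; the ipaddress module wants ::1/128
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            findings.append(("mynetworks", f"{entry}: lookup table, contents not visible here"))
            continue
        if not net.is_loopback:
            findings.append(("mynetworks", f"{entry} may relay unauthenticated; confirm it is yours"))
    restrictions = conf.get("smtpd_recipient_restrictions")  # unset means the safe default
    if restrictions is not None and not RELAY_GUARDS & set(restrictions.replace(",", " ").split()):
        findings.append(("smtpd_recipient_restrictions", "lacks reject/defer_unauth_destination"))
    for name in conf:
        if name.startswith("smtp_") and name.endswith("_restrictions"):
            findings.append((name, "not a Postfix parameter (smtp_, not smtpd_); it is ignored"))
    return findings


if __name__ == "__main__":
    for param, finding in review_relay_controls(parse_postconf(SAMPLE_POSTCONF)):
        print(f"{param}: {finding}")
```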

Jean-Michel Bain-Cornu

Jan 1, 2008, 4:36:13 AM
>> mynetworks = 127.0.0.1 xxx.xxx.xxx.xxx
> >
> What does xxx.xxx.xxx.xxx represent? Is it your ISP's MTA or your
> domain's MX server(s)?
>
> mynetworks should not permit anything that is not under your control or
> trusted by you to send mail through Postfix. Are your users trusted or
> are you running a spam filter on outbound mail?
>
> About all I can tell is that you're using TLS keys to secure SMTP
> connections to other MTAs and restricting originating MUAs to
> $mynetworks, so that should be OK though its hard to be certain without
> knowing what xxx.xxx.xxx.xxx represents.

It's my client router IP. It gives me the ability to send email directly
from my MUA. It's a potential weakness if the provider decides to change it
(it has never occurred in two years), and also through IP spoofing, so I
plan to set up TLS access, which was not possible with the previous
release of postfix I used.
When I'm away, I use the local IMP client over an SSL https access.

Thanks Martin for your help. It's good to have it (it was almost tricky
to set up postfix correctly with only the official documentation and the
web).

Have a happy new year (it should already be done, given your location)
jm
