Here is the header, for example:
Return-Path: <con...@mydomain.com>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mydomain.com
X-Spam-Flag: YES
X-Spam-Level: **************************************************
X-Spam-Status: Yes, score=50.0 required=5.0 tests=DCC_CHECK,DIGEST_MULTIPLE,
DKIM_SIGNED,DRUGS_ERECTILE,DRUG_ED_CAPS,FH_HELO_EQ_D_D_D_D,
FROM_IN_TO_AND_SUBJ,HELO_DYNAMIC_IPADDR2,HTML_IMAGE_ONLY_12,HTML_MESSAGE,
HTML_SHORT_LINK_IMG_1,LIVEFILESTORE,MIME_HTML_ONLY,PYZOR_CHECK,
RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RDNS_NONE,
SUBJECT_NEEDS_ENCODING,TO_EQ_FM_DIRECT_MX,TO_EQ_FM_DOM_HTML_IMG,
TO_EQ_FM_DOM_HTML_ONLY,TO_EQ_FM_HTML_DIRECT,TO_EQ_FM_HTML_ONLY,TO_IN_SUBJ,
TO_NO_BRKTS_DIRECT,TO_NO_BRKTS_NORDNS_HTML,TO_NO_BRKTS_PCNT,T_DKIM_INVALID,
T_REMOTE_IMAGE,T_SURBL_MULTI1,T_SURBL_MULTI2,T_SURBL_MULTI3,
T_URIBL_BLACK_OVERLAP,URIBL_AB_SURBL,URIBL_BLACK,URIBL_DBL_SPAM,
URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=spam
version=3.3.1
X-Spam-Report:
* 3.9 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
* 1.1 FH_HELO_EQ_D_D_D_D Helo is d-d-d-d
* 4.5 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
* [URIs: sysoogayn.com]
* 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
* [URIs: sysoogayn.com]
* 1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
* [URIs: sysoogayn.com]
* 0.0 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
* [URIs: sysoogayn.com]
* 1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
* [URIs: sysoogayn.com]
* 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
* [URIs: sysoogayn.com]
* 1.0 DRUG_ED_CAPS BODY: Mentions an E.D. drug
* 2.6 LIVEFILESTORE URI: LIVEFILESTORE
* 1.6 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 1.1 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
* 1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
* 2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
* [cf: 100]
* 0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
* [cf: 100]
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
* 2.0 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
* 0.0 DIGEST_MULTIPLE Message hits more than one network digest check
* 2.2 DRUGS_ERECTILE Refers to an erectile drug
* 0.0 T_SURBL_MULTI2 T_SURBL_MULTI2
* 0.0 T_URIBL_BLACK_OVERLAP T_URIBL_BLACK_OVERLAP
* 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
* 0.1 SUBJECT_NEEDS_ENCODING SUBJECT_NEEDS_ENCODING
* 0.1 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image
* 0.0 T_SURBL_MULTI3 T_SURBL_MULTI3
* 0.0 T_SURBL_MULTI1 T_SURBL_MULTI1
* 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
* 0.8 TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link
* 2.1 FROM_IN_TO_AND_SUBJ From address is in To and Subject
* 0.4 TO_NO_BRKTS_PCNT To: misformatted + percentage
* 0.2 TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only
* 1.5 TO_IN_SUBJ To address is in Subject
* 1.1 TO_EQ_FM_DIRECT_MX To == From and direct-to-MX
* 0.0 T_REMOTE_IMAGE Message contains an external image
* 1.1 TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML only
* 3.2 TO_EQ_FM_HTML_DIRECT To == From and HTML only, direct-to-MX
* 1.7 TO_EQ_FM_HTML_ONLY To == From and HTML only
* 3.5 TO_NO_BRKTS_DIRECT To: misformatted and direct-to-MX
Delivered-To: con...@mydomain.com
Received: from mail.mydomain.com (localhost [127.0.0.1])
by mail.mydomain.com (Postfix) with ESMTP id 15B14102F33
for <con...@mydomain.com>; Wed, 19 Jan 2011 14:15:42 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mydomain.com; h=from:to
:subject:mime-version:content-type:content-transfer-encoding; s=
mail; bh=ssAe2x6s3O6nOGEcewgIBuO3Xhw=; b=IRQ6bNnSEG6L0vD2BJdSy2u
RYZA/XCx/C0KmBfzpcM7g0AGqFqOMWJ42QKGtxITAi4SxNP8umArqYkiQzwvBRuX
IFY+sVUftO8CzfG7G1wq4kQbzs6KCXwjdB6pjapM5aE9p3oM+BRHX2NX5ibRL3bO
DJaxAzHVvhf0ZeoGVKeY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=mydomain.com; h=from:to
:subject:mime-version:content-type:content-transfer-encoding; q= dns;
s=mail; b=CCksT1DHtAGI3hRSsmlekaNBKlbdmLiwaszjz0JYdB3mJhaZK
YbW5ejyDRAfPl7yx74uKwm8VYtW+D5tEYkqxNj4JqhULw5AFm0WBwMu5ljO2cET8
VGPMkHSqWwLWr7uXd/5Vnf947xem5kox1s36dSD5ismtG47EN1EIrjUr74=
Received: from 119-24-207-82.pool.ukrtel.net (unknown [82.207.24.119])
by mail.mydomain.com (Postfix) with SMTP id 5D199102F32
for <con...@mydomain.com>; Wed, 19 Jan 2011 14:15:41 +0200 (EET)
From: con...@mydomain.com
To: con...@mydomain.com
Subject: con...@mydomain.com VIAGRA ® Official -04%
Mime-Version: 1.0
Content-type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <2011011912154...@mail.mydomain.com>
Date: Wed, 19 Jan 2011 14:15:42 +0200 (EET)
Here is the postmail user config:
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
message_size_limit = 30720000
myhostname = mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
proxy_read_maps = $local_recipient_maps $mydestination
    $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
    $virtual_mailbox_domains $relay_recipient_maps $relay_domains
    $canonical_maps $sender_canonical_maps $recipient_canonical_maps
    $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = no
receive_override_options = no_address_mappings
recipient_delimiter = +
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions =
    permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,
    check_helo_access dbm:/etc/postfix/helo_checks
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/ssl/mail.mydomain.com.pem
smtpd_tls_cert_file = /etc/postfix/ssl/mail.mydomain.com.crt
smtpd_tls_key_file = /etc/postfix/ssl/mail.mydomain.com.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf,
    proxy:mysql:/etc/postfix/mysql_virtual_alias_domain_maps.cf,
    proxy:mysql:/etc/postfix/mysql_virtual_alias_domain_catchall_maps.cf
virtual_gid_maps = static:1005
virtual_mailbox_base = /var/spool/postmail
virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf,
    proxy:mysql:/etc/postfix/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:1004
Regards,
Hristo Simeonov
> Hello ppl,
> can someone help with postfix? I have version 2.7.2 installed on
> slackware 13.2 with spam assassin, clamd, domainkey. I use dovecot 2.0.8
> as the local delivery agent + sieve plugin for the spam folder. The problem is
> that spammers send spam email to local hosts from the local domain. How to
> disable that?
>
> Received: from 119-24-207-82.pool.ukrtel.net (unknown [82.207.24.119])
> by mail.mydomain.com (Postfix) with SMTP id 5D199102F32
> for <con...@mydomain.com>; Wed, 19 Jan 2011 14:15:41 +0200 (EET)
The origin IP address is listed in zen.spamhaus.org
119.24.207.82.zen.spamhaus.org. 300 IN A 127.0.0.11
119.24.207.82.zen.spamhaus.org. 300 IN A 127.0.0.4
So it is listed in PBL and XBL. You really should not accept mail from
PBL hosts.
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> reject_unauth_destination,
> check_helo_access dbm:/etc/postfix/helo_checks
Do consider adding RBL checks against SpamHaus Zen, either via the
public mirrors (your own DNS resolver, not an upstream ISP cache),
or a paid feed.
--
Viktor.
My mailserver has a low load average and I did not enable blacklists; I
have them commented because I am checking sieve delivery to the spam folder.
The thing that I wanna ask is how to stop email like this one from being
received.
As I see the header, I understand, and probably Postfix too:
From: con...@mydomain.com
To: con...@mydomain.com
Mail is coming from me to me again, and Postfix forwards the email; it's
signed by my own server with my own key and delivered to me. Well,
probably I can't explain very well what I want, but I want this not to be
able to happen, or maybe this is a bug: when Postfix sees my own email
address sending email, Postfix thinks that the email is going out and signs
the email with DomainKey.
I added this line:
check_helo_access dbm:/etc/postfix/helo_checks
and that file contains:
mydomain.com REJECT You are not in mydomain.com
but it seems something does not work or I made a mistake somewhere,
that's why I'm asking for help.
Hristo.
Use check_sender_access, not check_helo_access.
> From: con...@mydomain.com
> To: con...@mydomain.com
The same thing happens when you or I receive our own posts from this list.
There is nothing wrong with inbound mail whose "From:" header is your
own address. Some sites reject envelope sender addresses that bear their
own domain. This imposes much less (often tolerable) collateral damage.
Lots of posts in the list archives describe how to stop such "forgery".
As for DKIM signing, you need to make your DKIM software aware of the
message "origin" and only sign outbound email.
--
Viktor.
I think my email server is configured to sign only outbound emails. Here is
my master.cf file:
smtp            inet  n       -       -       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
dovecot         unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/bin/spamc -u ${recipient} -e /usr/local/libexec/dovecot/deliver -d ${recipient}
pickup          fifo  n       -       -       60      1       pickup
# -o content_filter=dksign:[127.0.0.1]:10027
cleanup         unix  n       -       -       -       0       cleanup
qmgr            fifo  n       -       n       300     1       qmgr
#qmgr           fifo  n       -       -       300     1       oqmgr
tlsmgr          unix  -       -       -       1000?   1       tlsmgr
rewrite         unix  -       -       -       -       -       trivial-rewrite
bounce          unix  -       -       -       -       0       bounce
defer           unix  -       -       -       -       0       bounce
trace           unix  -       -       -       -       0       bounce
verify          unix  -       -       -       -       1       verify
flush           unix  n       -       -       1000?   0       flush
proxymap        unix  -       -       n       -       -       proxymap
proxywrite      unix  -       -       n       -       1       proxymap
smtp            unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay           unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq           unix  n       -       -       -       -       showq
error           unix  -       -       -       -       -       error
retry           unix  -       -       -       -       -       error
discard         unix  -       -       -       -       -       discard
local           unix  -       n       n       -       -       local
virtual         unix  -       n       n       -       -       virtual
lmtp            unix  -       -       -       -       -       lmtp
anvil           unix  -       -       -       -       1       anvil
scache          unix  -       -       -       -       1       scache
smtp-amavis     unix  -       -       n       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet  n       -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
  -o local_header_rewrite_clients=
dksign          unix  -       -       n       -       4       smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls
127.0.0.1:10028 inet  n       -       n       -       10      smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
For that reason I think something is wrong when email comes from remote to me,
from me, and is signed with DK.
For forgery, is that probably the correct page that I need to read?
http://www.postfix.org/BACKSCATTER_README.html
--
Regards,
Condor
The headers are trivially spoofed and should never be relied upon for
accepting or rejecting mail.
The envelope (SMTP protocol) MAIL FROM address offers more reliable
screening.
There are two common ways to prevent this sort of spoof:
- if you only accept blanket mail from trusted domains and authenticated
users, add a check_sender_access map to your smtpd_sender_restrictions
that REJECTs all your domains AFTER permitting these two classes of clients:
smtpd_sender_restrictions = permit_mynetworks,
    permit_sasl_authenticated, check_sender_access
    hash:/etc/postfix/fake_domains [, anything else you have]
and in /etc/postfix/fake_domains:
@yourdomain.com REJECT Stop spoofing my domain!
@otherdomain.com REJECT No spoofing from you!
- if that's too much trouble, or you have complicated relay
requirements, consider at least adding reject_unlisted_sender in your
smtpd_sender_restrictions somewhere. This REJECTS any sender address
that lies within a domain that you control, but for which the address
itself is NOT valid.
However, while stopping some common mass email dictionary floods, this
does not prevent spammers from using real existing addresses as the sender.
I usually just use both, it doesn't hurt.
--
J.
There is no "@" in the key.
yourdomain.com REJECT Stop spoofing my domain!
otherdomain.com REJECT No spoofing from you!
http://www.postfix.org/access.5.html
-- Noel Jones
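The restriction chain this thread converges on, as an added example written for this page (it is not code from the thread, and not Postfix code): a small Python model of how smtpd walks permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org (Viktor's advice above) and check_sender_access on the envelope MAIL FROM (J.'s map, with Noel Jones' correction that an access(5) key carries no leading "@"). The DNS answers, the map contents, the client address 203.0.113.5 and the sender user@mydomain.com are constructed for the demonstration; the two Zen answers for 82.207.24.119 are the ones Viktor quoted. It goes slightly beyond the thread by applying the documented access(5) key order, so a sender in a subdomain also matches the parent-domain key.

```python
"""Offline model of the smtpd restrictions discussed in the thread.

Not Postfix code: it imitates the documented behaviour of permit_mynetworks,
permit_sasl_authenticated, reject_rbl_client and check_sender_access so the
effect of the advice can be seen without a mail server.  Postfix keeps the
client and sender checks in separate lists (smtpd_client_restrictions,
smtpd_sender_restrictions); the model flattens them into one ordered list.
"""
import ipaddress

# Constructed stand-in for the resolver.  The two A records are the ones
# quoted in the thread for 82.207.24.119 (127.0.0.4 = XBL, 127.0.0.11 = PBL).
FAKE_DNS = {
    "119.24.207.82.zen.spamhaus.org": ["127.0.0.11", "127.0.0.4"],
}

# Documented Spamhaus Zen return codes, keyed by the last octet of the answer.
ZEN_CODES = {2: "SBL", 3: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             9: "SBL", 10: "PBL", 11: "PBL"}

# 127.0.0.0/8 as in the poster's main.cf mynetworks.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]

# /etc/postfix/fake_domains as Noel Jones corrected it: no "@" in the key.
FAKE_DOMAINS = {"mydomain.com": "REJECT Stop spoofing my domain!"}
# J.'s first draft, kept only to show why that key never matches.
FAKE_DOMAINS_WITH_AT = {"@mydomain.com": "REJECT Stop spoofing my domain!"}


def rbl_query_name(ip, zone):
    """DNSBL query name: reverse the octets and append the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def rbl_lists(ip, zone="zen.spamhaus.org", dns=FAKE_DNS):
    """Sorted Zen sub-lists the IP appears on; empty list means not listed."""
    answers = dns.get(rbl_query_name(ip, zone), [])
    return sorted({ZEN_CODES.get(int(a.rsplit(".", 1)[1]), "UNKNOWN")
                   for a in answers})


def access_lookup(table, address):
    """Key order access(5) uses for an email address: user@domain, then the
    domain and each parent domain (smtpd_access_maps is in
    parent_domain_matches_subdomains by default), then user@.
    Returns None when no key matches (DUNNO: the table has no opinion)."""
    local, _, domain = address.lower().partition("@")
    labels = domain.split(".")
    candidates = [address.lower()]
    candidates += [".".join(labels[i:]) for i in range(len(labels))]
    candidates.append(local + "@")
    for key in candidates:
        if key in table:
            return table[key]
    return None


def evaluate(client_ip, sasl_authenticated, mail_from, restrictions,
             access_table=FAKE_DOMAINS, dns=FAKE_DNS):
    """Walk the restriction list like smtpd: the first PERMIT or REJECT wins,
    a restriction with no opinion falls through, end of list permits."""
    ip = ipaddress.ip_address(client_ip)
    for r in restrictions:
        if r == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return "PERMIT"
        if r == "permit_sasl_authenticated" and sasl_authenticated:
            return "PERMIT"
        if r.startswith("reject_rbl_client "):
            zone = r.split(None, 1)[1]
            if rbl_lists(client_ip, zone, dns):
                return "REJECT blocked using " + zone
        if r == "check_sender_access":
            action = access_lookup(access_table, mail_from)
            if action is None:
                continue
            if action.upper() == "OK":
                return "PERMIT"
            if action.upper().startswith("REJECT"):
                return action
    return "PERMIT"


RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                "reject_rbl_client zen.spamhaus.org", "check_sender_access"]

if __name__ == "__main__":
    cases = [  # (client, SASL?, envelope sender, access map) -- all constructed
        ("82.207.24.119", False, "user@mydomain.com", FAKE_DOMAINS),
        ("203.0.113.5", False, "user@mydomain.com", FAKE_DOMAINS),
        ("203.0.113.5", False, "user@mydomain.com", FAKE_DOMAINS_WITH_AT),
        ("203.0.113.5", True, "user@mydomain.com", FAKE_DOMAINS),
        ("127.0.0.1", False, "user@mydomain.com", FAKE_DOMAINS),
    ]
    for ip, auth, sender, table in cases:
        print(f"{ip:14} sasl={auth!s:5} {sender:18} -> "
              f"{evaluate(ip, auth, sender, RESTRICTIONS, table)}")
```

The third case is the point of Noel's reply: with "@mydomain.com" as the key, none of the candidate keys (user@mydomain.com, mydomain.com, com, user@) matches, the map returns nothing, and the spoofed sender sails through. The first case shows why Viktor puts the Zen check first: the host in the thread's Received: header is rejected before the sender is even examined. In real Postfix the map is compiled with postmap and the two checks live in smtpd_client_restrictions and smtpd_sender_restrictions respectively.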
Thank you, that is exactly what I am looking for. I was a qmail user and
migrated to Postfix today; I have not read the whole documentation yet.
--
Regards,
Condor
Ha! I can never remember when it is and when it isn't.
--
J.
> > As for DKIM signing, you need to make your DKIM software aware of the
> > message "origin" and only sign outbound email.
>
> I think my email server is configure to sign only outbound emails. Here is
> my master.cf file:
I see it configured to sign all mail entering the SMTP server.
> smtp inet n - - - - smtpd
> -o smtpd_etrn_restrictions=reject
> -o smtpd_sasl_auth_enable=yes
> -o content_filter=dksign:[127.0.0.1]:10027
---------------------------------------
> dksign unix - - n - 4 smtp
> -o smtp_send_xforward_command=yes
> -o smtp_discard_ehlo_keywords=8bitmime,starttls
>
> For that reason i think something is wrong when email coming remote to me
> from me and signed with DK.
No, this is how you've configured the server.
> For forgery probably that is correct page that i need to read ?
> http://www.postfix.org/BACKSCATTER_README.html
No, you need to read SMTPD_ACCESS_README.html and search the list archives
for rejecting envelope sender "forgery".
--
Viktor.
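One way to act on Viktor's last point, as an added master.cf fragment that is not from the thread or from the Postfix documentation: route only authenticated submission (port 587) and locally picked-up mail through the dksign filter at 127.0.0.1:10027 (the address already used in the poster's master.cf), and leave the public port-25 smtpd without that content_filter, so mail arriving from the Internet is never signed. It assumes the amavis content_filter in the poster's main.cf stays as it is and that the poster's users are moved to port 587 for sending.

```text
# Public MX on port 25: no DKIM signer here, so inbound mail is never signed.
# (The smtp-amavis content_filter from main.cf still applies to this service.)
smtp            inet  n       -       -       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o receive_override_options=no_address_mappings

# Authenticated submission on port 587: the only SMTP entry point that hands
# mail to dksign. Clients must authenticate, so only your own users get signed.
submission      inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings

# Mail generated on the server itself (sendmail(1), cron) is also outbound,
# so it goes to the signer too; this is the line the poster had commented out.
pickup          fifo  n       -       -       60      1       pickup
  -o content_filter=dksign:[127.0.0.1]:10027
```

With SASL moved off port 25, the smtpd_recipient_restrictions override on the smtp service is no longer needed; permit_sasl_authenticated in main.cf still covers the submission service. The message in the thread arrived on port 25 unauthenticated, so under this layout it would never reach dksign, and the DKIM-Signature and DomainKey-Signature headers it carries would not have been added.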