Postfix - antispam and relay package

biggsy

Some more research turned up this:

Hello,

I currently use relay_domains and relay_transport as a means to relay
email on to another mail server which hands off to the MDA. Everything
works well.  Occasionally there may be a delivery problem when talking
to the relay_transport that results in a bounce being generated by
postfix - an expected behavior of any MTA.  What I need to do is hide
details (the IP address) of the relay_transport in the bounce message
due to security concerns.  I tried using the bounce template
configuration to do this, but postfix adds this information anyways.  Is
there any way to hide this information?
… [show rest of quote]

Is this about the RECEIVED headers in the undeliverable message? If so
then you need a content filter or header_checks rule.

Is this about the remote hostname[address]:port in the server response?
If so then you need Postfix 2.12 with smtp_delivery_status_filter to
sanitise the delivery status message.

Wietse

Current package is based on 2.10

BenKenobe

I shall explore and report, I did find smtpd_reject_footer but this appears one line below the 'offending' one and doesn't help to 'correct' the IP returned in the message.

Bismarck

@BenKenobe:

The error that the other server returned was:
550 5.1.1 user@domain.co.uk: Recipient address rejected: undeliverable address: host 192.168.1.253[192.168.1.253] said: 553 5.1.8 Sender address <double-bounce@_._.>domain does not exist (in reply to MAIL FROM command)</double-bounce@..>/user@domain.co.uk

Sorry but I can't reproduce this, your internal server (192.168.1.253) should never give such error (Recipient address rejected) since only valid email recipients/domains should pass postfix.

Another element that needs to be thought about is the response mechanism. If a user doesn't exist I want the system to 'swallow' the request and not to respond - by responding you leave the system open to harvesting attacks where a spammer sends lots of mails to 'random' account names within a domain and then vets the responses anything that doesn't generate a 'no such user' message being a positive, very soon after spam starts arriving, I proved this by setting up an account 'support' that they always seem to try but used it nowhere - and it soon started getting spam.

How can responses be 'tailored' or adjusted such that this kind of address harvesting doesn't work. You obviously can't hide a domain, you still need to work properly with SMTP senders so there must be a way to 'not respond' in a way that assists spammers - or to 'lie' - what about sending a 'no such domain' response for non existent users, this will fail permanently or sending a 'cannot deliver now try later' - the latter will choke their servers to death on retries. I can handle the rest by using 'non standard names for things such as sails instead of sales - or something even more cryptic.

I'm sure this would break some RFCs, 'swallow', 'not respond' or 'lie' would all be the same as 'no such user', there is just valid or not, no mater how you name it. And 'support@domain.com' is a very common account but eg. 'ranga.yogeshwar@domain.com' is not and guessing/harnessing such real mail accounts would be highly infective and take zillion of years.

What about configuring a block on any site / IP making more than X connection attempts to port 25 within X seconds.

This can be easily abused and make your mail server DoS, think about it.

What's your internal MTA? I still believe you have some kind of misconfiguration here, try to keep your setup "simple" and make it work first and secure it second. Try to telnet or use SMTP diag, for me it looks like postfix and your internal server is accepting mails at the same time, thats why your internal server is responding that error, when postfix should do.

If you like to hide your internal MTAs IP from Headers just use IGNORE:

Remove Sensitive Information from Headers

/^Received: from MyMTA.local*/ IGNORE
/^Received:.*with ESMTPS/ IGNORE
/^X-Originating-IP:/ IGNORE
/^User-Agent:/ IGNORE

But I think this is not really related to your problem…

BenKenobe

My problem here is that

a) Postfix is reporting the error but not correctly embedding the public IP in 'error' responses to the sender.

b) I know that what I want breaks a few rules but if a user account doesn't exist I want it to behave like spamd and tie up the senders 'server' by grey listing - I don't want to send a "doesn't exist" reject response.

c) I don't want a system that allows infinite login attempts with a different username from the same IP in a short time frame - brute force attack basically. I am aware of the DOS issue but there needs to be a solution to prevent this 'hammering' in an 'elegant' manner.

mschiek01

@BenKenobe:

Tried it, didn't work.

Surely this behaviour must have been spotted before, am I the only one that finds the revealing of internal IP address's unacceptable. This should be set to the 'domain' and public IP.

What does postix say is happening in the log when you see this behavior?

/var/log/maillog

Also I am not sure as to why you have your internal email server rejecting the message from postfix.  Maybe I am not just understanding you correctly.  Postfix should be rejecting the message not you email server.

Postfix should be checking for valid receipents and rejecting them.  You should see this in the log "550 5.1.1 <@.com>: Recipient address rejected: User unknown in relay recipient table.

You need to have a comand line in the access lists -> "filters while receiving mail"

It should be something like this "/^from:/ HOLD"

Otherwise postfix is not going to do anything.

BenKenobe

Config is as per previous posts. Listening on localhost which is NAT'd from the public IP, two domains each mapped to its own unique internal IP.  The detail appearing in the system status log is merely a cut down version of the one sent to the e-mail sender - but it contains the domains private local IP's and not the public one.

There's nothing wrong with my MTA's internal or external - this behaviour is coming from my mail server - but Postfix is simply repeating the message and it shouldn't - I need to find an expression to force the local IP to be replaced with the public IP - but ONLY where appropriate.

I DO NOT want reject responses for non existent user accounts - at least on the first attempt within a set period since most 'spammers' don't behave or retry in line with RFC guidelines. I want REJECT converted to TRY AGAIN LATER .. something that SpamD can do but using SpamD with postfix has proved less than successful.

I'm stunned how hard this seems to be for Postfix - at least without hacking around in the code - I've tried numerous Postfix settings now and all have failed - presumably because of the order encountered - or I'm just not entering them as it expects - lets face it script lines full of 'regex' expressions aren't exactly easy to read, assuming that I'm even looking in the correct .inc files.

My mailserver is an enterprise class mailserver (Kerio) and even it seems unable to handle the simple concept of 'black hole' mailboxes and rejects instantly any mail for non existent accounts, it is very verbose in its response too. It won't block multiple failed login attempts from the same IP and will happily converse with a brute force script all day long - I have better things to waste CPU cycles and bandwidth on.

I am tentatively planning a move to hMailServer because it will block bad behaviour from IP address's, but not until it gets TLS sorted out, maintaining Kerio is just too expensive for our needs but I'm not prepared to go 'open text'.

With regards the mail log there is no such file in the var/log folder. I report messages to the system log and a syslog server.

mschiek01

I am not sure what the log looks like when reporting to the system log.  As for the syslog server I don't this this is even an option in postifx.

If you go to the configuration page/general/logging/destination  select the second item var/log/maillog.  Then restart postfix  I think you will get a better ideal of what is going on in postfix.

also in the log level set it at least to 2.

post the portion of the log as I would be interested to see it.

BenKenobe

syslog isn't an option in postfix and is why I send messages to the system log - because that can be sent to a syslog server. I'll try the log thing and see if the information's any different, my debug level is currently 2.

Bismarck

There's nothing wrong with my MTA's internal or external - this behaviour is coming from my mail server - but Postfix is simply repeating the message and it shouldn't - I need to find an expression to force the local IP to be replaced with the public IP - but ONLY where appropriate.

We all said it more as once you need to stop forwarding mail addresses from postfix which are non-existing to your internal server, thats postfix job.

My mailserver is an enterprise class mailserver (Kerio) and even it seems unable to handle the simple concept of 'black hole' mailboxes and rejects instantly any mail for non existent accounts, it is very verbose in its response too. It won't block multiple failed login attempts from the same IP and will happily converse with a brute force script all day long - I have better things to waste CPU cycles and bandwidth on.

I am tentatively planning a move to hMailServer because it will block bad behaviour from IP address's, but not until it gets TLS sorted out, maintaining Kerio is just too expensive for our needs but I'm not prepared to go 'open text'.

BenKenobe, if I understand your intention right, you won't be happy with postfix. Postfix/Mailscanner should be the one and only layer of defence, since bad mails should be disarmed BEFORE the reach the internal server, but in your scenario your internal server looks like a second layer of defence, which will not work well in conjunction with Postfix/Mailscanner.

BenKenobe

I'm quite happy to drop the 'secondary' defenses once I'm satisfied that the primary are working well.

How do I stop Postfix forwarding or rejecting non existent address's though, and how do I make it substitute the local mail server IP for the 'correct' public one.

I have explicitly stated which accounts are acceptable on the 'Custom Valid Recipients' tab, by doing so would expect Postfix to deal with all others but it still checks against the mail server for 'account existence' and uses the message returned by the mail server so even though it doesn't pass the mail it still checks for the accounts presence every single time - which I don't think it should do, it should only attempt delivery of specifically identified accounts - all others need to be handled 100% by Postfix with no involvement of the mail server at all.

I have removed all the tarpitting and spam traps on the Kerio, but I have put SpamD back in front of Postfix - this has had the same effect it had before though - it can take hours for valid mails to hit the inbox because many vendors send from continually changing IP address's, I really don't like it much but it does some of what I need.

Incidentally I have had maillog enabled for 18 hours now and it is still empty !! - not something I expected at all because I'm still getting E-Mail.

Starting to wonder if I have a duff install.

biggsy

BenKenobe,

You could limit the number of connections from an IP in a given timeframe on the firewall rule you have for SMTP.  Under Advanced features.

I'm not arguing with what you're looking for but I don't think exposing an RFC 1918 address to the sending mailserver in those reject messages is really that worrying.  To exploit that knowledge would require compromise of your firewall or an internal host.  Then you would have much more to worry about.

I can't see how you get that reject on invalid domain message.  postfix should reject mail for any domain that it's not configured to relay for, without reference to your mailserver.

The double-bounce is used by postfix to check the validity of a recipient in a domain that it is configured to relay.  However, I think it does cache recent ones to avoid that extra effort.

mschiek01

@BenKenobe:

I'm quite happy to drop the 'secondary' defenses once I'm satisfied that the primary are working well.

How do I stop Postfix forwarding or rejecting non existent address's though, and how do I make it substitute the local mail server IP for the 'correct' public one.

I have explicitly stated which accounts are acceptable on the 'Custom Valid Recipients' tab, by doing so would expect Postfix to deal with all others but it still checks against the mail server for 'account existence' and uses the message returned by the mail server so even though it doesn't pass the mail it still checks for the accounts presence every single time - which I don't think it should do, it should only attempt delivery of specifically identified accounts - all others need to be handled 100% by Postfix with no involvement of the mail server at all.

Do you have a this line in your config?????

**You need to have a comand line in the access lists -> "filters while receiving mail"

It should be something like this "/^from:/ HOLD"**

You need the above line and I don't see where you ever said you had it?

With the mail log did you stop and restart postfix.  Don't do it from the gui as I am not sure that works or at least I have had problems with it.  Use the command line.

/usr/local/etc/rc.d/postfix onestop

/usr/local/etc/rc.d/postfix onestart

This will also give you a better idea of any errors that are occurring during startup.

As soon as you do this if you go to /var/log/maillog  you should see activity.

BenKenobe

I restarted via the command line and the mail log is now populating … I'll remember that one.

With regards the filter - I didn't add any - didn't see the need since I explicitly defined my recipients list, I'd have assumed that anything not in that list could be 'delayed' or 'rejected by default.

I see the filter mentioned has a /HOLD on it so maybe that's the missing link - although I fail to see how that works since the 'from' isn't what I'm trying to control - it is the 'to'. If I look at the examples they show 'sender' email address's not recipient address's - I don't really care who is sending.

I'll try to dig into the documentation a little deeper.

mschiek01

Are you using postfix/mailscanner?  I assumed you were maybe you are not?

If not then you are correct you don't need that.

BenKenobe

No not using mailscanner - is it something worth using.

I currently have 'SpamD -> Postfix -> Mail Server' and it seems to be keeping the spammers at bay, has also stopped brute force attacks to port 25. I wish I didn't need SpamD because of the delays it creates with 'unknown' senders but I've not seen a single 'spammer' in any inbox today and only one brute force attempt to a mail port that I've since closed (I've now closed all NONE TLS ports except 25 - and that's routed through the filters)

I've got the mail server pretty well hardened, just need to resolve the reject message IP address now …

mschiek01

In the postix gui go to view config -> master cf and check and make sure you have this in the config

/sender_access,
reject_non_fqdn_helo_hostname,
reject_unknown_recipient_domain,
reject_non_fqdn_recipient,
reject_multi_recipient_bounce,
–-----> reject_unverified_recipient,
permit

also in client access list / my networks you only have your internal ip range listed correct?

BenKenobe

Only internal IP's correct, I commented out the 'reject' because I don't want it rejected - although it still gets rejected somehow - I even tried modifying the reject codes to 450 instead but it still returns the 550.1.1 which tells me it is using what the mail server sends back and not what I want it to. I've tried also the various SMTP privacy filters but it is hard to know which file to build them into - doesn't work in the custom commands for sure.

Remember I'm trying to stop spammers figuring out which address's exist by sending many e-mails each to a different username - the reject message is a dead giveaway - I want the offender tarpit'd and messed about as much as possible.

mschiek01

This may be your problem although I am not even sure what you are trying to do will work.

In the postfix gui ->"Domains to Forward"  did you put information in here ?

In the postfix gui -> "Recipients"  did you put information here ?

If you did both that is most likely your problem.

Postfix is receiving an email connection request and the first thing it is doing is checking the relay domain table and contacting the server which is saying not a good address and that is what postfix is replying.  It doesn't matter what you put in the address verification as this is a second step not first.

You are basically using both methods.  Which obviously will not work for what you are trying to do.  Remove the information from the domains to forward and see what happens.

You will need to add a relayhost = [an.ip.add.ress]  to the config.

garthk

I've installed the Postfix package and all seems to be working fine. I then installed the Postfix widget and, while the PF widget bar shows up on the dashboard, there's no data displayed at all.

What did I do wrong?

Thanx,
GarthK

mschiek01

@garthk:

I've installed the Postfix package and all seems to be working fine. I then installed the Postfix widget and, while the PF widget bar shows up on the dashboard, there's no data displayed at all.

What did I do wrong?

Thanx,
GarthK

Got to services/postfix/general at the bottom of the page
Widgets set