Postfix - antispam and relay package

marcelloc · Oct 19, 2011, 1:54 AM

mauricioniñoavella,

The basic setup is already in this topic.
http://forum.pfsense.org/index.php/topic,40622.msg217539.html#msg217539

All features in postfix forwarder package was include after many hours reading official postfix documentation.

Many features in this packages, has samples or direct links to postfix website, take a look.

Also you have the options to see the result of gui setup in View confi files tab.

Some docs about SASL say that are many implementations for it in postfix, now I'm trying to find one compatible with pfsense.

see considerations on enabling TLS
http://www.postfix.org/TLS_README.html

darklogic · Oct 19, 2011, 4:20 PM

marcelloc

I have a e-mail that seems to be getting blocked, which I think is a false positive. Here is the log I get back. Note that I removed the actual domain name and IP.

postfix/smtpd[32719]: NOQUEUE: reject: RCPT from mail.example.org[XXX.XXX.XXX.XXX]: 450 4.7.1 <ex02.example.local>: Helo command rejected: Host not found; from= someone@example.orgto= someone@mydomain.comproto=ESMTP helo= <ex02.example.local>I added this filter rule in the header to allow. This did not seem to work, but when I added a different rule to REJECT a different domain name, it worked.

/^From:.*@example.org/ OK

Any idea on this?

Thanks,

MDP</ex02.example.local>/someone@mydomain.com /someone@example.org</ex02.example.local>

marcelloc · Oct 19, 2011, 10:03 PM

The host that remote server announce on Helo smtp command Does not exist.

This is one of the header verification tests.

marcelloc · Oct 20, 2011, 4:05 PM

Hi all,

Postfix compilation on x64 now includes cyrus-SASL2 and TLS.

who need or want to test it, reinstall or remove/install postfix package.

No changes in gui for this option. Include all your SASL and/or TLS config in custom main.cf options

att,
Marcello Coutinho

darklogic · Oct 28, 2011, 5:29 PM

marcelloc,

I am getting a lot of these messages and I have seen a lot of them that are from domains and users I know. What can I do to stop these false positives. Here is the message I recieve minus real IP and domain names.

postfix/smtpd[61721]: NOQUEUE: reject: RCPT from mail.someonesdomain.com[xxx.xxx.xxx.xxx]: 450 4.7.1 <cnasrv.cna.local>: Helo command rejected: Host not found; from= someone@someonesdomain.comto= user@mydomain.comproto=ESMTP helo=<cnasrv.cna.local></cnasrv.cna.local>/user@mydomain.com /someone@someonesdomain.com</cnasrv.cna.local>

Here is my configuration. I have messed around trying to find out what is causing it and had no luck.

ACL Filter MIME:
/^name=[^>]*.(com|vbs|js|jse|exe|bat|cmd|vxd|scr|hlp|pif|shs|ini|dll)/ REJECT W do not allow files of type "$3" because of security concerns - "$2" caused the block.
/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?.(386|ad[ept]|drv|em(ai)?l|ex[_e]|xms|{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}})\b/ REJECT ".$2" file attachment types not allowed

**ACL Filter CIDR:**My Internal Subnet xxx.xxx.xxx.xxx/24

Antispam:
Header Verification = strong

Zombie Blocker = Enabled with enforce

After greetins Test= all selected

Softbounce= enabled

RBL with = dnsbl.sorbs.net, bl.spamcop.net2, dnslb.local-5, cbl.abuseat.org, b.barracudacentral.org

RBL threshold = 1

SPF Check = Recomended setting

I have tried litteraly disabling everything and setting head check to basic to see if the messages would pass. I even added rules to the ACL filter list such as /^From:.*@someonesdomain.com OK

Is there something I can do? Do you have any suggestions?

Thanks,

MDP

marcelloc · Oct 21, 2011, 1:27 PM

As I told you last post, postfix is very judicious in header checks, so check your DNS server to see if this host announced by remote SMTP does exist or not.

You can also try to white-list this host in your local RBL and CIDR ACL.

I have many of these alerts too, but all of them are really spam or 'misconfigured' hosts.

darklogic · Oct 21, 2011, 4:40 PM

marcelloc,

I am going to assume that they are misconfigured host because I know they are not spam emails.

I did state I added the /^From:.*@someonesdomain.com OK in the ACL's Filter in the header section. Does this not whitelist the e-mail or is it just whitelisting only one of the spam checks?

Also, if I add their domain address to the CIDR allow, wouldn't that allow their mail server to relay off ours according to the text I am reading at the bottom of that form field?

Thanks,

MDP

darklogic · Oct 21, 2011, 4:43 PM

Sorry, I meant relay off the pfsense box. My mail server would not act as an open relay.

marcelloc · Oct 21, 2011, 4:48 PM

@darklogic:

I am going to assume that they are misconfigured host because I know they are not spam emails.

Did you tested name resolution oh the remote host header info?

@darklogic:

Also, if I add their domain address to the CIDR allow, wouldn't that allow their mail server to relay off ours according to the text I am reading at the bottom of that form field?

When using postscreen, the documentations says(correct me if I'm wrong) that this only prevents blocking.
When postscreen is disabled, any ip on CIDR allows relay on your server.

Can you test this with any other external ip?

darklogic · Oct 21, 2011, 4:59 PM

I have been using mxtoolbox.com for testing. One of the domains I am trying to figure out why it is getting blocked is clemansnelson.com

When I do a test on mxtoolbox.com for mail.clemansnelson.com I get the following.

220 CNASRV.CNA.local Microsoft ESMTP MAIL Service ready at Fri, 21 Oct 2011 12:59:31 -0400

OK - 24.123.130.226 resolves to mail.clemansnelson.com
Warning - Reverse DNS does not match SMTP Banner
0 seconds - Good on Connection time
Not an open relay.
5.335 seconds - Warning on Transaction time

Thanks,

MDP

darklogic · Oct 21, 2011, 5:09 PM

How would I go about disabling postscreen just to see if the mails start to come through. I thought I did disable once by simply unselecting the after greeting checks and disabling Zombie Blocker?

marcelloc · Oct 21, 2011, 5:11 PM

Can you see that there is a warning for this domain on your test?

I've made some tests here and mail.clemansnelson.com has a valid dns entry and it's related as SPF for clemansnelson.com.

check if your dns has same info and if postfix erros say that worng hostname is mail.clemansnelson.com or something else.

If you disable postscreen, the error will remain as it is done in header check.

darklogic · Oct 21, 2011, 5:16 PM

Here is the message minus user email name and our domain name.

postfix/smtpd[10950]: NOQUEUE: reject: RCPT from mail.clemansnelson.com[24.123.130.226]: 450 4.7.1 <cnasrv.cna.local>: Helo command rejected: Host not found; from= someone@clemansnelson.comto= someone@mydomain.comproto=ESMTP helo= <cnasrv.cna.local>When you say my DNS, our you referring to my internal DNS or external WAN DNS from the firewall?

Thanks,

MDP</cnasrv.cna.local>/someone@mydomain.com /someone@clemansnelson.com</cnasrv.cna.local>

darklogic · Oct 21, 2011, 5:22 PM

I have spotted about 6 other domains that I know are not spam that is getting the same message above. If I disable the Postfix forwarder and then do a temporary NAT and port forward of SMTP:25 to our internal mail server. The transparent spam filters we have will allow the message through and they do a lot of the same checks. I must have something misconfigured on postfix, or these host are not configured correctly. I am not willing to say something is wrong with the package because we are still getting a lot of good e-mails coming through.

Up above I posted my base config, can you see anything that would be causing the issue in that config?

Thanks,

MDP

marcelloc · Oct 21, 2011, 5:49 PM

@darklogic:

postfix/smtpd[10950]: NOQUEUE: reject: RCPT from mail.clemansnelson.com[24.123.130.226]: 450 4.7.1 <cnasrv.cna.local>: Helo command rejected: Host not found; from= someone@clemansnelson.comto= someone@mydomain.comproto=ESMTP helo= <cnasrv.cna.local></cnasrv.cna.local>/someone@mydomain.com /someone@clemansnelson.com</cnasrv.cna.local>

The problem is this : helo=<cnasrv.cna.local></cnasrv.cna.local>

Helo host in smtp negotiaton must exist. If you allow any host in SMTP helo, you are opening your server for a lot of spam.

Many STMP admins 'foget' to configure their servers, it's normal.

In any way I suggest you to disable spam checks.

EDIT:

Note that any client behind a misconfigured server will receive this erros for many domains, so they can forward it to SMTP 'admins'

darklogic · Oct 21, 2011, 5:47 PM

Well, as much as I hated to, I disabled the spam checks and saved, then disabled and saved and then renabled postfix and saved.

I am still getting the same messages?

Thanks,

MDP

marcelloc · Oct 21, 2011, 5:53 PM

And about your config, I suggest you to change RBL threshold to 2.

As I told you, this host error is got by header check, not postscreen.
See configuration files options in gui.

in main.cf

#Don't talk to mail systems that don't know their own hostname.
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_unknown_helo_hostname

This is a feature, not a bug or false positive.

Don't think the problem is with your setup.

darklogic · Oct 21, 2011, 6:02 PM

Ok, I am starting to see now what you are saying. On the main config code you pointed out, Should I change smtpd_helo_required = yes to = no or change smtpd_helo_restrictions = reject_unknown_helo_hostname

Like you said, I am afraid I will open the gates for flooding of spam. We have transparent backend filters, but I was hoping to kill most of it at the gateway level.

So what would you suggest at this point. I changed my RBL from 1 to 2.

Thanks for all your help,

MDP

marcelloc · Oct 21, 2011, 6:31 PM

Send a email to postmaster@ domains you identify that misconfiguration.

Or try CIDR with remote SMTPS While using postscreen

invaluement · Oct 24, 2011, 2:54 PM

@darklogic:

RBL with = dnsbl.sorbs.net, bl.spamcop.net2, dnslb.local-5, cbl.abuseat.org, b.barracudacentral.org

MDP,

Hi. I'm the owner/manager of invaluement.com and the host name you listed above for using invaluement.com as an RBL is WRONG!!!! (I deleted it in my quote of your post.. see post for what I'm talking about)

Anyone using that host name as an RBL will ONLY get rejected queries. This a waste of other's resources–since anyone adding a bogus RBL only adds wasted time to the processing of each message. Therefore, please edit your post above to remove that reference to invaluement.

Even if you had the correct host name, it would STILL get blocked because access to invaluement is ONLY available to paying subscribers via RSYNC to rbldnsd files, which are then hosted locally.

An invaluement subscription is VERY INEXPENSIVE... and locally hosted RBLs on an rbldnsd server are extremely FAST--which helps your filtering to go FASTER and become more scalable--could even save you $$ on hardware upgrades in the future! Subscription information can be found here:

http://dnsbl.invaluement.com/subscribe/

Thanks and please let me know if you have any questions.