Netgate Discussion Forum

Postfix - antispam and relay package

pfSense Packages
  • D
    darklogic
    last edited by Oct 21, 2011, 5:16 PM

    Here is the message minus user email name and our domain name.

    postfix/smtpd[10950]: NOQUEUE: reject: RCPT from mail.clemansnelson.com[24.123.130.226]: 450 4.7.1 <cnasrv.cna.local>: Helo command rejected: Host not found; from=<someone@clemansnelson.com> to=<someone@mydomain.com> proto=ESMTP helo=<cnasrv.cna.local>

    When you say my DNS, are you referring to my internal DNS or external WAN DNS from the firewall?

    Thanks,

    MDP

    • D
      darklogic
      last edited by Oct 21, 2011, 5:22 PM Oct 21, 2011, 5:20 PM

      I have spotted about 6 other domains that I know are not spam that are getting the same message above. If I disable the Postfix forwarder and then do a temporary NAT and port forward of SMTP:25 to our internal mail server, the transparent spam filters we have will allow the message through, and they do a lot of the same checks. I must have something misconfigured on postfix, or these hosts are not configured correctly. I am not willing to say something is wrong with the package because we are still getting a lot of good e-mails coming through.

      Up above I posted my base config, can you see anything that would be causing the issue in that config?

      Thanks,

      MDP

      • M
        marcelloc
        last edited by Oct 21, 2011, 5:49 PM Oct 21, 2011, 5:35 PM

        @darklogic:

        postfix/smtpd[10950]: NOQUEUE: reject: RCPT from mail.clemansnelson.com[24.123.130.226]: 450 4.7.1 <cnasrv.cna.local>: Helo command rejected: Host not found; from=<someone@clemansnelson.com> to=<someone@mydomain.com> proto=ESMTP helo=<cnasrv.cna.local>

        The problem is this: helo=<cnasrv.cna.local>

        Helo host in SMTP negotiation must exist. If you allow any host in SMTP helo, you are opening your server for a lot of spam.

        Many SMTP admins 'forget' to configure their servers, it's normal.

        In any case, I suggest you disable spam checks.

        EDIT:

        Note that any client behind a misconfigured server will receive these errors for many domains, so they can forward them to the SMTP 'admins'.

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

        • D
          darklogic
          last edited by Oct 21, 2011, 5:47 PM

          Well, as much as I hated to, I disabled the spam checks and saved, then disabled and saved and then re-enabled postfix and saved.

          I am still getting the same messages?

          Thanks,

          MDP

          • M
            marcelloc
            last edited by Oct 21, 2011, 5:53 PM

            And about your config, I suggest you change the RBL threshold to 2.

            As I told you, this host error is got by header check, not postscreen.
            See configuration files options in gui.

            in main.cf

            #Don't talk to mail systems that don't know their own hostname.
            smtpd_helo_required = yes
            smtpd_helo_restrictions = reject_unknown_helo_hostname
            
            

            This is a feature, not a bug or false positive.

            Don't think the problem is with your setup.

            • D
              darklogic
              last edited by Oct 21, 2011, 6:02 PM

              Ok, I am starting to see now what you are saying. On the main config code you pointed out, should I change smtpd_helo_required = yes to = no or change smtpd_helo_restrictions = reject_unknown_helo_hostname?

              Like you said, I am afraid I will open the gates for flooding of spam. We have transparent backend filters, but I was hoping to kill most of it at the gateway level.

              So what would you suggest at this point? I changed my RBL from 1 to 2.

              Thanks for all your help,

              MDP

              • M
                marcelloc
                last edited by Oct 21, 2011, 6:31 PM

                Send an email to postmaster@ at the domains where you identify that misconfiguration.

                Or try CIDR with remote SMTPS While using postscreen

                • I
                  invaluement
                  last edited by Oct 24, 2011, 2:54 PM

                  @darklogic:

                  RBL with = dnsbl.sorbs.net, bl.spamcop.net2, dnslb.local-5, cbl.abuseat.org, b.barracudacentral.org

                  MDP,

                  Hi. I'm the owner/manager of invaluement.com and the host name you listed above for using invaluement.com as an RBL is WRONG!!!! (I deleted it in my quote of your post.. see post for what I'm talking about)

                  Anyone using that host name as an RBL will ONLY get rejected queries. This is a waste of others' resources--since anyone adding a bogus RBL only adds wasted time to the processing of each message. Therefore, please edit your post above to remove that reference to invaluement.

                  Even if you had the correct host name, it would STILL get blocked because access to invaluement is ONLY available to paying subscribers via RSYNC to rbldnsd files, which are then hosted locally.

                  An invaluement subscription is VERY INEXPENSIVE... and locally hosted RBLs on an rbldnsd server are extremely FAST--which helps your filtering to go FASTER and become more scalable--could even save you $$ on hardware upgrades in the future! Subscription information can be found here:

                  http://dnsbl.invaluement.com/subscribe/

                  Thanks and please let me know if you have any questions.

                  • D
                    darklogic
                    last edited by Oct 24, 2011, 3:13 PM

                    marcelloc,

                    Can you confirm if that last post from invaluement is true? I noticed they are a new user with that being their first post. Looks a little shady.

                    Also, I e-mailed postmaster at those domains, with nothing yet. Also, I am not sure what you meant by "Or try CIDR with remote SMTPS While using postscreen"?

                    Thanks,

                    MDP

                    • M
                      marcelloc
                      last edited by Oct 24, 2011, 4:47 PM

                      The Rbl list in package example is just an example for how to configure Rbl list.

                      You MUST take care on what list you choose. There is also a link in the package for a lot of Rbl lists, free and paid.

                      And about the emails you sent, just be patient. You can also look for other email addresses on the domains' web pages.

                      • D
                        darklogic
                        last edited by Oct 24, 2011, 7:51 PM

                        I clicked the link, but I am not sure which lists are free and which ones are paid?

                        • D
                          darklogic
                          last edited by Oct 26, 2011, 7:52 PM Oct 26, 2011, 7:51 PM

                          marcelloc,

                          I have some new info for you as requested. I have compared the past 3 weeks of SPAM data on our backend SPAM filter reports, and they have been very close from week to week, at around 650 to 700 SPAM e-mails per week. This past week's report, since the postfix forwarder package was installed, has literally been cut down to around 190 to 200 SPAM e-mails. This is without any mail scanner or SpamAssassin added to the postfix forwarder.

                          So right now we are seeing about a 300% decrease in SPAM on just the first layer of filtering at the gateway level. Very Nice…

                          Any idea on when that mailscanner feature will be added?

                          • M
                            marcelloc
                            last edited by Oct 26, 2011, 8:54 PM

                            Great news,

                            Looking at my logs, what I see is that nasty emails like fake domains, virus, phishing, etc. are almost 100% blocked with postfix. Commercial mail that has real SMTP info can be easily blocked using ACLs.

                            Any idea on when that mailscanner feature will be added?

                            I think I will release a mailscanner-dev version with freebsd 8.1-release packages to get it working until pfsense packages are done.

                            Thanks for your feedback

                            • I
                              invaluement
                              last edited by Oct 28, 2011, 4:29 AM

                              @darklogic:

                              marcelloc,

                              Can you confirm if that last post from invaluement is true? I noticed they are a new user with that being their first post. Looks a little shady.

                              Here is confirmation. See message to 'darklogic' at the bottom of this page: http://dnsbl.invaluement.com/about/
                              …I couldn't do that if this wasn't legit!

                              • M
                                marcelloc
                                last edited by Oct 28, 2011, 4:34 AM

                                I've also included this in Rbl field list info:

                                THIS IS JUST AN EXAMPLE, CHECK IF ANY LIST YOU CHOOSE IS PAID OR FREE!
                                ex: dnsbl.sorbs.net, bl.spamcop.net2, dnslb.local-5, b.barracudacentral.org

                                • D
                                  darklogic
                                  last edited by Oct 28, 2011, 5:34 PM

                                  marcelloc,

                                  I removed the list from my post.

                                  Also, I am having no luck with those domains that are getting rejected that I know are ok e-mails, but maybe misconfigured servers. I am getting a lot of this and I have had about 5 employees ask if something was wrong with the e-mail system. If I can't figure a way to allow these e-mails, I may have to back away from the postfix package. I really don't want to do that… This is the same issue I have been previously posting about.

                                  Thanks,

                                  MDP

                                  • M
                                    marcelloc
                                    last edited by Oct 28, 2011, 7:34 PM

                                    First of all, it's not an issue with postfix. It's an issue with the remote SMTP admin.

                                    Try to include the remote server in CIDR or call the remote admin.

                                    Here is the link for postscreen documentation about whitelist:

                                    http://www.postfix.org/postconf.5.html#postscreen_access_list

                                    PERMANENT WHITE/BLACKLIST TEST
                                        This test is executed immediately after a remote SMTP client connects. If a client is permanently whitelisted, the client will be handed off immediately to a Postfix SMTP server process.

                                    postscreen_access_list (permit_mynetworks)
                                        Permanent white/blacklist for remote SMTP client IP addresses.

                                    1 Reply Last reply Reply Quote 0
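An added example, not part of the original posts or the package's code: a Python sketch that pulls every `Helo command rejected: Host not found` line out of a mail log, groups the rejects by client IP, and prints candidate `address/prefix permit` lines in Postfix CIDR-table syntax for the whitelist discussed above. The log lines are constructed in the format quoted in the thread, the private-suffix list and the rule of skipping clients with `unknown` reverse DNS are assumptions, and how the package's CIDR field is wired to postscreen or smtpd is not shown in the thread, so the output is a list for review.

```python
import re
from collections import defaultdict

# Constructed sample log: line 1 follows the reject quoted in the thread; the
# other clients use documentation address ranges and invented names.
SAMPLE_LOG = """\
Oct 21 12:10:01 fw postfix/smtpd[10950]: NOQUEUE: reject: RCPT from mail.clemansnelson.com[24.123.130.226]: 450 4.7.1 <cnasrv.cna.local>: Helo command rejected: Host not found; from=<someone@clemansnelson.com> to=<someone@mydomain.com> proto=ESMTP helo=<cnasrv.cna.local>
Oct 21 12:25:40 fw postfix/smtpd[10950]: NOQUEUE: reject: RCPT from mail.clemansnelson.com[24.123.130.226]: 450 4.7.1 <cnasrv.cna.local>: Helo command rejected: Host not found; from=<other@clemansnelson.com> to=<someone@mydomain.com> proto=ESMTP helo=<cnasrv.cna.local>
Oct 21 12:31:12 fw postfix/smtpd[10951]: connect from mail.example.org[192.0.2.9]
Oct 21 12:40:03 fw postfix/smtpd[10952]: NOQUEUE: reject: RCPT from mx.example.com[198.51.100.7]: 450 4.7.1 <EXCH01>: Helo command rejected: Host not found; from=<bob@example.com> to=<someone@mydomain.com> proto=ESMTP helo=<EXCH01>
Oct 21 12:55:27 fw postfix/smtpd[10953]: NOQUEUE: reject: RCPT from unknown[203.0.113.50]: 450 4.7.1 <mail.example.net>: Helo command rejected: Host not found; from=<promo@example.net> to=<someone@mydomain.com> proto=ESMTP helo=<mail.example.net>
"""

REJECT_RE = re.compile(
    r"reject: RCPT from (?P<rdns>[^\[\s]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"\d{3} \S+ <[^>]*>: Helo command rejected: Host not found;"
    r".*?from=<(?P<sender>[^>]*)>.*?helo=<(?P<helo>[^>]*)>"
)
# Assumption: suffixes that typically mark an internal Windows/LAN host name.
PRIVATE_SUFFIXES = (".local", ".lan", ".internal", ".localdomain")

def classify_helo(helo):
    """Say why a HELO name is unlikely to resolve in public DNS."""
    name = helo.lower().rstrip(".")
    if "." not in name:
        return "not-fqdn"
    if name.endswith(PRIVATE_SUFFIXES):
        return "internal-name"
    return "unresolved-public-name"

def summarize(log_text):
    """Group unknown-HELO rejects by client IP; all other lines are ignored."""
    hosts = defaultdict(lambda: {"count": 0, "rdns": None,
                                 "helo": set(), "senders": set()})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        entry = hosts[m["ip"]]
        entry["count"] += 1
        entry["rdns"] = m["rdns"]
        entry["helo"].add(m["helo"])
        entry["senders"].add(m["sender"])
    return dict(hosts)

def cidr_candidates(hosts):
    """Propose entries only for clients that have reverse DNS and announce an
    internal or short name: the 'misconfigured but real server' case."""
    lines = []
    for ip, entry in sorted(hosts.items()):
        kinds = {classify_helo(h) for h in entry["helo"]}
        if entry["rdns"] != "unknown" and kinds <= {"internal-name", "not-fqdn"}:
            lines.append(f"{ip}{'/128' if ':' in ip else '/32'} permit")
    return lines

if __name__ == "__main__":
    print("\n".join(cidr_candidates(summarize(SAMPLE_LOG))))
```
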
                                    • D
                                      darklogic
                                      last edited by Oct 28, 2011, 7:51 PM Oct 28, 2011, 7:50 PM

                                      I'm sorry, I didn't mean to sound like I was saying something is wrong with your package. I just don't have any clear way to resolve this issue with so many misconfigured e-mail servers.

                                      There is little documentation for your package and the docs that are being provided are for a project other than a package for pfsense. If I knew all the ins and outs of this package, I guess I would know the answer, and if I knew the answer on how to configure this mod with little documentation to follow, I guess I might even be able to develop it, but I don't know.

                                      Even your main.cf file states in it, not to modify?

                                      I like this package, I really want to use it, but the documentation being provided is not for the pfsense package.

                                      Thanks for all your help,

                                      MDP

                                      • M
                                        marcelloc
                                        last edited by Oct 28, 2011, 8:00 PM

                                        the link was for postscreen documentation to show you that putting the remote smtp ip in CIDR while using postscreen does not open your server to relay.

                                        You just step over postscreen and connect direct to postfix daemon where there are other tests.

                                        Sorry if it seemed offensive, was not my intention.

                                        • D
                                          darklogic
                                          last edited by Oct 29, 2011, 2:45 AM

                                          marcelloc,

                                          I was not taking it as offensive, I was trying to clear up the fact that I am no developer or coder. It takes me some time to understand what's going on in the guts of the program. Basically I don't have your knowledge and therefore I don't understand some of the lingo or even the documentation that is being provided. I understand that this package is still new and in RC1 stage right now and some things should not be expected. In all reality, I have no reason to complain as this package is free and you are spending your free time to develop it, and I thank you for that truly.

                                          So what I got from your last post is that if you add the public IP of the sender in the Client Access List in the CIDR form box, it will pass the message from that domain address that is getting blocked, or any address coming from that domain IP? Is that correct?

                                          Thanks for your time,

                                          MDP
