Postfix - antispam and relay package
-
Config is as per previous posts. Listening on localhost which is NAT'd from the public IP, two domains each mapped to its own unique internal IP. The detail appearing in the system status log is merely a cut down version of the one sent to the e-mail sender - but it contains the domains private local IP's and not the public one.
There's nothing wrong with my MTA's internal or external - this behaviour is coming from my mail server - but Postfix is simply repeating the message and it shouldn't - I need to find an expression to force the local IP to be replaced with the public IP - but ONLY where appropriate.
I DO NOT want reject responses for non existent user accounts - at least on the first attempt within a set period since most 'spammers' don't behave or retry in line with RFC guidelines. I want REJECT converted to TRY AGAIN LATER .. something that SpamD can do but using SpamD with postfix has proved less than successful.
I'm stunned how hard this seems to be for Postfix - at least without hacking around in the code - I've tried numerous Postfix settings now and all have failed - presumably because of the order encountered - or I'm just not entering them as it expects - lets face it script lines full of 'regex' expressions aren't exactly easy to read, assuming that I'm even looking in the correct .inc files.
My mailserver is an enterprise class mailserver (Kerio) and even it seems unable to handle the simple concept of 'black hole' mailboxes and rejects instantly any mail for non existent accounts, it is very verbose in its response too. It won't block multiple failed login attempts from the same IP and will happily converse with a brute force script all day long - I have better things to waste CPU cycles and bandwidth on.
I am tentatively planning a move to hMailServer because it will block bad behaviour from IP address's, but not until it gets TLS sorted out, maintaining Kerio is just too expensive for our needs but I'm not prepared to go 'open text'.
With regards the mail log there is no such file in the var/log folder. I report messages to the system log and a syslog server.
-
I am not sure what the log looks like when reporting to the system log. As for the syslog server I don't this this is even an option in postifx.
If you go to the configuration page/general/logging/destination select the second item var/log/maillog. Then restart postfix I think you will get a better ideal of what is going on in postfix.
also in the log level set it at least to 2.
post the portion of the log as I would be interested to see it.
-
syslog isn't an option in postfix and is why I send messages to the system log - because that can be sent to a syslog server. I'll try the log thing and see if the information's any different, my debug level is currently 2.
-
There's nothing wrong with my MTA's internal or external - this behaviour is coming from my mail server - but Postfix is simply repeating the message and it shouldn't - I need to find an expression to force the local IP to be replaced with the public IP - but ONLY where appropriate.
We all said it more as once you need to stop forwarding mail addresses from postfix which are non-existing to your internal server, thats postfix job.
My mailserver is an enterprise class mailserver (Kerio) and even it seems unable to handle the simple concept of 'black hole' mailboxes and rejects instantly any mail for non existent accounts, it is very verbose in its response too. It won't block multiple failed login attempts from the same IP and will happily converse with a brute force script all day long - I have better things to waste CPU cycles and bandwidth on.
I am tentatively planning a move to hMailServer because it will block bad behaviour from IP address's, but not until it gets TLS sorted out, maintaining Kerio is just too expensive for our needs but I'm not prepared to go 'open text'.
BenKenobe, if I understand your intention right, you won't be happy with postfix. Postfix/Mailscanner should be the one and only layer of defence, since bad mails should be disarmed BEFORE the reach the internal server, but in your scenario your internal server looks like a second layer of defence, which will not work well in conjunction with Postfix/Mailscanner.
-
I'm quite happy to drop the 'secondary' defenses once I'm satisfied that the primary are working well.
How do I stop Postfix forwarding or rejecting non existent address's though, and how do I make it substitute the local mail server IP for the 'correct' public one.
I have explicitly stated which accounts are acceptable on the 'Custom Valid Recipients' tab, by doing so would expect Postfix to deal with all others but it still checks against the mail server for 'account existence' and uses the message returned by the mail server so even though it doesn't pass the mail it still checks for the accounts presence every single time - which I don't think it should do, it should only attempt delivery of specifically identified accounts - all others need to be handled 100% by Postfix with no involvement of the mail server at all.
I have removed all the tarpitting and spam traps on the Kerio, but I have put SpamD back in front of Postfix - this has had the same effect it had before though - it can take hours for valid mails to hit the inbox because many vendors send from continually changing IP address's, I really don't like it much but it does some of what I need.
Incidentally I have had maillog enabled for 18 hours now and it is still empty !! - not something I expected at all because I'm still getting E-Mail.
Starting to wonder if I have a duff install.
-
BenKenobe,
You could limit the number of connections from an IP in a given timeframe on the firewall rule you have for SMTP. Under Advanced features.
I'm not arguing with what you're looking for but I don't think exposing an RFC 1918 address to the sending mailserver in those reject messages is really that worrying. To exploit that knowledge would require compromise of your firewall or an internal host. Then you would have much more to worry about.
I can't see how you get that reject on invalid domain message. postfix should reject mail for any domain that it's not configured to relay for, without reference to your mailserver.
The double-bounce is used by postfix to check the validity of a recipient in a domain that it is configured to relay. However, I think it does cache recent ones to avoid that extra effort.
-
I'm quite happy to drop the 'secondary' defenses once I'm satisfied that the primary are working well.
How do I stop Postfix forwarding or rejecting non existent address's though, and how do I make it substitute the local mail server IP for the 'correct' public one.
I have explicitly stated which accounts are acceptable on the 'Custom Valid Recipients' tab, by doing so would expect Postfix to deal with all others but it still checks against the mail server for 'account existence' and uses the message returned by the mail server so even though it doesn't pass the mail it still checks for the accounts presence every single time - which I don't think it should do, it should only attempt delivery of specifically identified accounts - all others need to be handled 100% by Postfix with no involvement of the mail server at all.
Do you have a this line in your config?????
**You need to have a comand line in the access lists -> "filters while receiving mail"
It should be something like this "/^from:/ HOLD"**
You need the above line and I don't see where you ever said you had it?
With the mail log did you stop and restart postfix. Don't do it from the gui as I am not sure that works or at least I have had problems with it. Use the command line.
/usr/local/etc/rc.d/postfix onestop
/usr/local/etc/rc.d/postfix onestart
This will also give you a better idea of any errors that are occurring during startup.
As soon as you do this if you go to /var/log/maillog you should see activity.
-
I restarted via the command line and the mail log is now populating … I'll remember that one.
With regards the filter - I didn't add any - didn't see the need since I explicitly defined my recipients list, I'd have assumed that anything not in that list could be 'delayed' or 'rejected by default.
I see the filter mentioned has a /HOLD on it so maybe that's the missing link - although I fail to see how that works since the 'from' isn't what I'm trying to control - it is the 'to'. If I look at the examples they show 'sender' email address's not recipient address's - I don't really care who is sending.
I'll try to dig into the documentation a little deeper.
-
Are you using postfix/mailscanner? I assumed you were maybe you are not?
If not then you are correct you don't need that.
-
No not using mailscanner - is it something worth using.
I currently have 'SpamD -> Postfix -> Mail Server' and it seems to be keeping the spammers at bay, has also stopped brute force attacks to port 25. I wish I didn't need SpamD because of the delays it creates with 'unknown' senders but I've not seen a single 'spammer' in any inbox today and only one brute force attempt to a mail port that I've since closed (I've now closed all NONE TLS ports except 25 - and that's routed through the filters)
I've got the mail server pretty well hardened, just need to resolve the reject message IP address now …
-
In the postix gui go to view config -> master cf and check and make sure you have this in the config
/sender_access,
reject_non_fqdn_helo_hostname,
reject_unknown_recipient_domain,
reject_non_fqdn_recipient,
reject_multi_recipient_bounce,
–-----> reject_unverified_recipient,
permitalso in client access list / my networks you only have your internal ip range listed correct?
-
Only internal IP's correct, I commented out the 'reject' because I don't want it rejected - although it still gets rejected somehow - I even tried modifying the reject codes to 450 instead but it still returns the 550.1.1 which tells me it is using what the mail server sends back and not what I want it to. I've tried also the various SMTP privacy filters but it is hard to know which file to build them into - doesn't work in the custom commands for sure.
Remember I'm trying to stop spammers figuring out which address's exist by sending many e-mails each to a different username - the reject message is a dead giveaway - I want the offender tarpit'd and messed about as much as possible.
-
This may be your problem although I am not even sure what you are trying to do will work.
In the postfix gui ->"Domains to Forward" did you put information in here ?
In the postfix gui -> "Recipients" did you put information here ?
If you did both that is most likely your problem.
Postfix is receiving an email connection request and the first thing it is doing is checking the relay domain table and contacting the server which is saying not a good address and that is what postfix is replying. It doesn't matter what you put in the address verification as this is a second step not first.
You are basically using both methods. Which obviously will not work for what you are trying to do. Remove the information from the domains to forward and see what happens.
You will need to add a relayhost = [an.ip.add.ress] to the config.
-
I've installed the Postfix package and all seems to be working fine. I then installed the Postfix widget and, while the PF widget bar shows up on the dashboard, there's no data displayed at all.
What did I do wrong?
Thanx,
GarthK -
I've installed the Postfix package and all seems to be working fine. I then installed the Postfix widget and, while the PF widget bar shows up on the dashboard, there's no data displayed at all.
What did I do wrong?
Thanx,
GarthKGot to services/postfix/general at the bottom of the page
Widgets set
-
Thanx for the reply. I did what you suggested and even waited three days just to see if that would make a diff but no luck. The Postfix bar is there but no data is displayed. I also reinstalled it but no change.
Anything else I need to do?
-
Widget works when you set logs to /var/log/maillog
-
That took care of it!
Thanx Much,
Garth -
Hi guys,
I am using this package for a few days now and am very happy with it because the amount of spam was reduced drastically.
So first of all thank you for your work here, marcelloc.
I just encountered two problems which I couldn't solve for myself.
1. The "Search mail" function doesn't work for me. Probably because postfix can't find a sqlite database. Reinstallation of postfix didn't help.
2. Some mails take a very long time to get delivered to my actual mail server. I guess this is because some bigger companies with multiple mail servers send mails out through a different server once the message isn't accpeted instantly by postfix. (gmail or hrs for example)
Is there a way to accept e-mails faster even if the initial sender ip differs from the current sender ip in postfix?And again thank you (in advance)
Many apologies if this has been asked and answered before.
-
Works great but I have a question. There is a company sending us email with a single MX record, say mail.company.com, but the email is actually being sent by one of multiple servers, mail1.company.com, mail2.company.com, and so on. None of these servers has a DNS record so can not be found by PF after the RCPT TO: is received. This causes the email to be rejected, correctly IMHO, but I need to figure out how to let this email thru. Can I whitelist these servers and, if so, how?
Thanx,
Garth