28th September 2009, 23:23
Mole
E-mail server receives and sends spam

Hello!
I tried to solve this problem, spending time on Google and other forums, finding information...
I think I did many things... but!

The problem is that my e-mail server sends and receives thousands of spam messages, and I'm listed at http://www.mxtoolbox.com/blacklists.aspx in 5-7 lists.

What I have:
OpenSuse10.3
Postfix 2.6.5
Cyrus SASL 2.1.22
Postgrey 1.32
ISPconfig 2.2.33

Here is what I have:
1) /etc/postfix/main.cf:
Code:
####################################################################################
###GENERAL SETTINGS
####################################################################################
mail_owner = postfix
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = myhostname.$mydomain
inet_interfaces = all
inet_protocols = all
biff = yes
masquerade_domains = 
#mydestination = $myhostname, localhost.$mydomain
defer_transports = 
mynetworks_style = subnet
disable_dns_lookups = no
relayhost = 
mailbox_command = 
mailbox_transport = 
strict_8bitmime = no
disable_mime_output_conversion = no
mailbox_size_limit = 0
message_size_limit = 10240000
mydomain = ardit.lv
mynetworks = 127.0.0.0/8
delay_warning_time = 1h
message_strip_characters = \0
setgid_group = maildrop

####################################################################################
###MAPS
####################################################################################
canonical_maps = hash:/etc/postfix/canonical
#virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
virtual_maps = hash:/etc/postfix/virtusertable
alias_maps = hash:/etc/aliases
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
body_checks = regexp:/etc/postfix/body_checks

####################################################################################
###DIRECTORIES
####################################################################################
readme_directory = /usr/share/doc/packages/postfix/README_FILES
mail_spool_directory = /var/mail
program_directory = /usr/lib/postfix
mydestination = /etc/postfix/local-host-names
sample_directory = /usr/share/doc/packages/postfix/samples
manpage_directory = /usr/share/man
html_directory = /usr/share/doc/packages/postfix/html

####################################################################################
###PATHS
####################################################################################
sendmail_path = /usr/sbin/sendmail
mailq_path = /usr/bin/mailq
newaliases_path = /usr/bin/newaliases
daemon_directory = /usr/lib/postfix
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
mydestination = /etc/postfix/local-host-names

####################################################################################
###DEBUG
####################################################################################
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 xxgdb $daemon_directory/$process_name $process_id & sleep 5

####################################################################################
###SASL
####################################################################################
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = cyrus
#smtpd_sasl_path = private/auth
smtpd_sasl_path = smtpd
smtpd_sasl_mechanism_filter = !gssapi, !external, static:all
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

####################################################################################
###TLS
####################################################################################
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

####################################################################################
###RULES AGAINST SPAMS ETC. MALWARES
####################################################################################
smtpd_sender_restrictions = 
	    warn_if_reject,
	    hash:/etc/postfix/access_client,
	    permit_sasl_authenticated,
	    permit_mynetworks,
	    reject_non_fqdn_sender,
	    reject_unknown_sender_domain,
	    reject_rbl_client list.dsbl.org,
	    reject_rbl_client zen.spamhaus.org,
	    permit

smtpd_client_restrictions =
	    permit_sasl_authenticated,
	    check_client_access hash:/etc/postfix/access_client,
	    reject_rbl_client relays.mail-abuse.org,
	    reject_rbl_client relays.ordlb.org,
	    reject_rhsbl_sender dsn.rfc-ignorant.org,
#	    reject_unknown_client,
	    reject_rbl_client list.dsbl.org,
	    reject_rbl_client zen.spamhaus.org,
	    permit_mynetworks,
	    reject_unauth_pipelining,
	    permit 

smtpd_helo_restrictions = 
	    permit_sasl_authenticated,
	    permit_mynetworks, 
	    reject_invalid_hostname, 
	    reject_unknown_hostname,
	    reject_non_fqdn_hostname,
	    reject_rbl_client list.dsbl.org,
	    reject_rbl_client zen.spamhaus.org,
	    regexp:/etc/postfix/helo.regexp, 
	    permit

bounce_size_limit = 1024
smtpd_helo_required = yes
smtpd_delay_reject = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}

access_map_reject_code = 554
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

notify_classes = resource,software

smtpd_recipient_restrictions = 
	    warn_if_reject,
	    permit_sasl_authenticated,
	    permit_mynetworks,
	    check_relay_domains,
	    reject_non_fqdn_sender,
	    reject_non_fqdn_recipient,
	    reject_unknown_sender_domain,
	    reject_unknown_recipient_domain,
	    reject_unauth_destination,
	    reject_unauth_pipelining,
	    check_policy_service inet:127.0.0.1:6000,
	    check_policy_service inet:127.0.0.1:10023,
	    #check_sender_access hash:/etc/postfix/verify_sender_map,
	    reject_rbl_client cbl.abuseat.org,
	    reject_rbl_client sbl-xbl.spamhaus.org,
	    reject_rbl_client bl.spamcop.net, 
	    reject_rbl_client rblmap.tu-berlin.de,
	    reject_rbl_client relays.ordb.org,
	    reject_rbl_client dnsbl.sorbs.org,
	    reject_rbl_client opm.blitzed.org,
	    reject_rbl_client blackholes.easynet.nl,
	    reject_rbl_client ix.dnsbl.manitu.net,
	    reject_rbl_client dsn.rfc-ignorant.org,
	    reject_rbl_client proxies.relays.monkeys.com,
	    reject_rbl_client dul.dnsbl.sorbs.net,
	    reject_rbl_client list.dsbl.org,
	    reject_rbl_client multi.uribl.com,
	    reject_rbl_client zen.spamhaus.org,
	    reject_rbl_client bogusmx.rfc-ignorant.org,
#	    check_client_access hash:/etc/postfix/helo_client_exceptions,
	    check_client_access hash:/etc/postfix/rbl_client_exceptions,
	    permit
2) Body checks were set up following this How To: http://www.malware.com.br/postfix.txt

3) /etc/postfix/rbl_client_exceptions contains my client domain names:
Code:
.domain.com OK
.........
4) hello.regexp contains:
Code:
/^localhost$/ 550 Don't use my own hostname
/^host\.domain\.com$/ 550 Don't use my own hostname
/^127\.0\.0\.1$/ 550 Don't use my own IP address
/^\[180\.169\.9\.91]$/ 550 Don't use my own IP address
/^\[180\.169\.9\.92]$/ 550 Don't use my own IP address
#/^[0-9.]+$/ 550 Your software is not RFC 2821 compliant
#/^[0-9]+(\.[0-9]+){3}$/ 550 Your software is not RFC 2821 compliant
5) /etc/access_client contains:
Code:
####################################################
###Manually found
####################################################
216.52.192.0/24 REJECT
63.251.178.28 REJECT
158.36.80.149 REJECT
82.128.0.0/24 REJECT
65.55.92.0/24 REJECT
206.46.232.0/24 REJECT
65.55.92.88 REJECT
65.55.37.0/24 REJECT
58.36.80.149 REJECT
116.228.146.94 REJECT
195.248.241.211 REJECT
203.34.37.27 REJECT
210.241.225.190 REJECT
167.206.112.6 REJECT
96.57.243.42 REJECT
207.157.105.74 REJECT
41.222.193.35 REJECT
203.39.191.100 REJECT
216.201.209.161 REJECT
80.232.169.191 REJECT
202.22.159.237 REJECT
84.238.0.4 REJECT

####################################################
###Whitelist
####################################################
.myclient1.com OK
.myclient2.com OK
...........
.myclient3.com OK
.gov OK
.gov.lv OK

#####################################################
### ALL Bad IP's from http://www.unixhub.com/block.html###
#####################################################
After updating these files I run postmap /etc/postfix/appropriate_map_file.

7) /etc/postfix/master.cf:
Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#	-o smtpd_etrn_restrictions=reject
#	-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
smtps   inet n   -   n   - - smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_sender=yes
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      -o broken_sasl_auth_clients=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
	-o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#localhost:10025 inet	n	-	n	-	-	smtpd -o content_filter=
scache	  unix	-	-	n	-	1	scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus	  unix	-	n	n	-	-	pipe
  user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp	  unix	-	n	n	-	-	pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
procmail  unix  -       n       n       -       -       pipe
  flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
retry     unix  -       -       n       -       -       error
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
8) netstat -tap
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 *:imaps                 *:*                     LISTEN      3302/couriertcpd    
tcp        0      0 *:pop3s                 *:*                     LISTEN      3334/couriertcpd    
tcp        0      0 *:mysql                 *:*                     LISTEN      2361/mysqld         
tcp        0      0 *:corba-iiop-ssl        *:*                     LISTEN      5647/rpc.rquotad    
tcp        0      0 *:pop3                  *:*                     LISTEN      3317/couriertcpd    
tcp        0      0 localhost.localdoma:783 *:*                     LISTEN      6329/spamd.pid      
tcp        0      0 *:sunrpc                *:*                     LISTEN      3421/portmap        
tcp        0      0 *:imap                  *:*                     LISTEN      3280/couriertcpd    
tcp        0      0 *:www-http              *:*                     LISTEN      2953/httpd2-prefork 
tcp        0      0 *:smtps                 *:*                     LISTEN      5314/master         
tcp        0      0 *:hosts2-ns             *:*                     LISTEN      2889/ispconfig_http 
tcp        0      0 *:ftp                   *:*                     LISTEN      5756/proftpd: (acce 
tcp        0      0 myhost.mydomain.l:domain *:*                     LISTEN      5621/named          
tcp        0      0 localhost.locald:domain *:*                     LISTEN      5621/named          
tcp        0      0 *:ssh                   *:*                     LISTEN      3234/sshd           
tcp        0      0 localhost.localdoma:953 *:*                     LISTEN      5621/named          
tcp        0      0 *:smtp                  *:*                     LISTEN      5314/master         
tcp        0      0 *:https                 *:*                     LISTEN      2953/httpd2-prefork 
tcp        0      0 localhost.loc:lanserver *:*                     LISTEN      3429/famd           
tcp        0      0 myhost.mydomain.lv:38451 mta-v9.mail.vip.mu:smtp ESTABLISHED 5266/smtp           
tcp        0      0 myhost.mydomain.lv:33570 mfe1.sinos.net:smtp     ESTABLISHED 5332/smtp           
tcp        0      0 myhost.mydomain.lv:57976 server4.camintel.c:smtp ESTABLISHED 3051/smtp           
tcp        0      0 myhost.mydomain.lv:ftp   customer-2:compaq-https ESTABLISHED 5582/proftpd: mole  
tcp        0      0 myhost.mydomain.lv:47469 fr-end-01.ipteleco:smtp ESTABLISHED 5336/smtp           
tcp        0      0 myhost.mydomain.lv:54602 mta-v2.mail.vip.sp:smtp TIME_WAIT   -                   
tcp        0      0 myhost.mydomain.lv:38921 de.mx.aol.com:smtp      TIME_WAIT   -                   
tcp        0      0 myhost.mydomain.lv:37318 mx-ha01.web.de:smtp     TIME_WAIT   -                   
tcp        0      0 myhost.mydomain.lv:41672 mxf2.rambler.ru:smtp    TIME_WAIT   -                   
tcp        0      1 myhost.mydomain.lv:55333 211.76.133.78:smtp      FIN_WAIT1   -                   
tcp        0      0 myhost.mydomain.lv:50394 server-0076f.dnspr:smtp ESTABLISHED 3033/smtp           
tcp        0      1 myhost.mydomain.lv:50499 eowyn.portugalmail:smtp SYN_SENT    5481/smtp
10) I created the post-rule-setup.sh script as described in http://www.howtoforge.com/forums/showthread.php?t=6393 and http://www.howtoforge.com/forums/showthread.php?t=36299, and here is the source.
I inserted almost ALL bad IPs:
Code:
##############################
##############################
##############################
# For AUTH-SMTP###############
##############################
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 465 -j ACCEPT

######################################################
###Blocking incoming for smtp port 25
######################################################
######################################################
# My own blacklist of IPs
######################################################
iptables -A INPUT -p tcp -s 158.26.80.149 --dport 25 -j REJECT
iptables -A INPUT -p tcp -s 63.251.178.28 --dport 25 -j REJECT
iptables -A INPUT -p tcp -s 216.52.192.104 --dport 25 -j REJECT
iptables -A INPUT -p tcp -s 216.52.192.8 --dport 25 -j REJECT
...............
iptables -A OUTPUT -p tcp -s 204.126.12.0/23 --dport 21 -j REJECT
iptables -A OUTPUT -p tcp -s 204.126.140.0/23 --dport 21 -j REJECT

In the process of solving the problem I added almost all INPUT and OUTPUT IP addresses from this black IP list: http://blacklist.linuxadmin.org/

But the problem is that after a system reboot, iptables locks up and does not start, so I manually have to delete /var/lock/bastille. After that I restart the firewall, but all rules are gone...

Everything was installed as described in http://www.howtoforge.com/perfect_server_opensuse10.3... For 1.5 years the mail server lived without big problems, but it all started last week... the deadline was last Thursday ;-(

11) /var/log/messages:
Code:
Sep 28 12:28:28 myhost named[4739]: unexpected RCODE (REFUSED) resolving 'ondasnet.com.br/MX/IN': IP_
Sep 28 12:28:28 myhost named[4739]: unexpected RCODE (SERVFAIL) resolving 'inter.net.co/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: FORMERR resolving 'hotmail.com.pe/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: FORMERR resolving 'hotmail.com.pe/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: unexpected RCODE (SERVFAIL) resolving 'colombianet.net/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: FORMERR resolving 'hotmail.com.pe/MX/IN': IP_#53
Sep 28 12:28:30 myhost named[4739]: unexpected RCODE (SERVFAIL) resolving 'colombianet.net/MX/IN': IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'ahcrucha.hurtad.plaza.cl' (in 'plaza.cl'?): IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'ajahuel.paine.plaza.cl' (in 'plaza.cl'?): IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'andbello.florid.plaza.cl' (in 'plaza.cl'?): IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'anglica.plaza.cl' (in 'plaza.cl'?): IP_#53
12) /var/log/mail.err:
Code:
Sep 28 11:45:19 myhost postfix/bounce[9990]: fatal: lock file defer 42F952F96E8: Resource temporarily unavailable
Sep 28 11:46:05 myhost postfix/bounce[11012]: fatal: lock file defer 41C74EE2F14: Resource temporarily unavailable
Sep 28 11:46:14 myhost postfix/bounce[11003]: fatal: lock file defer E25FD77AA7E: Resource temporarily unavailable
Sep 28 11:46:58 myhost postfix/bounce[9942]: fatal: lock file defer 176FF519632: Resource temporarily unavailable
Sep 28 21:09:21 myhost postfix/master[5313]: fatal: open lock file pid/master.pid: unable to set exclusive lock: Resource temporarily unavailable
13) I have no DNS server on my server; the DNS entries are managed by my data center ISP...

14) I have fail2ban and DenyHosts installed and configured.

15) Also, the system is checked using rkhunter-1.3.4 and chkrootkit...

I have approx. 10 clients with approx. 30 e-mail accounts. But my /var/spool/postfix/incoming folder contains >160 000 entries (messages), and the /var/spool/postfix/active folder contains its maximum size of 20 000 entries...

I can delete all records from these folders, but they are back after a few seconds.
There are messages about "Australian National Lotteries", "Nigeria e-mails", spam mails to a big number of aol and yahoo users (existing and non-existing) etc...

Today, after some searches on Google, I set up SASL authentication on the SMTP server, so without authorizing and checking the TLS box e-mails cannot be sent! But this also does not solve the problem!

I don't know what else you should know to help me...?

Is there any chance to win against the spammers and get my normal mail server operation back?

Last edited by Mole; 29th September 2009 at 02:26.
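As an added example (not from the post above and not part of ISPConfig or Postfix), here is the kind of triage a defender runs over the Postfix mail log when the queue fills up as described: it joins the smtpd/pickup origin lines with the qmgr envelope lines by queue ID and shows which injection path is responsible, an abused SASL account, a local script submitting via pickup, or plain inbound SMTP. The log lines are constructed; the `client=`, `sasl_username=`, `uid=` and `nrcpt=` fields follow the standard Postfix smtpd, pickup and qmgr log formats, and the 50-recipient flag threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of a Postfix mail log (not from the original post). It mixes
# a normal authenticated user, one SASL account abused from several client IPs,
# a local injection via pickup (uid 30 is wwwrun, the web server user on SUSE),
# and one plain inbound SMTP message.
SAMPLE_LOG = """\
Sep 28 12:00:01 myhost postfix/smtpd[9001]: A1A1A1A1A1: client=mail.customer.example[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
Sep 28 12:00:01 myhost postfix/qmgr[5000]: A1A1A1A1A1: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Sep 28 12:00:05 myhost postfix/smtpd[9002]: B2B2B2B2B2: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=info@example.com
Sep 28 12:00:05 myhost postfix/qmgr[5000]: B2B2B2B2B2: from=<lottery@example.net>, size=5120, nrcpt=250 (queue active)
Sep 28 12:00:09 myhost postfix/smtpd[9003]: C3C3C3C3C3: client=unknown[203.0.113.44], sasl_method=LOGIN, sasl_username=info@example.com
Sep 28 12:00:09 myhost postfix/qmgr[5000]: C3C3C3C3C3: from=<winner@example.net>, size=5100, nrcpt=300 (queue active)
Sep 28 12:00:12 myhost postfix/pickup[5100]: D4D4D4D4D4: uid=30 from=<wwwrun>
Sep 28 12:00:12 myhost postfix/qmgr[5000]: D4D4D4D4D4: from=<wwwrun@myhost.example.com>, size=900, nrcpt=120 (queue active)
Sep 28 12:00:20 myhost postfix/smtpd[9004]: E5E5E5E5E5: client=mx.other.example[192.0.2.99]
Sep 28 12:00:20 myhost postfix/qmgr[5000]: E5E5E5E5E5: from=<bob@other.example>, size=700, nrcpt=1 (queue active)
"""

QID = r"(?P<qid>[0-9A-F]{10,12}):"
SMTPD_RE = re.compile(QID + r" client=\S+?\[(?P<ip>[^\]]+)\]"
                      r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?")
PICKUP_RE = re.compile(QID + r" uid=(?P<uid>\d+) from=<[^>]*>")
QMGR_RE = re.compile(QID + r" from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def triage(log_text, nrcpt_threshold=50):
    """Aggregate queued messages per injection source (SASL account, local uid,
    or unauthenticated client IP). A source is flagged when it has queued more
    than nrcpt_threshold recipients in total (threshold is an assumption)."""
    origin, client_ip, envelope = {}, {}, {}
    for line in log_text.splitlines():
        if "postfix/smtpd[" in line and (m := SMTPD_RE.search(line)):
            qid = m["qid"]
            origin[qid] = f"sasl:{m['user']}" if m["user"] else f"smtp:{m['ip']}"
            client_ip[qid] = m["ip"]
        elif "postfix/pickup[" in line and (m := PICKUP_RE.search(line)):
            origin[m["qid"]] = f"local-uid:{m['uid']}"
        elif "postfix/qmgr[" in line and (m := QMGR_RE.search(line)):
            envelope[m["qid"]] = (m["sender"], int(m["nrcpt"]))
    report = defaultdict(lambda: {"messages": 0, "recipients": 0,
                                  "client_ips": set(), "senders": set()})
    for qid, (sender, nrcpt) in envelope.items():
        entry = report[origin.get(qid, "unknown")]
        entry["messages"] += 1
        entry["recipients"] += nrcpt
        entry["senders"].add(sender)
        if qid in client_ip:
            entry["client_ips"].add(client_ip[qid])
    for entry in report.values():
        entry["client_ips"] = sorted(entry["client_ips"])
        entry["senders"] = sorted(entry["senders"])
        entry["suspicious"] = entry["recipients"] > nrcpt_threshold
    return dict(report)


def ranked(report):
    """Source labels ordered by queued recipients, most prolific first."""
    return sorted(report, key=lambda s: report[s]["recipients"], reverse=True)


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for src in ranked(rep):
        e = rep[src]
        flag = "!!" if e["suspicious"] else "  "
        print(f"{flag} {src:28} msgs={e['messages']:4} rcpts={e['recipients']:6} "
              f"ips={','.join(e['client_ips']) or '-'} from={','.join(e['senders'])}")
```

On a real server the same functions can be fed /var/log/mail; a SASL account that submits from many client IPs with envelope senders outside its own domain points at stolen credentials, while a large local-uid entry points at a script running under that user.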