Postfix Config - Antispam - mod_security - ISPConfig3 - Debian Squeeze

Discussion in 'ISPConfig 3 Priority Support' started by randomsam, Aug 28, 2013.

  1. randomsam

    randomsam New Member HowtoForge Supporter

    Recently I've been thinking that I should have a crack at hardening my server a little. ISPConfig 3.0.5.3, Debian 6.07, Postfix 2.7.1-1+squeeze1

    Firstly Postfix:

    I have hardened my install using some recommendations found here :

    http://www.howtoforge.com/hardening-postfix-for-ispconfig-3

    I am wondering if I have gone too far in terms of antispam. In an attempt to monitor mail sending and receiving I installed mailgraph. In the 24-hour period since installing mailgraph the stats are as follows:

    Sent : 365
    Received : 634
    Bounced : 1
    Viruses : 1
    Spam : 54
    Rejected : 10170

    Rejected seems exceptionally high; I am inclined to believe the numbers, as the logs are full of messages like these:

    450 4.7.1 Client host rejected: cannot find your hostname

    Relay access denied; from=<>

    and

    verification failed: Name or service not known

    I am a little worried that I am rejecting mail that could be legitimate and would appreciate if someone could sanity check my config.

    I include the relevant parts below.

    -------------------------------------------
    main.cf
    --------------------------------------------

    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
    smtpd_use_tls = yes
    smtpd_tls_security_level = may
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, check_policy_service inet:127.0.0.1:10031
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = maildrop
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    smtpd_client_message_rate_limit = 100
    owner_request_special = no
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname
    strict_rfc821_envelopes = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, reject_unknown_recipient_domain
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_reject = yes

    --------------------------------------------
    The sections I have made additions to in main.cf are smtpd_recipient_restrictions, smtpd_sender_restrictions, smtpd_client_restrictions, smtpd_helo_required, smtpd_helo_restrictions, strict_rfc821_envelopes, smtpd_recipient_restrictions, smtpd_data_restrictions and smtpd_delay_reject.

    I have installed postfix-policyd so I can set a quota for sending mail. The only thing I have postfix-policyd doing is monitoring quotas and enforcing them (not yet using any of the whitelisting/greylisting/blacklisting features). The references to check_policy_service inet:127.0.0.1:10031 are the ones I have added to talk to policyd.

    As I say, Postfix works and I am getting no spam at all; the worry is that I am using policies that are too strict and rejecting legitimate mail into oblivion.


    2.) Mod_security

    I have installed Apache mod_security, which is merrily blocking injection attempts and writing to a log file, /var/log/apache2/modsec_debug.log.
    This log file has been steadily filling up for a few days; does anyone have any suggestions for adding it to logrotate, or will it be done automatically?


    Sorry for the long post, just thought I would provide all I could in terms of info.
     
    Last edited: Aug 28, 2013
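    As an added example that is not part of the thread: the script below classifies Postfix reject lines like the ones quoted above by the main.cf restriction that produces them and separates temporary (4xx) rejects from permanent ones, because reject_unknown_client_hostname answers with a 450 by default, so a legitimate sender keeps retrying and a single client can account for many "rejected" entries in mailgraph. The log lines are constructed samples, not from the poster's server.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd log format (not taken from the thread).
SAMPLE_LOG = """\
Aug 28 10:01:02 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<a@example.org> to=<b@example.net> proto=ESMTP helo=<mx.example.org>
Aug 28 10:01:05 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<a@example.org> to=<b@example.net> proto=ESMTP helo=<mx.example.org>
Aug 28 10:02:11 mail postfix/smtpd[1235]: NOQUEUE: reject: RCPT from spam.example.com[203.0.113.9]: 554 5.7.1 <x@other.example>: Relay access denied; from=<> to=<x@other.example> proto=SMTP helo=<spam>
Aug 28 10:03:40 mail postfix/smtpd[1236]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.20]: 450 4.1.2 <c@nosuch.invalid>: Recipient address rejected: Domain not found; from=<d@example.net> to=<c@nosuch.invalid> proto=ESMTP helo=<mail.example.net>
"""

REJECT_RE = re.compile(
    r"NOQUEUE: reject: \w+ from (?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<enh>\d\.\d\.\d) (?P<reason>[^;]*); from=<(?P<sender>[^>]*)>"
)

# Reject reason text -> the main.cf restriction that emits it (Postfix default wording).
REASON_TO_RESTRICTION = {
    "cannot find your hostname": "reject_unknown_client_hostname",
    "Relay access denied": "reject_unauth_destination",
    "Domain not found": "reject_unknown_recipient_domain",
}

def parse_reject(line):
    """Return a dict for a reject line, or None if the line is not a reject."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["restriction"] = next((r for k, r in REASON_TO_RESTRICTION.items() if k in d["reason"]), "other")
    d["temporary"] = d["code"].startswith("4")   # 4xx: the sender is expected to retry
    return d

def summarize(log_text):
    """Per restriction: total rejects, distinct client IPs, and how many were 4xx.
    Distinct IPs vs. total shows how much of the count is retries of the same client."""
    by_restriction, temporary, distinct_ips = Counter(), Counter(), {}
    for line in log_text.splitlines():
        rec = parse_reject(line)
        if rec is None:
            continue
        by_restriction[rec["restriction"]] += 1
        distinct_ips.setdefault(rec["restriction"], set()).add(rec["ip"])
        if rec["temporary"]:
            temporary[rec["restriction"]] += 1
    return {r: {"rejects": n, "distinct_ips": len(distinct_ips[r]), "temporary_4xx": temporary[r]}
            for r, n in by_restriction.items()}
```

Run it over /var/log/mail.log instead of SAMPLE_LOG to see which restriction dominates the rejected count and whether the same few clients are retrying.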
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    1) The setup you applied is very strict. You can e.g. undo the SPF part, as valid senders often don't have an SPF record.

    2) Logrotate will rotate all files that end with ".log" in /var/log/apache2/ automatically on Debian. See /etc/logrotate.d/apache2 for details.
     
  3. randomsam

    randomsam New Member HowtoForge Supporter

    Hi Till,

    Thanks for the info. Unless I am slowly going mad, I can't find any reference to SPF in my config.
    I don't have postfix-policyd-spf-python or postfix-policyd-spf-perl installed so can't see the reference to this.

    In reference to the strict policies I am running I'm not sure what to undo. The only thing I am a little wary of is reject_unknown_client_hostname as there is some discussion that this may be causing issues with non-RFC compliant hosts and perhaps I should be using reject_unknown_reverse_client_hostname instead.

    Any suggestions as to what I could do to reduce the strict policies without opening the server to a world of spam would be great.

    Many thanks
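    As an added illustration of the difference raised above (not part of the thread), the following models how Postfix decides "unknown client" for the two restrictions: reject_unknown_reverse_client_hostname only rejects when the client IP has no PTR record, while reject_unknown_client_hostname also rejects when the PTR name has no address record or its addresses do not include the client IP, which is the case that produces the "verification failed: Name or service not known" warning. The DNS data is constructed; real Postfix asks the resolver.

```python
# Constructed reverse records: client IP -> PTR hostname (not real hosts).
PTR = {
    "192.0.2.10": "mail.example.net",        # properly forward-confirmed
    "198.51.100.7": "host7.isp.example",     # PTR exists but the name has no A record
    "203.0.113.9": "mx.example.org",         # PTR exists, A record points elsewhere
}
# Constructed forward records: hostname -> list of IPs.
A = {
    "mail.example.net": ["192.0.2.10"],
    "mx.example.org": ["203.0.113.99"],
}

def classify_client(ip, ptr=PTR, a=A):
    """Return (logged_name, reject_reverse, reject_strict, note).
    logged_name is what Postfix substitutes in 'from name[ip]' when verification fails."""
    name = ptr.get(ip)
    if name is None:
        # No address->name mapping: both restrictions reject.
        return "unknown", True, True, "no PTR record"
    forward = a.get(name)
    if forward is None:
        # name->address lookup fails: only the strict restriction rejects.
        # Postfix logs 'hostname <name> verification failed: Name or service not known'.
        return "unknown", False, True, "PTR name does not resolve"
    if ip not in forward:
        # name resolves, but not back to the connecting IP: strict restriction rejects.
        return "unknown", False, True, "PTR name does not resolve back to client IP"
    return name, False, False, "forward-confirmed"

def would_reject(ip, restriction, ptr=PTR, a=A):
    """True if the named main.cf restriction would reject a client at this IP."""
    _, reject_reverse, reject_strict, _ = classify_client(ip, ptr, a)
    return {"reject_unknown_reverse_client_hostname": reject_reverse,
            "reject_unknown_client_hostname": reject_strict}[restriction]
```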
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    If you haven't installed the SPF part of the guide, then you don't have to remove it :) The reject_unknown_client_hostname should be OK in my opinion.
     