Postfix - SPAM getting through on Submission

Discussion in 'General' started by wjk940, Jan 2, 2018.

  1. wjk940

    wjk940 New Member

    I hit a problem, where SPAM was using my "The Perfect Server - Ubuntu 17.10 (Artful Aardvark) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3.1" as a relay. For me, the problem started in mid-December. Perhaps my ISP (Comcast) made a change. Perhaps something about SpamAssassin rules changed. Perhaps I updated software that started working differently. Regardless, I had to find a solution, since my ISP was cutting off my ability to send mail after my server relayed 1000 emails. Eventually, I hit on a combination of "smtp_*_restrictions" which are working. I think the main change to fix my problem was adding 'check_sender_access mysql:/etc/postfix/' to 'smtpd_relay_restrictions'. Following is the smtp* configuration in my /etc/postfix/

    In a terminal window, I've been monitoring my outgoing mail using "tail -f /var/log/mail.log | fgrep 'postfix/submission/smtpd' | fgrep 'from='"

    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
    smtp_sasl_tls_security_options = noanonymous
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtp_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_loglevel = 1
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_security_level = encrypt
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    smtpd_client_message_rate_limit = 100
    smtpd_client_restrictions = check_client_access
        mysql:/etc/postfix/, reject_rhsbl_client, reject_rbl_client
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks,
        check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname,
        reject_non_fqdn_hostname, reject_invalid_helo_hostname,
        reject_unknown_helo_hostname, check_helo_access
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
        reject_rbl_client, reject_rhsbl_reverse_client, reject_rhsbl_helo, reject_rhsbl_sender, check_recipient_access
        mysql:/etc/postfix/, check_recipient_access
    smtpd_reject_unlisted_sender = yes
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
        reject_unauth_destination, check_sender_access
        mysql:/etc/postfix/, reject_rbl_client, reject_rhsbl_reverse_client,
        reject_rhsbl_helo, reject_rhsbl_sender
    smtpd_restriction_classes = greylisting
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_sender_login_maps =
    smtpd_sender_restrictions = check_sender_access
        regexp:/etc/postfix/, permit_mynetworks,
        permit_sasl_authenticated, check_sender_access
        mysql:/etc/postfix/, check_sender_access
        regexp:/etc/postfix/, reject_unknown_sender_domain
    smtpd_tls_auth_only = yes
    smtpd_tls_eecdh_grade = ultra
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtpd_tls_loglevel = 0
    smtpd_tls_mandatory_ciphers = high
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes

Share This Page