Postfix - SPAM problem

Discussion in 'Server Operation' started by thavaht, Apr 6, 2010.

  1. thavaht

    thavaht New Member

    Somehow my server (Debian + Postfix) was used to deliver spam, so my IP appears listed in UCEPROTECT-Level1. :mad:

    Please help me find out how this was possible and how to fix it.

    I’ve checked my IP against http://www.spamhelp.org/shopenrelay/ and http://www.mxtoolbox.com/diagnostic.aspx and the results are OK.

    Below is an extract from the mail log. Notice that ustm.co.uk is not my domain, and 83.138.172.76 is not my IP and is not in mynetworks.
    Code:
    Apr  5 19:03:17 mail amavis[25447]: (25447-11) Passed CLEAN, LOCAL [127.0.0.1] [83.138.172.76] <[email protected]> -> <[email protected]>,<[email protected]>,
    <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,
    <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,
    <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]<[email protected]>,
    <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,
    <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,
    <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,….
    
    My main.cf is as follows (I’ve suppressed mydestination and myhostname)
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = no
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    
    relayhost =
    mynetworks = 212.96.26.50, 196.28.239.21, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_command =
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    #smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    #
    # Anti-spam configuration
    #
    smtpd_helo_required = yes
    disable_vrfy_command = yes
    
    #strict_rfc821_envelopes = yes
    strict_rfc821_envelopes = no
    invalid_hostname_reject_code = 554
    multi_recipient_bounce_reject_code = 554
    non_fqdn_reject_code = 554
    relay_domains_reject_code = 554
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    unknown_sender_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554
    
    smtpd_recipient_restrictions =
                check_client_access hash:/etc/postfix/access_client,
                check_recipient_access hash:/etc/postfix/recipients,
                permit_sasl_authenticated,
                permit_mynetworks,
                check_policy_service inet:127.0.0.1:2501,
                reject_unknown_recipient_domain,
                reject_invalid_hostname,
                reject_unauth_pipelining,
                reject_unknown_client,
                reject_unauth_destination,
                reject_rbl_client multi.uribl.com,
                reject_rbl_client dsn.rfc-ignorant.org,
                reject_rbl_client dul.dnsbl.sorbs.net,
                reject_rbl_client list.dsbl.org,
                reject_rbl_client sbl-xbl.spamhaus.org,
                reject_rbl_client bl.spamcop.net,
                reject_rbl_client dnsbl.sorbs.net,
                reject_rbl_client cbl.abuseat.org,
                reject_rbl_client ix.dnsbl.manitu.net,
                reject_rbl_client combined.rbl.msrbl.net,
                reject_rbl_client sbl.spamhaus.org,
                reject_rbl_client zen.spamhaus.org,
                reject_rbl_client dnsbl.njabl.org,
                reject_rbl_client dnsbl.sorbs.net,
                reject_rbl_client cbl.anti-spam.org.cn,
                reject_rbl_client dnsbl-1.uceprotect.net,
                reject_rbl_client virus.rbl.jp,
                reject_rbl_client virbl.bit.nl,
                reject_rbl_client wormrbl.imp.ch,
                reject_rbl_client spamrbl.imp.ch,
                reject_rbl_client spamlist.or.kr,
                permit
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    home_mailbox = Maildir/
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    
    #
    # Custom settings
    #
    minimal_backoff_time = 600s
    queue_run_delay = 600s
    maximal_backoff_time = 3600s
    maximal_queue_lifetime = 4h
    bounce_queue_lifetime = 4h
    TIA
    thavaht
     
    Last edited: Apr 6, 2010
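The amavis line quoted above only shows the message after Postfix had already accepted it, with a very long recipient list. What it does not show is how the message got in. With smtpd_sasl_auth_enable = yes and permit_sasl_authenticated placed before reject_unauth_destination, a client that can log in with any mailbox password is allowed to relay anywhere, so the usual next step is to find the queue ID of such a message in the Postfix smtpd line (which records client=host[ip] and, for authenticated sessions, sasl_username=...) and the matching qmgr line (which records nrcpt=, the recipient count). The script below is an added example written for this thread, not something from the original post or from the Postfix project: it joins those two log lines on the queue ID and reports, per SASL user, how many messages were sent, to how many recipients in total, and from which client addresses. The sample log is constructed; the client address 83.138.172.76 is the one from the thread, while the queue IDs, user names, sender addresses and other IPs are invented.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post). The client address 83.138.172.76
# is the one the poster saw; queue IDs, user names, sender addresses and the other
# client IPs are invented.
SAMPLE_LOG = """\
Apr  5 19:03:15 mail postfix/smtpd[25001]: 3A2B1C0D4E: client=unknown[83.138.172.76], sasl_method=LOGIN, sasl_username=alice
Apr  5 19:03:16 mail postfix/qmgr[1201]: 3A2B1C0D4E: from=<alice@example.com>, size=2119, nrcpt=31 (queue active)
Apr  5 19:03:20 mail postfix/smtpd[25002]: 4B3C2D1E5F: client=unknown[83.138.172.76], sasl_method=LOGIN, sasl_username=alice
Apr  5 19:03:21 mail postfix/qmgr[1201]: 4B3C2D1E5F: from=<alice@example.com>, size=2120, nrcpt=40 (queue active)
Apr  5 19:10:02 mail postfix/smtpd[25003]: 5C4D3E2F60: client=ws12.example.net[198.51.100.22], sasl_method=PLAIN, sasl_username=bob
Apr  5 19:10:03 mail postfix/qmgr[1201]: 5C4D3E2F60: from=<bob@example.com>, size=812, nrcpt=1 (queue active)
Apr  5 19:12:44 mail postfix/smtpd[25004]: 6D5E4F3071: client=mx2.example.org[203.0.113.7]
Apr  5 19:12:45 mail postfix/qmgr[1201]: 6D5E4F3071: from=<news@example.org>, size=4410, nrcpt=1 (queue active)
"""

# smtpd logs the client and, for authenticated sessions, the SASL user under the queue ID.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Fa-f]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+))?"
)
# qmgr logs the envelope sender and the recipient count (nrcpt) for the same queue ID.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Fa-f]+): from=<(?P<sender>[^>]*)>, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+)"
)

UNAUTH = "(unauthenticated)"


def summarize(log_text):
    """Join smtpd and qmgr lines on queue ID; return per-user message, recipient and client stats."""
    session = {}  # queue ID -> (sasl user or None, client IP)
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "clients": set()})
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            session[m["qid"]] = (m["user"], m["ip"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in session:
            user, ip = session[m["qid"]]
            entry = stats[user or UNAUTH]
            entry["messages"] += 1
            entry["recipients"] += int(m["nrcpt"])
            entry["clients"].add(ip)
    return dict(stats)


def flag_abuse(stats, max_avg_rcpt=10.0):
    """SASL users whose average recipients per message exceed the threshold (a tunable guess)."""
    return sorted(
        user for user, e in stats.items()
        if user != UNAUTH and e["recipients"] / e["messages"] > max_avg_rcpt
    )


if __name__ == "__main__":
    import sys
    # Read a real mail log from stdin when one is piped in; otherwise use the sample above.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    s = summarize(text)
    for user, e in sorted(s.items(), key=lambda kv: -kv[1]["recipients"]):
        print(f"{user:<20} msgs={e['messages']:<4} rcpts={e['recipients']:<6} clients={sorted(e['clients'])}")
    print("suspect accounts:", flag_abuse(s))
```

Run it as `python3 sasl_abuse.py < /var/log/mail.log` (the file name is an assumption; use whatever syslog writes Postfix to). An account that shows up with large recipient counts from a client address you do not recognise is the one whose password to change first; after that, `postqueue -p` shows what is still queued under that sender and `postsuper -d` removes it. The script only covers the authenticated SMTP path: mail injected locally by a script on the box (a compromised web application calling sendmail) is logged by postfix/pickup with a uid= field and has no smtpd line, so it will not appear here.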
  2. MxToolBox

    MxToolBox New Member

    Thank you for using our Blacklist Tool! Once you run a lookup, you can follow the links to the Blacklist websites (via the "details" link or the Blacklist name) and request delisting directly from them. I also want to provide you with a link to a very handy article we posted on our blog - What Blacklists Are and How MxToolbox Helps!

    This article explains how our services eliminate the problems blacklists cause and how they are oftentimes recurring and hard to permanently fix. If you can't get resolution to the problems, don't hesitate to contact us!

    Thank you,
    @MxToolBox
     