[Solved] Postfix Mail anti-spam security

Discussion in 'Installation/Configuration' started by Diogo Jesus, Mar 5, 2018.

  1. Diogo Jesus

    Diogo Jesus New Member

    Hello,
    After seeing this topic I decided to implement those settings which were really effective against spam. The only problem found was the greylist.

    Greylisting was really effective; it only had 2 downsides.
    1- 5 min delay to receive mails. In our company sometimes we receive mails while doing phone calls, so we kinda need instant mail delivery.
    2- Services like OVH will always get blocked in greylist loop.

    How does OVH work?
    After receiving a bounceback, they will resend the email with a new hostname, and they will get greylisted again. Basically it stays in a loop.

    Since in our company we work A LOT with emails, we really need to receive all client emails, but we also need to block spam.

    Is there any other setting that I can set up instead of greylist?

    Thank you,

    Diogo Jesus
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    Remove the greylisting setup by that how-to and install postscreen instead; there is a pretty decent postscreen configuration in https://git.ispconfig.org/ispconfig/ispconfig3/issues/4239

    You should also install postwhite to help with mail systems which behave the way you described OVH behaving. I don't think we have had a single complaint on this once postwhite was set up.

    Recent perfect server guides will have actual greylist support set up which you can enable on a per-mailbox basis if needed, but it will still have the problem with ovh and the like.
     
    Diogo Jesus likes this.
  3. Diogo Jesus

    Diogo Jesus New Member

    Thanks for the info, but what is the main difference between postscreen and greylist? Apparently they are both the "same". If that's the case I still cannot use that method, since in our country a LOT of companies use OVH services (even we're using them for the servers at the moment). Problem is that the only one I know is OVH, but we might have more. So if postscreen acts like greylist I still need another method.

    Diogo Jesus
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

  5. Diogo Jesus

    Diogo Jesus New Member

    Hi, sorry for the late reply, but we had other issues and only this week I restarted working on our mail server.
    After enabling this option, emails from gmail are getting blocked. So far it is the only one, but I think that they use the same system as OVH / yahoo, which means: if refused, resend with a new IP. Is there any workaround for this?

    Code:
    Mar 29 11:27:22 webapps postfix/dnsblog[20931]: addr 209.85.220.173 listed by domain dnsbl.sorbs.net as 127.0.0.6
    Mar 29 11:27:22 webapps postfix/dnsblog[20928]: addr 209.85.220.173 listed by domain hostkarma.junkemailfilter.com as 127.0.0.3
    Mar 29 11:27:22 webapps postfix/dnsblog[20928]: addr 209.85.220.173 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
    Mar 29 11:27:22 webapps postfix/dnsblog[20935]: addr 209.85.220.173 listed by domain wl.mailspike.net as 127.0.0.18
    Mar 29 11:27:22 webapps postfix/dnsblog[20930]: addr 209.85.220.173 listed by domain score.senderscore.com as 127.0.4.99
    
     
  6. Jesse Norell

    Jesse Norell Well-Known Member

    Yes, as mentioned in both previous posts, you need to install postwhite in order to address that issue.
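    The dnsblog lines in post 5 above only say which lists answered for 209.85.220.173; whether postscreen then rejects depends on the weights in postscreen_dnsbl_sites and on postscreen_dnsbl_threshold. The following is an added example, not code from this thread or from ISPConfig, that parses such log lines and totals the weights a site list would assign, which is the quickest way to see why a legitimate sender scored over the threshold. The weights in EXAMPLE_SITES are assumed for illustration (the thread's real values are in the linked ispconfig issue), the reply-filter syntax follows Postfix's domain=d.d.d.d*weight form, summing every matching entry is a simplification of postscreen's exact scoring, and the last three log lines are constructed.

```python
import re

# postscreen logs one line per DNSBL listing; this matches the lines posted in the thread.
LOG_RE = re.compile(r"postfix/dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as (\S+)")

# One postscreen_dnsbl_sites entry: "site", "site*weight", "site=filter" or "site=filter*weight",
# where filter is d.d.d.d and each d is a number or a [lo..hi] range.
SITE_RE = re.compile(r"^(?P<site>[^=*\s]+)(?:=(?P<filter>[^*\s]+))?(?:\*(?P<weight>-?\d+))?$")
OCTET_RE = re.compile(r"\[(\d+)\.\.(\d+)\]|(\d+)")

# Hypothetical weights, chosen only to illustrate scoring (positive = bad, negative = reputation credit).
EXAMPLE_SITES = [
    "zen.spamhaus.org=127.0.0.[2..11]*3",
    "dnsbl.sorbs.net*1",
    "hostkarma.junkemailfilter.com=127.0.0.2*2",
    "hostkarma.junkemailfilter.com=127.0.0.3*1",
    "hostkarma.junkemailfilter.com=127.0.0.1*-2",
    "wl.mailspike.net=127.0.0.[17..20]*-2",
    "score.senderscore.com=127.0.4.[0..20]*2",
    "score.senderscore.com=127.0.4.[90..100]*-1",
    "list.dnswl.org=127.0.[0..255].[1..3]*-3",
]

# First five lines are the ones posted in the thread; the last three are constructed
# (TEST-NET addresses) to show a rejection and a whitelist credit.
SAMPLE_LOG = """\
Mar 29 11:27:22 webapps postfix/dnsblog[20931]: addr 209.85.220.173 listed by domain dnsbl.sorbs.net as 127.0.0.6
Mar 29 11:27:22 webapps postfix/dnsblog[20928]: addr 209.85.220.173 listed by domain hostkarma.junkemailfilter.com as 127.0.0.3
Mar 29 11:27:22 webapps postfix/dnsblog[20928]: addr 209.85.220.173 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
Mar 29 11:27:22 webapps postfix/dnsblog[20935]: addr 209.85.220.173 listed by domain wl.mailspike.net as 127.0.0.18
Mar 29 11:27:22 webapps postfix/dnsblog[20930]: addr 209.85.220.173 listed by domain score.senderscore.com as 127.0.4.99
Mar 29 11:30:01 webapps postfix/dnsblog[20940]: addr 198.51.100.7 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 29 11:30:01 webapps postfix/dnsblog[20941]: addr 198.51.100.7 listed by domain dnsbl.sorbs.net as 127.0.0.6
Mar 29 11:31:15 webapps postfix/dnsblog[20944]: addr 192.0.2.9 listed by domain list.dnswl.org as 127.0.5.3
"""


def parse_site_spec(spec):
    """Split 'site=filter*weight' into (site, filter or None, weight); weight defaults to 1."""
    m = SITE_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad postscreen_dnsbl_sites entry: {spec!r}")
    weight = int(m.group("weight")) if m.group("weight") is not None else 1
    return m.group("site").lower(), m.group("filter"), weight


def filter_matches(filt, reply):
    """True when the DNSBL A-record reply (e.g. 127.0.0.6) satisfies the d.d.d.d filter."""
    if filt is None:            # no filter: any listing counts
        return True
    parts = OCTET_RE.findall(filt)
    octets = reply.split(".")
    if len(parts) != 4 or len(octets) != 4:
        return False
    for (lo, hi, single), octet in zip(parts, octets):
        value = int(octet)
        if single:
            if value != int(single):
                return False
        elif not int(lo) <= value <= int(hi):
            return False
    return True


def score_log(log_text, site_specs, threshold):
    """Return ({addr: score}, {addr: 'reject'|'pass'}, {addr: [(site, reply, weight), ...]})."""
    sites = [parse_site_spec(s) for s in site_specs]
    scores, hits = {}, {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        addr, domain, reply = m.groups()
        scores.setdefault(addr, 0)
        hits.setdefault(addr, [])
        for site, filt, weight in sites:
            if site == domain.lower() and filter_matches(filt, reply):
                scores[addr] += weight
                hits[addr].append((domain, reply, weight))
    verdicts = {addr: ("reject" if score >= threshold else "pass") for addr, score in scores.items()}
    return scores, verdicts, hits


if __name__ == "__main__":
    scores, verdicts, hits = score_log(SAMPLE_LOG, EXAMPLE_SITES, threshold=3)
    for addr in scores:
        print(f"{addr}: score {scores[addr]} -> {verdicts[addr]}")
        for site, reply, weight in hits[addr]:
            print(f"    {site} returned {reply}: {weight:+d}")
```

    Run it against your own mail.log and your real postscreen_dnsbl_sites value to see which entry pushed a sender over the threshold; a whitelist such as postwhite sidesteps the score entirely for hosts it covers, so the two views together explain most "why was this blocked" questions.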
     
  7. Diogo Jesus

    Diogo Jesus New Member

    postwhite was installed, but I forgot to mention it in the postfix main.cf config file
    Code:
    postscreen_access_list = permit_mynetworks,
      cidr:/etc/postfix/postscreen_spf_whitelist.cidr
    
    Working like a charm for now. For OVH I added *.mail-out.ovh.net, which is what they recommend. I added this into the postwhite.conf file. But at least now I'm able to receive mails from outlook/gmail, etc.
     
    Jesse Norell likes this.
  8. Diogo Jesus

    Diogo Jesus New Member

    Sorry for double posting; in the custom_hosts field of postwhite.conf I added *.mail-out.ovh.net.
    But this morning during the tests I still cannot receive mails from the OVH provider. Here's the log.

    Code:
    Apr  3 09:19:37 webapps postfix/postscreen[4563]: CONNECT from [xx.xx.xx.xx]:46470 to [yy.yy.yy.yy]:25
    Apr  3 09:19:37 webapps postfix/dnsblog[4566]: warning: valid_hostname: empty hostname
    Apr  3 09:19:37 webapps postfix/dnsblog[4566]: warning: malformed domain name in resource name of SOA record for xx.xx.xx.xx.rbl.LOCAL.DOMAIN:
    Apr  3 09:19:37 webapps postfix/dnsblog[4569]: warning: valid_hostname: empty hostname
    Apr  3 09:19:37 webapps postfix/dnsblog[4569]: warning: malformed domain name in resource name of SOA record for xx.xx.xx.xx.rwl.LOCAL.DOMAIN:
    Apr  3 09:19:37 webapps postfix/dnsblog[4579]: addr xx.yy.xx.xx listed by domain score.senderscore.com as 127.0.4.67
    Apr  3 09:19:37 webapps postfix/dnsblog[4572]: addr xx.yy.xx.xx listed by domain list.dnswl.org as 127.0.5.0
    Apr  3 09:19:44 webapps dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=yy.yy.yy.yy, lip=yy.yy.yy.yy, mpid=4584, TLS, session=<KOTfh+xowu9esVlV>
    Apr  3 09:19:49 webapps postfix/tlsproxy[4585]: CONNECT from [xx.yy.xx.xx]:46470
    Apr  3 09:19:49 webapps postfix/postscreen[4563]: NOQUEUE: reject: RCPT from [xx.yy.xx.xx]:46470: 450 4.3.2 Service currently unavailable; from=<[email protected]>, to=<[email protected]>, proto=ESMTP, helo=<10.mo178.mail-out.ovh.net>
    
    EDIT:

    Added mx.ovh.com to the custom_hosts field. Still not working, because the provider is sending from XX.moXXX.mail-out.ovh.net.
     
    Last edited: Apr 3, 2018
  9. Jesse Norell

    Jesse Norell Well-Known Member

    Postwhite looks up spf records and whitelists hosts/address ranges which are allowed, so what you enter needs to have a valid spf record, which mx.ovh.com does have:
    Code:
    $ host -t txt mx.ovh.com
    mx.ovh.com descriptive text "v=spf1 ptr:mail-out.ovh.net ptr:mail.ovh.net ip4:8.33.137.105/32 ?all"
    
    xx.moxxx.mail-out.ovh.net will match via the ptr: mechanism, which is valid, but doesn't work with postwhite. This is the same problem yahoo's spf setup has, eg. see https://github.com/jsarenik/spf-tools/issues/138 .. the solution I believe was to screen-scrape the list of ip addrs off a webpage that yahoo posts, and include them; not ideal, but functional and working for the time.

    As for OVH, you might see if they maintain any spf record with address blocks, which would be the easiest to implement. If not, possibly they maintain a webpage of address ranges like yahoo? Or you might just build your own postscreen access list with a simple script from a nightly cron job, eg.:
    Code:
    (for a in {1..99}; do
       for b in {1..300}; do
         host ${a}.mo${b}.mail-out.ovh.net
       done
     done | grep 'has address' | awk '{print $4 " permit"}' | sort -u \
       > /etc/postfix/postscreen_ovh_whitelist.cidr) && postfix reload
    
    Then add `cidr:/etc/postfix/postscreen_ovh_whitelist.cidr` to your `postscreen_access_list` list. Kind of quick and dirty, but might get the job done. You might consult OVH for what the range to query is (ie. the '99' and '300' in the above script).

    A last option would be to turn that feature of greylisting off, which I believe is done by disabling deep protocol tests, though not positive without further searching (see http://postfix.1071664.n5.nabble.com/postscreen-undesired-greylisting-td48777.html which also includes another solution using 2 mx hosts sharing a postscreen cache, if you like that setup .. I don't know if it'd work with ovh's servers/queueing).
     
  10. Diogo Jesus

    Diogo Jesus New Member

    Thanks for the help. Your script seems to be working fine. I'll give a call to the OVH support center and ask them what their number range is so I can change it. Still didn't push it to production, but I'll keep you updated.
     
  11. Diogo Jesus

    Diogo Jesus New Member

    After contacting OVH they refused to give me such information, saying that their numbers keep changing and that they don't know the limit. After also asking on the OVH forums, one guy provided me a script that he is using, written in Python.
    https://gist.github.com/ptitoliv/09f327aaf51a5c89193120330a29a36f#file-ovh_mail_out_list-py
    The list takes several hours to generate (more than 10 000 IPs so far). I'm running a cron tonight and tomorrow I'll post the feedback.
     
  12. Diogo Jesus

    Diogo Jesus New Member

    Update: after saving all their IPs in postscreen_ovh_whitelist.cidr (it took a few minutes; I had wrongly copied the code on my side, which was looping and never ended),
    after receiving a mail from an OVH client I get 450 4.3.2 Service currently unavailable.
    Which is better than before, when I was getting blacklisted by some services. Now there is no blacklist, only service currently unavailable. Is there anything else that I can do to fix this issue?
    Thank you and sorry for double post
     
  13. Diogo Jesus

    Diogo Jesus New Member

    Problem fixed, forgot to uncomment one line in postscreen config. Thanks for the help
     
  14. Jesse Norell

    Jesse Norell Well-Known Member

    That python version starts at "1" and increments until dns returns "not found"; the actual dns query time should be similar/identical for both I would guess, but the python script will finish more efficiently, as the bash script I put above will continue to query for non-existent names up to a pre-determined number. However, if OVH ever skips a single name, and it appears they do (see below), the python version will provide an incomplete list. Choose your poison I suppose, or rewrite one or the other to do better (eg. the bash script will loop through all possible 5th level host names even if the 4th level domain doesn't exist).

    Code:
    mo199.mail-out.ovh.net has address 178.32.228.199
    mo200.mail-out.ovh.net has address 178.32.228.200
    Host mo201.mail-out.ovh.net not found: 3(NXDOMAIN)
    Host mo202.mail-out.ovh.net not found: 3(NXDOMAIN)
    Host mo203.mail-out.ovh.net not found: 3(NXDOMAIN)
    ...
    mo211.mail-out.ovh.net has address 178.32.228.211
    mo212.mail-out.ovh.net has address 178.32.228.212
    Host mo213.mail-out.ovh.net not found: 3(NXDOMAIN)
    Host mo214.mail-out.ovh.net not found: 3(NXDOMAIN)
    Host mo215.mail-out.ovh.net not found: 3(NXDOMAIN)
    Host mo216.mail-out.ovh.net not found: 3(NXDOMAIN)
    Host mo217.mail-out.ovh.net not found: 3(NXDOMAIN)
    Host mo219.mail-out.ovh.net not found: 3(NXDOMAIN)
    
     
  15. Diogo Jesus

    Diogo Jesus New Member

    I'll give it a try like this for now, as I'm running this in cron 3 times a day: once in the morning before the office opens, once at lunch break, and once after office hours. I'll keep this thread updated. If we don't see any problem we will keep it this way, otherwise I'll write a new script or use your script as you said.
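    As an added example, not the bash one-liner from post 9 nor the gist linked in post 11, here is a Python version of the access-list builder that addresses both points raised in post 14: it tolerates a run of missing names instead of stopping at the first NXDOMAIN, and it only enumerates the A.moN children of moN names that actually exist, so dead 4th-level names do not cost a full 5th-level sweep. Resolution is injectable so it can be exercised offline; FAKE_DNS is a constructed table using TEST-NET-3 addresses, not real OVH addresses, and the mo{N} / {A}.mo{N} naming, the 25-name gap tolerance, the hard limit and the output path are assumptions taken from the thread rather than anything OVH documents.

```python
import ipaddress
import os
import socket
import subprocess
import sys
import tempfile


def resolve_a(hostname):
    """Default resolver: IPv4 A records for hostname, or [] when it does not resolve
    (the NXDOMAIN signal both scripts in the thread key on)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


# Constructed offline fixture (TEST-NET-3 space): mo3..mo12 are deliberately missing,
# mirroring the mo201..mo210 gap seen in post 14, yet mo13 exists and must still be found.
FAKE_DNS = {
    "mo1.mail-out.ovh.net": ["203.0.113.1"],
    "1.mo1.mail-out.ovh.net": ["203.0.113.10"],
    "2.mo1.mail-out.ovh.net": ["203.0.113.11"],
    "mo2.mail-out.ovh.net": ["203.0.113.2"],
    "1.mo2.mail-out.ovh.net": ["203.0.113.12"],
    "mo13.mail-out.ovh.net": ["203.0.113.13"],
    "1.mo13.mail-out.ovh.net": ["203.0.113.14"],
}


def fake_resolve(hostname):
    """Resolver backed by the constructed FAKE_DNS table, for offline runs and tests."""
    return FAKE_DNS.get(hostname, [])


def enumerate_numbered(name_for, resolve, start=1, max_gap=25, hard_limit=2000):
    """Resolve name_for(1), name_for(2), ... and return [(n, ips)] for the ones that exist.
    Stops after max_gap consecutive missing names (not at the first one) or at hard_limit,
    so a skipped number does not truncate the list and a dead range does not loop forever."""
    found, gap, n = [], 0, start
    while n <= hard_limit and gap < max_gap:
        ips = resolve(name_for(n))
        if ips:
            found.append((n, ips))
            gap = 0
        else:
            gap += 1
        n += 1
    return found


def collect_ovh_addresses(resolve=resolve_a, domain="mail-out.ovh.net", max_gap=25):
    """Addresses of every moB.<domain> plus every A.moB.<domain> under an existing moB."""
    addresses = set()
    for b, ips in enumerate_numbered(lambda b: f"mo{b}.{domain}", resolve, max_gap=max_gap):
        addresses.update(ips)
        for _a, child_ips in enumerate_numbered(lambda a: f"{a}.mo{b}.{domain}", resolve, max_gap=max_gap):
            addresses.update(child_ips)
    return addresses


def to_cidr_table(addresses):
    """Render postscreen_access_list cidr: lines, merging adjacent hosts into one prefix."""
    nets = [ipaddress.ip_network(a) for a in addresses]
    return [f"{net.with_prefixlen} permit" for net in ipaddress.collapse_addresses(nets)]


def write_atomically(lines, path):
    """Write via temp file + rename so postfix never reads a half-written map."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".postscreen_ovh.")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


if __name__ == "__main__":
    # "--demo" uses the constructed table and prints; otherwise real DNS, then reload postfix.
    if "--demo" in sys.argv:
        print("\n".join(to_cidr_table(collect_ovh_addresses(resolve=fake_resolve))))
    else:
        path = sys.argv[1] if len(sys.argv) > 1 else "/etc/postfix/postscreen_ovh_whitelist.cidr"
        write_atomically(to_cidr_table(collect_ovh_addresses()), path)
        subprocess.run(["postfix", "reload"], check=True)
```

    Wire the result in exactly as post 9 describes, by adding cidr:/etc/postfix/postscreen_ovh_whitelist.cidr to postscreen_access_list. Keep max_gap larger than the biggest hole you have observed in the namespace (the thread saw ten consecutive missing names), and remember that every address in this file bypasses postscreen's checks, so the file should be regenerated on a schedule and reviewed when it grows unexpectedly.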
     
