Spam almost under control, still need a little assistance.

Discussion in 'Server Operation' started by indiadamjones, Mar 30, 2014.

  1. indiadamjones

    indiadamjones Member

    Hi there. Somehow a few messages are still getting delivered. I thought this was bounce spam, but I'm not sure. Can some check out this header information, and give me any hints about the nature of these spam messages?

    Code:
    Received: (qmail 93169 invoked by uid 102); 30 Mar 2014 12:06:13 -0000
    Received: from unknown (HELO mtaq4.grp.bf1.yahoo.com) (10.xxx.xxx.xxx)
      by m1.grp.bf1.yahoo.com with SMTP; 30 Mar 2014 12:06:13 -0000
    Received: (qmail 20003 invoked from network); 30 Mar 2014 12:06:13 -0000
    Received: from unknown (HELO cloud3.megabotix.com) (192.xxx.xxx.xxx)
      by mtaq4.grp.bf1.yahoo.com with SMTP; 30 Mar 2014 12:06:13 -0000
    Received: from localhost (localhost [127.0.0.1])
    	by cloud3.megabotix.com (Postfix) with ESMTP id 80C2470248;
    	Sun, 30 Mar 2014 08:06:13 -0400 (EDT)
    X-Virus-Scanned: Debian amavisd-new at cloud3.megabotix.com
    Received: from cloud3.megabotix.com ([127.0.0.1])
    	by localhost (megabotix.com [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id Ku-7AeN_2r8H; Sun, 30 Mar 2014 08:06:12 -0400 (EDT)
    Received: from megabotix.com (unknown [37.238.110.142])
    	(Authenticated sender: [email protected])
    	by cloud3.megabotix.com (Postfix) with ESMTPA id 0A50170247;
    	Sun, 30 Mar 2014 08:06:10 -0400 (EDT)
    From: "steve" <[email protected]>
    To: "Braless Ladies unsubscribe"
     <[email protected]>,
     "clubclit unsubscribe" <[email protected]>
    Subject: steve
    Date: Sat, 30 Mar 2014 01:06:10 +0100
    MIME-Version: 1.0
    X-mailer: Microsoft Office Outlook, Build 11.0.5510
    Reply-To: [email protected]
    Content-type: multipart/alternative;
     boundary="----=_NextPart_000_B47E_24C0548D.7663BB37"
    Message-Id: <[email protected]>
    X-eGroups-Remote-IP: 192.xxx.xxx.xxx
    X-eGroups-Remote-IP: 10.xxx.xxx.xxx
    
    This is a multi-part message in MIME format.
    
    ------=_NextPart_000_B47E_24C0548D.7663BB37
    Content-type: text/plain; charset=ISO-8859-1
    Content-Transfer-Encoding: quoted-printable
    
    http://radgeber-lindau.de/mjww/ejowbrvce.oto
    
    ------=_NextPart_000_B47E_24C0548D.7663BB37
    Content-type: text/html; charset=UTF-8
    Content-Transfer-Encoding: quoted-printable
    
    =EF=BB=BF<html><head><meta http-equiv=3D"content-type" content: text/html;=
     charset=
    =3DUTF-8></head><body>http://radgeber-lindau.de/mjww/ejowbrvce.oto</body></htm=
    l>
    ------=_NextPart_000_B47E_24C0548D.7663BB37--
    main.cf
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    readme_directory = /usr/share/doc/postfix
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = cloud3.megabotix.com
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = $myhostname, localhost.$mydomain, localhost
    relayhost = 
    mynetworks = 127.0.0.0/8, [::ffff:127.0.0.0]/104, [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =  
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    inet_protocols = all
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023
    #smtpd_recipient_restrictions = permit_mynetworkds, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhause.org, check_policy_service inet:127.0.0.1:10023
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf,  reject_rbl_client cbl.abuseat.org,  reject_rbl_client b.barracudacentral.org
    smtpd_tls_security_level = may
    smtpd_tls_protocols = !SSLv2, !SSLv3
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks 
    smtpd_sender_restrictions = permit_sasl_authenticated, reject_unknown_sender_domain
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    message_size_limit = 0
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_reject = yes
    #policy-spf_time_limit = 3600s
    strict_rfc821_envelopes = yes
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    queue_directory = /var/spool/postfix
    
    master.cf
    Code:
    #
    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master").
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       -       -       -       smtpd
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
    submission inet n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       -       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=no
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
       -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
       -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       -       -       -       qmqpd
    pickup    unix  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      unix  n       -       n       300     1       qmgr
    #qmgr     unix  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
    #
    # ====================================================================
    #
    # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
    #
    # Specify in cyrus.conf:
    #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    #
    # Specify in main.cf one or more of the following:
    #  mailbox_transport = lmtp:inet:localhost
    #  virtual_transport = lmtp:inet:localhost
    #
    # ====================================================================
    #
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    #
    #cyrus     unix  -       n       n       -       -       pipe
    #  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # ====================================================================
    # Old example of delivery via Cyrus.
    #
    #old-cyrus unix  -       n       n       -       -       pipe
    #  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    #
    # ====================================================================
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix	-	n	n	-	2	pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    
    dovecot   unix  -       n       n       -       -       pipe
      flags=DROhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
    amavis unix - - - - 2 smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
    
    127.0.0.1:10025 inet n - - - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    policy  unix  -       n       n       -       -       spawn
            user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl
    
    Thanks a ton.
     
  2. dcurrey

    dcurrey Member

    You might what to add postgrey and postscreen into your mix.

    Decent postscreen with proper rbl works wonders.

    Also double check you main.cf file. Just glancing at it I am seeing two "smtpd_client_restrictions = " lines.
    smtpd_recipient_restrictions is commented out. Did you intend this?

    postgrey instructions http://www.howtoforge.com/greylisting_postfix_postgrey
    its pretty simple setup but can be annoying if you are expecting mail from new locations.

    postscrreen. http://www.postfix.org/POSTSCREEN_README.html

    A little trickier to setup. Still try to balance it out myself. But I am really aggressive with my settings.
     
  3. indiadamjones

    indiadamjones Member

    Nice, thank you!

    Postgrey is on, don't know if I have the best settings in there, also have fail2ban. I'm taking a look at postscreen and rbl now. I corrected the main.cf by commenting out one of the smtpd_client_restrictions, and un-commenting smtpd_recipient_restrictions. Thank you very much. I will report back shortly, with an update. This has been a real challenge for me, I can't wait to get this working solid.:D
     
  4. dcurrey

    dcurrey Member

    Make sure you remove the rbls from your smtpd_client_restrictions. Don't need them in both.

    If it helps below is my postscreen section from main.cf

    As you can see me threshold is 2 and some of the sites I trust more jump spam right across it. Still trying to iron out the white list to reduce false positives.

    Good site to check if ip is on blacklist is http://whatismyipaddress.com/blacklist-check

    It also gives some info on how the blacklist works.
    Code:
    # Postscreen settings
    # ---------------------------------
    postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
    postscreen_greet_action = enforce
    postscreen_dnsbl_action = enforce
    postscreen_blacklist_action = enforce
    #postscreen_pipelining_enable = yes
    postscreen_dnsbl_ttl = 1h
    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_sites = zen.spamhaus.org*3
            bl.mailspike.net*3
            rep.mailspike.net=127.0.0.[13;14]*1
            b.barracudacentral.org*2
            bl.spamcop.net
            bl.spameatingmonkey.net
            ix.dnsbl.manitu.net
            bl.blocklist.de
    #       dnsbl.sorbs.net=127.0.0.[2;3;6;7;10]
            dnsbl.sorbs.net
            spam.dnsbl.sorbs.net*2
            dnsbl-2.uceprotect.net
            hostkarma.junkemailfilter.com=127.0.0.3
            hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
    #       l1.apews.org*2
    #       l2.apews.org*2
            # Whitelist
    #       list.dnswl.org=127.0.[0..255].0*-1
    #       list.dnswl.org=127.0.[0..255].1*-2
            list.dnswl.org=127.0.[0..255].[2;3]*-1
            rep.mailspike.net=127.0.0.[17;18]*-1
            rep.mailspike.net=127.0.0.[19;20]*-2
            hostkarma.junkemailfilter.com=127.0.0.1*-1
    

    Here is some of my postscreen_access.cidr

    Code:
    # Postscreen rules
    
    
    # Facebook Crap
    66.220.144.128/27       permit
    66.220.144.160/29       permit
    66.220.144.168/29       permit
    66.220.155.128/27       permit
    66.220.155.160/29       permit
    66.220.155.168/29       permit
    
    # Outlook.com
    65.52.0.0/14            permit
    # Gmail
    209.85.128.0/17         permit
    
    # Spam
    207.211.61.0/24         reject
    69.175.0.0/17           reject
    
    # Polictical crap
    74.121.48.0/21          reject
    208.73.4.0/22           reject
    
    Hope that helps. And use at your own risk. I am still learning myself.:)
     
  5. indiadamjones

    indiadamjones Member

    That's cool, I added to my main.cf

    I'm getting a shit ton of these now:
    Code:
    Transcript of session follows.
    
     Out: 220 cloud3.megabotix.com ESMTP Postfix (Ubuntu)
     In:  EHLO LanixPC
     Out: 250-cloud3.megabotix.com
     Out: 250-PIPELINING
     Out: 250-SIZE
     Out: 250-VRFY
     Out: 250-ETRN
     Out: 250-STARTTLS
     Out: 250-AUTH PLAIN LOGIN
     Out: 250-AUTH=PLAIN LOGIN
     Out: 250-ENHANCEDSTATUSCODES
     Out: 250-8BITMIME
     Out: 250 DSN
     In:  STARTTLS
     Out: 220 2.0.0 Ready to start TLS
     In:  EHLO megabotix.com
     Out: 250-cloud3.megabotix.com
     Out: 250-PIPELINING
     Out: 250-SIZE
     Out: 250-VRFY
     Out: 250-ETRN
     Out: 250-AUTH PLAIN LOGIN
     Out: 250-AUTH=PLAIN LOGIN
     Out: 250-ENHANCEDSTATUSCODES
     Out: 250-8BITMIME
     Out: 250 DSN
     In:  AUTH PLAIN AGFkYW1AbWVnYWJvdGl4LmNvbQBmYXJjaGluYQ==
     Out: 235 2.7.0 Authentication successful
     In:  MAIL FROM:<[email protected]>
     Out: 250 2.1.0 Ok
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  MAIL FROM:<[email protected]>
     Out: 503 5.5.1 Error: nested MAIL command
    
    Session aborted, reason: lost connection
    
    For other details, see the local mail logfile
    I've got them filtered to a side box. I looked up the code, and I'm not sure it's a bad thing yet. Thanks for your help.
     
  6. dcurrey

    dcurrey Member

    You may want to set "postscreen_dnsbl_action = ignore" until you are sure you have it configured correctly. Same with postscreen_greet_action

    See section Turning on postscreen(8) without blocking mail from http://www.postfix.org/POSTSCREEN_README.html Make sure you setup master.cf also
     
    Last edited: Mar 31, 2014
  7. indiadamjones

    indiadamjones Member

    You want me to remove the reject_rbl_client from this code right?

    Code:
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf,  reject_rbl_client cbl.abuseat.org,  reject_rbl_client b.barracudacentral.org
     
  8. dcurrey

    dcurrey Member

    Yes remove both of them. You can migrate them to the postscreen section. I think I have b.barracudacentral.org already in my example above.
     
  9. indiadamjones

    indiadamjones Member

    enforce --> ignore

    Found the following, and I think I like the sound of enforce, but I went ahead and changed it to ignore for the greet_action and the dnsbl_action.

    Code:
    postscreen_greet_action (default: ignore)
    The action that postscreen(8) takes when a remote SMTP client speaks before its turn within the time specified with the postscreen_greet_wait parameter. Specify one of the following:
    
    ignore (default)
    Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
    enforce
    Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
    drop
    Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
    In either case, postscreen(8) will not whitelist the remote SMTP client IP address.
    
    This feature is available in Postfix 2.8.
     
  10. dcurrey

    dcurrey Member

    Once you are done testing set both back to enforce. This is just so you don't bounce any mail during testing. Just look at your mail.log and you will see entries from postscreen.
     
  11. indiadamjones

    indiadamjones Member

    Whoa! What the heck is this?
    Code:
    Mar 30 19:35:00 cloud3 postfix/postscreen[1637]: CONNECT from [202.68.85.62]:16947 to [xxx.xxx.xxx.xxx]:25
    Mar 30 19:35:00 cloud3 postfix/postscreen[1637]: PASS OLD [202.68.85.62]:16947
    Mar 30 19:35:01 cloud3 postfix/smtpd[1643]: connect from remote.realsure.co.nz[202.68.85.62]
    Mar 30 19:35:01 cloud3 postfix/postscreen[1637]: CONNECT from [127.0.0.1]:39234 to [127.0.0.1]:25
    Mar 30 19:35:01 cloud3 postfix/postscreen[1637]: WHITELISTED [127.0.0.1]:39234
    
    or this?

    Mar 30 21:54:25 cloud3 amavis[6221]: (06221-17) Passed CLEAN {RelayedOpenRelay}

    I don't want be an open relay.
     
  12. indiadamjones

    indiadamjones Member

    This looks promising.

    Mar 30 21:58:10 cloud3 postfix/postscreen[5828]: DNSBL rank 6 for [180.235.186.199]:1377
     
  13. dcurrey

    dcurrey Member

    The first section is normal, postscreen has already seen that address and passed it. Temporary white list.

    Second section kind of worries me. Might help if I saw more of the logs around that entry. Mine always shows "Passed CLEAN {RelayedInbound}"

    The one thing that comes to mind is make sure your end users are sending mail via port 587 so postscreen doesn't look at them.

    Goto http://www.mailradar.com/openrelay/ enter your ip it does several open relay test.
     
    Last edited: Mar 31, 2014
  14. indiadamjones

    indiadamjones Member

    Nice!

    All tested completed! No relays accepted by remote host!

    I will keep monitoring the logs. Glancing at some of the other posts, I wonder if I have my amavis setup correctly.

    Regards,
    Adam
     
  15. indiadamjones

    indiadamjones Member

    Just wanted to say thank you! e-mail server status is TOO TIGHT! Had some clients getting rejected from sorbs, so I #'d it. I'm really excited to say though, my undelivered folder looks to have stabilized. Just out of curiosity, what kind of fail2ban settings are you using? No worries, not trying to give you another errand, but you REALLY HELPED me! Thanks a ton! This looks to be stemming the tide of spam.
     
  16. dcurrey

    dcurrey Member

    This is something you differently have to tweak.

    I just added the spam.dnsbl.sorbs.net*2 since the two aqews.org keep timing out. They had a lot a false positives but the threshold seem to compensate nicely. Without them I started to see more spam so I added the spam.dnsbl.sorbs.net a lot of them showed up on that list. I have seen conflicting reports that this list is part of dnsbl.sorbs.net You could try removing the "*2" or change the postscreen_dnsbl_threshold to 3 or 4.

    Since this is my personal email server I am able to get away with things like
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    check_policy_service unix:private/policy-spf,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_address,
    reject_unknown_client_hostname

    All as part of my spam blocking. Much more work you would be surprised how many companies don't setup helo and reverse dns or even spf records correctly. Have to have whitelist for them.

    As far as fail2ban goes I basically just turned on the sections that I needed ssh dovecot etc. But pretty much the default ubuntu 13.10 config.
     
    Last edited: Apr 2, 2014

Share This Page