Spam almost under control, still need a little assistance.

Discussion in 'Server Operation' started by indiadamjones, Mar 30, 2014.

  1. indiadamjones

    indiadamjones Member

    Hi there. Somehow a few messages are still getting delivered. I thought this was bounce spam, but I'm not sure. Can someone check out this header information and give me any hints about the nature of these spam messages?

    Received: (qmail 93169 invoked by uid 102); 30 Mar 2014 12:06:13 -0000
    Received: from unknown (HELO (
      by with SMTP; 30 Mar 2014 12:06:13 -0000
    Received: (qmail 20003 invoked from network); 30 Mar 2014 12:06:13 -0000
    Received: from unknown (HELO (
      by with SMTP; 30 Mar 2014 12:06:13 -0000
    Received: from localhost (localhost [])
    	by (Postfix) with ESMTP id 80C2470248;
    	Sun, 30 Mar 2014 08:06:13 -0400 (EDT)
    X-Virus-Scanned: Debian amavisd-new at
    Received: from ([])
    	by localhost ( []) (amavisd-new, port 10024)
    	with ESMTP id Ku-7AeN_2r8H; Sun, 30 Mar 2014 08:06:12 -0400 (EDT)
    Received: from (unknown [])
    	(Authenticated sender: [email protected])
    	by (Postfix) with ESMTPA id 0A50170247;
    	Sun, 30 Mar 2014 08:06:10 -0400 (EDT)
    From: "steve" <[email protected]>
    To: "Braless Ladies unsubscribe"
     <[email protected]>,
     "clubclit unsubscribe" <[email protected]>
    Subject: steve
    Date: Sat, 30 Mar 2014 01:06:10 +0100
    MIME-Version: 1.0
    X-mailer: Microsoft Office Outlook, Build 11.0.5510
    Reply-To: [email protected]
    Content-type: multipart/alternative;
    Message-Id: <[email protected]>
    This is a multi-part message in MIME format.
    Content-type: text/plain; charset=ISO-8859-1
    Content-Transfer-Encoding: quoted-printable
    Content-type: text/html; charset=UTF-8
    Content-Transfer-Encoding: quoted-printable
    =EF=BB=BF<html><head><meta http-equiv=3D"content-type" content: text/html;=

    main.cf:
    # See /usr/share/postfix/ for a commented, more complete version
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    readme_directory = /usr/share/doc/postfix
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname =
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = $myhostname, localhost.$mydomain, localhost
    relayhost = 
    mynetworks =, [::ffff:]/104, [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =  
    virtual_alias_maps = proxy:mysql:/etc/postfix/, proxy:mysql:/etc/postfix/, hash:/var/lib/mailman/data/virtual-mailman
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    inet_protocols = all
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:
    #smtpd_recipient_restrictions = permit_mynetworkds, permit_sasl_authenticated, reject_rbl_client, reject_rhsbl_client, reject_rhsbl_sender, check_policy_service inet:
    # note: "permit_mynetworkds" above is a typo for permit_mynetworks; Postfix has no restriction by that
    # name, and once this line is enabled smtpd answers every RCPT with "451 4.3.5 Server configuration error"
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/,  reject_rbl_client,  reject_rbl_client
    smtpd_tls_security_level = may
    smtpd_tls_protocols = !SSLv2, !SSLv3
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/
    relay_domains = mysql:/etc/postfix/
    relay_recipient_maps = mysql:/etc/postfix/
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks 
    smtpd_sender_restrictions = permit_sasl_authenticated, reject_unknown_sender_domain
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    message_size_limit = 0
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_reject = yes
    #policy-spf_time_limit = 3600s
    strict_rfc821_envelopes = yes
    content_filter = amavis:[]:10024
    receive_override_options = no_address_mappings
    queue_directory = /var/spool/postfix

    master.cf:
    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master").
    # Do not forget to execute "postfix reload" after editing this file.
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       -       -       -       smtpd
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
    submission inet n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       -       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=no
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
       -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
       -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       -       -       -       qmqpd
    pickup    unix  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      unix  n       -       n       300     1       qmgr
    #qmgr     unix  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in maildrop_destination_recipient_limit=1
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
    # ====================================================================
    # Recent Cyrus versions can use the existing "lmtp" entry.
    # Specify in cyrus.conf:
    #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    # Specify in one or more of the following:
    #  mailbox_transport = lmtp:inet:localhost
    #  virtual_transport = lmtp:inet:localhost
    # ====================================================================
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in cyrus_destination_recipient_limit=1
    #cyrus     unix  -       n       n       -       -       pipe
    #  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    # ====================================================================
    # Old example of delivery via Cyrus.
    #old-cyrus unix  -       n       n       -       -       pipe
    #  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    # ====================================================================
    # See the Postfix UUCP_README file for configuration details.
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    # Other external delivery methods.
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix	-	n	n	-	2	pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/
      ${nexthop} ${user}
    dovecot   unix  -       n       n       -       -       pipe
      flags=DROhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
    amavis    unix  -       -       -       -       2       smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
    # re-injection listener for mail coming back from amavis
                    inet  n       -       -       -       -       smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    policy  unix  -       n       n       -       -       spawn
            user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl
    Thanks a ton.
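A note on reading that header, with an added example that is not from the thread. The innermost Postfix hop says `with ESMTPA` and carries `(Authenticated sender: ...)`, which Postfix writes only when the client passed SASL authentication (the posted main.cf sets `smtpd_sasl_authenticated_header = yes`). So this message was not bounced in from outside or relayed through an open door: it was submitted through an account on this server, from a client with no usable reverse DNS (`unknown`), and its `Date:` header is twelve hours behind the server's own stamp and names the wrong weekday (30 Mar 2014 was a Sunday). Those are the signals a practitioner pulls out first, and the script below does it over a constructed message modelled on the quoted header; the hostnames, mailbox, HELO name and client IP in it are placeholders, not the poster's values.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the header quoted in the first post. The
# hostnames, mailbox, HELO name and client IP are placeholders (example.net,
# WORKSTATION, 192.0.2.77); the queue ids and timestamps are kept as posted.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
\tby mail.example.net (Postfix) with ESMTP id 80C2470248;
\tSun, 30 Mar 2014 08:06:13 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at mail.example.net
Received: from mail.example.net ([127.0.0.1])
\tby localhost (mail.example.net [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id Ku-7AeN_2r8H; Sun, 30 Mar 2014 08:06:12 -0400 (EDT)
Received: from WORKSTATION (unknown [192.0.2.77])
\t(Authenticated sender: steve@example.net)
\tby mail.example.net (Postfix) with ESMTPA id 0A50170247;
\tSun, 30 Mar 2014 08:06:10 -0400 (EDT)
From: "steve" <steve@example.net>
To: someone@example.org
Subject: steve
Date: Sat, 30 Mar 2014 01:06:10 +0100
Message-Id: <0A50170247@mail.example.net>

(body omitted)
"""

# RFC 3848 protocol tokens: a trailing A (ESMTPA, ESMTPSA) means the client
# authenticated before sending; Postfix adds the "(Authenticated sender: ...)"
# comment only when smtpd_sasl_authenticated_header = yes.
WITH_RE = re.compile(r"\bwith\s+(?P<proto>[A-Z0-9]+)\b")
AUTH_RE = re.compile(r"\(Authenticated sender:\s*(?P<user>[^)\s]+)\)")
FROM_RE = re.compile(r"^from\s+(?P<helo>\S+)\s+\((?P<client>[^)]*)\)")
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")


def parse_received(value):
    """Flatten one (possibly folded) Received: header into its useful fields."""
    flat = " ".join(value.split())
    hop = {"proto": None, "auth_user": None, "helo": None, "client": None,
           "by": None, "time": None}
    if m := WITH_RE.search(flat):
        hop["proto"] = m.group("proto")
    if m := AUTH_RE.search(flat):
        hop["auth_user"] = m.group("user")
    if m := FROM_RE.match(flat):
        hop["helo"], hop["client"] = m.group("helo"), m.group("client")
    if m := BY_RE.search(flat):
        hop["by"] = m.group("by")
    if ";" in flat:                      # the timestamp follows the last ';'
        hop["time"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
    hop["authenticated"] = bool(hop["auth_user"]) or bool(
        hop["proto"] and hop["proto"].endswith("A"))
    return hop


def analyze(raw):
    """Read the Received chain newest-first and report the origin-side signals."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = hops[-1] if hops else None          # bottom hop = where our MTA first saw it
    auth = [h for h in hops if h["authenticated"]]

    date_hdr = msg.get("Date", "")
    date = parsedate_to_datetime(date_hdr) if date_hdr else None
    claimed_day = date_hdr.split(",", 1)[0].strip() if "," in date_hdr else None

    return {
        "submitted_via_account": bool(auth),
        "auth_user": auth[-1]["auth_user"] if auth else None,
        "auth_proto": auth[-1]["proto"] if auth else None,
        "origin_helo": origin["helo"] if origin else None,
        "origin_client": origin["client"] if origin else None,
        # "unknown" is what Postfix writes when the client IP has no usable reverse DNS
        "origin_rdns_missing": bool(origin and origin["client"] and origin["client"].startswith("unknown")),
        # sender-written Date: versus the time our MTA stamped the origin hop
        "date_skew_seconds": int((origin["time"] - date).total_seconds())
        if origin and origin["time"] and date else None,
        "weekday_mismatch": bool(date and claimed_day and date.strftime("%a") != claimed_day),
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE).items():
        print(f"{key:22} {val}")
```

If `submitted_via_account` comes back true for mail the account owner did not send, the fix is on the credential side (reset the password, look for other logins from the same client in the `postfix/submission` and `postfix/smtpd` logs), not in the inbound restriction lists.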
  2. dcurrey

    dcurrey Member

    You might want to add postgrey and postscreen into your mix.

    Decent postscreen with proper RBLs works wonders.

    Also double check your file. Just glancing at it I am seeing two "smtpd_client_restrictions = " lines.
    smtpd_recipient_restrictions is commented out. Did you intend this?

    postgrey instructions
    It's a pretty simple setup but can be annoying if you are expecting mail from new locations.


    A little trickier to set up. Still trying to balance it out myself. But I am really aggressive with my settings.
  3. indiadamjones

    indiadamjones Member

    Nice, thank you!

    Postgrey is on, don't know if I have the best settings in there, also have fail2ban. I'm taking a look at postscreen and RBLs now. I corrected the  by commenting out one of the smtpd_client_restrictions lines and uncommenting smtpd_recipient_restrictions. Thank you very much. I will report back shortly, with an update. This has been a real challenge for me, I can't wait to get this working solid.:D
  4. dcurrey

    dcurrey Member

    Make sure you remove the rbls from your smtpd_client_restrictions. Don't need them in both.

    If it helps, below is my postscreen section from

    As you can see my threshold is 2 and some of the sites I trust more jump spam right across it. Still trying to iron out the whitelist to reduce false positives.

    A good site to check if an IP is on a blacklist is

    It also gives some info on how the blacklist works.
    # Postscreen settings
    # ---------------------------------
    postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
    postscreen_greet_action = enforce
    postscreen_dnsbl_action = enforce
    postscreen_blacklist_action = enforce
    #postscreen_pipelining_enable = yes
    postscreen_dnsbl_ttl = 1h
    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_sites =*3
            # Whitelist

    Here is some of my postscreen_access.cidr

    # Postscreen rules
    # Facebook Crap
           permit
           permit
           permit
           permit
           permit
           permit
    #        permit
    # Gmail
           permit
    # Spam
           reject
           reject
    # Political crap
           reject
           reject
    Hope that helps. And use at your own risk. I am still learning myself.:)
  5. indiadamjones

    indiadamjones Member

    That's cool, I added to my

    I'm getting a shit ton of these now:
    Transcript of session follows.
     Out: 220 ESMTP Postfix (Ubuntu)
     In:  EHLO LanixPC
     Out: 250-PIPELINING
     Out: 250-SIZE
     Out: 250-VRFY
     Out: 250-ETRN
     Out: 250-STARTTLS
     Out: 250-AUTH PLAIN LOGIN
     Out: 250-AUTH=PLAIN LOGIN
     Out: 250-8BITMIME
     Out: 250 DSN
     In:  STARTTLS
     Out: 220 2.0.0 Ready to start TLS
     In:  EHLO
     Out: 250-PIPELINING
     Out: 250-SIZE
     Out: 250-VRFY
     Out: 250-ETRN
     Out: 250-AUTH PLAIN LOGIN
     Out: 250-AUTH=PLAIN LOGIN
     Out: 250-8BITMIME
     Out: 250 DSN
     Out: 235 2.7.0 Authentication successful
     In:  MAIL FROM:<[email protected]>
     Out: 250 2.1.0 Ok
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<brianna[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  RCPT TO:<[email protected]>
     Out: 451 4.3.5 Server configuration error
     In:  MAIL FROM:<[email protected]>
     Out: 503 5.5.1 Error: nested MAIL command
    Session aborted, reason: lost connection
    For other details, see the local mail logfile
    I've got them filtered to a side box. I looked up the code, and I'm not sure it's a bad thing yet. Thanks for your help.
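Two things in that transcript and in the posted main.cf are worth a mechanical check, so here is an added example that is not from the thread. First, `451 4.3.5 Server configuration error` is the reply Postfix smtpd gives when a restriction list contains a name it does not recognise (it also logs an "unknown smtpd restriction" warning), and the `smtpd_recipient_restrictions` line in the first post is spelled `permit_mynetworkds`. Note that the session being refused here had already authenticated (`235 2.7.0`) before its RCPTs, so the 451s were hitting a logged-in client, the same submission path the header in the first post shows. Second, dcurrey's point about duplicate keys: when `smtpd_client_restrictions` is set twice, Postfix keeps the last value, so the `reject_rbl_client` entries on the earlier one never run. The linter below reads a main.cf (a constructed excerpt with the same duplicates and typo; map names, DNSBL host and policy address are placeholders) and reports both. Its table of restriction names is a hand-maintained subset of those in the postconf(5) manual, so an unknown name is a finding to verify there, not proof of a typo.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the main.cf posted above (same duplicate keys,
# same typo). Map file names, the DNSBL host and the policy address are placeholders.
SAMPLE_MAIN_CF = """\
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworkds, permit_sasl_authenticated,
    reject_rbl_client dnsbl.example, check_policy_service inet:127.0.0.1:10023
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/client.cf,
    reject_rbl_client dnsbl.example
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/client.cf
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
"""

# Hand-maintained subset of the restriction names documented in postconf(5).
KNOWN = {
    "permit", "reject", "defer", "defer_if_permit", "defer_if_reject", "warn_if_reject",
    "permit_mynetworks", "permit_inet_interfaces", "permit_sasl_authenticated",
    "permit_tls_clientcerts", "permit_tls_all_clientcerts", "permit_auth_destination",
    "reject_unknown_client_hostname", "reject_unknown_reverse_client_hostname",
    "reject_unauth_pipelining", "reject_plaintext_session",
    "reject_invalid_helo_hostname", "reject_non_fqdn_helo_hostname", "reject_unknown_helo_hostname",
    "reject_non_fqdn_sender", "reject_unknown_sender_domain", "reject_unlisted_sender",
    "reject_unverified_sender", "reject_sender_login_mismatch",
    "reject_authenticated_sender_login_mismatch", "reject_unauthenticated_sender_login_mismatch",
    "reject_known_sender_login_mismatch",
    "reject_unauth_destination", "defer_unauth_destination", "reject_non_fqdn_recipient",
    "reject_unknown_recipient_domain", "reject_unlisted_recipient", "reject_unverified_recipient",
    "reject_multi_recipient_bounce",
}
# Restrictions that consume the next token (a lookup table, DNSBL domain or service address).
TAKES_ARG = {
    "check_client_access", "check_reverse_client_hostname_access", "check_ccert_access",
    "check_helo_access", "check_sender_access", "check_recipient_access",
    "check_sender_mx_access", "check_sender_ns_access", "check_recipient_mx_access",
    "check_recipient_ns_access", "check_helo_mx_access", "check_helo_ns_access",
    "check_client_mx_access", "check_client_ns_access", "check_policy_service",
    "reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender", "reject_rhsbl_helo",
    "reject_rhsbl_reverse_client", "permit_dnswl_client", "permit_rhswl_client", "sleep",
}


def parse_main_cf(text):
    """Return [(lineno, name, value)], honouring '#' comments and indented continuation lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and entries:            # continuation of the previous value
            n, name, value = entries[-1]
            entries[-1] = (n, name, value + " " + line.strip())
            continue
        name, _, value = line.partition("=")
        entries.append((lineno, name.strip(), value.strip()))
    return entries


def lint(text):
    """Report duplicate parameters and unknown names inside smtpd_*_restrictions lists."""
    entries = parse_main_cf(text)
    findings = []
    where = defaultdict(list)
    classes = set()                                  # user-defined smtpd_restriction_classes
    for lineno, name, value in entries:
        where[name].append(lineno)
        if name == "smtpd_restriction_classes":
            classes.update(t for t in re.split(r"[\s,]+", value) if t)
    for name, lines in where.items():
        if len(lines) > 1:
            findings.append({"kind": "duplicate", "param": name, "lines": lines,
                             "detail": "set more than once; Postfix uses the last value, earlier ones are dead"})
    for lineno, name, value in entries:
        if not re.fullmatch(r"smtpd_\w+_restrictions", name):
            continue
        tokens = [t for t in re.split(r"[\s,]+", value) if t]
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok in TAKES_ARG:
                if i + 1 == len(tokens):
                    findings.append({"kind": "missing_argument", "param": name, "lines": [lineno],
                                     "token": tok, "detail": f"{tok} needs a table, DNSBL domain or service address"})
                i += 2
                continue
            if tok not in KNOWN and tok not in classes and not tok.startswith("$"):
                findings.append({"kind": "unknown_restriction", "param": name, "lines": [lineno], "token": tok,
                                 "detail": "not a Postfix restriction name; smtpd replies "
                                           "451 4.3.5 Server configuration error when it reaches it"})
            i += 1
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_MAIN_CF):
        print(f"{f['kind']:20} {f['param']} (lines {f['lines']}): {f.get('token', '')} {f['detail']}")
```

Running it against the real file is `python3 lint.py < /etc/postfix/main.cf` with a one-line change to read stdin; `postconf -n` output works as input too, but since postconf already resolves duplicates you will only see the unknown-name findings that way.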
  6. dcurrey

    dcurrey Member

    You may want to set "postscreen_dnsbl_action = ignore" until you are sure you have it configured correctly. Same with postscreen_greet_action.

    See the section "Turning on postscreen(8) without blocking mail" from  Make sure you set up  also.
    Last edited: Mar 31, 2014
  7. indiadamjones

    indiadamjones Member

    You want me to remove the reject_rbl_client from this code right?

    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/,  reject_rbl_client,  reject_rbl_client
  8. dcurrey

    dcurrey Member

    Yes, remove both of them. You can migrate them to the postscreen section. I think I have already in my example above.
  9. indiadamjones

    indiadamjones Member

    enforce --> ignore

    Found the following, and I think I like the sound of enforce, but I went ahead and changed it to ignore for the greet_action and the dnsbl_action.

    postscreen_greet_action (default: ignore)
    The action that postscreen(8) takes when a remote SMTP client speaks before its turn within the time specified with the postscreen_greet_wait parameter. Specify one of the following:
    ignore (default)
    Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
    enforce
    Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
    drop
    Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
    In either case, postscreen(8) will not whitelist the remote SMTP client IP address.
    This feature is available in Postfix 2.8.
  10. dcurrey

    dcurrey Member

    Once you are done testing set both back to enforce. This is just so you don't bounce any mail during testing. Just look at your mail.log and you will see entries from postscreen.
  11. indiadamjones

    indiadamjones Member

    Whoa! What the heck is this?
    Mar 30 19:35:00 cloud3 postfix/postscreen[1637]: CONNECT from []:16947 to []:25
    Mar 30 19:35:00 cloud3 postfix/postscreen[1637]: PASS OLD []:16947
    Mar 30 19:35:01 cloud3 postfix/smtpd[1643]: connect from[]
    Mar 30 19:35:01 cloud3 postfix/postscreen[1637]: CONNECT from []:39234 to []:25
    Mar 30 19:35:01 cloud3 postfix/postscreen[1637]: WHITELISTED []:39234
    or this?

    Mar 30 21:54:25 cloud3 amavis[6221]: (06221-17) Passed CLEAN {RelayedOpenRelay}

    I don't want to be an open relay.
  12. indiadamjones

    indiadamjones Member

    This looks promising.

    Mar 30 21:58:10 cloud3 postfix/postscreen[5828]: DNSBL rank 6 for []:1377
  13. dcurrey

    dcurrey Member

    The first section is normal; postscreen has already seen that address and passed it. Temporary whitelist.

    The second section kind of worries me. It might help if I saw more of the logs around that entry. Mine always shows "Passed CLEAN {RelayedInbound}".

    The one thing that comes to mind is make sure your end users are sending mail via port 587 so postscreen doesn't look at them.

    Go to  and enter your IP; it runs several open relay tests.
    Last edited: Mar 31, 2014
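An added example, not from the thread, that turns the log vocabulary in the last few posts into a per-client summary. On the postscreen side: `PASS OLD` means the client is in postscreen's temporary whitelist from an earlier pass, `PASS NEW` means it just completed the tests, `WHITELISTED` means it matched permit_mynetworks or the access list and skipped them, `DNSBL rank N` is the weighted sum of the lists that answered, and a `NOQUEUE: reject` line is the 550 that `enforce` produces once the threshold is reached. On the amavis side, `{RelayedOpenRelay}` is amavis's own bookkeeping, not a verdict on Postfix: it tags a message that way when it neither arrived through a policy bank marked as originating (MYNETS or ORIGINATING) nor is addressed to a domain in its @local_domains_maps. With the master.cf posted above, mail from authenticated users on port 587 goes through the same `content_filter` with no ORIGINATING policy bank, so legitimate outbound mail from users gets that tag, and so would the authenticated spam from the first post. The sample lines are constructed in the formats shown above with documentation IPs; the hostname cloud3, the PIDs and the amavis task id are copied from the quoted lines, and the addresses and message ids on the amavis lines are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the formats quoted above. IPs are documentation ranges,
# the hostname cloud3, the PIDs and the amavis task id come from the quoted
# lines, and the amavis lines are padded out with placeholder addresses/ids.
SAMPLE_LOG = r"""
Mar 30 19:35:00 cloud3 postfix/postscreen[1637]: CONNECT from [198.51.100.20]:16947 to [192.0.2.1]:25
Mar 30 19:35:00 cloud3 postfix/postscreen[1637]: PASS OLD [198.51.100.20]:16947
Mar 30 19:35:01 cloud3 postfix/smtpd[1643]: connect from mx.example.org[198.51.100.20]
Mar 30 19:35:01 cloud3 postfix/postscreen[1637]: CONNECT from [203.0.113.9]:39234 to [192.0.2.1]:25
Mar 30 19:35:01 cloud3 postfix/postscreen[1637]: WHITELISTED [203.0.113.9]:39234
Mar 30 21:54:25 cloud3 amavis[6221]: (06221-17) Passed CLEAN {RelayedOpenRelay}, [192.0.2.77]:52010 [192.0.2.77] <steve@example.net> -> <someone@example.org>, Message-ID: <0A50170247@mail.example.net>, mail_id: Ku-7AeN_2r8H, Hits: -0.1, size: 1234, queued_as: 80C2470248, 123 ms
Mar 30 21:58:10 cloud3 postfix/postscreen[5828]: CONNECT from [203.0.113.77]:1377 to [192.0.2.1]:25
Mar 30 21:58:10 cloud3 postfix/postscreen[5828]: PREGREET 11 after 0.1 from [203.0.113.77]:1377: EHLO User\r\n
Mar 30 21:58:10 cloud3 postfix/postscreen[5828]: DNSBL rank 6 for [203.0.113.77]:1377
Mar 30 21:58:11 cloud3 postfix/postscreen[5828]: NOQUEUE: reject: RCPT from [203.0.113.77]:1377: 550 5.7.1 Service unavailable; client [203.0.113.77] blocked using dnsbl-a.example; from=<x@example.com>, to=<y@example.net>, proto=ESMTP, helo=<User>
Mar 30 21:58:11 cloud3 postfix/postscreen[5828]: DISCONNECT [203.0.113.77]:1377
Mar 30 22:01:40 cloud3 postfix/postscreen[5828]: CONNECT from [198.51.100.33]:50211 to [192.0.2.1]:25
Mar 30 22:01:46 cloud3 postfix/postscreen[5828]: PASS NEW [198.51.100.33]:50211
Mar 30 22:03:02 cloud3 amavis[6221]: (06221-18) Passed CLEAN {RelayedInbound}, [198.51.100.33]:50211 [198.51.100.33] <a@example.org> -> <b@example.net>, Message-ID: <1@example.org>, mail_id: Abc123, Hits: 0.3, size: 900, queued_as: 1A2B3C4D5E, 98 ms
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
PS_RE = re.compile(TS + r" \S+ postfix/postscreen\[\d+\]: (?P<msg>.*)$")
AMAVIS_RE = re.compile(TS + r" \S+ amavis\[\d+\]: \((?P<id>[^)]+)\) "
                       r"(?P<verdict>Passed|Blocked) (?P<ccat>[A-Z-]+) \{(?P<relay>\w+)\}")
ADDR_RE = re.compile(r"<(?P<from>[^>]*)> -> <(?P<to>[^>]*)>")
IP = r"\[(?P<ip>[^\]]+)\]"
EVENT_RES = [
    ("connect",     re.compile(r"^CONNECT from " + IP + r":\d+")),
    ("pass_old",    re.compile(r"^PASS OLD " + IP)),
    ("pass_new",    re.compile(r"^PASS NEW " + IP)),
    ("whitelisted", re.compile(r"^WHITELISTED " + IP)),
    ("dnsbl",       re.compile(r"^DNSBL rank (?P<rank>\d+) for " + IP)),
    ("pregreet",    re.compile(r"^PREGREET \d+ after [\d.]+ from " + IP)),
    ("reject",      re.compile(r"^NOQUEUE: reject: RCPT from " + IP + r":\d+: (?P<code>\d{3}) .*?blocked using (?P<list>[^;]+)")),
    ("disconnect",  re.compile(r"^DISCONNECT " + IP)),
]

# What each amavis relay class means for the operator.
RELAY_MEANING = {
    "RelayedInbound":   "from outside to a domain amavis knows as local",
    "RelayedOutbound":  "from an originating policy bank (MYNETS/ORIGINATING) to outside",
    "RelayedInternal":  "from an originating policy bank to a local domain",
    "RelayedOpenRelay": "neither originating nor to a local domain: check @local_domains_maps "
                        "and whether submission mail reaches amavis via an ORIGINATING policy bank",
}


def parse_postscreen(line):
    """Return an event dict for a postscreen line, None for any other daemon."""
    m = PS_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for kind, rx in EVENT_RES:
        if e := rx.match(msg):
            return {**e.groupdict(), "kind": kind, "ts": m.group("ts")}
    return {"kind": "other", "ts": m.group("ts"), "ip": None, "msg": msg}


def parse_amavis(line):
    m = AMAVIS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    a = ADDR_RE.search(line)
    d["from"], d["to"] = (a.group("from"), a.group("to")) if a else (None, None)
    return d


def summarize(log_text):
    """Per-client postscreen outcome plus amavis messages grouped by relay class."""
    clients = defaultdict(lambda: {"events": [], "dnsbl_rank": None, "verdict": "unknown"})
    amavis = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if ev := parse_postscreen(line):
            if not ev.get("ip"):
                continue
            c = clients[ev["ip"]]
            c["events"].append(ev["kind"])
            if ev["kind"] == "dnsbl":
                c["dnsbl_rank"] = int(ev["rank"])
            elif ev["kind"] == "reject":
                c["verdict"] = f"rejected ({ev['code']}, {ev['list']})"
            elif ev["kind"] == "whitelisted":
                c["verdict"] = "whitelisted (access list / mynetworks, tests skipped)"
            elif ev["kind"] == "pass_old":
                c["verdict"] = "passed (temporary whitelist from an earlier pass)"
            elif ev["kind"] == "pass_new":
                c["verdict"] = "passed (all tests completed, now temporarily whitelisted)"
        elif am := parse_amavis(line):
            amavis[am["relay"]].append((am["id"], am["from"], am["to"]))
    return {"postscreen": dict(clients), "amavis": dict(amavis)}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, c in s["postscreen"].items():
        print(f"{ip:16} rank={c['dnsbl_rank']!s:5} {c['verdict']}")
    for relay, msgs in s["amavis"].items():
        print(f"{relay}: {len(msgs)} message(s); {RELAY_MEANING.get(relay, '?')}")
```

Pipe `grep -E 'postscreen|amavis' /var/log/mail.log` into it and the RelayedOpenRelay group will show you the sender addresses; if they are your own users' mailboxes, the fix is an ORIGINATING policy bank for submission (or `content_filter` with its own amavis port), not a relay problem.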
  14. indiadamjones

    indiadamjones Member


    All tested completed! No relays accepted by remote host!

    I will keep monitoring the logs. Glancing at some of the other posts, I wonder if I have my amavis set up correctly.

  15. indiadamjones

    indiadamjones Member

    Just wanted to say thank you! e-mail server status is TOO TIGHT! Had some clients getting rejected from sorbs, so I #'d it. I'm really excited to say though, my undelivered folder looks to have stabilized. Just out of curiosity, what kind of fail2ban settings are you using? No worries, not trying to give you another errand, but you REALLY HELPED me! Thanks a ton! This looks to be stemming the tide of spam.
  16. dcurrey

    dcurrey Member

    This is something you definitely have to tweak.

    I just added the *2 since the two  keep timing out. They had a lot of false positives but the threshold seems to compensate nicely. Without them I started to see more spam, so I added the ; a lot of them showed up on that list. I have seen conflicting reports that this list is part of . You could try removing the "*2" or change the postscreen_dnsbl_threshold to 3 or 4.

    Since this is my personal email server I am able to get away with things like
    check_policy_service unix:private/policy-spf,

    All as part of my spam blocking. It is much more work; you would be surprised how many companies don't set up HELO and reverse DNS or even SPF records correctly. You have to have a whitelist for them.

    As far as fail2ban goes, I basically just turned on the sections that I needed (ssh, dovecot, etc.). But it is pretty much the default Ubuntu 13.10 config.
    Last edited: Apr 2, 2014
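An added example, not from the thread, of how the `*weight` suffixes and `postscreen_dnsbl_threshold` combine, including a negative weight for a DNS whitelist and the access list that postscreen consults at connect time before any test runs. The list names, the access-list networks and the lookup results are all constructed placeholders; the weights 3 and 2 and the threshold of 2 are the values discussed above. Real postscreen resolves each list over DNS and applies the reply filter after `=`; here the lookups are a dict and the filter is parsed but not evaluated, so the arithmetic can be run offline.

```python
import ipaddress
import re

# Constructed settings modelled on the postscreen section quoted earlier. List
# names, networks and lookup results are placeholders; the *3 / *2 weights and
# the threshold of 2 are the values discussed in the thread.
DNSBL_SITES = ("dnsbl-a.example*3, dnsbl-b.example*2, dnsbl-c.example, "
               "dnswl.example=127.0.[0..255].[0..255]*-3")
DNSBL_THRESHOLD = 2
ACCESS_CIDR = """\
# a sender we trust: postscreen skips every test for it
198.51.100.0/24   permit
# a block we never want to hear from
203.0.113.0/24    reject
"""
# Stand-in for the DNS lookups: client IP -> set of lists that return a hit
LOOKUPS = {
    "192.0.2.10": {"dnsbl-a.example"},                      # rank 3
    "192.0.2.11": {"dnsbl-c.example"},                      # rank 1
    "192.0.2.12": {"dnsbl-b.example", "dnswl.example"},     # rank 2 - 3 = -1
    "198.51.100.7": {"dnsbl-a.example"},                    # listed, but permitted by the access list
    "203.0.113.5": set(),                                   # clean, but rejected by the access list
}

SITE_RE = re.compile(r"^(?P<name>[^=*]+)(?:=(?P<filter>[^*]+))?(?:\*(?P<weight>-?\d+))?$")


def parse_sites(spec):
    """postscreen_dnsbl_sites items look like name[=reply-filter][*weight]; default weight 1."""
    sites = []
    for item in re.split(r"[\s,]+", spec.strip()):
        if not item:
            continue
        m = SITE_RE.match(item)
        if not m:
            raise ValueError(f"cannot parse DNSBL site: {item!r}")
        sites.append((m.group("name"), m.group("filter"), int(m.group("weight") or 1)))
    return sites


def parse_access(text):
    """cidr: table rows of 'network action'; the first matching row wins."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            net, action = line.split()
            rules.append((ipaddress.ip_network(net, strict=False), action.lower()))
    return rules


def dnsbl_rank(listed_on, sites):
    """Weighted sum of the lists that reported the client (what postscreen logs as 'DNSBL rank')."""
    return sum(weight for name, _filter, weight in sites if name in listed_on)


def decide(client_ip, listed_on, sites=None, access=None, threshold=DNSBL_THRESHOLD):
    sites = parse_sites(DNSBL_SITES) if sites is None else sites
    access = parse_access(ACCESS_CIDR) if access is None else access
    ip = ipaddress.ip_address(client_ip)
    for net, action in access:              # checked right after connect, before any test
        if ip in net:
            if action == "dunno":
                break                       # explicit "keep testing"
            return {"action": action, "rank": None, "reason": f"access list: {net} {action}"}
    rank = dnsbl_rank(listed_on, sites)
    if rank >= threshold:                   # postscreen_dnsbl_threshold is an inclusive lower bound
        return {"action": "reject", "rank": rank,
                "reason": f"DNSBL rank {rank} >= threshold {threshold} "
                          "(550 at RCPT under enforce, logged only under ignore)"}
    return {"action": "pass", "rank": rank, "reason": f"DNSBL rank {rank} < threshold {threshold}"}


if __name__ == "__main__":
    for ip, hits in LOOKUPS.items():
        d = decide(ip, hits)
        print(f"{ip:14} {d['action']:7} {d['reason']}")
```

The third case is the one worth keeping in mind when tuning: a `*-3` whitelist entry cancels a `*2` hit outright, so a sender on a whitelist you trust less than the blacklist it offsets needs a smaller negative weight than the threshold, not a larger one.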
