Spam Tracing/blocking

Discussion in 'Installation/Configuration' started by TimR, May 2, 2012.

  1. TimR

    TimR New Member

    I am trying to block spam coming into a mail server I admin.

    Config: openSUSE 11.3 / Postfix / Dovecot

    Router TP-Link TD-W8920G

    Log below of incoming spam. SpamAssassin correctly identifies it. It is delivered to one active mailbox and bounced from another, deleted, user.

    main.cf (lots from falko's suggestions) included

    Questions:
    1. From log:
    May 2 09:28:59 mmay-server postfix/smtpd[6063]: 5C7B5E43FA: client=unknown[192.168.6.2]
    The connecting server delivering the message is client=unknown[192.168.6.2]. 192.168.6.2 is the router's local IP. Why isn't the incoming mail server's external IP revealed? Is it a misconfiguration of my router? The router port forwards to the mail server box on 192.168.6.1.

    2. From log:
    May 2 09:29:03 mmay-server postfix/smtp[6087]: certificate verification failed for mx1.xrea.com[202.172.25.31]:25: untrusted issuer /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
    May 2 09:29:04 mmay-server postfix/smtp[6087]: BEC6EE4472: to=<lettyrana@xrea.com>, relay=mx1.xrea.com[202.172.25.31]:25, delay=4.2, delays=0.05/0.01/2.8/1.3, dsn=2.0.0, status=sent (250 ok 1335914945 qp 19895)
    These lines seem to indicate that some info is captured to identify the spamming server. How can I use it to stop spam?

    Thanks,
    Tim

    Log
    May 2 09:28:59 mmay-server postfix/smtpd[6063]: 5C7B5E43FA: client=unknown[192.168.6.2]
    May 2 09:29:00 mmay-server postfix/cleanup[6073]: 5C7B5E43FA: message-id=<69l85h57j48-69308177-739w3l27@kkqnbcqhj>
    May 2 09:29:00 mmay-server postfix/qmgr[17341]: 5C7B5E43FA: from=<lettyrana@xrea.com>, size=813, nrcpt=2 (queue active)
    May 2 09:29:00 mmay-server spamd[4755]: spamd: connection from localhost [127.0.0.1] at port 36258
    May 2 09:29:00 mmay-server spamd[4755]: spamd: setuid to nobody succeeded
    May 2 09:29:00 mmay-server spamd[4755]: spamd: processing message <69l85h57j48-69308177-739w3l27@kkqnbcqhj> for nobody:65534
    May 2 09:29:00 mmay-server spamd[4755]: spamd: identified spam (16.1/5.0) for nobody:65534 in 0.2 seconds, 793 bytes.
    May 2 09:29:00 mmay-server spamd[4755]: spamd: result: Y 16 - ALL_TRUSTED,BAYES_99,FREEMAIL_FROM,FS_REPLICA,FS_REPLICAWATCH,REPLICA_WATCH,SANE_04e8bf28eb445199a7f11b943c44d209,SANE_3b92eda751c992f230f215fb7eb36844,SANE_4ef8302546bf270a19baf98508afacc4 scantime=0.2,size=793,user=nobody,uid=65534,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=36258,mid=<69l85h57j48-69308177-739w3l27@kkqnbcqhj>,bayes=1.000000,autolearn=spam
    May 2 09:29:00 mmay-server spamd[3183]: prefork: child states: II
    May 2 09:29:00 mmay-server postfix/pickup[5960]: A2273E5086: uid=65534 from=<lettyrana@xrea.com>
    May 2 09:29:00 mmay-server postfix/pipe[6076]: 5C7B5E43FA: to=<kirstie@maxmay.com.au>, relay=spamassassin, delay=6.9, delays=6.6/0/0/0.25, dsn=2.0.0, status=sent (delivered via spamassassin service)
    May 2 09:29:00 mmay-server postfix/pipe[6076]: 5C7B5E43FA: to=<max@maxmay.com.au>, relay=spamassassin, delay=6.9, delays=6.6/0/0/0.25, dsn=2.0.0, status=sent (delivered via spamassassin service)
    May 2 09:29:00 mmay-server postfix/qmgr[17341]: 5C7B5E43FA: removed
    May 2 09:29:00 mmay-server postfix/cleanup[6073]: A2273E5086: message-id=<69l85h57j48-69308177-739w3l27@kkqnbcqhj>
    May 2 09:29:00 mmay-server postfix/qmgr[17341]: A2273E5086: from=<lettyrana@xrea.com>, size=3774, nrcpt=2 (queue active)
    May 2 09:29:00 mmay-server postfix/local[6083]: A2273E5086: to=<mmay@mmay-server.maxmay.com.au>, orig_to=<max@maxmay.com.au>, relay=local, delay=0.17, delays=0.1/0.02/0/0.05, dsn=2.0.0, status=sent (delivered to mailbox)
    May 2 09:29:00 mmay-server postfix/local[6082]: A2273E5086: to=<kstewart@mmay-server.maxmay.com.au>, orig_to=<kirstie@maxmay.com.au>, relay=local, delay=0.18, delays=0.1/0.01/0/0.07, dsn=5.1.1, status=bounced (unknown user: "kstewart")
    May 2 09:29:00 mmay-server postfix/cleanup[6073]: BEC6EE4472: message-id=<20120501232900.BEC6EE4472@mmay-server.maxmay.com.au>
    May 2 09:29:00 mmay-server postfix/bounce[6085]: A2273E5086: sender non-delivery notification: BEC6EE4472
    May 2 09:29:00 mmay-server postfix/qmgr[17341]: BEC6EE4472: from=<>, size=5781, nrcpt=1 (queue active)
    May 2 09:29:00 mmay-server postfix/qmgr[17341]: A2273E5086: removed
    May 2 09:29:01 mmay-server postfix/smtpd[6063]: disconnect from unknown[192.168.6.2]
    May 2 09:29:03 mmay-server postfix/smtp[6087]: certificate verification failed for mx1.xrea.com[202.172.25.31]:25: untrusted issuer /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
    May 2 09:29:04 mmay-server postfix/smtp[6087]: BEC6EE4472: to=<lettyrana@xrea.com>, relay=mx1.xrea.com[202.172.25.31]:25, delay=4.2, delays=0.05/0.01/2.8/1.3, dsn=2.0.0, status=sent (250 ok 1335914945 qp 19895)
    May 2 09:29:04 mmay-server postfix/qmgr[17341]: BEC6EE4472: removed

    postfix/main.cf
    inet_protocols = all
    biff = no
    mail_spool_directory = /var/mail
    canonical_maps = hash:/etc/postfix/canonical
    virtual_alias_domains = hash:/etc/postfix/virtual
    relocated_maps = hash:/etc/postfix/relocated
    transport_maps = hash:/etc/postfix/transport
    sender_canonical_maps = hash:/etc/postfix/sender_canonical
    masquerade_exceptions = root
    masquerade_classes = envelope_sender, header_sender, header_recipient
    myhostname = mmay-server.$mydomain
    delay_warning_time = 1h
    message_strip_characters = \0
    program_directory = /usr/lib/postfix
    inet_interfaces = all
    masquerade_domains =
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    defer_transports =
    mynetworks_style = host
    mydomain = maxmay.com.au
    mynetworks = 127.0.0.0/8, !192.168.6.2, 192.168.6.0/24
    relay_domains = $mydestination, hash:/etc/postfix/relay
    disable_dns_lookups = no
    relayhost =
    #content_filter = smtp-amavis:[127.0.0.1]:10025
    content_filter =
    mailbox_command =
    mailbox_transport =
    strict_8bitmime = no
    disable_mime_output_conversion = no
    smtpd_sender_restrictions = reject_unknown_sender_domain, hash:/etc/postfix/access
    smtpd_client_restrictions =
    #anti spam settings--->
    smtpd_helo_required = yes
    #smtpd_helo_required = no
    disable_vrfy_command = yes
    strict_rfc821_envelopes = yes
    #strict_rfc821_envelopes = no
    invalid_hostname_reject_code = 554
    multi_recipient_bounce_reject_code = 554
    non_fqdn_reject_code = 554
    relay_domains_reject_code = 554
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    unknown_sender_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554
    smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/sender_access,
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client multi.uribl.com,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client multihop.dsbl.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client combined.rbl.msrbl.net,
    reject_rbl_client rabl.nuclearelephant.com,
    permit
    #smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access,permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    # <------ end anti spam settings
    smtpd_helo_restrictions =
    #smtpd_reject_unlisted_sender = no
    smtp_sasl_auth_enable = no
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = /var/spool/postfix/private/auth
    smtpd_sasl_auth_enable = yes
    smtpd_use_tls = yes
    smtp_use_tls = yes
    smtp_enforce_tls = no
    smtp_tls_session_cache_timeout = 3600s
    smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
    alias_maps = hash:/etc/aliases
    mailbox_size_limit = 0
    message_size_limit = 0
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_tls_auth_only = no
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
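The two questions above are easiest to answer by correlating the queue IDs in the posted log, so here is an added triage script (example code written for this thread, not code from the poster, Postfix or SpamAssassin). It parses lines in the same format as the excerpt and reports two things a defender wants to know: which inbound SMTP sessions had an internal (RFC 1918 or loopback) peer address, meaning that `reject_rbl_client` and SpamAssassin's network tests were given the router's LAN address instead of the real sending host, and which non-delivery notifications went back to the envelope sender of a message spamd had already scored as spam, i.e. backscatter. The first sample message reuses the values from the posted log; the second (queue id `7A1B2C3D4E`, `mail.example.net`, `203.0.113.10`, `alice@example.net`) is constructed for contrast. The `INTERNAL_NETS` list and all function names are assumptions of this example.

```python
"""Triage a Postfix + SpamAssassin log excerpt by correlating queue IDs.
Added example for this thread, not code from the poster or from Postfix."""
import ipaddress
import re
from collections import defaultdict

# Line shapes seen in the posted excerpt; each pattern captures the queue id first.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=(\S+)\[([0-9a-fA-F.:]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
MSGID_RE = re.compile(r"postfix/cleanup\[\d+\]: (\w+): message-id=<([^>]*)>")
BOUNCED_RE = re.compile(r"postfix/\w+\[\d+\]: (\w+): to=<([^>]*)>.*status=bounced")
NDN_RE = re.compile(r"postfix/bounce\[\d+\]: (\w+): sender non-delivery notification: (\w+)")
# spamd logs "Y" for spam and "." for ham before the score; mid=<...> carries the message-id.
SPAMD_RE = re.compile(r"spamd: result: (\S) (-?\d+) - (\S+) .*mid=<([^>]*)>")

# Assumption of this example: ranges that can never be the real Internet peer of an
# inbound SMTP session (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log. The first message mirrors the posted excerpt (router LAN
# address as client, spam verdict, bounce back to the sender); the second is a
# made-up clean message from a public address for contrast.
SAMPLE_LOG = """\
May 2 09:28:59 mmay-server postfix/smtpd[6063]: 5C7B5E43FA: client=unknown[192.168.6.2]
May 2 09:29:00 mmay-server postfix/cleanup[6073]: 5C7B5E43FA: message-id=<69l85h57j48-69308177-739w3l27@kkqnbcqhj>
May 2 09:29:00 mmay-server postfix/qmgr[17341]: 5C7B5E43FA: from=<lettyrana@xrea.com>, size=813, nrcpt=2 (queue active)
May 2 09:29:00 mmay-server spamd[4755]: spamd: result: Y 16 - ALL_TRUSTED,BAYES_99,FREEMAIL_FROM scantime=0.2,size=793,user=nobody,uid=65534,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=36258,mid=<69l85h57j48-69308177-739w3l27@kkqnbcqhj>,bayes=1.000000,autolearn=spam
May 2 09:29:00 mmay-server postfix/cleanup[6073]: A2273E5086: message-id=<69l85h57j48-69308177-739w3l27@kkqnbcqhj>
May 2 09:29:00 mmay-server postfix/qmgr[17341]: A2273E5086: from=<lettyrana@xrea.com>, size=3774, nrcpt=2 (queue active)
May 2 09:29:00 mmay-server postfix/local[6082]: A2273E5086: to=<kstewart@mmay-server.maxmay.com.au>, orig_to=<kirstie@maxmay.com.au>, relay=local, delay=0.18, delays=0.1/0.01/0/0.07, dsn=5.1.1, status=bounced (unknown user: "kstewart")
May 2 09:29:00 mmay-server postfix/cleanup[6073]: BEC6EE4472: message-id=<20120501232900.BEC6EE4472@mmay-server.maxmay.com.au>
May 2 09:29:00 mmay-server postfix/bounce[6085]: A2273E5086: sender non-delivery notification: BEC6EE4472
May 2 09:29:00 mmay-server postfix/qmgr[17341]: BEC6EE4472: from=<>, size=5781, nrcpt=1 (queue active)
May 2 09:35:10 mmay-server postfix/smtpd[6063]: 7A1B2C3D4E: client=mail.example.net[203.0.113.10]
May 2 09:35:10 mmay-server postfix/cleanup[6073]: 7A1B2C3D4E: message-id=<ok@example.net>
May 2 09:35:10 mmay-server postfix/qmgr[17341]: 7A1B2C3D4E: from=<alice@example.net>, size=900, nrcpt=1 (queue active)
May 2 09:35:11 mmay-server spamd[4755]: spamd: result: . 0 - NONE scantime=0.1,size=900,user=nobody,uid=65534,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=36259,mid=<ok@example.net>,autolearn=no
"""


def is_internal(ip):
    """True for RFC 1918 and loopback addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Collect per-queue-id facts, spamd verdicts keyed by message-id, and bounce links."""
    queue = defaultdict(dict)   # queue id -> client_ip / client_name / sender / msgid / bounced_to
    verdicts = {}               # message-id -> (is_spam, score, [tests])
    ndn = {}                    # bounced queue id -> queue id of the bounce it generated
    for line in text.splitlines():
        if m := CLIENT_RE.search(line):
            queue[m[1]].update(client_name=m[2], client_ip=m[3])
        elif m := FROM_RE.search(line):
            queue[m[1]]["sender"] = m[2]
        elif m := MSGID_RE.search(line):
            queue[m[1]]["msgid"] = m[2]
        elif m := BOUNCED_RE.search(line):
            queue[m[1]].setdefault("bounced_to", []).append(m[2])
        elif m := NDN_RE.search(line):
            ndn[m[1]] = m[2]
        elif m := SPAMD_RE.search(line):
            verdicts[m[4]] = (m[1] == "Y", int(m[2]), m[3].split(","))
    return {"queue": dict(queue), "verdicts": verdicts, "ndn": ndn}


def nat_masked(parsed):
    """(queue id, client ip) for SMTP sessions whose peer address is internal."""
    return sorted((qid, f["client_ip"]) for qid, f in parsed["queue"].items()
                  if "client_ip" in f and is_internal(f["client_ip"]))


def backscatter(parsed):
    """Bounces generated for messages spamd had already flagged as spam.
    Returns (bounce queue id, original SMTP client ip, spam score, envelope sender).
    The content filter reinjects the message under a new queue id, so the original
    SMTP client is found by following the message-id back to the smtpd entry."""
    queue = parsed["queue"]
    by_msgid = defaultdict(list)
    for qid, f in queue.items():
        if "msgid" in f:
            by_msgid[f["msgid"]].append(qid)
    out = []
    for bounced_qid, bounce_qid in parsed["ndn"].items():
        f = queue.get(bounced_qid, {})
        verdict = parsed["verdicts"].get(f.get("msgid"))
        if not (verdict and verdict[0]):
            continue
        client_ip = next((queue[q]["client_ip"] for q in by_msgid[f["msgid"]]
                          if "client_ip" in queue[q]), None)
        out.append((bounce_qid, client_ip, verdict[1], f.get("sender")))
    return out


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for qid, ip in nat_masked(parsed):
        print(f"{qid}: client {ip} is internal; RBL and network tests saw the router, not the sender")
    for bounce_qid, ip, score, sender in backscatter(parsed):
        print(f"{bounce_qid}: bounce sent to <{sender}> for a message scored {score} (client {ip})")
```

Run against the sample, the script reports `5C7B5E43FA` as NAT-masked and `BEC6EE4472` as a bounce sent to `lettyrana@xrea.com` for a message scored 16. That is the defensive reading of both questions: when a router's port forward also rewrites the source address (or proxies the connection), every `reject_rbl_client` lookup is made against 192.168.6.2 and can never match, and SpamAssassin's `ALL_TRUSTED` result is consistent with it treating that private hop as the only relay; the fix lies in the router (forwarding without source NAT), not in Postfix. The second pair of lines shows the server generating a bounce to a forged envelope sender after accepting the message, which is why rejecting unknown recipients during the SMTP session is preferable to bouncing afterwards.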
