On Mon, Mar 1, 2010 at 9:29 AM, Noel Jones <njo...@megan.vbhcs.org> wrote:

> That parameter doesn't prevent spammers from sending junk to postmaster, it
> prevents mail to postmaster from bypassing your existing anti-spam controls.
> Big difference.

It looks like it does pass my 'anti-spam' controls however, and I am not sure why, or how I can determine what is allowing this particular example to slip past. Below is straight from my Postfix logs, and at the end of this email you can see my postconf -n shows '$double_bounce_sender':

Feb 27 15:05:44 mail postfix/smtpd[3291]: warning: 89.204.40.160: hostname 160.40.204.89.access.ttknet.ru verification failed: Name or service not known
Feb 27 15:05:44 mail postfix/smtpd[3291]: connect from unknown[89.204.40.160]
Feb 27 15:05:49 mail postfix/smtpd[3291]: 179C477ADB5: client=unknown[89.204.40.160]
Feb 27 15:05:50 mail postfix/cleanup[5220]: 179C477ADB5: message-id=<20100227200549.179c477a...@mail.iamghost.com>
Feb 27 15:05:50 mail postfix/qmgr[20536]: 179C477ADB5: from=<postmas...@iamghost.com>, size=3854, nrcpt=1 (queue active)
Feb 27 15:05:50 mail postfix/smtpd[3291]: disconnect from unknown[89.204.40.160]
Feb 27 15:05:50 mail postfix/smtpd[5224]: EC5B277ADD6: client=localhost.localdomain[127.0.0.1]
Feb 27 15:05:50 mail postfix/cleanup[5220]: EC5B277ADD6: message-id=<20100227200549.179c477a...@mail.iamghost.com>
Feb 27 15:05:51 mail postfix/smtpd[5224]: disconnect from localhost.localdomain[127.0.0.1]
Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6: from=<postmas...@iamghost.com>, size=4620, nrcpt=1 (queue active)
Feb 27 15:05:51 mail amavis[6851]: (06851-16) Passed SPAMMY, [89.204.40.160] [89.204.40.160] <postmas...@iamghost.com> -> <postmas...@iamghost.com>, Message-ID: <20100227200549.179c477a...@mail.iamghost.com>, mail_id: awUEbrkCfcvq, Hits: 7.457, size: 3845, queued_as: EC5B277ADD6, 811 ms
Feb 27 15:05:51 mail postfix/lmtp[5221]: 179C477ADB5: to=<postmas...@iamghost.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=1.7/0.01/0/0.81, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06851-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as EC5B277ADD6)
Feb 27 15:05:51 mail postfix/qmgr[20536]: 179C477ADB5: removed
Feb 27 15:05:51 mail postfix/local[5225]: EC5B277ADD6: to=<car...@iamghost.com>, orig_to=<postmas...@iamghost.com>, relay=local, delay=0.31, delays=0.18/0.01/0/0.12, dsn=2.0.0, status=sent (delivered to maildir)
Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6: removed

> No. Apparently you have no controls that would otherwise reject this spam.

I guess I didn't really understand the full meaning of '$double_bounce_sender'.

> Yes, looks as if the spammer forged your postmaster as the envelope sender.
> You can reject mail FROM postmaster@ your domain with a check_sender_access
> map.

I do have a 'sender_access' map in /etc/postfix and in main.cf:

[r...@mail postfix]# postconf -n | grep 'sender_access'
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_unlisted_recipient, check_policy_service unix:postgrey/socket, check_sender_access hash:/etc/postfix/sender_access, check_helo_access pcre:/etc/postfix/helo_checks.pcre, check_client_access hash:/etc/postfix/client_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net

Inside the file, however, I have domains and specific email addresses. Is this the wrong formatting for the 'sender_access' file?

# /etc/postfix/sender_access
#
# Black/Whitelist for senders matching the 'MAIL FROM' field. Examples...
#
lmco.com                OK
saic.com                OK
se-core.net             OK
army.mil                OK
us.army.mil             OK
rayhtheonvtc.com        OK
sting_r...@yahoo.com    OK
aol.com                 REJECT
craigslist.org          REJECT
facebookmail.com        REJECT
gmail.com               REJECT
hotmail.com             REJECT
yahoo.com               REJECT
youtube.com             REJECT

Noel, or anyone: if you can, please help me understand the following:

1. Why did Postfix allow the sender to bypass my 'anti-spam' rules in my main.cf when, as my logs above show, it didn't have a properly formatted FQDN and/or hostname?

2. Was it passed because it was spoofed to come from 'postmas...@iamghost.com', and I need to add a rule for this in 'sender_access'?

3. If 'yes' to the above, why isn't '$double_bounce_sender' forcing email to 'Postmaster' to run through the checks?

4. Based on my postconf -n (below) and my contents above showing '/etc/postfix/sender_access', do I have the correct values in the 'sender_access' file, or is it improperly formatted?

***Postconf -n***

[r...@mail postfix]# postconf -n
address_verify_sender = $double_bounce_sender
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydestination = $myhostname, $mydomain, mail.$mydomain
mydomain = iamghost.com
myhostname = mail.iamghost.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
relay_domains =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_unlisted_recipient, check_policy_service unix:postgrey/socket, check_sender_access hash:/etc/postfix/sender_access, check_helo_access pcre:/etc/postfix/helo_checks.pcre, check_client_access hash:/etc/postfix/client_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, permit
smtpd_tls_CAfile = /etc/ssl/intermediate.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /srv/ssl/mail.crt
smtpd_tls_key_file = /srv/ssl/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
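Added example (not part of the thread, and not Postfix's own code): a small simulation of the lookup order Postfix uses when check_sender_access consults a hash: map, as documented in access(5): the full user@domain first, then the domain and each of its parent domains, then the bare user@ form. Keys are folded to lower case, and a map that matches nothing yields DUNNO, so evaluation simply moves on to the next restriction in the list. The map text below is a constructed copy of a few of the posted entries plus one hypothetical per-user entry (alice@yahoo.com) to show that an address entry takes precedence over a domain entry; it assumes the default parent_domain_matches_subdomains setting, which includes smtpd_access_maps, so a bare domain entry also matches its subdomains. Run against the posted entries, the sender postmaster@iamghost.com matches nothing, which is why this map returns no REJECT for it; the second map adds the entry Noel suggested.

```python
"""Simulate Postfix check_sender_access lookups (access(5) lookup order).

Constructed example; not code from the thread or from Postfix itself.
"""
from typing import Dict, List, Optional, Tuple

# Constructed copy of part of the posted map, plus a hypothetical
# per-user whitelist entry (alice@yahoo.com) to show precedence.
SENDER_ACCESS_TEXT = """\
# /etc/postfix/sender_access (constructed copy)
lmco.com            OK
saic.com            OK
alice@yahoo.com     OK
aol.com             REJECT
gmail.com           REJECT
yahoo.com           REJECT
"""

# The same map with Noel's suggestion applied: reject MAIL FROM postmaster@
# the local domain. The posted map did not contain this entry.
HARDENED_TEXT = SENDER_ACCESS_TEXT + (
    "postmaster@iamghost.com   REJECT forged postmaster sender\n"
)


def parse_access_map(text: str) -> Dict[str, str]:
    """Parse the source text of a hash: access map (the file given to postmap).

    Blank lines and '#' comments are skipped; keys are folded to lower case,
    as Postfix does for indexed-table lookups.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed access map line: {raw!r}")
        key, action = parts
        table[key.lower()] = action.strip()
    return table


def lookup_keys(address: str) -> List[str]:
    """Keys Postfix tries, in order, for an email-address lookup:
    user@domain, the domain, each parent domain (down to the TLD), then user@.
    Assumes smtpd_access_maps is in parent_domain_matches_subdomains (default).
    """
    address = address.lower()
    if "@" not in address:
        return [address]
    user, domain = address.rsplit("@", 1)
    keys = [f"{user}@{domain}", domain]
    labels = domain.split(".")
    keys += [".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(f"{user}@")
    return keys


def check_sender_access(address: str, table: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (action, matching_key). ("DUNNO", None) means no entry matched,
    so Postfix would continue with the next restriction in the list."""
    for key in lookup_keys(address):
        if key in table:
            # Only the first word of the right-hand side is the action;
            # any remaining text is the reply message (as with REJECT).
            return table[key].split()[0].upper(), key
    return "DUNNO", None


SENDER_ACCESS = parse_access_map(SENDER_ACCESS_TEXT)
HARDENED = parse_access_map(HARDENED_TEXT)

if __name__ == "__main__":
    for sender in ("postmaster@iamghost.com", "alice@yahoo.com", "bob@mail.yahoo.com"):
        print(f"{sender:26} posted map -> {check_sender_access(sender, SENDER_ACCESS)}")
    print(f"{'postmaster@iamghost.com':26} hardened   -> "
          f"{check_sender_access('postmaster@iamghost.com', HARDENED)}")
```

The `lookup_keys` order is what makes the whitelist entry for a single yahoo.com user override the `yahoo.com REJECT` line, and what makes `bob@mail.yahoo.com` fall under `yahoo.com` via the parent-domain step. A per-address entry is safer than a bare `iamghost.com REJECT` here, since the latter would also block legitimate senders in the domain who are not covered by an earlier permit_mynetworks or permit_sasl_authenticated.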