On 3/1/2010 10:50 AM, Carlos Williams wrote:
On Mon, Mar 1, 2010 at 9:29 AM, Noel Jones <njo...@megan.vbhcs.org> wrote:
That parameter doesn't prevent spammers from sending junk to postmaster, it
prevents mail to postmaster from bypassing your existing anti-spam controls.
Big difference.

It looks like it does pass my 'anti-spam' controls however & I am not
sure why or how I can determine what is allowing this particular
example to slip past.

It "slips past" because there are no rules to block it.

Below is straight from my Postfix logs and in
the end of this email you can see my postconf -n shows
'$double_bounce_sender':

Feb 27 15:05:44 mail postfix/smtpd[3291]: warning: 89.204.40.160: hostname 160.40.204.89.access.ttknet.ru verification failed: Name or service not known
Feb 27 15:05:44 mail postfix/smtpd[3291]: connect from unknown[89.204.40.160]
Feb 27 15:05:49 mail postfix/smtpd[3291]: 179C477ADB5: client=unknown[89.204.40.160]
Feb 27 15:05:50 mail postfix/cleanup[5220]: 179C477ADB5: message-id=<20100227200549.179c477a...@mail.iamghost.com>
Feb 27 15:05:50 mail postfix/qmgr[20536]: 179C477ADB5: from=<postmas...@iamghost.com>, size=3854, nrcpt=1 (queue active)
Feb 27 15:05:50 mail postfix/smtpd[3291]: disconnect from unknown[89.204.40.160]
Feb 27 15:05:50 mail postfix/smtpd[5224]: EC5B277ADD6: client=localhost.localdomain[127.0.0.1]
Feb 27 15:05:50 mail postfix/cleanup[5220]: EC5B277ADD6: message-id=<20100227200549.179c477a...@mail.iamghost.com>
Feb 27 15:05:51 mail postfix/smtpd[5224]: disconnect from localhost.localdomain[127.0.0.1]
Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6: from=<postmas...@iamghost.com>, size=4620, nrcpt=1 (queue active)
Feb 27 15:05:51 mail amavis[6851]: (06851-16) Passed SPAMMY, [89.204.40.160] [89.204.40.160] <postmas...@iamghost.com> -> <postmas...@iamghost.com>, Message-ID: <20100227200549.179c477a...@mail.iamghost.com>, mail_id: awUEbrkCfcvq, Hits: 7.457, size: 3845, queued_as: EC5B277ADD6, 811 ms
Feb 27 15:05:51 mail postfix/lmtp[5221]: 179C477ADB5: to=<postmas...@iamghost.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=1.7/0.01/0/0.81, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06851-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as EC5B277ADD6)
Feb 27 15:05:51 mail postfix/qmgr[20536]: 179C477ADB5: removed
Feb 27 15:05:51 mail postfix/local[5225]: EC5B277ADD6: to=<car...@iamghost.com>, orig_to=<postmas...@iamghost.com>, relay=local, delay=0.31, delays=0.18/0.01/0/0.12, dsn=2.0.0, status=sent (delivered to maildir)
Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6: removed

No.  Apparently you have no controls that would otherwise reject this spam.

I guess I didn't really understand fully the full meaning of
'$double_bounce_sender'.

Yes, looks as if the spammer forged your postmaster as the envelope sender.
You can reject mail FROM postmaster@ your domain with a check_sender_access
map.

I do have a 'sender_access' map in /etc/postfix and in main.cf:

[r...@mail postfix]# postconf -n | grep 'sender_access'
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_unlisted_recipient, check_policy_service unix:postgrey/socket, check_sender_access hash:/etc/postfix/sender_access, check_helo_access pcre:/etc/postfix/helo_checks.pcre, check_client_access hash:/etc/postfix/client_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net

Inside the file however I have domains and specific email addresses.
Is this wrong formatting for the 'sender_access' file?

# /etc/postfix/sender_access
#
# Black/Whitelist for senders matching the 'MAIL FROM' field. Examples...
#
lmco.com                        OK
saic.com                        OK
se-core.net                     OK
army.mil                        OK
us.army.mil                     OK
rayhtheonvtc.com                OK
sting_r...@yahoo.com    OK

aol.com                         REJECT
craigslist.org                  REJECT
facebookmail.com                REJECT
gmail.com                       REJECT
hotmail.com                     REJECT
yahoo.com                       REJECT
youtube.com                     REJECT

You can add "postmas...@your_domain REJECT" to this list if you want.
Noel or anyone. If you can please help me understand the following:

1. Why did Postfix allow the sender to bypass my 'anti spam' rules in
my main.cf when it appeared in my logs above it didn't have a proper
formatted fqdn and or hostname?

You have no rules to reject based on this.

2. Was it passed because it was spoofed to come from
'postmas...@iamghost.com' & I need to add a rule for this in
'sender_access'?

No, that doesn't appear to have any bearing.


3. If 'yes' to above, why isn't '$double_bounce_sender' forcing email
to 'Postmaster' run through checks?
4. Based on my postconf -n (below) and my contents above showing
'/etc/postfix/sender_access', do I have the correct values in the
'sender_access' file or is it improperly formatted?


***Postconf -n***

[r...@mail postfix]# postconf -n
address_verify_sender = $double_bounce_sender
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydestination = $myhostname, $mydomain, mail.$mydomain
mydomain = iamghost.com
myhostname = mail.iamghost.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
relay_domains =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_unlisted_recipient, check_policy_service unix:postgrey/socket, check_sender_access hash:/etc/postfix/sender_access, check_helo_access pcre:/etc/postfix/helo_checks.pcre, check_client_access hash:/etc/postfix/client_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit


No glaring errors, although you might want to remove reject_unknown_recipient_domain as the only thing it's likely to block is your own domain.


smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, permit
smtpd_tls_CAfile = /etc/ssl/intermediate.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /srv/ssl/mail.crt
smtpd_tls_key_file = /srv/ssl/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

  -- Noel Jones
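The thread turns on two things: whether the sender_access file is formatted correctly (question 4) and why a full-address entry such as the "postmaster@your_domain REJECT" line Noel suggests would catch the forged envelope sender. The script below is an added example, not code from the thread or from Postfix, that parses a map in the same two-column layout and walks the lookup order access(5) documents for an email-address key (user@domain, then the domain and its parent domains, then user@). The map contents are constructed for the example: a few domain entries mirror the page's file, while the addresses and the example.com domain are made up.

```python
# Constructed sender_access map in the layout of the file shown in the thread:
# pattern, whitespace, action. The domain entries mirror the page's file; the
# address entries and example.com are constructed for this example. The last
# line is the kind of full-address entry suggested in the thread.
SENDER_ACCESS_MAP = """
# pattern                 action
lmco.com                  OK
alice@yahoo.com           OK
yahoo.com                 REJECT
gmail.com                 REJECT
postmaster@example.com    REJECT
"""


def parse_access_map(text):
    """Parse access(5)-style text into {key: action}.

    Blank lines and '#' comments are skipped and keys are folded to lower case,
    which is how postmap(1) stores keys for a hash: table.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed access map line: {raw!r}")
        key, action = parts
        table[key.lower()] = action.strip()
    return table


def lookup_order(address):
    """Keys tried for an email-address lookup, in the order access(5) documents.

    First the full user@domain, then the domain itself, then each parent domain
    (smtpd_access_maps is in the default parent_domain_matches_subdomains, so
    plain 'example.com' also matches sub.example.com), and finally 'user@',
    which matches that localpart at any domain. The bare TLD is not tried.
    """
    local, _, domain = address.lower().rpartition("@")
    keys = [f"{local}@{domain}", domain]
    labels = domain.split(".")
    for i in range(1, len(labels) - 1):
        keys.append(".".join(labels[i:]))
    keys.append(f"{local}@")
    return keys


def check_sender_access(address, table):
    """Return (matched_key, action) for the first key found in the map.

    (None, 'DUNNO') means the map had no entry for this sender, so Postfix would
    move on to the next restriction in the list.
    """
    for key in lookup_order(address):
        if key in table:
            return key, table[key]
    return None, "DUNNO"


if __name__ == "__main__":
    table = parse_access_map(SENDER_ACCESS_MAP)
    for sender in ["alice@yahoo.com", "carol@yahoo.com", "Postmaster@Example.com",
                   "bob@lmco.com", "eve@unlisted.invalid"]:
        print(f"{sender:26} -> {check_sender_access(sender, table)}")
```

Two points the output makes visible: the per-address "alice@yahoo.com OK" entry wins over "yahoo.com REJECT" because the full address is tried first, which is why the mixed address-and-domain file in the thread is valid; and in the page's configuration the map is consulted by check_sender_access only after permit_mynetworks and permit_sasl_authenticated have already matched trusted clients, so a REJECT on postmaster@ the local domain affects outside connections only.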
