On 4/5/2010 5:19 PM, Voytek Eymont wrote:

On Tue, April 6, 2010 4:22 am, Noel Jones wrote:

Apr  5 11:03:31  postfix/smtpd[31021]: NOQUEUE: reject: RCPT from
fep06.mfe.bur.connect.com.au[203.63.86.26]: 554 5.7.1
<fep06.mfe.bur.connect.com.au[203.63.86.26]>: Client host rejected:
sender address does not match client hostname; from=<xxx...@yahoo.com>
  to=<y...@zzz.org.au>   proto=ESMTP
helo=<fep06.mfe.bur.connect.com.au>

This is almost certainly a "spoofed freemail" rule added to
the local postfix.  Recipes for similar rules have been posted on this
list in the past.


Noel, thanks

in fact I copied such a rule from the list in the past, perhaps I misplaced
it (or did I leave parts of the previous rule..?);


Looks as if the rule is working properly. If you no longer need or want this rule, remove it from your configuration.

The rule works, but as with most UCE rules there is some risk of rejecting mail you want. You get to decide if such a rule is acceptable general policy for your site, or if you need to whitelist a specific client.


  -- Noel Jones



main.cf has:

smtpd_restriction_classes = from_freemail_host
from_freemail_host =
  reject_unknown_client,
  check_client_access hash:/etc/postfix/freemail_hosts,
  check_client_access regexp:/etc/postfix/freemail_reject,
  reject

# cat freemail_hosts
yahoo.com               OK
earthlink.net           OK
excite.com              OK
excitenetwork.com       OK

cat freemail_reject
# freemail_reject
/^/  REJECT   sender address does not match client hostname

(I was missing an LF at the end of this, after 'hostname', could that cause a
problem?)


as well as check_sender_access in smtpd_recipient_restrictions, is this
what is causing my problem?

smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  check_client_access hash:/etc/postfix/pop-before-smtp,
  reject_unauth_destination,
...
  check_sender_access hash:/etc/postfix/freemail_access,
...

# cat freemail_access
yahoo.com       from_freemail_host
earthlink.net   from_freemail_host
excite.com      from_freemail_host


postconf -n

address_verify_sender = $double_bounce_sender
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
body_checks = pcre:/etc/postfix/body_checks
body_checks_size_limit = 150000
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix-2.4.5-documentation/html
local_recipient_maps = unix:passwd.byname $alias_maps
local_transport = local
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 15360000
mime_header_checks = pcre:$config_directory/mime_headers.pcre
mydestination = $myhostname, localhost.$mydomain
mynetworks = 116.197.145.51 60.242.27.57 127.0.0.1
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.4.5-documentation/readme
recipient_delimiter = +
sample_directory = /etc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database =
btree:/var/spool/postfix/smtp_tls_session_cache
smtp_tls_session_cache_timeout = 3600s
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
regexp:/etc/postfix/helo_access
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
check_client_access hash:/etc/postfix/pop-before-smtp,
reject_unauth_destination,
check_recipient_access hash:/etc/postfix/recipient_no_checks,
reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname,
reject_non_fqdn_hostname, reject_unknown_sender_domain,
reject_unknown_reverse_client_hostname, reject_unlisted_recipient,
check_sender_access hash:/etc/postfix/freemail_access, check_recipient_access
pcre:/etc/postfix/recipient_checks.pcre, check_helo_access
hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks,
check_client_access hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net, reject_rhsbl_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org, reject_rhsbl_sender
dsn.rfc-ignorant.org,
reject_rbl_client psbl.surriel.com, check_policy_service
inet:127.0.0.1:10031,
permit
smtpd_restriction_classes = from_freemail_host
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.crt
smtpd_tls_key_file = /etc/postfix/tls/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
btree:/var/spool/postfix/smtpd_tls_session_cache
smtpd_tls_session_cache_timeout = 36000s
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = $message_size_limit
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = virtual
virtual_uid_maps = static:5000
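
An added example, not part of the original messages and not Postfix code: a simplified Python model of how the quoted `freemail_access` lookup and the `from_freemail_host` class decide the logged rejection. The function names, the sample sender, the hostname `mta1.mail.yahoo.com` and the `connect.com.au` whitelist entry are constructed for illustration; parent-domain matching assumes the default `parent_domain_matches_subdomains` setting.

```python
# Simplified model of the lookups quoted in this thread; not Postfix source.
FREEMAIL_ACCESS = {  # check_sender_access hash:/etc/postfix/freemail_access
    "yahoo.com": "from_freemail_host",
    "earthlink.net": "from_freemail_host",
    "excite.com": "from_freemail_host",
}
FREEMAIL_HOSTS = {  # check_client_access hash:/etc/postfix/freemail_hosts
    "yahoo.com": "OK", "earthlink.net": "OK",
    "excite.com": "OK", "excitenetwork.com": "OK",
}
REJECT_TEXT = "sender address does not match client hostname"

def domain_lookup(table, name):
    """Try the name itself, then each parent domain (domain part of the search only)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        hit = table.get(".".join(labels[i:]))
        if hit:
            return hit
    return None

def from_freemail_host(client_name, hosts=FREEMAIL_HOSTS):
    """The restriction class from main.cf, evaluated left to right."""
    if client_name == "unknown":                    # reject_unknown_client
        return "REJECT (reject_unknown_client)"
    if domain_lookup(hosts, client_name) == "OK":   # freemail_hosts
        return "OK"
    return "REJECT " + REJECT_TEXT                  # regexp /^/ matches any client

def check_sender(sender, client_name, hosts=FREEMAIL_HOSTS):
    """check_sender_access step: only listed sender domains enter the class."""
    domain = sender.rsplit("@", 1)[-1]
    if domain_lookup(FREEMAIL_ACCESS, domain) == "from_freemail_host":
        return from_freemail_host(client_name, hosts)
    return "DUNNO"  # unlisted sender domain; later restrictions decide

if __name__ == "__main__":
    isp_relay = "fep06.mfe.bur.connect.com.au"      # client from the log line
    print(check_sender("user@yahoo.com", isp_relay))            # the logged reject
    print(check_sender("user@yahoo.com", "mta1.mail.yahoo.com"))  # constructed host
    # Constructed whitelist entry for the ISP relay, as one way to exempt a client.
    allowed = dict(FREEMAIL_HOSTS, **{"connect.com.au": "OK"})
    print(check_sender("user@yahoo.com", isp_relay, allowed))
```
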



