On 12 Jul 2016, at 9:14, Phil Stracchino wrote:
> I'm getting spam leaking through from sites with non-resolving IP or
> invalid DNS, sending mail to myself as me.
You COULD use reject_unknown_client_hostname but it has substantial
false positives.
More directly, you could enforce your own SPF record:
caerllewys.net. 259200 IN TXT "v=spf1 ip4:216.246.132.90 -all"
It's more than slightly hypocritical to publish a "-all" SPF record when
you don't pay attention to it yourself. There are a wide variety of
tools that can be used to enforce SPF in various ways. I use
SpamAssassin (via MIMEDefang, which isn't important) because SA has a
deep capacity to deal with the fact that SPF records are often not worth
anything for a variety of reasons, including domain owners who don't
understand what "-all" should mean in principle. There are also
free-standing milters and policy daemons available for SPF enforcement.
In this case it also appears that the IP address was in the CBL and
hence SpamHaus Zen when you accepted it. Maybe not, but if you are not
killing such IPs in postscreen you're going to have a lot of spam
getting further in than it needs to. Also, if you're running a smallish
mail system with a limited audience that does not include a need to
communicate with Vietnamese correspondents, you can probably block all
email traffic from 14.160.0.0/11.
In addition, you should split initial mail submission from inbound
transport and (if you do any...) intermediary relay of mail. Putting a
submission service on port 587 removes the need to make your port 25
smtpd configuration allow for both types of handling.
> Here's an example:
> Jul 12 08:03:52 minbar postfix/smtpd[17824]: warning: hostname static.vnpt.vn does not resolve to address 14.167.212.244
> Jul 12 08:03:52 minbar postfix/smtpd[17824]: connect from unknown[14.167.212.244]
> Jul 12 08:03:53 minbar postfix/smtpd[17824]: 4F5D74037FB5B: client=unknown[14.167.212.244]
> Jul 12 08:03:53 minbar postfix/cleanup[17827]: 4F5D74037FB5B: message-id=<003601d1dc70$06d04a92$13f689a9@dveov>
> Jul 12 08:03:53 minbar opendkim[4236]: 4F5D74037FB5B: external host [14.167.212.244] attempted to send as caerllewys.net
> Jul 12 08:03:53 minbar postfix/qmgr[15588]: 4F5D74037FB5B: from=<[email protected]>, size=2201, nrcpt=1 (queue active)
> Jul 12 08:03:54 minbar postfix/pickup[16696]: 018314037FB5D: uid=1666 from=<[email protected]>
> Jul 12 08:03:54 minbar postfix/cleanup[17827]: 018314037FB5D: message-id=<003601d1dc70$06d04a92$13f689a9@dveov>
> Jul 12 08:03:54 minbar postfix/pipe[17828]: 4F5D74037FB5B: to=<[email protected]>, relay=dspam, delay=0.69, delays=0.66/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via dspam service)
> Jul 12 08:03:54 minbar postfix/qmgr[15588]: 4F5D74037FB5B: removed
> Jul 12 08:03:54 minbar opendkim[4236]: 018314037FB5D: DKIM-Signature field added (s=dkim, d=caerllewys.net)
Why are you signing mail that came from a random bot in Vietnam? If
OpenDKIM can't be made to require authentication in order to sign mail,
it is broken. I'm not familiar with it, so I expect you're just missing
some setting that exists...
> Jul 12 08:03:54 minbar postfix/qmgr[15588]: 018314037FB5D: from=<[email protected]>, size=2321, nrcpt=1 (queue active)
> Jul 12 08:03:54 minbar postfix/local[17843]: 018314037FB5D: to=<[email protected]>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
> Jul 12 08:03:54 minbar postfix/qmgr[15588]: 018314037FB5D: removed
> Jul 12 08:03:54 minbar postfix/smtpd[17824]: disconnect from unknown[14.167.212.244] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
> I have the following helo and sender restrictions in place:
> smtpd_helo_restrictions = reject_invalid_hostname
>     reject_unknown_sender_domain
>     reject_non_fqdn_sender
>     reject_unknown_reverse_client_hostname
> smtpd_sender_restrictions = permit_mynetworks
>     reject_invalid_hostname
>     reject_unknown_sender_domain
>     reject_non_fqdn_sender
You've been here long enough to have seen this request before:
Please provide 'postconf -n' output as described in the last section of
Postfix's DEBUG_README file.
The above snippets do not draw a full enough picture of your config to
offer a proper specific fix. However, IN GENERAL, you should avoid
duplicating 'reject_*' settings in different restriction lists unless
you have a concrete reason to do that. It is also pointless to put
sender restrictions in smtpd_helo_restrictions.
> OpenDKIM is picking up that 14.167.212.244 is falsely trying to send
> mail as caerllewys.net,
It doesn't seem to me like OpenDKIM is noticing any sort of falsity,
since it claims to be adding a signature.
> but Postfix is letting it happen. I just added a pcre restriction to
> smtpd_helo_restrictions to refuse any host trying to HELO as
> 'caerllewys.net', though I haven't had time yet to see whether it works,
It almost surely will not in this case, but that is not a bad choice. I
see no indication that this spambot is HELO'ing with your name, but some
will.
> but surely there should be some straightforward directive to tell
> Postfix not to allow a site outside of $mynetworks to send me mail using
> my own email address as sender.
Yes, there are such directives, and you're not showing the most suitable
places for them.
You should have smtpd_recipient_restrictions and maybe
smtpd_relay_restrictions lists, one or both of which end with "reject".
You should also have distinct SMTP and initial submission services, so
that you can more tightly control who claims to be you and what mail
Postfix hands to OpenDKIM for signing.
> Am I missing something that should be obvious?
Yes: DEBUG_README.
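As an added example of the layout this reply argues for (not Phil's actual configuration and not from the thread), here is a main.cf/master.cf sketch that refuses the local domain as sender from unauthenticated clients, ends the recipient list with reject, puts Zen and the /11 into postscreen, and confines signing to a separate submission service. The milter socket inet:localhost:8891, the table paths and the mynetworks value are assumed placeholders.

```conf
# main.cf (added example; mynetworks, table paths and milter socket are assumed)
mynetworks = 127.0.0.0/8 216.246.132.90/32

# Port 25 sits behind postscreen: Zen-listed clients and the /11 never reach smtpd.
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_sites = zen.spamhaus.org
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

# Relay control in one place; the recipient list decides who may claim what.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/sender_access
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_unknown_reverse_client_hostname
    permit_auth_destination
    reject

# No signing milter on port 25, and none for pickup/sendmail re-injections:
# the second queue ID in the log (018314037FB5D) came back in via pickup, which
# is the path non_smtpd_milters covers.
smtpd_milters =
non_smtpd_milters =

# /etc/postfix/sender_access  (then: postmap hash:/etc/postfix/sender_access)
caerllewys.net   REJECT send as caerllewys.net only through authenticated submission

# /etc/postfix/postscreen_access.cidr
14.160.0.0/11    reject

# master.cf: port 25 via postscreen, port 587 for authenticated submission only,
# and the signing milter attached to 587 alone.
smtp       inet  n  -  n  -  1  postscreen
smtpd      pass  -  -  n  -  -  smtpd
dnsblog    unix  -  -  n  -  0  dnsblog
tlsproxy   unix  -  -  n  -  0  tlsproxy
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_milters=inet:localhost:8891
  -o milter_macro_daemon_name=ORIGINATING
```

With this split, an unauthenticated client on port 25 is refused at RCPT when it presents caerllewys.net as sender, and the only path to the signing milter is a SASL-authenticated session on 587.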