Hi,

Shoot me if I'm wrong ;-) but I think your smtp service is an open relay?! I don't see reject_unauth_destination after your permit_mynetwork and permit_sasl_authenticated. That means (at least afaik) that any mail will be accepted as long as it does not hit one of your reject_* statements.

So for your submission/smtps service I'd recommend to add a final reject to the restrictions and for the smtpd_recipient_restrictions I'd recommend to add reject_unauth_destination directly after permit_sasl_authenticated. Imho it would be preferable to disable AUTH on port 25 anyway (but that might start "religious" discussions here ;-))

I wonder a bit that your postfix allows processing mail at all because the man says:

> IMPORTANT: Either the smtpd_relay_restrictions or the
> smtpd_recipient_restrictions parameter must specify at least one of
> the following restrictions. Otherwise Postfix will refuse to receive
> mail:
>
>     reject, reject_unauth_destination
>
>     defer, defer_if_permit, defer_unauth_destination

Another thing I wonder about is your output from mxtoolbox test. It shows your server rejects with a 4xx temporary reject. That should be a 5xx. I think postfix complains about something in its logs.

Cheers

--

tobi

On 15.10.19 at 09:27, Julien Michaux wrote:
> Hi everyone,
>
> I have a problem with postfix.
>
> I use OBM as a mail server (postfix + cyrus + ldap, etc...). My postfix is
> not an open relay:
>
> 220 xxxxxx ESMTP Postfix (Debian/GNU) [706 ms]
> EHLO keeper-us-east-1c.mxtoolbox.com
> 250-xxxxxx
> 250-PIPELINING
> 250-SIZE 52428800
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN [702 ms]
> MAIL FROM:<supert...@mxtoolbox.com> <supert...@mxtoolbox.com>
> 250 2.1.0 Ok [700 ms]
> RCPT TO:<t...@mxtoolboxsmtpdiag.com> <t...@mxtoolboxsmtpdiag.com>
> 454 4.7.1 <t...@mxtoolboxsmtpdiag.com> <t...@mxtoolboxsmtpdiag.com>: Relay access denied [719 ms]
>
> LookupServer 3927ms
>
> From time to time, my server is attacked and it sends spam. All the spam is from a
> specific address "cy...@mydomain.com" <cy...@mydomain.com>.
> I tried many things but nothing works. I have to stop postfix for some
> hours and the attack ends until next time.
>
> Can you provide me advice or corrections to my config to ensure this attack
> can't succeed, please?
>
> Here is master.cf :
> smtp inet n - n - - smtpd -v
>   -o receive_override_options=no_address_mappings
>   -o content_filter=smtp-amavis:127.0.0.1:10024
> submission inet n - n - - smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_reject_unlisted_recipient=no
>   -o smtpd_client_restrictions=$mua_client_restrictions
>   -o smtpd_helo_restrictions=$mua_helo_restrictions
>   -o smtpd_sender_restrictions=$mua_sender_restrictions
>   -o smtpd_recipient_restrictions=$mua_recipient_restrictions
>   -o milter_macro_daemon_name=ORIGINATING
>   -o receive_override_options=no_address_mappings
>   -o content_filter=smtp-amavis:127.0.0.1:10024
> smtps inet n - n - - smtpd
>   -o syslog_name=postfix/smtps
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_reject_unlisted_recipient=no
>   -o smtpd_client_restrictions=$mua_client_restrictions
>   -o smtpd_helo_restrictions=$mua_helo_restrictions
>   -o smtpd_sender_restrictions=$mua_sender_restrictions
>   -o smtpd_recipient_restrictions=$mua_recipient_restrictions
>   -o milter_macro_daemon_name=ORIGINATING
>   -o receive_override_options=no_address_mappings
>   -o content_filter=smtp-amavis:127.0.0.1:10024
> pickup unix n - n 60 1 pickup
> cleanup unix n - n - 0 cleanup
> qmgr unix n - n 300 1 qmgr
> tlsmgr unix - - n 1000? 1 tlsmgr
> rewrite unix - - n - - trivial-rewrite
> bounce unix - - n - 0 bounce
> defer unix - - n - 0 bounce
> trace unix - - n - 0 bounce
> verify unix - - n - 1 verify
> flush unix n - n 1000? 0 flush
> proxymap unix - - n - - proxymap
> proxywrite unix - - n - 1 proxymap
> smtp unix - - n - - smtp
> relay unix - - n - - smtp
> showq unix n - n - - showq
> error unix - - n - - error
> retry unix - - n - - error
> discard unix - - n - - discard
> local unix - n n - - local
> virtual unix - n n - - virtual
> lmtp unix - - n - - lmtp
> anvil unix - - n - 1 anvil
> scache unix - - n - 1 scache
> smtp-amavis unix - - y - 2 smtp
>   -o smtp_data_done_timeout=1200
>   -o disable_dns_lookups=yes
>   -o smtp_send_xforward_command=yes
> 127.0.0.1:10025 inet n - y - - smtpd
>   -o content_filter=
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=$mua_sender_restrictions
>
> Here is main.cf :
>
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> biff = no
> append_dot_mydomain = no
> myhostname = xxxxxxxx
> myorigin = $myhostname
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> local_recipient_maps = $alias_maps
> mydestination = localhost
> virtual_transport = error:mailbox does not exist
> virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
> virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox
> virtual_alias_maps = hash:/etc/postfix/virtual_alias
>   hash:/etc/postfix/virtual_alias_1pour1
>   pcre:/etc/postfix/virtual_alias_catchall
> transport_maps = hash:/etc/postfix/transport
> recipient_delimiter = +
> smtp_use_tls = yes
> smtpd_use_tls = yes
> smtpd_tls_cert_file = /etc/obm/certs/fullchain.pem
> smtpd_tls_key_file = /etc/obm/certs/privkey.pem
> smtp_tls_security_level = may
> smtpd_tls_security_level = may
> smtp_tls_note_starttls_offer = yes
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> message_size_limit = 52428800
> mua_sender_restrictions =
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_unknown_reverse_client_hostname,
>   check_sender_access hash:/etc/postfix/sender_access
> smtpd_helo_required = yes
> mua_helo_restrictions =
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_non_fqdn_helo_hostname,
>   reject_unknown_helo_hostname
> mua_recipient_restrictions =
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_sender_login_mismatch,
>   reject_invalid_helo_hostname,
>   reject_non_fqdn_helo_hostname,
>   reject_non_fqdn_sender,
>   reject_non_fqdn_recipient,
>   reject_unknown_sender_domain,
>   reject_unknown_recipient_domain,
>   reject_rhsbl_helo dbl.spamhaus.org,
>   reject_rhsbl_reverse_client dbl.spamhaus.org,
>   reject_rhsbl_sender dbl.spamhaus.org,
>   reject_rbl_client zen.spamhaus.org
> smtpd_sender_restrictions =
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_unknown_reverse_client_hostname,
>   check_sender_access hash:/etc/postfix/sender_access
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_non_fqdn_helo_hostname,
>   reject_unknown_helo_hostname
> smtpd_recipient_restrictions =
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_sender_login_mismatch,
>   reject_invalid_helo_hostname,
>   reject_non_fqdn_helo_hostname,
>   reject_non_fqdn_sender,
>   reject_non_fqdn_recipient,
>   reject_unknown_sender_domain,
>   reject_unknown_recipient_domain,
>   reject_rhsbl_helo dbl.spamhaus.org,
>   reject_rhsbl_reverse_client dbl.spamhaus.org,
>   reject_rhsbl_sender dbl.spamhaus.org,
>   reject_rbl_client zen.spamhaus.org
> smtp_sender_restrictions =
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_unknown_reverse_client_hostname,
>   check_sender_access hash:/etc/postfix/sender_access
> smtp_helo_required = yes
> smtp_helo_restrictions =
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_non_fqdn_helo_hostname,
>   reject_unknown_helo_hostname
> smtp_recipient_restrictions =
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_sender_login_mismatch,
>   reject_invalid_helo_hostname,
>   reject_non_fqdn_helo_hostname,
>   reject_non_fqdn_sender,
>   reject_non_fqdn_recipient,
>   reject_unknown_sender_domain,
>   reject_unknown_recipient_domain,
>   reject_rhsbl_helo dbl.spamhaus.org,
>   reject_rhsbl_reverse_client dbl.spamhaus.org,
>   reject_rhsbl_sender dbl.spamhaus.org,
>   reject_rbl_client zen.spamhaus.org
>
> Thanks for your help
>
>
> Michaux Julien
> Email: jul...@michaux.name
>
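
Added example, not part of the original thread and not Postfix's own code: a small Python checker for the point raised in the reply, namely whether a restriction list contains one of the relay guards named in the quoted documentation and whether it ends in a final `reject`. The two sample configurations are constructed from the posted main.cf (shortened); a parameter absent from the text is reported as unset, because the checker does not model Postfix's built-in defaults.

```python
import re

# Restrictions named in the Postfix documentation quoted in the reply: at least
# one must appear in smtpd_relay_restrictions or smtpd_recipient_restrictions.
RELAY_GUARDS = {"reject", "reject_unauth_destination", "defer",
                "defer_if_permit", "defer_unauth_destination"}

def parse_main_cf(text):
    """Return {parameter: value}, joining indented continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name is not None:
            params[name] += " " + line.strip()
        else:
            name, _, value = (s.strip() for s in line.partition("="))
            params[name] = value
    return params

def audit(params, list_name):
    """Describe how one restriction list handles relaying."""
    tokens = [t for t in re.split(r"[,\s]+", params.get(list_name, "")) if t]
    at = next((i for i, t in enumerate(tokens) if t in RELAY_GUARDS), None)
    before = tokens if at is None else tokens[:at]
    return {"set": list_name in params,
            "guard": None if at is None else tokens[at],
            "permits_before_guard": [t for t in before if t.startswith("permit")],
            "ends_in_reject": bool(tokens) and tokens[-1] == "reject"}

# Constructed samples: the posted recipient lists (shortened), then as revised per the reply.
POSTED = """\
smtpd_recipient_restrictions =
    permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_recipient, reject_rbl_client zen.spamhaus.org
mua_recipient_restrictions =
    permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient
"""
REVISED = """\
smtpd_recipient_restrictions =
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
    reject_non_fqdn_recipient, reject_rbl_client zen.spamhaus.org
mua_recipient_restrictions =
    permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("revised", REVISED)):
        for name in ("smtpd_recipient_restrictions", "mua_recipient_restrictions"):
            print(label, name, audit(parse_main_cf(text), name))
```

Running it over the output of `postconf` instead of the raw file also covers parameters the file leaves unset, since `postconf` prints the values Postfix is actually using.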