Added a Check - Asking for a Review
Today I downloaded Ralf Hildebrandt's Postfix example and used his 'check_helo_access' example in my configuration. I have not 'reloaded' Postfix yet because I want to make sure that I did not add this in and cause any redundant checks or worse, break something. Can you guys please review my main.cf and tell me if I added this into the correct sections / order? Below is an output of my 'postconf -n':

*START POSTCONF -N*
address_verify_sender = $double_bounce_sender
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 2048
mydestination = $myhostname, $mydomain, mail.$mydomain
mydomain = iamghost.com
myhostname = mail.iamghost.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
recipient_delimiter = +
relay_domains =
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_pipelining, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_unauth_destination,
    reject_unlisted_recipient, check_policy_service unix:postgrey/socket,
    check_sender_access hash:/etc/postfix/sender_access,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname, permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/mail.crt
smtpd_tls_key_file = /etc/ssl/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
*END POSTCONF -N*

As you can see I added the 'check_helo_access' in my 'smtpd_recipient_restrictions'. I was wondering if this was the correct section in my main.cf for 'check_helo_access'? I thought this would go in the 'smtpd_helo_restrictions' in my main.cf; however, I just read in "The Book of Postfix" that this trigger applies to the envelope recipient(s), sender, & the HELO/EHLO argument. To me that makes it sound like all checks should be listed under 'smtpd_recipient_restrictions', no? Let me know what you think from my postconf -n above and, if it's not too much trouble, if anyone can comment on my thoughts on why this particular trigger is listed under the sections discussed in this paragraph. Thanks for any clarification.
Re: Added a Check - Asking for a Review
* Carlos Williams :
> cause any redundant checks or worse, break something. Can you guys

Why not use soft_bounce = yes :) ?

> check_helo_access pcre:/etc/postfix/helo_checks.pcre,

And what is the content of the file?

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: Added a Check - Asking for a Review
On Wed, Jan 20, 2010 at 10:20 AM, Ralf Hildebrandt wrote:
> why not use soft_bounce = yes :) ?

I have never used it before. That sounds like a good idea.

>> check_helo_access pcre:/etc/postfix/helo_checks.pcre,
> And what is the content of the file?

[r...@mail postfix]# cat helo_checks.pcre
/^localhost$/ 550 Don't use my own domain (localhost)!
/^iamghost\.com$/ 550 Don't use my own domain!
/^64\.95\.64\.198$/ 550 Your spam was rejected because you're forging my IP.
/^\[64\.95\.64\.198\]$/ 550 Your spam was rejected because you're forging my IP.
/^mail\.iamghost\.com$/ 550 Don't use my own hostname!
/^[0-9.-]+$/ 550 Your software is not RFC 2821 compliant: EHLO/HELO must be a domain or an address-literal (IP enclosed in []) - not a naked IP.

Beyond this file, does my main.cf file look correct to you?
Re: Added a Check - Asking for a Review
> /^localhost$/ 550 Don't use my own domain (localhost)!
> /^iamghost\.com$/ 550 Don't use my own domain!
> /^64\.95\.64\.198$/ 550 Your spam was rejected because you're
> forging my IP.
> /^\[64\.95\.64\.198\]$/ 550 Your spam was rejected because you're
> forging my IP.
> /^mail\.iamghost\.com$/ 550 Don't use my own hostname!
> /^[0-9.-]+$/ 550 Your software is not RFC 2821
> compliant: EHLO/HELO must be a domain or an address-literal (IP enclosed in
> []) - not a naked IP.
>
> Beyond this file, does my main.cf file look correct to you?

Looks OK. I would merge:

smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_pipelining, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_unauth_destination,
    reject_unlisted_recipient, check_policy_service unix:postgrey/socket,
    check_sender_access hash:/etc/postfix/sender_access,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net

into:

smtpd_helo_restrictions =

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname, check_policy_service unix:postgrey/socket,
    reject_unlisted_recipient, check_sender_access hash:/etc/postfix/sender_access,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining,

-- 
Ralf Hildebrandt
Re: Added a Check - Asking for a Review
On Wed, Jan 20, 2010 at 10:34 AM, Ralf Hildebrandt wrote:
> I would merge:
>
> smtpd_helo_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_non_fqdn_helo_hostname,
> reject_invalid_helo_hostname
>
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_pipelining,
> reject_non_fqdn_recipient, reject_unknown_recipient_domain,
> reject_unauth_destination, reject_unlisted_recipient,
> check_policy_service unix:postgrey/socket, check_sender_access
> hash:/etc/postfix/sender_access,
> check_helo_access pcre:/etc/postfix/helo_checks.pcre,
> reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
>
> into:

Thank you very much for your merge suggestion. I am reading your book right now (pages 70-72) and trying to understand the concept of the merge suggestion. Would you mind explaining what benefit / performance is attributed by merging all?

Are you suggesting I leave 'smtpd_helo_restrictions =' blank in my main.cf, or should I omit that completely since there are no variables for this trigger?

Thank you so much for your time and assistance!
Re: Added a Check - Asking for a Review
Carlos Williams wrote:
> On Wed, Jan 20, 2010 at 10:34 AM, Ralf Hildebrandt
> wrote:
>> I would merge:
>>
>> smtpd_helo_restrictions = permit_mynetworks,
>> permit_sasl_authenticated, reject_non_fqdn_helo_hostname,
>> reject_invalid_helo_hostname
>>
>> smtpd_recipient_restrictions = permit_mynetworks,
>> permit_sasl_authenticated, reject_unauth_pipelining,
>> reject_non_fqdn_recipient, reject_unknown_recipient_domain,
>> reject_unauth_destination, reject_unlisted_recipient,
>> check_policy_service unix:postgrey/socket, check_sender_access
>> hash:/etc/postfix/sender_access,
>> check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>> reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
>>
>> into:
>
> Thank you very much for your merge suggestion. I am reading your book
> right now (pages 70-72) and trying to understand the concept of the
> merge suggestion. Would you mind explaining what benefit / performance
> is attributed by merging all?
>
> Are you suggesting I leave 'smtpd_helo_restrictions =' blank in my
> main.cf, or should I omit that completely since there are no variables
> for this trigger?
>
> Thank you so much for your time and assistance!

For me it only makes sense to have separate smtpd_helo and smtpd_recipient restrictions if you set smtpd_delay_reject to no. If set to yes, the check will in any case only be performed when the RCPT TO command is received. Furthermore, at the time of HELO there is no SASL auth done yet, so this setting does nothing there.

@Ralf
Would it not make more sense to place check_sender_access before the check_policy_service? Otherwise you might greylist senders you don't want (like mailing lists).

Regards
tobi
Re: Added a Check - Asking for a Review
* Carlos Williams :
> Thank you very much for your merge suggestion. I am reading your book
> right now (pages 70-72) and trying to understand the concept of the
> merge suggestion. Would you mind explaining what benefit / performance
> is attributed by merging all?

It makes it easier to read :)

> Are you suggesting I leave 'smtpd_helo_restrictions =' blank in my
> main.cf, or should I omit that completely since there are no variables
> for this trigger?

That is the same :)

-- 
Ralf Hildebrandt
Re: Added a Check - Asking for a Review
* tobi :
> @Ralf
> would it not make more sense to place check_sender_access before the
> check_policy_service? Otherwise you might greylist senders you don't
> want (like mailing lists)

I was thinking about this as well... Up to you I guess :)

-- 
Ralf Hildebrandt
Re: Added a Check - Asking for a Review
Ralf Hildebrandt wrote:
> * Carlos Williams :
>
>> Thank you very much for your merge suggestion. I am reading your book
>> right now (pages 70-72) and trying to understand the concept of the
>> merge suggestion. Would you mind explaining what benefit / performance
>> is attributed by merging all?
>
> It makes it easier to read :)
>

I generally do this:
- all anti-spam checks are under smtpd_recipient_restrictions
- other checks (such as enforcing sender-login match, restricting who can send to some addresses ...etc) go elsewhere.

This way, the latter can apply to all mail (even outbound mail) without the risk of becoming an open relay...

>> Are you suggesting I leave 'smtpd_helo_restrictions =' blank in my
>> main.cf, or should I omit that completely since there are no variables
>> for this trigger?
>
> That is the same :)
>
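As an added illustration (not code from the thread or from Postfix) of tobi's ordering question and of the open-relay point above: a toy Python model of how Postfix walks a restriction list, where each restriction answers OK, REJECT, DEFER or DUNNO and the first non-DUNNO answer decides. The networks, the whitelist entry, the client addresses and the greylisting behaviour are simplified constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed assumptions for the simulation (not real site data).
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("64.95.64.0/24")]
MYDESTINATION = {"iamghost.com", "mail.iamghost.com"}   # domains we accept mail for
SENDER_ACCESS = {"lists.example.org": "OK"}             # hypothetical whitelist (hash: map)
RBL_LISTED = {"89.204.40.160"}                           # hypothetical DNSBL answer

def domain_of(address):
    return address.rpartition("@")[2].lower()

# Each restriction returns OK, REJECT, DEFER or DUNNO ("no opinion").
def permit_mynetworks(s, state):
    ip = ip_address(s["client_ip"])
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def permit_sasl_authenticated(s, state):
    return "OK" if s["sasl"] else "DUNNO"

def reject_unauth_destination(s, state):
    # Relay protection: only recipients in our own domains get past this point.
    return "DUNNO" if domain_of(s["recipient"]) in MYDESTINATION else "REJECT"

def check_sender_access(s, state):
    return SENDER_ACCESS.get(domain_of(s["sender"]), "DUNNO")

def check_policy_service(s, state):
    # postgrey-like greylisting keyed on (client IP, sender, recipient); the real
    # daemon answers DEFER_IF_PERMIT on first contact, simplified to DEFER here.
    triplet = (s["client_ip"], s["sender"], s["recipient"])
    if triplet in state["seen"]:
        return "DUNNO"
    state["seen"].add(triplet)
    return "DEFER"

def reject_rbl_client(s, state):
    return "REJECT" if s["client_ip"] in RBL_LISTED else "DUNNO"

def evaluate(restrictions, session, state):
    """First non-DUNNO verdict wins; an exhausted list permits."""
    for restriction in restrictions:
        verdict = restriction(session, state)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "OK", "end-of-list"

COMMON = [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination]
# Order from the merge suggestion in the thread: greylisting before the sender map.
POLICY_FIRST = COMMON + [check_policy_service, check_sender_access, reject_rbl_client]
# Order tobi proposed: consult the sender map before greylisting.
SENDER_FIRST = COMMON + [check_sender_access, check_policy_service, reject_rbl_client]
# Anti-pattern: a whitelist consulted before relay protection (open-relay hazard).
UNSAFE = [permit_mynetworks, check_sender_access, reject_unauth_destination,
          check_policy_service]

# Constructed sample sessions (documentation-range client address).
LIST_MAIL = {"client_ip": "198.51.100.7", "sasl": False,
             "sender": "bounces@lists.example.org", "recipient": "carlos@iamghost.com"}
RELAY_ATTEMPT = dict(LIST_MAIL, recipient="victim@example.net")

def first_contact(order, session):
    return evaluate(order, session, {"seen": set()})

def retry(order, session):
    state = {"seen": set()}
    evaluate(order, session, state)          # first delivery attempt
    return evaluate(order, session, state)   # the client retries later

if __name__ == "__main__":
    for name, order in (("policy first", POLICY_FIRST), ("sender first", SENDER_FIRST), ("unsafe", UNSAFE)):
        print(name, first_contact(order, LIST_MAIL), first_contact(order, RELAY_ATTEMPT))
```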
Re: Added a Check - Asking for a Review
On Wed, Jan 20, 2010 at 10:34 AM, Ralf Hildebrandt wrote:
>> /^localhost$/ 550 Don't use my own domain (localhost)!
>> /^iamghost\.com$/ 550 Don't use my own domain!
>> /^64\.95\.64\.198$/ 550 Your spam was rejected because you're
>> forging my IP.
>> /^\[64\.95\.64\.198\]$/ 550 Your spam was rejected because you're
>> forging my IP.
>> /^mail\.iamghost\.com$/ 550 Don't use my own hostname!
>> /^[0-9.-]+$/ 550 Your software is not RFC 2821
>> compliant: EHLO/HELO must be a domain or an address-literal (IP enclosed in
>> []) - not a naked IP.
>>
>> Beyond this file, does my main.cf file look correct to you?
>
> Looks OK.

Why did this email get through Postfix if I followed Ralf's example of helo_checks.pcre? I posted my postconf -n previously in this thread, and above you can see the contents of 'helo_checks.pcre'. I would think this would prevent anyone from sending mail to my Postfix server spoofing my domain in the headers. Am I wrong? I got the following email this weekend:

Return-Path:
X-Original-To: postmas...@iamghost.com
Delivered-To: postmas...@iamghost.com
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.iamghost.com (Postfix) with ESMTP id EC5B277ADD6
    for ; Sat, 27 Feb 2010 15:05:50 -0500 (EST)
X-Virus-Scanned: amavisd-new at iamghost.com
X-Spam-Flag: YES
X-Spam-Score: 7.457
X-Spam-Level: ***
X-Spam-Status: Yes, score=7.457 tagged_above=-999 required=5
    tests=[BAYES_50=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
    RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033,
    RDNS_NONE=0.1] autolearn=no
Received: from mail.iamghost.com ([127.0.0.1])
    by localhost (iamghost.com [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id awUEbrkCfcvq for ; Sat, 27 Feb 2010 15:05:50 -0500 (EST)
Received: from ambianceimports.com (unknown [89.204.40.160])
    by mail.iamghost.com (Postfix) with SMTP id 179C477ADB5
    for ; Sat, 27 Feb 2010 15:05:48 -0500 (EST)
To:
Subject: ***SPAM*** Delivery Status Notification
From: Inez
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <20100227200549.179c477a...@mail.iamghost.com>
Date: Sat, 27 Feb 2010 15:05:48 -0500 (EST)

I thought this was the point of adding the 'helo_checks' but I think I am missing something. Can anyone please help explain what I did wrong or am missing? I think this email should have been prevented with:

/^iamghost\.com$/ 550 Don't use my own domain

The headers of this email show the spammer spoofed this email to come from 'postmas...@iamghost.com'.

*Below is my output of 'postconf -n':
address_verify_sender = $double_bounce_sender
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 2048
mydestination = $myhostname, $mydomain, mail.$mydomain
mydomain = iamghost.com
myhostname = mail.iamghost.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
recipient_delimiter = +
relay_domains =
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_pipelining, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_unauth_destination,
    reject_unlisted_recipient, check_policy_service unix:postgrey/socket,
    check_sender_access hash:/etc/postfix/sender_access,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname, permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/mail.crt
smtpd_tls_key_file = /etc/ssl/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
Re: Added a Check - Asking for a Review
On Sun, 28 Feb 2010, Carlos Williams wrote:

> Received: from mail.iamghost.com ([127.0.0.1])
>    by localhost (iamghost.com [127.0.0.1]) (amavisd-new, port 10024)
>    with LMTP id awUEbrkCfcvq for ;
>    Sat, 27 Feb 2010 15:05:50 -0500 (EST)
> Received: from ambianceimports.com (unknown [89.204.40.160])
>    by mail.iamghost.com (Postfix) with SMTP id 179C477ADB5
>    for ; Sat, 27 Feb 2010 15:05:48 -0500 (EST)
>
> I thought this was the point of adding the 'helo_checks' but I think I
> am missing something. Can anyone please help explain what I did wrong
> or am missing? I think this email should have been prevented with:
>
> /^iamghost\.com$/ 550 Don't use my own domain

Where in the headers do you see evidence that the spamming server tried to HELO with iamghost.com?

-- 
Sahil Tandon
Re: Added a Check - Asking for a Review
On 2/28/2010 2:26 PM, Carlos Williams wrote:
> On Wed, Jan 20, 2010 at 10:34 AM, Ralf Hildebrandt wrote:
>>> /^localhost$/ 550 Don't use my own domain (localhost)!
>>> /^iamghost\.com$/ 550 Don't use my own domain!
>>> /^64\.95\.64\.198$/ 550 Your spam was rejected because you're
>>> forging my IP.
>>> /^\[64\.95\.64\.198\]$/ 550 Your spam was rejected because you're
>>> forging my IP.
>>> /^mail\.iamghost\.com$/ 550 Don't use my own hostname!
>>> /^[0-9.-]+$/ 550 Your software is not RFC 2821
>>> compliant: EHLO/HELO must be a domain or an address-literal (IP enclosed in
>>> []) - not a naked IP.
>>>
>>> Beyond this file, does my main.cf file look correct to you?
>>
>> Looks OK.
>
> Why did this email get through Postfix if I followed Ralf's example of
> helo_checks.pcre? I posted my postconf -n previously in this thread, and
> above you can see the contents of 'helo_checks.pcre'. I would think this
> would prevent anyone from sending mail to my Postfix server spoofing my
> domain in the headers. Am I wrong? I got the following email this weekend:
>
> Return-Path:
> X-Original-To: postmas...@iamghost.com
> Delivered-To: postmas...@iamghost.com
> Received: from localhost (localhost.localdomain [127.0.0.1])
>     by mail.iamghost.com (Postfix) with ESMTP id EC5B277ADD6
>     for ; Sat, 27 Feb 2010 15:05:50 -0500 (EST)
> X-Virus-Scanned: amavisd-new at iamghost.com
> X-Spam-Flag: YES
> X-Spam-Score: 7.457
> X-Spam-Level: ***
> X-Spam-Status: Yes, score=7.457 tagged_above=-999 required=5
>     tests=[BAYES_50=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
>     RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033,
>     RDNS_NONE=0.1] autolearn=no
> Received: from mail.iamghost.com ([127.0.0.1])
>     by localhost (iamghost.com [127.0.0.1]) (amavisd-new, port 10024)
>     with LMTP id awUEbrkCfcvq for ; Sat, 27 Feb 2010 15:05:50 -0500 (EST)
> Received: from ambianceimports.com (unknown [89.204.40.160])
>     by mail.iamghost.com (Postfix) with SMTP id 179C477ADB5
>     for ; Sat, 27 Feb 2010 15:05:48 -0500 (EST)
> To:
> Subject: ***SPAM*** Delivery Status Notification
> From: Inez
> MIME-Version: 1.0
> Content-Type: text/html; charset="ISO-8859-1"
> Content-Transfer-Encoding: 7bit
> Message-Id: <20100227200549.179c477a...@mail.iamghost.com>
> Date: Sat, 27 Feb 2010 15:05:48 -0500 (EST)
>
> I thought this was the point of adding the 'helo_checks' but I think I am
> missing something. Can anyone please help explain what I did wrong or am
> missing? I think this email should have been prevented with:
>
> /^iamghost\.com$/ 550 Don't use my own domain
>
> The headers of this email show the spammer spoofed this email to come from
> 'postmas...@iamghost.com'.

Learn to read the Received: headers.

Received: from helo_hostname (client_hostname [client.ip])
    by myname (Postfix) with SMTP id QUEUEID
    for ; date

(the "for " part is omitted if there is more than one recipient.)

Your check is for the helo_hostname, which is ambianceimports.com.

If you want to prevent your own domain as sender address in outside mail, you'll need to add a check_sender_access map for that.

-- 
Noel Jones

> *Below is my output of 'postconf -n':
> address_verify_sender = $double_bounce_sender
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 2048
> mydestination = $myhostname, $mydomain, mail.$mydomain
> mydomain = iamghost.com
> myhostname = mail.iamghost.com
> mynetworks = $config_directory/mynetworks
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> recipient_delimiter = +
> relay_domains =
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_tls_security_level = may
> smtpd_banner = $myhostname ESMTP
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
>     reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
>     reject_unauth_pipelining, reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain, reject_unauth_destination,
>     reject_unlisted_recipient, check_policy_service unix:postgrey/socket,
>     check_sender_access hash:/etc/postfix/sender_access,
>     check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>     reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
>     reject_non_fqdn_sender, reject_u
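Noel's point above, as an added example that is not part of the thread and not Postfix code: a small Python model of the Received: header layout and of the check_helo_access (pcre:) and check_sender_access (hash:) lookups, run over the Received: line quoted for the spam. The helo_checks.pcre content is taken from the thread with the '.\com' typo corrected to '\.com'; the sender_access table, the envelope sender and the lookup helpers are constructed assumptions.

```python
import re

# helo_checks.pcre as posted in the thread, with '.\com' corrected to '\.com'.
HELO_CHECKS_PCRE = r"""
/^localhost$/ 550 Don't use my own domain (localhost)!
/^iamghost\.com$/ 550 Don't use my own domain!
/^64\.95\.64\.198$/ 550 Your spam was rejected because you're forging my IP.
/^\[64\.95\.64\.198\]$/ 550 Your spam was rejected because you're forging my IP.
/^mail\.iamghost\.com$/ 550 Don't use my own hostname!
/^[0-9.-]+$/ 550 Your software is not RFC 2821 compliant: EHLO/HELO must be a domain or an address-literal (IP enclosed in []) - not a naked IP.
"""

# Hypothetical check_sender_access table in access(5) format; not on the page.
SENDER_ACCESS = """
iamghost.com 550 Forged sender domain
"""

# The Received: line Postfix added for the spam, as quoted in the thread
# (the recipient after 'for' is elided there as well).
RECEIVED = ("from ambianceimports.com (unknown [89.204.40.160]) "
            "by mail.iamghost.com (Postfix) with SMTP id 179C477ADB5 "
            "for ; Sat, 27 Feb 2010 15:05:48 -0500 (EST)")

PCRE_LINE = re.compile(r"^/((?:[^/\\]|\\.)*)/([a-zA-Z]*)\s+(.*)$")
RECEIVED_RE = re.compile(r"^from (\S+) \((\S+) \[([^\]]+)\]\) by (\S+)")

def load_pcre_table(text):
    """Parse '/pattern/flags result' lines; Postfix matches case-insensitively
    unless the 'i' flag toggles that off."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PCRE_LINE.match(line)
        if not m:
            raise ValueError("bad pcre table line: " + line)
        pattern, flags, result = m.groups()
        rules.append((re.compile(pattern, 0 if "i" in flags else re.IGNORECASE), result))
    return rules

def lookup_pcre(rules, key):
    """First matching pattern wins, as in a Postfix pcre: table."""
    for regex, result in rules:
        if regex.search(key):
            return result
    return None

def load_access_table(text):
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip())

def lookup_sender_access(table, sender):
    """access(5) order for an address: user@domain, the domain and its parent
    domains (parent_domain_matches_subdomains assumed on), then user@."""
    user, _, domain = sender.lower().rpartition("@")
    labels = domain.split(".")
    candidates = [sender.lower()] + [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for key in candidates + [user + "@"]:
        if key in table:
            return table[key]
    return None

def parse_received(header):
    """Split Postfix's 'from helo (client_name [client_ip]) by me' prefix."""
    m = RECEIVED_RE.match(header)
    if not m:
        raise ValueError("unrecognised Received: header")
    return dict(zip(("helo", "client_name", "client_ip", "by"), m.groups()))

HELO_RULES = load_pcre_table(HELO_CHECKS_PCRE)
SENDER_RULES = load_access_table(SENDER_ACCESS)

def evaluate(header, envelope_sender):
    """What check_helo_access and check_sender_access would each have said."""
    rcvd = parse_received(header)
    return {"helo": rcvd["helo"],
            "helo_result": lookup_pcre(HELO_RULES, rcvd["helo"]),
            "sender_result": lookup_sender_access(SENDER_RULES, envelope_sender)}

if __name__ == "__main__":
    # Constructed envelope sender: the Return-Path is blank in the quoted mail.
    print(evaluate(RECEIVED, "postmaster@iamghost.com"))
```

The HELO name in the quoted header is ambianceimports.com, which matches none of the helo_checks.pcre rules, while a forged iamghost.com envelope sender is only caught by the sender map.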