Carlos Alberto Bernat Orozco wrote:
Hi group
I'm writing to you as my only hope. I'm very disappointed because I'm
blacklisted due to a misconfiguration that I haven't found yet.
This is the problem. For some time, I've been watching my logs and this
is what I see:
Jul 14 23:48:21 server postfix/qmgr[11448]: A9044104A29: from=<>,
size=3613, nrcpt=1 (queue active)
Jul 14 23:48:21 server postfix/qmgr[11448]: 89CB2104C08:
from=<[EMAIL PROTECTED]>, size=1734, nrcpt=4 (queue active)
Jul 14 23:48:21 server postfix/qmgr[11448]: 5C3651049D2: from=<>,
size=3197, nrcpt=1 (queue active)
Jul 14 23:48:21 server postfix/qmgr[11448]: 5F140104BF2:
from=<[EMAIL PROTECTED]>, size=1799, nrcpt=4 (queue active)
A lot of this. It appears I'm sending backscatter email. The account
"ber" doesn't even exist, and "from=<>" has been impossible to block
so far. I read the following:
http://www.postfix.org/BACKSCATTER_README.html
But I still don't know why this is happening.
How can I block this? I know I'm not an open relay. So why is this
happening? I'm sending my postconf:
# postconf -n
smtpd_client_restrictions = check_client_access
hash:/etc/postfix/access, permit_mynetworks,
reject_unknown_client, reject_rbl_client zen.spamhaus.org,
permit
[...]
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
hash:/etc/postfix/helo.regexp, reject_non_fqdn_hostname,
reject_invalid_hostname, permit
smtpd_recipient_restrictions = check_client_access
hash:/etc/postfix/client_checks, check_sender_access
hash:/etc/postfix/sender_checks, reject_invalid_hostname,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
permit_mynetworks, reject_unauth_destination,
check_client_access hash:/etc/postfix/rbl_client_exceptions,
reject_rbl_client zen.spamhaus.org, permit
smtpd_sender_restrictions = check_sender_access
hash:/etc/postfix/sender_checks, permit_mynetworks,
reject_non_fqdn_sender, reject_unknown_sender_domain, permit
First, what is in the following maps?
/etc/postfix/client_checks
/etc/postfix/sender_checks
/etc/postfix/access
It's a bit dangerous to list any OK in a map before
reject_unauth_destination if there are *global* or *wildcard* entries.
These can cause mail to be accepted where it may not be otherwise.
Second,
Get rid of any wildcard aliases in hash:/etc/postfix/aliases. They
cause more problems than they are worth and let backscatter clog your
server even more.
Third, you are repeating checks unnecessarily.
Because of this, /etc/postfix/rbl_client_exceptions is never checked
when you want it to be, because the hosts were already blocked in
smtpd_client_restrictions.
Also, if the entries in /etc/postfix/rbl_client_exceptions are not full
IPs, a hash table will not work on networks, but a cidr table type may.
Try one (1) of the following instead.
Example 1 (using similar classes):
smtpd_client_restrictions = check_client_access
hash:/etc/postfix/access, check_client_access
hash:/etc/postfix/client_checks, permit_mynetworks,
reject_unknown_client, check_client_access
hash:/etc/postfix/rbl_client_exceptions, reject_rbl_client zen.spamhaus.org
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
hash:/etc/postfix/helo.regexp, reject_non_fqdn_hostname,
reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination, reject_non_fqdn_recipient,
reject_unknown_recipient_domain
smtpd_sender_restrictions = check_sender_access
hash:/etc/postfix/sender_checks, permit_mynetworks,
reject_non_fqdn_sender, reject_unknown_sender_domain
Example 2 (combined checks at RCPT time):
(delete smtpd_client_restrictions, smtpd_helo_restrictions and
smtpd_sender_restrictions)
smtpd_recipient_restrictions = check_client_access
hash:/etc/postfix/client_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/access, permit_mynetworks, reject_unauth_destination,
reject_unknown_client, check_helo_access hash:/etc/postfix/helo.regexp,
reject_invalid_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, check_client_access
hash:/etc/postfix/rbl_client_exceptions, reject_rbl_client zen.spamhaus.org
(End examples)
Again, please check the maps that come before "permit_mynetworks,
reject_unauth_destination" carefully rather than allowing clients blindly.
Example 1 is less vulnerable to mistakes but slightly harder to read
through all the checks.
Brian
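As an added illustration (not code from the thread or from Postfix itself), here is a small Python model of how smtpd walks a restriction list, run over Carlos's lists and Brian's Example 1. It shows why the rbl_client_exceptions map is unreachable in the original setup and why an OK in a map ahead of reject_unauth_destination turns into relaying; every IP, map entry and domain in it is a constructed sample value.

```python
# Added illustration (not code from the thread): a toy model of how smtpd walks a
# restriction list. Entries are tried in order; OK/permit ends the list with
# "accept", REJECT with "reject", DUNNO moves on. Only the restrictions the thread
# turns on are modelled; any other entry counts as DUNNO. All values are constructed.
MYNETWORKS = {"127.0.0.1", "10.0.0.5"}
RBL_LISTED = {"192.0.2.10"}              # pretend zen.spamhaus.org lists this IP
MYDESTINATION = {"example.com"}
MAPS = {                                 # contents of the hash: tables (constructed)
    "hash:/etc/postfix/rbl_client_exceptions": {"192.0.2.10": "OK"},
    "hash:/etc/postfix/client_checks": {"198.51.100.7": "OK"}}  # a whitelisted partner

def one_restriction(r, s):
    """Verdict of one restriction for session s: 'permit', 'reject' or 'dunno'."""
    parts = r.split()
    if parts[0] == "check_client_access":
        v = MAPS.get(parts[1], {}).get(s["client"], "DUNNO")
        return {"OK": "permit", "REJECT": "reject"}.get(v, "dunno")
    if r == "permit_mynetworks":
        return "permit" if s["client"] in MYNETWORKS else "dunno"
    if r == "reject_unknown_client":
        return "dunno" if s["client_known"] else "reject"
    if parts[0] == "reject_rbl_client":
        return "reject" if s["client"] in RBL_LISTED else "dunno"
    if r == "reject_unauth_destination":
        return "dunno" if s["rcpt"].split("@")[1] in MYDESTINATION else "reject"
    return "permit" if r == "permit" else "dunno"   # helo/sender syntax checks etc.

def smtpd_decision(config, s):
    """Walk the client, helo, sender and recipient lists in smtpd's order."""
    for stage in ("client", "helo", "sender", "recipient"):
        for r in filter(None, config.get(stage, "").split(", ")):
            verdict = one_restriction(r, s)
            if verdict == "reject":
                return f"reject at smtpd_{stage}_restrictions: {r}"
            if verdict == "permit":
                break                    # this list is done; later lists still run
    return "accept"

# Carlos's lists (abridged to the modelled restrictions) versus Brian's Example 1.
ORIGINAL = {
    "client": "check_client_access hash:/etc/postfix/access, permit_mynetworks, "
              "reject_unknown_client, reject_rbl_client zen.spamhaus.org, permit",
    "recipient": "check_client_access hash:/etc/postfix/client_checks, permit_mynetworks, reject_unauth_destination, "
                 "check_client_access hash:/etc/postfix/rbl_client_exceptions, reject_rbl_client zen.spamhaus.org, permit"}
EXAMPLE1 = {
    "client": "check_client_access hash:/etc/postfix/access, check_client_access hash:/etc/postfix/client_checks, "
              "permit_mynetworks, reject_unknown_client, "
              "check_client_access hash:/etc/postfix/rbl_client_exceptions, reject_rbl_client zen.spamhaus.org",
    "recipient": "permit_mynetworks, reject_unauth_destination"}
LISTED_BUT_EXCEPTED = {"client": "192.0.2.10", "client_known": True, "rcpt": "me@example.com"}
PARTNER_RELAYING = {"client": "198.51.100.7", "client_known": True, "rcpt": "x@other.example"}
```

With the original lists the excepted client never reaches its exception map, and the partner's OK in client_checks lets it relay to a foreign domain; with Example 1 both cases come out the way the list order intends.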
Please, I need some guidance because I don't know how to stop this.
Thanks in advance