Noel Jones wrote:
Jim McIver wrote:
Here's a snippet from maillog, but not sure if it's what you're looking
for:
Thanks, this is very helpful.
Mar 4 15:10:13 mail postfix/smtpd[56190]: warning: Illegal address syntax from unknown[113.9.198.198] in MAIL command: bikedev...@yahoo.co.jp
The above client is listed in multiple RBLs, including
zen.spamhaus.org, bl.spamcop.net, cbl.abuseat.org,
b.barracudacentral.org, and dnsbl.sorbs.net.
Mar 4 15:10:15 mail postfix/smtpd[56172]: warning: 81.25.227.150: address not listed for hostname mail.medterm.od.ua
Mar 4 15:10:15 mail postfix/smtpd[56172]: connect from
unknown[81.25.227.150]
This client is also listed in multiple RBLs.
Mar 4 15:10:15 mail postfix/smtpd[56190]: NOQUEUE: reject_warning: RCPT from unknown[113.9.198.198]: 450 Client host rejected: cannot find your hostname, [113.9.198.198]; from=<bikedev...@yahoo.co.jp> to=<odrawh...@dnews.com> proto=SMTP helo=<yahoo.co.jp>
Clearly a forged HELO name. Grounds for rejecting any mail from this
client.
Mar 4 15:10:15 mail postfix/smtpd[56190]: E35C331:
client=unknown[113.9.198.198]
Mar 4 15:10:18 mail postfix/cleanup[56217]: E35C331:
message-id=<20090304231015.e35c...@mail.lmtribune.com>
Mar 4 15:10:18 mail postfix/qmgr[56169]: E35C331: from=<bikedev...@yahoo.co.jp>, size=966, nrcpt=1 (queue active)
Mar 4 15:10:18 mail postfix/smtp[56178]: E35C331: to=<odrawh...@dnews.com>, relay=127.0.0.1[127.0.0.1], delay=3, status=bounced (host 127.0.0.1[127.0.0.1] said: 557 Invalid routing request - domain in BLACK LIST. (in reply to MAIL FROM command))
What?? Some idiot content_filter at 127.0.0.1 is rejecting the mail
after you've already accepted it.
Don't do that. Reject mail when it first comes from the internet. Once
mail has been accepted, a content filter must not reject the message.
Mar 4 15:10:18 mail postfix/cleanup[56175]: 5ABF260:
message-id=<20090304231018.5abf...@mail.lmtribune.com>
Mar 4 15:10:18 mail postfix/qmgr[56169]: 5ABF260: from=<>,
size=2926, nrcpt=1 (queue active)
Mar 4 15:10:18 mail postfix/qmgr[56169]: E35C331: removed
Mar 4 15:10:19 mail postfix/smtpd[56190]: disconnect from
unknown[113.9.198.198]
Mar 4 15:10:20 mail postfix/smtp[56178]: 5ABF260: to=<bikedev...@yahoo.co.jp>, relay=mx1.mail.yahoo.co.jp[124.83.171.181], delay=2, status=bounced (host mx1.mail.yahoo.co.jp[124.83.171.181] said: 553 VS10-RT Possible forgery or deactivated due to abuse (#5.1.1) bikedev...@yahoo.co.jp (in reply to RCPT TO command))
Yahoo didn't send this mail, and they don't want your backscatter bounce.
Eventually they (and others) will blacklist you for backscatter, i.e.
returning mail they never sent.
You must fix your content_filter to not reject mail. Choices may
include tag+deliver, quarantine, or discard, depending on what your
software supports. It may offer the choice of reject or bounce, don't
do that.
You can also greatly reduce the load on the content filter by using
one or two good RBLs to reject mail before it ever gets to the
content_filter. zen.spamhaus.org is safe and very effective.
-- Noel Jones
I am using vexira for virus/content filtering and it has an area to put
in blacklisted domains. I'll check if I can change to quarantine.
i.e.
[mailfrom-blacklist]
*.ro
*.nz
*yourtopbrands.com
*server.rwbtec.com
*.co.jp
etc...
Would I be ahead to remove the domains from vexira and put them in the
access_client file, or is there a better place in postfix to list
domains I want to block?
access_client listing:
co.jp REJECT
atripema.com REJECT
atropema.com REJECT
co.nz REJECT
co.uk REJECT
com.au REJECT
snippet from main.cf:
smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
reject_invalid_hostname
warn_if_reject reject_unknown_hostname
reject_unauth_pipelining
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_non_fqdn_recipient
reject_unknown_recipient_domain
warn_if_reject reject_unknown_client
reject_non_fqdn_hostname
check_client_access hash:/usr/local/etc/postfix/access_client
check_helo_access hash:/usr/local/etc/postfix/helo_access
check_sender_access hash:/usr/local/etc/postfix/sender_access
check_recipient_access hash:/usr/local/etc/postfix/recipient_access
-Jim McIver
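A small log-correlation script, added here and not part of the thread or of Postfix itself, that parses maillog lines of the shape Jim posted and flags the two problems Noel points out: a queue ID that smtpd accepted and a loopback content_filter then bounced (reject after accept), and a null-sender bounce that a remote MX refused (backscatter). The lines in SAMPLE_LOG are constructed stand-ins modelled on the excerpt above, with placeholder addresses and hosts, not the original log.

```python
import re
from collections import defaultdict

# Constructed sample maillog (not the thread's original lines). Queue IDs
# follow the excerpt; senders, recipients and hosts are placeholders.
SAMPLE_LOG = """\
Mar  4 15:10:15 mail postfix/smtpd[56190]: E35C331: client=unknown[192.0.2.10]
Mar  4 15:10:18 mail postfix/qmgr[56169]: E35C331: from=<sender@example.jp>, size=966, nrcpt=1 (queue active)
Mar  4 15:10:18 mail postfix/smtp[56178]: E35C331: to=<user@example.net>, relay=127.0.0.1[127.0.0.1], delay=3, status=bounced (host 127.0.0.1[127.0.0.1] said: 557 Invalid routing request - domain in BLACK LIST. (in reply to MAIL FROM command))
Mar  4 15:10:18 mail postfix/qmgr[56169]: 5ABF260: from=<>, size=2926, nrcpt=1 (queue active)
Mar  4 15:10:20 mail postfix/smtp[56178]: 5ABF260: to=<sender@example.jp>, relay=mx1.example.jp[198.51.100.5], delay=2, status=bounced (host mx1.example.jp[198.51.100.5] said: 553 Possible forgery (#5.1.1) (in reply to RCPT TO command))
Mar  4 15:11:02 mail postfix/smtpd[56191]: 7C0D41A: client=mail.example.org[203.0.113.7]
Mar  4 15:11:03 mail postfix/qmgr[56169]: 7C0D41A: from=<alice@example.org>, size=1200, nrcpt=1 (queue active)
Mar  4 15:11:04 mail postfix/smtp[56178]: 7C0D41A: to=<user@example.net>, relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 2.0.0 Ok: queued as 9F2E71B)
"""

# Postfix queue IDs are upper-case hex; "NOQUEUE" and "warning:" lines never match.
QUEUE_RE = re.compile(r"postfix/(?P<prog>[a-z]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>")
RELAY_RE = re.compile(r"relay=(?P<host>[^\[,]+)\[(?P<ip>[^\]]+)\]")
STATUS_RE = re.compile(r"status=(?P<status>[a-z]+)")
LOOPBACK = {"127.0.0.1", "::1"}  # assumption: the content_filter listens on loopback


def parse(log_text):
    """Group log lines by queue ID: accepting client, envelope sender, deliveries."""
    msgs = defaultdict(lambda: {"client": None, "sender": None, "deliveries": []})
    for line in log_text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue
        rec = msgs[m["qid"]]
        prog, rest = m["prog"], m["rest"]
        if prog == "smtpd" and rest.startswith("client="):
            rec["client"] = rest[len("client="):]          # message was accepted from this client
        elif prog == "qmgr":
            fm = FROM_RE.search(rest)
            if fm:
                rec["sender"] = fm["sender"]                # "" means the null sender (a bounce)
        elif prog in ("smtp", "lmtp"):
            rm, sm = RELAY_RE.search(rest), STATUS_RE.search(rest)
            if rm and sm:
                rec["deliveries"].append((rm["ip"], sm["status"]))
    return msgs


def find_post_acceptance_rejects(msgs):
    """Queue IDs accepted by smtpd that a loopback relay (content filter) then bounced."""
    return sorted(qid for qid, r in msgs.items()
                  if r["client"] is not None
                  and any(ip in LOOPBACK and st == "bounced" for ip, st in r["deliveries"]))


def find_backscatter(msgs):
    """Queue IDs with a null sender whose delivery to a remote host was refused."""
    return sorted(qid for qid, r in msgs.items()
                  if r["sender"] == ""
                  and any(ip not in LOOPBACK and st == "bounced" for ip, st in r["deliveries"]))


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    print("rejected after acceptance:", find_post_acceptance_rejects(parsed))
    print("backscatter bounces refused remotely:", find_backscatter(parsed))
```

Run it against a real maillog by replacing SAMPLE_LOG with the file contents; every queue ID in the first list is one the content_filter should have tagged, quarantined or discarded instead of rejecting, and every one in the second is a bounce a remote site can hold against you.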