On 5/6/2009 10:45 PM, Sahil Tandon wrote:
> Show entire output instead of snippets via grep.

Sorry... I didn't provide the full output because this config has been vetted here before, and this specific config weakness that was exploited had already been pointed out, but obviously you don't know that and I should have provided it anyway, sorry...

myhost ~ # postconf -n
alias_maps = hash:/etc/mail/aliases, hash:/var/lib/mailman/data/aliases
anvil_rate_time_unit = 360s
anvil_status_update_time = 3600s
bounce_size_limit = 1
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 15m
home_mailbox = .maildir/
message_size_limit = 51200000
mydomain = media-brokers.com
myhostname = smtp.media-brokers.com
mynetworks = 127.0.0.0/8 192.168.1.32
parent_domain_matches_subdomains =
recipient_delimiter = +
relay_domains =
relayhost = [post18.emailfiltering.com]
smtp_fallback_relay = [smtp.nuvox.net]
smtpd_hard_error_limit = 3
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/moved-employees, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access cidr:/etc/postfix/allowed_clients.cidr, check_recipient_access hash:/etc/postfix/x-employees, check_sender_access hash:/etc/postfix/blocked_senders,
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/wildcard.crt
smtpd_tls_key_file = /etc/ssl/wildcard.key
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = mysql:/etc/postfix/mysql_vam.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:207
virtual_mailbox_base = /var/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_vmd.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_vmm.cf
virtual_minimum_uid = 207
virtual_uid_maps = static:207
myhost ~ #

Incidentally, the check_recipient_access does not contain any OK's, only custom rejects.

>> 1. What is the best way to 'plonk' someone at the smtp level?
>
> Identify them in some way (ENVELOPE sender, connecting IP, et cetera) and
> REJECT them.

That's the point - I thought I did. Is that not what check_sender_access checks?

myhost ~ # cat /etc/postfix/blocked_senders
# Senders Being Blocked
...
#hlug090...@buzzhost.co.uk reject

Which as you can see above is called by smtpd_recipient_restrictions check_sender_access per my original post.

>> 2. What exactly was wrong with the way I went about blocking this idiot?
>
> Provide more information, especially some relevant logs instead of a portion
> of the messages you were receiving.

It wasn't a portion, it was the entire message (as an attachment) with full headers, but you're right I should have sent logs... my excuse is I sent this in a hurry because I had somewhere I *had* to be (buying a house is a pain in the arse), but was hoping for some answers to look more closely at this issue this morning...

Anyway, logs:

Here are the two rejects from his last two attempts to send a message after I blocked him:

May 6 15:20:31 myhost postfix/smtpd[4799]: connect from ixe-mta-18-tx.emailfiltering.com[194.116.198.213]
May 6 15:20:31 myhost postfix/smtpd[4799]: NOQUEUE: reject: RCPT from ixe-mta-18-tx.emailfiltering.com[194.116.198.213]: 554 5.7.1 <hlug090...@buzzhost.co.uk>: Sender address rejected: Access denied; from=<hlug090...@buzzhost.co.uk> to=<cmar...@media-brokers.com> proto=ESMTP helo=<ixe-mta-18.emailfiltering.com>
May 6 15:20:31 myhost postfix/smtpd[4799]: disconnect from ixe-mta-18-tx.emailfiltering.com[194.116.198.213]

and

May 6 15:22:06 myhost postfix/smtpd[4799]: connect from ixe-mta-18-tx.emailfiltering.com[194.116.198.213]
May 6 15:22:06 myhost postfix/smtpd[4799]: NOQUEUE: reject: RCPT from ixe-mta-18-tx.emailfiltering.com[194.116.198.213]: 554 5.7.1 <hlug09010...@buzzhost.co.uk>: Sender address rejected: Access denied; from=<hlug090...@buzzhost.co.uk> to=<cmar...@media-brokers.com> proto=ESMTP helo=<ixe-mta-18.emailfiltering.com>

Then about 42 minutes later, the flood of these 'ABUSE' messages (about one per second until I removed the address from the blocked senders list, after which they immediately stopped):

May 6 16:04:19 myhost postfix/smtpd[5523]: connect from ixe-mta-18-tx.emailfiltering.com[194.116.198.213]
May 6 16:04:20 myhost postfix/smtpd[5523]: 1F0844D45CD: client=ixe-mta-18-tx.emailfiltering.com[194.116.198.213]
May 6 16:04:20 myhost postfix/cleanup[5541]: 1F0844D45CD: message-id=<20090506200420.1f0844d4...@smtp.media-brokers.com>
May 6 16:04:20 myhost postfix/qmgr[919]: 1F0844D45CD: from=<cmar...@media-brokers.com>, size=1809, nrcpt=1 (queue active)
May 6 16:04:20 myhost postfix/virtual[5608]: 1F0844D45CD: to=<cmar...@media-brokers.com>, relay=virtual, delay=0.47, delays=0.46/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
May 6 16:04:20 myhost postfix/qmgr[919]: 1F0844D45CD: removed

They all have these 'message-id=<blahb...@smtp.media-brokers.com>' lines in them... maybe SAV probes are somehow being used to generate them?

>> 3. What was the mechanism employed to flood my server with these
>> messages, and how do I protect against it in the future (maybe simply
>> changing the way I'm blocking unwanted senders now will accomplish
>> that?)?
>
> See answer to Q2.

See logs above...

>> 4. Should I report his abuse? Or was it deserved because of the way I
>> was using check_sender_access?
>
> To whom would you report it? :-)

The abuse desk for whoever is hosting the slimeball? If he is the admin, then maybe his boss?

Look, I certainly know Victor and Wietse don't need me to defend them from impotent threats of violence from morons like Rik, and I should have just kept my mouth shut, but it really irked me to see these comments aimed at the people who provide such incredible help here, of which I have been the recipient more than once.

Now, I'm honestly asking for help here... my server was intentionally ATTACKED by this asshat simply because I rejected mail from him, and if I hadn't just happened to be sitting here and noticed it within 3 minutes, there's no telling how much damage might have been done. I'm not crying about being a victim - yes, obviously he exploited a specific configuration weakness of mine, and I'd like to know how to FIX it, and also learn what is the proper way to reject mail from people I don't want mail from without them being able to cripple my mail server in retaliation for their mail being rejected.

Thanks and I truly appreciate any help you or anyone else is willing to provide...

-- 
Best regards,

Charles
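As an added example (not from this thread or from Postfix itself), a small Python script that spots the kind of per-client burst shown in the flood logs above: it correlates smtpd's "client=" line with qmgr's "from=" line by queue id and reports any connecting IP whose accepted-message count in a sliding window exceeds a threshold, together with the envelope senders it used. The hosts, IPs, queue ids and addresses in the sample log are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# smtpd's "client=" line ties a queue id to the connecting IP; qmgr's "from="
# line ties the same queue id to the envelope sender (standard syslog prefix assumed).
CLIENT_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
                       r"(\w+): client=\S+\[([\d.]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")

def burst_clients(lines, window=60, threshold=20):
    """Return {ip: (peak accepted messages in any `window` seconds, envelope
    senders used)} for clients whose peak exceeds `threshold`."""
    accepted = defaultdict(list)   # ip -> timestamps of accepted messages (log order)
    qid_ip = {}                    # queue id -> client ip
    senders = defaultdict(set)     # ip -> envelope senders seen
    for line in lines:
        m = CLIENT_RE.match(line)
        if m:
            when, qid, ip = m.groups()
            qid_ip[qid] = ip
            # syslog timestamps carry no year; all lines are assumed to share one
            accepted[ip].append(datetime.strptime(when, "%b %d %H:%M:%S"))
            continue
        m = FROM_RE.search(line)
        if m and m.group(1) in qid_ip:
            senders[qid_ip[m.group(1)]].add(m.group(2))
    report = {}
    for ip, times in accepted.items():
        recent, peak = deque(), 0
        for t in times:                     # sliding window over a chronological log
            recent.append(t)
            while (t - recent[0]).total_seconds() >= window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            report[ip] = (peak, senders[ip])
    return report

def make_sample():
    """Constructed log: 90 s of one message per second from one client (like the
    flood in the post), plus one ordinary delivery from another host."""
    lines = []
    for i in range(90):
        qid, ts = f"{i:011X}", f"May  6 16:{4 + i // 60:02d}:{i % 60:02d}"
        lines.append(f"{ts} myhost postfix/smtpd[5523]: {qid}: client=mta.example.net[192.0.2.10]")
        lines.append(f"{ts} myhost postfix/qmgr[919]: {qid}: from=<someone@example.com>, size=1809, nrcpt=1 (queue active)")
    lines.append("May  6 16:10:00 myhost postfix/smtpd[5600]: ABC123DEF45: client=other.example.org[198.51.100.7]")
    lines.append("May  6 16:10:00 myhost postfix/qmgr[919]: ABC123DEF45: from=<friend@example.org>, size=100, nrcpt=1 (queue active)")
    return lines
```

Run it against a real mail log with `burst_clients(open("/var/log/mail.log"))`; the reported sender set shows at a glance whether a bursting client is using a single envelope sender, as in the flood above.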