On Mon, 2009-08-17 at 11:28 +0200, Ralf Hildebrandt wrote:
> * Martijn de Munnik <mart...@youngguns.nl>:
> > Hi all,
> >
> > Sometimes our mail server is 'under attack' and we get a lot of these
> > entries in our log file:
> >
> > Aug 17 11:08:19 stevie.youngguns.nl postfix/smtpd[14890]: [ID 197553
> > mail.info] NOQUEUE: reject: RCPT from unknown[212.22.199.165]: 450 4.1.8
> > <indispensabl...@homepc>: Sender address rejected: Domain not found;
> > from=<indispensabl...@homepc> to=<banquetastrophys...@rpc-design.nl>
> > proto=ESMTP helo=<homepc>
> >
> > Normally we reject about 15 msgs/min but when such an attack happens it
> > peaks to about 700 msgs/min. The error returned to the sending mail
> > (spam) server is 450 domain not found. Because a domain lookup could
> > also be a temporary failure this is a temporary error returned.
> >
> > The 450 error triggers the spammer to retry sending the mail.
>
> Do you have a caching DNS server?

Yes, but still things can go wrong and I don't want a failing DNS lookup
to be fatal.

> > The to address is an unknown user on my system so postfix could return a
> > 550 error. How can I do this?
>
> Reorder the checks
>
> > relay_domains = $mydestination, slagenlandwonen.nl, wfcommunicatie.nl,
> > gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl, loopbaankamer.nl,
> > ospl.nl, ospl.de, printcontrol.nl, dankers-schilderwerken.nl, promonta.nl,
> > interim-denbosch.nl
>
> mydestination, is not a relay domain!

Okay, thanks, stupid mistake.

> > smtpd_client_restrictions = reject_rbl_client dnsbl.njabl.org, permit
>
> Does this one still work?

As far as I know it does. But I see it is also included in
xbl.spamhaus.org.

> > smtpd_recipient_restrictions = permit_sasl_authenticated,
> > permit_mynetworks, reject_non_fqdn_recipient, reject_non_fqdn_hostname,
> > reject_non_fqdn_sender, reject_unauth_destination,
> > reject_unlisted_recipient, reject_unknown_recipient_domain,
> > reject_unverified_recipient, reject_invalid_hostname, reject_rbl_client
> > virbl.dnsbl.bit.nl, check_policy_service inet:127.0.0.1:12525,
> > check_policy_service inet:127.0.0.1:10023, permit
>
> Your problem is that you distributed the checks all over
> smtpd_sender_restrictions, smtpd_recipient_restrictions and
> smtpd_client_restrictions
>
> > smtpd_sender_restrictions = permit_mynetworks,
> > reject_unknown_sender_domain, permit

Mmm, I think I need to read the manual to really understand where all
those rejects/permits belong.

Kind regards,

Martijn de Munnik
-- 
YoungGuns
Kasteleinenkampweg 7b
5222 AX 's-Hertogenbosch
T. 073 623 56 40
F. 073 623 56 39
www.youngguns.nl
KvK 18076568
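
Added example, not part of the thread and not the poster's final configuration: one way to apply the "reorder the checks" advice in main.cf, so that an unknown recipient gets a permanent 550 before the sender-domain lookup can answer 450. The restriction names, DNSBL zones and policy service addresses are copied from the quoted settings; the consolidated ordering is an assumption about what was meant.

```conf
# Before (as quoted in the thread). With smtpd_delay_reject = yes (the
# default) every list is evaluated at RCPT TO, and the sender list runs
# ahead of the recipient list, so reject_unknown_sender_domain answers
# "450 4.1.8 Domain not found" before the recipient is ever looked at.
#
#   smtpd_client_restrictions = reject_rbl_client dnsbl.njabl.org, permit
#   smtpd_sender_restrictions = permit_mynetworks,
#       reject_unknown_sender_domain, permit

# After: a single ordered list. reject_unlisted_recipient (550 for an
# unknown user) now precedes reject_unknown_sender_domain, which keeps
# its default 450 (unknown_address_reject_code), so a failing DNS lookup
# for mail to a valid recipient is still only a temporary error.
smtpd_client_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_unverified_recipient,
    reject_invalid_hostname,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client virbl.dnsbl.bit.nl,
    check_policy_service inet:127.0.0.1:12525,
    check_policy_service inet:127.0.0.1:10023,
    permit
```

Review the effective settings with `postconf -n` and apply them with `postfix reload`.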