On 2010-05-26 brian wrote:
> I've a hunch that the following problem is not something that can be
> configured away through postfix but, as I'm well aware that my
> config-fu is not the strongest, I'd like any advice the more experienced
> among you might have. I'm sure this isn't a rare problem.
>
> I recently began supporting the website for a small organisation. One
> change I suggested was to utilise a .org domain rather than .com (not
> due to any trouble but simply because they're a non-commercial
> organisation). The old domain points to this new server in order to
> redirect web traffic. AFAIK, there were never any email addresses used
> under the old domain. But, now I've set up postfix, I'm seeing
> thousands of failed attempts to send to various fictitious DOMAIN.com
> addresses. These are properly being blocked 554/relay access denied.

The connections are being rejected, so unless your server resources are
being exhausted by the delivery attempts I don't think you have to worry
about it.

> I've installed fail2ban, which seems to help. However, I'm still
> seeing several attempts a second as the sender IP is changed. Is
> there something more I can do to mitigate the stress on the server?

Of course you can utilize something like fail2ban to already block
connections at the network layer. However, since your Postfix seems to
be doing just fine, there's no real need for that.

> FWIW, aside from aliases for the usual postmaster, abuse, and
> webmaster addresses, this domain has just 2 actual addresses to be
> maintained. So, might a whitelist approach be the way to go? Or, is
> this something I should leave to iptables/fail2ban?

I think you should just leave it to Postfix.

> myhostname = demeter.DOMAIN.org
> mydomain = DOMAIN.org
> myorigin = $mydomain
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
> relayhost =
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

I usually recommend adding

local_recipient_maps = $alias_maps

and add explicit mappings for those local users that should be able to
receive mail. Otherwise your Postfix will accept mail for any local
user account on the system.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
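
Added example, not part of the original messages: a Python summary of Postfix smtpd reject lines, for judging whether rejected attempts like those described in this thread are a load concern and how many client IPs a per-IP ban would actually catch. The log lines are constructed samples, and `summarize` and its `max_retry` ban threshold are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample lines in the usual Postfix smtpd log format; hosts,
# addresses and IPs (documentation ranges) are made up for illustration.
SAMPLE_LOG = """\
May 26 10:15:01 demeter postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <info@DOMAIN.com>: Relay access denied; from=<a@example.net> to=<info@DOMAIN.com> proto=ESMTP helo=<h1.example.net>
May 26 10:15:01 demeter postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <sales@DOMAIN.com>: Relay access denied; from=<b@example.net> to=<sales@DOMAIN.com> proto=ESMTP helo=<h2.example.net>
May 26 10:15:01 demeter postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <admin@DOMAIN.com>: Relay access denied; from=<c@example.net> to=<admin@DOMAIN.com> proto=ESMTP helo=<h3.example.net>
May 26 10:15:02 demeter postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <jobs@DOMAIN.com>: Relay access denied; from=<d@example.net> to=<jobs@DOMAIN.com> proto=ESMTP helo=<h1.example.net>
May 26 10:15:02 demeter postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <bob@DOMAIN.org>: Recipient address rejected: User unknown in local recipient table; from=<e@example.net> to=<bob@DOMAIN.org> proto=ESMTP helo=<h5.example.net>
May 26 10:15:03 demeter postfix/smtpd[2106]: connect from unknown[203.0.113.9]
"""

# One RCPT-stage reject: timestamp, client IP, reply code, reason, recipient domain.
REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) [\d.]+ <[^>]*>: (?P<reason>[^;]+); "
    r".*\bto=<[^>@]*@(?P<domain>[^>]+)>"
)

def summarize(log_text, max_retry=3):
    """Count rejects per second, client IP, recipient domain and reason."""
    per_second, per_ip = Counter(), Counter()
    per_domain, reasons = Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT.match(line)
        if not m:
            continue  # connects, disconnects, accepted mail, other daemons
        per_second[m["ts"]] += 1
        per_ip[m["ip"]] += 1
        per_domain[m["domain"].lower()] += 1
        reasons[(m["code"], m["reason"].strip())] += 1
    return {
        "rejects": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        # Highest number of rejects logged within a single second.
        "peak_per_second": max(per_second.values(), default=0),
        # Only these IPs repeat often enough for a per-IP ban to trigger.
        "bannable_ips": sorted(ip for ip, n in per_ip.items() if n >= max_retry),
        "by_domain": dict(per_domain),
        "by_reason": dict(reasons),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A high `distinct_ips` count with an empty `bannable_ips` list means the client IPs rotate faster than a per-IP threshold can trigger, which leaves Postfix's own rejection doing the work.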
