Jeroen, thank you for your post; it's very informative and it's what I was looking for.

Paul.

From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Jeroen Geilman
Sent: Wednesday, November 10, 2010 6:48 PM
To: postfix-users@postfix.org
Subject: Re: confused on reject_unknown_recipient_domain

On 11/10/2010 11:49 PM, PA wrote:
> 1st thanks for reading this email. Recently I've been getting hit with a lot of
> dictionary attacks and I was wondering if someone can shed some light on this.
> I'm using the following postfix options:
>
> smtpd_sender_restrictions =
>     permit_mynetworks,
>     reject_unauth_pipelining,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client b.barracudacentral.org,
>     permit
>
> smtpd_recipient_restrictions =
>     regexp:/etc/postfix/recipient_regexp,
>     reject_unauth_pipelining,
>     reject_unknown_recipient_domain,
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     reject_unauth_destination

It may make it clearer what is happening if you put all these restrictions in
smtpd_recipient_restrictions. Unless you changed the default of delay_reject = yes,
they are all evaluated at the recipient stage anyway. It would also mean less
duplication of effort.

> Notice the email is 1st rejected because of "reject_unknown_recipient_domain"

No, two recipients were rejected (that you have shown; include the FULL log next
time). The other 47 were not.

> but then the same email (same message ID) is accepted with 47 recipients. I
> thought that once there was an unknown recipient domain that the whole email
> would be rejected/deferred back to the sender.

No. Each recipient is either accepted or rejected; a rejection counts towards the
error limit. Once that is reached, the next rejected recipient (or any other SMTP
error) WILL dump the entire message.

You have only two rejected recipients, which is less than your error limit. The
other 47 recipients were fine, according to your configuration.

Stricter checks on mail submitted via SASL will prevent such abuse.

> I'm confused as to why the email was delivered??

Because it contained 47 valid recipients and did not trigger sufficient
restrictions to exceed your hard_error_limit.

> Nov 10 04:10:04 mrelay1 postfix/smtpd[25678]: E287230E8F0: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=Paramus
> Nov 10 04:10:07 mrelay1 postfix/smtpd[25678]: E287230E8F0: reject: RCPT from unknown[94.242.206.37]: 450 4.1.2 <dsurgeoncli...@freemail.absa.co.za>: Recipient address rejected: Domain not found; from=<i...@fnb.co.za> to=<dsurgeoncli...@freemail.absa.co.za> proto=ESMTP helo=<User>
> Nov 10 04:10:10 mrelay1 postfix/smtpd[25678]: E287230E8F0: reject: RCPT from unknown[94.242.206.37]: 450 4.1.2 <d...@physics.uct.ac.za>: Recipient address rejected: Domain not found; from=<i...@fnb.co.za> to=<d...@physics.uct.ac.za> proto=ESMTP helo=<User>
> Nov 10 04:10:23 mrelay1 postfix/cleanup[25677]: E287230E8F0: message-id=20101110091004.e287230e...@mrelay1.xxxx.xx
> Nov 10 04:10:23 mrelay1 postfix/qmgr[4833]: E287230E8F0: from=<i...@fnb.co.za>, size=11697, nrcpt=47 (queue active)
>
> I'm having a hard time trying to stop spammers from relaying mail through this server.

The first step would be to disable / reset the password / require strong passwords
on SASL accounts. This one is obviously compromised - or the client's PC is infected.

> We need sasl auth and I can't set any unknown clients restrictions

You don't need to, if you set up a proper submission listener separate from the
MTA-to-MTA smtpd listener.

> because we have customers who connect from ips that don't have a reverse/forward
> DNS like some Comcast ips. I was wondering if someone has any suggestions.

You could change it to this:

smtpd_helo_required = yes
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_unknown_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_sender,
    reject_unknown_reverse_client_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    regexp:/etc/postfix/recipient_regexp,
    reject_unauth_destination,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client b.barracudacentral.org,
    permit

Then you uncomment the submission listener in master.cf:

submission inet n - - - - smtpd

This runs on port 587. You can require both SASL and TLS on this port, and set
restrictions that only apply to this listener:

submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

The HELO and *domain checks on the regular port 25 listener will stop a LOT of spam.

-- 
J.
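As an added example (not part of the thread or of Postfix), a small Python script that does what Jeroen's reading of the log does by hand: it groups smtpd/qmgr lines by queue ID, counts the per-recipient rejects against the final nrcpt, and reports SASL-authenticated sessions that had recipients rejected yet still queued mail, which is the footprint of a dictionary run through a compromised account. The sample log is constructed in the format quoted above; the queue ID and username follow the thread, the client IPs and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the Postfix smtpd/qmgr log format quoted in the thread; the queue
# ID and SASL username follow the thread, the client IPs and addresses are made up.
SAMPLE_LOG = """\
Nov 10 04:10:04 mrelay1 postfix/smtpd[25678]: E287230E8F0: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=Paramus
Nov 10 04:10:07 mrelay1 postfix/smtpd[25678]: E287230E8F0: reject: RCPT from unknown[192.0.2.10]: 450 4.1.2 <a@nx1.invalid>: Recipient address rejected: Domain not found; from=<x@example.net> to=<a@nx1.invalid> proto=ESMTP helo=<User>
Nov 10 04:10:10 mrelay1 postfix/smtpd[25678]: E287230E8F0: reject: RCPT from unknown[192.0.2.10]: 450 4.1.2 <b@nx2.invalid>: Recipient address rejected: Domain not found; from=<x@example.net> to=<b@nx2.invalid> proto=ESMTP helo=<User>
Nov 10 04:10:23 mrelay1 postfix/qmgr[4833]: E287230E8F0: from=<x@example.net>, size=11697, nrcpt=47 (queue active)
Nov 10 04:12:01 mrelay1 postfix/smtpd[25680]: 1A2B3C4D5E6: client=mx.example.org[198.51.100.7]
Nov 10 04:12:02 mrelay1 postfix/qmgr[4833]: 1A2B3C4D5E6: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
"""

LINE_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<msg>.*)")


def summarize(log_text):
    """Group lines by queue ID: client, SASL user, rejected RCPTs, recipients finally queued."""
    sessions = defaultdict(lambda: {"client": None, "sasl_username": None, "rejects": 0, "nrcpt": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s, prog, msg = sessions[m["qid"]], m["prog"], m["msg"]
        if prog == "smtpd" and msg.startswith("client="):
            s["client"] = re.search(r"client=(\S+?)(?:,|$)", msg).group(1)
            user = re.search(r"sasl_username=(\S+)", msg)
            s["sasl_username"] = user.group(1) if user else None
        elif prog == "smtpd" and msg.startswith("reject: RCPT"):
            s["rejects"] += 1  # one RCPT TO refused; the session and the message continue
        elif prog == "qmgr" and (n := re.search(r"nrcpt=(\d+)", msg)):
            s["nrcpt"] = int(n.group(1))  # recipients that were accepted and queued
    return dict(sessions)


def flag_sessions(sessions):
    """SASL-authenticated sessions that had recipients rejected yet still queued mail.
    Each reject only counts towards the error limit, so below it the other recipients
    are delivered: a few 'Domain not found' rejects on an authenticated session point
    at a compromised account, not at a blocked message."""
    return [(qid, s["sasl_username"], s["rejects"], s["nrcpt"])
            for qid, s in sorted(sessions.items())
            if s["sasl_username"] and s["rejects"] and s["nrcpt"]]


if __name__ == "__main__":
    for qid, user, rejects, nrcpt in flag_sessions(summarize(SAMPLE_LOG)):
        print(f"{qid}: sasl_username={user} rejected={rejects} queued={nrcpt} -> review this account")
```

Point it at the real mail log instead of SAMPLE_LOG to get the list of accounts whose passwords need resetting, which is the first step Jeroen recommends.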