On Tue, May 24, 2011 at 04:53:26PM -0400, Ryan Buffa wrote:

> Thank you for your input Victor.
>
> My sender_access file only contains OK rules, no reject rules.

This is wrong. It MUST contain zero OK rules; envelope sender addresses are unauthenticated, and forgeries will be relayed.

> Should I just
> remove the sender_access list? I don't know that it is really helping or
> that I have it set up properly if it is full of OK instead of REJECT.
> Do you think this is the culprit to my problem?

It is the cause of your outbound spam problem, so drop it.

>
> Here is the log search for that ID you noted.
> May 24 15:59:06 mail2 postfix/smtpd[21216]: 610E03595566:
> client=unknown[184.82.181.3]

This client is not on your "mynetworks" list.

> May 24 15:59:06 mail2 postfix/cleanup[21219]: 610E03595566: message-id=<
> 201105250351138904...@4nova.net>
> May 24 15:59:08 mail2 postfix/qmgr[20404]: 610E03595566: from=<
> hwli...@4nova.net>, size=209340, nrcpt=1 (queue active)

This sender is in your domain, likely listed in the sender lookup table.

> May 24 15:59:08 mail2 postfix/smtp[20897]: 610E03595566: to=<jyfr...@163.com>,
> relay=127.0.0.1[127.0.0.1]:10024, delay=2.6, delays=2.4/0/0.01/0.11,
> dsn=2.0.0, status=sent (250 2.0.0 Ok, id=21180-02, from
> MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as AA561359557D)

This recipient is remote, so you are relaying spam. The solution is to ditch the rule.

> May 24 15:59:08 mail2 postfix/qmgr[20404]: 610E03595566: removed
>
> > > mydestination = $myhostname, localhost.$mydomain, localhost,
> > > mail2.4nova.net, $mydomain
> >
> > So 4nova.net is your domain.
> >
> > > mynetworks = 74.84.205.0/24, 74.95.99.16/28, 65.254.210.137,
> > 74.84.205.84
> >
> > And these are your trusted client networks.
> >
> > > smtpd_recipient_restrictions =
> > > permit_sasl_authenticated,
> > > permit_mynetworks,
> > > check_sender_access hash:/etc/postfix/sender_access,
> > > reject_unauth_destination
> > > permit
> >
> > This is broken. DO NOT use "check_sender_access" *above*
> > reject_unauth_destination. This can create an open-relay with
> > forged sender addresses. Move the "check_sender_access" below
> > "reject_unauth_destination" and make sure it only contains "REJECT"
> > rules (contains no OK rules).
> >
> > > May 24 15:59:08 mail2 postfix/smtpd[20542]: AA561359557D:
> > > client=localhost[127.0.0.1]
> >
> > Wrong queue-id, instead find the logs for "610E03595566:"
> > which is the upstream for "AA561359557D".
> >
> > > May 24 15:59:08 mail2 postfix/smtp[20897]: 610E03595566: to=<
> > jyfr...@163.com>,
> > > relay=127.0.0.1[127.0.0.1]:10024, delay=2.6, delays=2.4/0/0.01/0.11,
> > > dsn=2.0.0, status=sent (250 2.0.0 Ok, id=21180-02, from
> > > MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as AA561359557D)

--
Viktor.
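
Added example, not part of the thread and not Postfix's own code: a small Python audit for the misconfiguration discussed above. It reports any check_sender_access map that is consulted before reject_unauth_destination, and any permitting entry in the access table. The function names and the sample sender_access contents are constructed for illustration; the restriction list is the one quoted in the thread.

```python
def parse_main_cf(text):
    """Parse main.cf text into {name: value}; a line starting with
    whitespace continues the previous parameter."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and name:
            params[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = (part.strip() for part in raw.split("=", 1))
            params[name] = value
    return params

def sender_access_before_relay_check(main_cf_text):
    """Return the maps used by check_sender_access ahead of
    reject_unauth_destination (all of them if that check is absent)."""
    value = parse_main_cf(main_cf_text).get("smtpd_recipient_restrictions", "")
    risky, in_sender_access = [], False
    for tok in value.replace(",", " ").split():
        if tok == "reject_unauth_destination":
            break
        if ":" in tok:                      # map argument, e.g. hash:/path
            if in_sender_access:
                risky.append(tok)
        else:
            in_sender_access = (tok == "check_sender_access")
    return risky

def permissive_rules(access_text):
    """Return (pattern, action) pairs whose action permits the mail."""
    hits = []
    for line in access_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[1].split()[0].upper() in ("OK", "PERMIT"):
            hits.append((parts[0], parts[1].strip()))
    return hits

# Restriction list as quoted in the thread (indentation restored).
THREAD_MAIN_CF = """smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_destination
    permit
"""
# Constructed sample table; the thread does not show the real file.
SAMPLE_ACCESS = "# constructed sample\n4nova.net OK\nbad.example REJECT\n"

if __name__ == "__main__":
    print(sender_access_before_relay_check(THREAD_MAIN_CF))
    print(permissive_rules(SAMPLE_ACCESS))
```

A non-empty result from both functions together is the combination described in the thread: a forged envelope sender matching an OK entry is accepted before the relay check runs.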