On Fri, Mar 02, 2012 at 02:46:03PM -0500, Gary Chambers wrote:
> I had a piece of spam slip through this morning and I'm hoping it's
> beneficial that I post this information. Specifically, I'm
> wondering why the mail was delivered from a host without rDNS. The
> relevant portion of the log is as follows:
>
> Mar 2 10:28:52 lollipop postfix/smtpd[3621]: warning: 88.151.91.185:
> hostname ab88-151-91-185.mxc.ru verification failed: Name or service not known

$ host 88.151.91.185
185.91.151.88.in-addr.arpa domain name pointer ab88-151-91-185.mxc.ru.

88.151.91.185 has a PTR record ...

$ host ab88-151-91-185.mxc.ru.
Host ab88-151-91-185.mxc.ru. not found: 3(NXDOMAIN)

... but the value of that PTR does not resolve.

> Mar 2 10:28:52 lollipop postfix/smtpd[3621]: connect from
> unknown[88.151.91.185]
> Mar 2 10:28:53 lollipop postfix/smtpd[3621]: 1D6ED24B7:
> client=unknown[88.151.91.185]
> Mar 2 10:28:53 lollipop postfix/cleanup[3632]: 1D6ED24B7:
> message-id=<96-4023-MN1.NQAg18AW362W+9895+69N73B7/0...@ab88-151-91-185.mxc.ru>
> Mar 2 10:28:53 lollipop postfix/qmgr[5554]: 1D6ED24B7: from=<d...@ahme.net>,
> size=940, nrcpt=1 (queue active)
> Mar 2 10:28:53 lollipop dovecot: deliver(m...@example.com): sieve:
> msgid=<96-4023-MN1.NQAg18AW362W+9895+69N73B7/0...@ab88-151-91-185.mxc.ru>:
> stored mail into mailbox 'INBOX'
> Mar 2 10:28:53 lollipop postfix/pipe[3635]: 1D6ED24B7:
> to=<m...@example.com>, relay=dovecot, delay=1.3, delays=1.2/0.01/0/0.08,
> dsn=2.0.0, status=sent (delivered via dovecot service)
> Mar 2 10:28:53 lollipop postfix/qmgr[5554]: 1D6ED24B7: removed
> Mar 2 10:28:53 lollipop postfix/smtpd[3621]: lost connection after RSET from
> unknown[88.151.91.185]
> Mar 2 10:28:53 lollipop postfix/smtpd[3621]: disconnect from
> unknown[88.151.91.185]
>
> postconf -n output is as follows:
>
> alias_database = hash:/etc/postfix/aliases
> alias_maps = hash:/etc/postfix/aliases
> append_dot_mydomain = no
> biff = no
> broken_sasl_auth_clients = yes
> config_directory = /etc/postfix
> disable_vrfy_command = yes
> home_mailbox = Maildir/
> inet_interfaces = $myhostname, localhost
> mailbox_command = /usr/lib/dovecot/deliver
> mailbox_size_limit = 0
> message_size_limit = 33554432
> mydestination = $myhostname, $mydomain, lollipop.$mydomain,
> localhost.$mydomain, localhost, mail.$mydomain, smtp.$mydomain
> myhostname = mx1.example.com
> mynetworks = 127.0.0.0/8 192.168.1.0/24
> myorigin = /etc/mailname
> readme_directory = no
> recipient_bcc_maps = hash:/etc/postfix/recipient-bccs
> relay_domains = lists.example.com
> relay_recipient_maps = hash:/etc/postfix/mailman_listnames
> relayhost =
> smtp_bind_address = 192.168.1.7
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
> check_client_access hash:/etc/postfix/client-access,
> reject_unknown_reverse_client_hostname, reject_rbl_client
> zen.spamhaus.org, reject_rhsbl_client dbl.spamhaus.org

reject_unknown_reverse_client_hostname only rejects if there is no PTR
at all. reject_unknown_client_hostname is the more aggressive check
which you seem to think you are using.

I would not recommend reject_unknown_client_hostname, because it *will*
block real mail.

> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
> reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
> reject_rhsbl_helo dbl.spamhaus.org
> smtpd_recipient_restrictions = reject_unknown_recipient_domain,
> permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = permit_mynetworks,
> reject_unknown_sender_domain, permit_sasl_authenticated,
> reject_rhsbl_sender dbl.spamhaus.org
> smtpd_timeout = 30s
> smtpd_tls_CAfile = /etc/ssl/certs/Example_Root_CA.pem
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/ssl/certs/postfix-server-wildcarded.crt
> smtpd_tls_key_file = /etc/ssl/private/postfix-server-wildcarded.key
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
> transport_maps = hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = pgsql:/etc/postfix/virtual-aliases-pg.cf
> virtual_gid_maps = static:60008
> virtual_mailbox_base = /vhome
> virtual_mailbox_domains = pgsql:/etc/postfix/virtual-mailbox-domains-pg.cf
> virtual_mailbox_maps = pgsql:/etc/postfix/virtual-mailboxes-pg.cf
> virtual_transport = dovecot
> virtual_uid_maps = static:60008

-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
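The distinction rob0 draws between the two restrictions, worked through as an added example that is not part of the thread and is not Postfix's own code: a small model of the lookups each restriction performs, run against a constructed DNS table. The 88.151.91.185 entries reproduce the host output above (a PTR whose value returns NXDOMAIN); the 192.0.2.x and 198.51.100.x entries, and the TEMPFAIL marker, are constructed to cover the other outcomes. Names like reverse_client_check and log_client are this example's, not Postfix identifiers.

```python
"""
Model of Postfix's two client-hostname checks over a constructed DNS table.
Added example for this thread; it is not Postfix code. The DNS data is
constructed: the 88.151.91.185 entries mirror the host output in the thread,
the 192.0.2.x / 198.51.100.x entries are made up.
"""

# Marker for a temporary lookup failure (SERVFAIL, timeout). Postfix answers
# those with a 4xx defer rather than a 5xx reject.
TEMPFAIL = object()

# Constructed IP -> name (PTR) table.
PTR = {
    "88.151.91.185": "ab88-151-91-185.mxc.ru",  # from the thread: PTR exists
    "192.0.2.10": "mail.example.net",           # constructed: fully consistent
    "192.0.2.11": "mail.example.org",           # constructed: forward mismatch
    "192.0.2.13": TEMPFAIL,                     # constructed: resolver trouble
    # 192.0.2.12 deliberately absent: no PTR record at all
}

# Constructed name -> addresses (A) table.
A = {
    "ab88-151-91-185.mxc.ru": [],         # from the thread: NXDOMAIN
    "mail.example.net": ["192.0.2.10"],
    "mail.example.org": ["198.51.100.5"],  # does not point back at 192.0.2.11
}

PERMIT, REJECT, DEFER = "PERMIT", "REJECT", "DEFER"


def reverse_client_check(ip):
    """reject_unknown_reverse_client_hostname: fails only when the IP has no
    PTR record. Whether the PTR's value resolves is never consulted."""
    name = PTR.get(ip)
    if name is TEMPFAIL:
        return DEFER
    return REJECT if name is None else PERMIT


def client_hostname_check(ip):
    """reject_unknown_client_hostname: the PTR must exist, its value must
    resolve, and one of the returned addresses must be the client IP."""
    name = PTR.get(ip)
    if name is TEMPFAIL:
        return DEFER
    if name is None:
        return REJECT
    addrs = A.get(name, [])
    if addrs is TEMPFAIL:
        return DEFER
    return PERMIT if ip in addrs else REJECT


def log_client(ip):
    """How smtpd names the client in its log lines: the verified hostname,
    or 'unknown' when forward confirmation fails (as in the posted log)."""
    if client_hostname_check(ip) == PERMIT:
        return f"{PTR[ip]}[{ip}]"
    return f"unknown[{ip}]"


if __name__ == "__main__":
    for ip in ("88.151.91.185", "192.0.2.10", "192.0.2.11",
               "192.0.2.12", "192.0.2.13"):
        print(f"{log_client(ip):40} reverse={reverse_client_check(ip):6} "
              f"full={client_hostname_check(ip)}")
```

For the spammer's IP the model gives PERMIT from the reverse-only check and REJECT from the full check, which is exactly why the posted config let the message through while logging the client as unknown[88.151.91.185]. On a real server the reply codes for the two restrictions come from unknown_reverse_client_hostname_reject_code and unknown_client_reject_code (both 450 by default), and Postfix always answers a temporary DNS failure with a 450 regardless of those settings.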