On Wed, 29 May 2013 10:34:37 -0400, Ben Johnson <b...@indietorrent.org> wrote:

> On 5/28/2013 1:38 PM, Wietse Venema wrote:
>> Viktor Dukhovni:
>>> On Tue, May 28, 2013 at 01:18:25PM -0400, Wietse Venema wrote:
>>>
>>>> I strongly suggest that you swap the order of the following
>>>> two rules in main.cf:
>>>>
>>>> check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
>>>> reject_unauth_destination,
>>>>
>>>> This should be:
>>>>
>>>> reject_unauth_destination,
>>>> check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
>>>>
>>>> Many open relay problems are caused by having an access table
>>>> before reject_unauth_destination.
>>>
>>> Indeed the second form is safer, and equivalent provided all the
>>> recipients are in a domain that is not rejected by
>>> reject_unauth_destination.
>>>
>>> Though in this case it is a *recipient* check, so problems are unlikely,
>>> unless the table includes unintended remote addresses. Unlike sender
>>> addresses, recipient addresses are not subject to "forgery".
>>
>> There is no need to forge "u...@yahoo.com" if a spammer really
>> wants to send mail there :-)
>>
>> Wietse
>>
>
> Thanks, Wietse.
>
> Regarding your first reply, I've reviewed the information at
> http://www.postfix.org/DEBUG_README.html#mail and will do my best to
> adhere to protocol going forward. (That was my first post; sincere
> apologies.)
>
> I have re-ordered those two rules and will post back if that doesn't
> solve the problem. I really appreciate your time and assistance.
>
> Best regards,
>
> -Ben
For the sake of thoroughness, and because I'm expected to perform a root-cause analysis, I'm following up on this after noticing that there was a missing comma in the smtpd_recipient_restrictions directive (after check_recipient_access on the third line):

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org

Even though the problem seems to be resolved after adding the comma and swapping the two items as Wietse suggested, what would be the net result of the missing comma in my version of Postfix (2.7.0)? Would the entire list of smtpd_recipient_restrictions be ignored? (That would certainly explain why a bot was able to relay hundreds of thousands of messages over the course of a few days.)

Thank you!

-Ben
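The ordering point Wietse makes in the quoted reply, as an added example that is not code from this thread or from Postfix itself: a toy Python model of how a restriction list is walked, showing why an access table placed before reject_unauth_destination turns an "unintended remote address" in that table into an open-relay permit. The access table, addresses and client IPs are constructed for the illustration, and the evaluator is a simplification of Postfix's real lookup logic.

```python
MY_DOMAINS = {"example.com"}     # domains this server accepts mail for (constructed)
MY_NETWORKS = {"192.0.2.10"}     # trusted client IPs for permit_mynetworks (constructed)

# Constructed stand-in for the mysql:/etc/postfix/mysql-virtual_recipient.cf lookup.
# The yahoo.example entry is the kind of "unintended remote address" Viktor warns about.
ACCESS_TABLE = {
    "alice@example.com": "OK",
    "someone@yahoo.example": "OK",
}

def permit_mynetworks(client_ip, rcpt):
    return "OK" if client_ip in MY_NETWORKS else "DUNNO"

def check_recipient_access(client_ip, rcpt):
    # A table hit answers with its action; a miss means "no opinion, ask the next rule".
    return ACCESS_TABLE.get(rcpt, "DUNNO")

def reject_unauth_destination(client_ip, rcpt):
    # Rejects any recipient whose domain this server is not a destination for.
    domain = rcpt.rpartition("@")[2]
    return "DUNNO" if domain in MY_DOMAINS else "REJECT"

def evaluate(restrictions, client_ip, rcpt):
    """Walk the list in order; the first rule answering OK or REJECT decides.
    DUNNO hands control to the next rule; an exhausted list permits (simplified)."""
    for restriction in restrictions:
        verdict = restriction(client_ip, rcpt)
        if verdict != "DUNNO":
            return verdict
    return "OK"

# Order from Ben's original main.cf versus the order Wietse recommended.
UNSAFE_ORDER = [permit_mynetworks, check_recipient_access, reject_unauth_destination]
SAFE_ORDER = [permit_mynetworks, reject_unauth_destination, check_recipient_access]

def verdict_for(order, rcpt, client_ip="203.0.113.5"):
    """Verdict for a client at client_ip (default: an untrusted, constructed IP) sending to rcpt."""
    return evaluate(order, client_ip, rcpt)

if __name__ == "__main__":
    for rcpt in ("alice@example.com", "someone@yahoo.example", "stranger@other.example"):
        print(f"{rcpt:26} unsafe order: {verdict_for(UNSAFE_ORDER, rcpt):7} "
              f"safe order: {verdict_for(SAFE_ORDER, rcpt)}")
```

With the unsafe order the table hit for someone@yahoo.example answers OK before reject_unauth_destination ever runs, so an untrusted client may relay to it; with the safe order the same recipient is rejected, while local recipients and trusted networks are unaffected.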