On 12/11/2013 4:52 PM, don magnify wrote:
>
> hi all....
>
> i have a machine heavily hit with a bunch of from=<> messages...

[Please post in plain text only - the HTML markup makes the logs difficult to read]

For non-delivery notices, the BACKSCATTER_README is helpful.
http://www.postfix.org/BACKSCATTER_README.html

> i read around and implemented the access solution as in:
>
> /etc/postfix/main.cf:
>     smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
>
> /etc/postfix/access:
>     1.2.3     REJECT
>     1.2.3.4   OK
>
> my /etc/postfix/access looks like:
>
>     .eigbox.net              DISCARD
>     .yourhostingaccount.com  DISCARD
>
> and did the postmap command
>
> how do i know it's working? i still get lots of these in my maillog:
>
> Dec 11 17:52:11 ip-10-114-59-124 postfix/smtpd[23960]: 0495F4352D: client=mail-yh0-f43.google.com[209.85.213.43]
> Dec 11 17:52:11 ip-10-114-59-124 postfix/smtpd[7889]: connect from mail-qc0-f175.google.com[209.85.216.175]
> Dec 11 17:52:11 ip-10-114-59-124 postfix/cleanup[14901]: 0495F4352D: message-id=<e1vqr1u-0000kr...@mailscan22.yourhostingaccount.com>
> Dec 11 17:52:11 ip-10-114-59-124 postfix/qmgr[12941]: 0495F4352D: from=<>, size=3277, nrcpt=1 (queue active)
> Dec 11 17:52:11 ip-10-114-59-124 postfix/smtpd[23960]: disconnect from mail-yh0-f43.google.com[209.85.213.43]
> Dec 11 17:52:11 ip-10-114-59-124 postfix/smtpd[7889]: 1A8B34355B: client=mail-qc0-f175.google.com[209.85.216.175]
> Dec 11 17:52:11 ip-10-114-59-124 postfix/cleanup[9395]: 1A8B34355B: message-id=<e1vqlgm-0005pe...@mailscan20.yourhostingaccount.com>
> Dec 11 17:52:11 ip-10-114-59-124 postfix/qmgr[12941]: 1A8B34355B: from=<>, size=3280, nrcpt=1 (queue active)
> Dec 11 17:52:11 ip-10-114-59-124 postfix/smtpd[7889]: disconnect from mail-qc0-f175.google.com[209.85.216.175]
> Dec 11 17:52:11 ip-10-114-59-124 postfix/smtpd[1060]: connect from mail-qc0-f176.google.com[209.85.216.176]

Assuming the above is not obfuscated, it's probably not working.

- The check_client_access checks the information logged by postfix as
  "smtpd[...]: connect from CLIENTHOSTNAME[CLIENTIP]"
  In the above examples, it's mail-...google.com

- Never DISCARD mail if you can get rid of it with a REJECT. Using DISCARD
  intentionally breaks the principle that mail shouldn't disappear into a
  black hole -- don't use DISCARD unless REJECT is somehow ineffective.

- Default postfix settings assume access files without a leading dot, i.e.:

    eigbox.net              REJECT
    yourhostingaccount.com  REJECT

  http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains

And finally, it appears you're trying to block based on the Message-ID:
logged by postfix. I don't know if that will be effective or not, but
header_checks is the tool:
http://www.postfix.org/header_checks.5.html

a simple example:

# main.cf
header_checks = regexp:/etc/postfix/header_checks

# /etc/postfix/header_checks
IF /^Message-ID: /
/\.eigbox\.net/              REJECT
/\.yourhostingaccount\.com/  REJECT
ENDIF

If you need more help, please see:
http://www.postfix.org/DEBUG_README.html#mail

-- Noel Jones