thanks noel...
On Wed, Dec 11, 2013 at 6:20 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 12/11/2013 4:52 PM, don magnify wrote:
> >
> > hi all....
> >
> > i have a machine heavily hit with a bunch of from=<> messages...
>
> [Please post in plain text only - the HTML markup makes the logs
> difficult to read]
>
> For non-delivery notices, the BACKSCATTER_README is helpful.
> http://www.postfix.org/BACKSCATTER_README.html
>
> > i read around and implemented the access solution as in:
> >
> > /etc/postfix/main.cf:
> >     smtpd_client_restrictions =
> >         check_client_access hash:/etc/postfix/access
> >
> > /etc/postfix/access:
> >     1.2.3      REJECT
> >     1.2.3.4    OK
> >
> > my /etc/postfix/access looks like:
> >
> > .eigbox.net DISCARD
> > .yourhostingaccount.com DISCARD
> >
> > and did the postmap command
> >
> > how do i know it's working? i still get lots of these in my maillog:
> >
> > Dec 11 17:52:11 ip-10-114-59-124 postfix/smtpd[23960]: 0495F4352D: client=mail-yh0-f43.google.com[209.85.213.43]
> > Dec 11 17:52:11 ip-10-114-59-124 postfix/smtpd[7889]: connect from mail-qc0-f175.google.com[209.85.216.175]
> > Dec 11 17:52:11 ip-10-114-59-124 postfix/cleanup[14901]: 0495F4352D: message-id=<e1vqr1u-0000kr...@mailscan22.yourhostingaccount.com>
> > Dec 11 17:52:11 ip-10-114-59-124 postfix/qmgr[12941]: 0495F4352D: from=<>, size=3277, nrcpt=1 (queue active)
> > Dec 11 17:52:11 ip-10-114-59-124 postfix/smtpd[23960]: disconnect from mail-yh0-f43.google.com[209.85.213.43]
> > Dec 11 17:52:11 ip-10-114-59-124 postfix/smtpd[7889]: 1A8B34355B: client=mail-qc0-f175.google.com[209.85.216.175]
> > Dec 11 17:52:11 ip-10-114-59-124 postfix/cleanup[9395]: 1A8B34355B: message-id=<e1vqlgm-0005pe...@mailscan20.yourhostingaccount.com>
> > Dec 11 17:52:11 ip-10-114-59-124 postfix/qmgr[12941]: 1A8B34355B: from=<>, size=3280, nrcpt=1 (queue active)
> > Dec 11 17:52:11 ip-10-114-59-124 postfix/smtpd[7889]: disconnect from mail-qc0-f175.google.com[209.85.216.175]
> > Dec 11 17:52:11 ip-10-114-59-124 postfix/smtpd[1060]: connect from mail-qc0-f176.google.com[209.85.216.176]
>
> Assuming the above is not obfuscated, it's probably not working.
>
> - The check_client_access checks the information logged by postfix
> as "smtpd[...]: connect from CLIENTHOSTNAME[CLIENTIP]"
> In the above examples, it's mail-...google.com
>
> - Never DISCARD mail if you can get rid of it with a REJECT. Using
> DISCARD intentionally breaks the principle that mail shouldn't
> disappear into a black hole -- don't use DISCARD unless REJECT is
> somehow ineffective.
>
> - Default postfix settings assume access files without a leading
> dot, i.e.:
> eigbox.net              REJECT
> yourhostingaccount.com  REJECT
> http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
>
> And finally, it appears you're trying to block based on the
> Message-ID: logged by postfix. I don't know if that will be
> effective or not, but header_checks is the tool:
> http://www.postfix.org/header_checks.5.html
> a simple example:
> # main.cf
> header_checks = regexp:/etc/postfix/header_checks
>
> # /etc/postfix/header_checks
> IF /^Message-ID: /
> /\.eigbox\.net/               REJECT
> /\.yourhostingaccount\.com/   REJECT
> ENDIF
>
> If you need more help, please see:
> http://www.postfix.org/DEBUG_README.html#mail
>
>
>   -- Noel Jones
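The two points Noel makes (check_client_access keys on the logged client hostname, not on the Message-ID, and the default parent_domain_matches_subdomains setting expects access keys without a leading dot) can be checked offline against a maillog excerpt. The following script is an added example, not part of the thread and not Postfix's own code; it mimics only the hostname part of an access(5) lookup (IP-address lookups are left out), assumes the default parent_domain_matches_subdomains behaviour described in the thread, and uses a constructed log sample modelled on the lines above with made-up Message-ID local parts.

```python
import re

# Constructed sample log, modelled on the thread's maillog excerpt. Client names
# and domains are as logged there; the Message-ID local parts are made up.
SAMPLE_LOG = """\
Dec 11 17:52:11 ip-10-114-59-124 postfix/smtpd[23960]: 0495F4352D: client=mail-yh0-f43.google.com[209.85.213.43]
Dec 11 17:52:11 ip-10-114-59-124 postfix/cleanup[14901]: 0495F4352D: message-id=<sample-1@mailscan22.yourhostingaccount.com>
Dec 11 17:52:11 ip-10-114-59-124 postfix/qmgr[12941]: 0495F4352D: from=<>, size=3277, nrcpt=1 (queue active)
Dec 11 17:52:11 ip-10-114-59-124 postfix/smtpd[7889]: connect from mail-qc0-f175.google.com[209.85.216.175]
Dec 11 17:52:11 ip-10-114-59-124 postfix/smtpd[7889]: 1A8B34355B: client=mail-qc0-f175.google.com[209.85.216.175]
Dec 11 17:52:11 ip-10-114-59-124 postfix/cleanup[9395]: 1A8B34355B: message-id=<sample-2@mailscan20.yourhostingaccount.com>
"""

# "smtpd[PID]: QUEUEID: client=HOSTNAME[IP]" is what check_client_access sees.
CLIENT_RE = re.compile(r"smtpd\[\d+\]: ([0-9A-F]+): client=([^\[\s]+)\[([0-9.]+)\]")
# "cleanup[PID]: QUEUEID: message-id=<...>" is what header_checks would act on.
MSGID_RE = re.compile(r"cleanup\[\d+\]: ([0-9A-F]+): message-id=<([^>]*)>")


def parse_queue_entries(log_text):
    """Group client hostname/IP and Message-ID per queue id from maillog text."""
    entries = {}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid, host, ip = m.groups()
            entries.setdefault(qid, {}).update(client=host, ip=ip)
            continue
        m = MSGID_RE.search(line)
        if m:
            qid, mid = m.groups()
            entries.setdefault(qid, {})["message_id"] = mid
    return entries


def access_lookup(hostname, access_table, parent_domain_matches_subdomains=True):
    """Mimic the hostname part of a check_client_access lookup (assumption: hostname only).

    Postfix tries the full client hostname first, then each parent domain.
    With the default (parent_domain_matches_subdomains includes smtpd_access_maps)
    parent domains are looked up WITHOUT a leading dot; otherwise WITH one.
    Returns (matching_key, action) or None.
    """
    labels = hostname.lower().split(".")
    candidates = [hostname.lower()]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        candidates.append(parent if parent_domain_matches_subdomains else "." + parent)
    table = {k.lower(): v for k, v in access_table.items()}
    for key in candidates:
        if key in table:
            return key, table[key]
    return None


def message_id_action(message_id, patterns):
    """Apply a header_checks-style regexp list [(pattern, action), ...] to a Message-ID.

    Postfix regexp tables match case-insensitively by default and the first
    matching pattern wins; this models the IF /^Message-ID: / ... ENDIF block.
    """
    for pattern, action in patterns:
        if re.search(pattern, message_id, re.IGNORECASE):
            return action
    return None


if __name__ == "__main__":
    # The poster's table (leading dots, DISCARD) versus Noel's suggestion (no dots, REJECT).
    posted_table = {".eigbox.net": "DISCARD", ".yourhostingaccount.com": "DISCARD"}
    suggested_table = {"eigbox.net": "REJECT", "yourhostingaccount.com": "REJECT"}
    header_rules = [(r"\.eigbox\.net", "REJECT"), (r"\.yourhostingaccount\.com", "REJECT")]

    for qid, entry in parse_queue_entries(SAMPLE_LOG).items():
        client = entry["client"]
        print(f"{qid}: client={client}")
        print("  posted access table   ->", access_lookup(client, posted_table))
        print("  suggested access table->", access_lookup(client, suggested_table))
        print("  header_checks on Message-ID ->",
              message_id_action(entry["message_id"], header_rules))
```

Run as-is, both queue ids show that neither access table matches the Google client hostnames (so the access map cannot be what stops these messages), while the header_checks rules would match the yourhostingaccount.com Message-IDs. Flip `parent_domain_matches_subdomains=False` in the lookup to see when the leading-dot form does match.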