On 01/06/2014 03:33 PM, Viktor Dukhovni wrote:
On Mon, Jan 06, 2014 at 01:17:41PM -0500, Eric Cunningham wrote:

The problem is entirely with the monstrosity below:

smtpd_recipient_restrictions =
        reject_unauth_pipelining,
        reject_non_fqdn_recipient,

Fine.

        check_sender_access pcre:/etc/postfix/access/final_sender_access,

Put this *AFTER* reject_unauth_destination to close the open relay.

        reject_unknown_recipient_domain,
        permit_sasl_authenticated,
        permit_mynetworks,

Make sure mynetworks is defined properly.

        reject_unauth_destination,
        reject_unknown_sender_domain,
        check_recipient_access pcre:/etc/postfix/access/final_recipient_access,
        check_client_access hash:/etc/postfix/access/final_client_access,
        check_helo_access pcre:/etc/postfix/access/suspect_helo,

Fine.

        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client autospam.whoi.edu,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        reject_rbl_client dnsbl.ahbl.org,
        reject_rbl_client http.dnsbl.sorbs.net,
        reject_rbl_client socks.dnsbl.sorbs.net,
        reject_rbl_client misc.dnsbl.sorbs.net,
        reject_rbl_client web.dnsbl.sorbs.net,
        reject_rbl_client dul.dnsbl.sorbs.net,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client dyna.spamrats.com,
        reject_rbl_client noptr.spamrats.com,
        reject_rbl_client virbl.dnsbl.bit.nl,
        reject_rbl_client ix.dnsbl.manitu.net,
        reject_rbl_client backscatter.spameatingmonkey.net,
        reject_rbl_client bl.spameatingmonkey.net,
        reject_rhsbl_sender fresh.spameatingmonkey.net,
        reject_rhsbl_client fresh.spameatingmonkey.net,
        reject_rhsbl_sender uribl.spameatingmonkey.net,
        reject_rhsbl_client uribl.spameatingmonkey.net,
        reject_rhsbl_sender urired.spameatingmonkey.net,
        reject_rhsbl_client urired.spameatingmonkey.net,

Me thinks that 24 RBLs is approximately 20 RBLs too many.  I'll
leave it to others to suggest which ones to drop.

        check_sender_access hash:/etc/postfix/access/check_backscatterer,
        check_policy_service inet:127.0.0.1:10023,
        permit


Hello list, thanks for the help on this topic. However, the problem of an open relay still exists after moving

  check_sender_access pcre:/etc/postfix/access/final_sender_access,

after reject_unauth_destination in smtpd_recipient_restrictions and reviewing/adjusting the mynetworks definition.

After having completed those 2 steps, I added LOGIN back to /etc/postfix/sasl/smtpd.conf to again allow outgoing emails from Windows-based devices as follows:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
log_level: 3

After a few days, the open relay was rediscovered and we were again blacklisted, forcing us to remove LOGIN, which, very coincidentally, immediately closed the open relay. Something is still amiss here. Any further help is greatly appreciated. For consideration, I'm including postconf -n output reflecting the suggested changes above.

postconf -n

address_verify_poll_count = ${stress?1}${stress:3}
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, ldap:ldap
anvil_rate_time_unit = 60s
append_dot_mydomain = yes
body_checks = pcre:/etc/postfix/access/body_access
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
default_process_limit = 250
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}. Contact <postmas...@whoi.edu> if this is in error.
header_checks = pcre:/etc/postfix/access/header_access
html_directory = /usr/share/doc/postfix/html
mailbox_size_limit = 0
message_size_limit = 104857600
mime_header_checks = pcre:/etc/postfix/access/mime_header_checks
mydestination = $myhostname, $mydomain, postal2.$mydomain, outbox.$mydomain, mail.$mydomain, localhost.$mydomain, localhost.localdomain, localhost, beachcomberscompanion.org, whoi.net, cinar.org, bco-dmo.org, bcodmo.org, oceanopportunities.org
myhostname = postal2.whoi.edu
mynetworks = 128.128.0.0/16, 127.0.0.0/8, 199.92.168.150
myorigin = $mydomain
parent_domain_matches_subdomains =
permit_mx_backup_networks = $mynetworks
rbl_reply_maps = hash:/etc/postfix/access/dnsbl_replies
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = hash:/etc/postfix/mx_host_relays, oceanus.whoi.edu, atlantis.whoi.edu knorr.whoi.edu, tioga.whoi.edu, bosun.whoi.edu, striker.whoi.edu, striker2.whoi.edu, sssg1.whoi.edu, wbc.whoi.edu
relayhost =
relocated_maps = hash:/etc/postfix/relocated
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_rate_limit = 60
smtpd_client_message_rate_limit = 250
smtpd_client_new_tls_session_rate_limit = 60
smtpd_client_recipient_rate_limit = 300
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access/connect_client_access
smtpd_delay_reject = yes
smtpd_error_sleep_time = 5s
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_hard_error_limit = ${stress?1}${stress:20}
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access pcre:/etc/postfix/access/final_helo_access
smtpd_junk_command_limit = ${stress?1}${stress:100}
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_sender_access pcre:/etc/postfix/access/final_sender_access, reject_unknown_sender_domain, check_recipient_access pcre:/etc/postfix/access/final_recipient_access, check_client_access hash:/etc/postfix/access/final_client_access, check_helo_access pcre:/etc/postfix/access/suspect_helo, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client autospam.whoi.edu, reject_rbl_client dnsbl.ahbl.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client dyna.spamrats.com, reject_rbl_client noptr.spamrats.com, reject_rbl_client virbl.dnsbl.bit.nl, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client backscatter.spameatingmonkey.net, reject_rbl_client bl.spameatingmonkey.net, reject_rhsbl_sender fresh.spameatingmonkey.net, reject_rhsbl_client fresh.spameatingmonkey.net, reject_rhsbl_sender uribl.spameatingmonkey.net, reject_rhsbl_client uribl.spameatingmonkey.net, reject_rhsbl_sender urired.spameatingmonkey.net, reject_rhsbl_client urired.spameatingmonkey.net, check_sender_access hash:/etc/postfix/access/check_backscatterer, check_policy_service inet:127.0.0.1:10023, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated,  permit_mynetworks
smtpd_soft_error_limit = 10
smtpd_starttls_timeout = ${stress?10}${stress:300}s
smtpd_timeout = ${stress?10}${stress:300}s
smtpd_tls_CAfile = /etc/postfix/tls/whoi-inCommon-interim.cer
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/tls/whoi-inCommon-certificate.cer
smtpd_tls_key_file = /etc/postfix/tls/whoi-inCommon-private.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = hash:/etc/postfix/virtual, ldap:vldap
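An added audit script, not part of this thread or of Postfix, for the ordering point Viktor raises above: it parses `postconf -n` style output and flags any check_*_access, check_policy_service or permit entry that sits ahead of reject_unauth_destination, since a lookup answering OK from that position lets the server relay for anyone. The SAMPLE input is constructed to mirror the original ordering quoted in the thread; the parser handles single-line `name = value` output only.

```python
import re

# Only these may safely sit ahead of reject_unauth_destination: they permit
# nothing beyond clients that are already trusted to relay.
SAFE_BEFORE = {"permit_mynetworks", "permit_sasl_authenticated"}
TAKES_ARG = ("check_", "reject_rbl_", "reject_rhsbl_")  # followed by a table or DNSBL zone

def parse_postconf(text):
    """Map parameter -> value from the 'name = value' lines of `postconf -n`."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def split_restrictions(value):
    """Split a comma/space separated restriction list into (name, argument) pairs."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name.startswith(TAKES_ARG) and i + 1 < len(tokens):
            arg, i = tokens[i + 1], i + 1
        items.append((name, arg))
        i += 1
    return items

def audit_recipient_restrictions(value):
    """List restrictions that can answer OK yet precede reject_unauth_destination."""
    items = split_restrictions(value)
    names = [n for n, _ in items]
    if "reject_unauth_destination" not in names:
        return ["reject_unauth_destination is missing: every recipient is accepted"]
    findings = []
    for name, arg in items[:names.index("reject_unauth_destination")]:
        if name not in SAFE_BEFORE and (name == "permit" or name.startswith(("check_", "permit_"))):
            findings.append(f"{name} {arg or ''}".strip() + " precedes reject_unauth_destination")
    return findings

# Constructed sample in postconf -n form, mirroring the ordering quoted in the thread.
SAMPLE = """myhostname = mx.example.test
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, check_sender_access pcre:/etc/postfix/access/final_sender_access, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rhsbl_sender dsn.rfc-ignorant.org, check_policy_service inet:127.0.0.1:10023, permit
"""

if __name__ == "__main__":
    rr = parse_postconf(SAMPLE)["smtpd_recipient_restrictions"]
    print("\n".join(audit_recipient_restrictions(rr)) or "ordering OK")
```

To check a live server, feed it the real output instead of SAMPLE, for example `parse_postconf(subprocess.check_output(["postconf", "-n"], text=True))`.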
