One server I maintain receives huge amounts of spam. In my ongoing attempts to kill as many spam mails as possible, I've been using, among other things, DNS blacklists via the reject_rbl_client option. For years this worked really well, combined with clamsmtpd plus some header and body checks. DNS caching works on the server and the RBLs allow my server to query their lists, yet when I check mail.log, the entries related to RBL blocking are missing entirely. I'm not sure when this changed (it has to be more than 3 months ago, since that's how far back my logs go). Could someone check the config below? (I reformatted the smtpd_recipient_restrictions option to make it easier to skim/check, and x-ed out the vital IP/domain info.)
```
# postconf -n
anvil_rate_time_unit = 60s
anvil_status_update_time = 1800s
append_at_myorigin = yes
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
body_checks_size_limit = 4096
bounce_size_limit = 150000
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = scan:127.0.0.1:10025
daemon_directory = /usr/lib/postfix
default_minimum_delivery_slots = 4
default_process_limit = 64
default_recipient_limit = 10000
delay_warning_time = 8h
disable_vrfy_command = yes
empty_address_recipient = admin
header_checks = regexp:/etc/postfix/header_checks
header_size_limit = 102400
home_mailbox = Maildir/
html_directory = no
in_flow_delay = 1s
inet_interfaces = x.x.x.x, 127.0.0.1
inet_protocols = ipv4
invalid_hostname_reject_code = 554
local_destination_concurrency_limit = 6
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_backoff_time = 3601s
maximal_queue_lifetime = 14d
message_size_limit = 36000000
mime_header_checks = regexp:/etc/postfix/mime_header_checks
minimal_backoff_time = 180s
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, x.com, x.nl, x.net, x.in, x.org, x.pm
mydomain = x.net
myhostname = x.net
mynetworks = x.x.x.0/24 127.0.0.0/8 x.x.x.x
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
non_fqdn_reject_code = 554
qmgr_message_active_limit = 12000
queue_directory = /var/spool/postfix
queue_minfree = 122880000
queue_run_delay = 180s
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_bind_address = x.x.x.x
smtp_connect_timeout = 60s
smtp_destination_concurrency_limit = 18
smtp_destination_recipient_limit = 24
smtp_helo_name = x.net
smtp_helo_timeout = 60s
smtp_tls_CAfile = $smtpd_tls_CAfile
# NOTE(review): "export" admits export-grade ciphers and "!SSLv2" below still
# leaves SSLv3 enabled for outbound opportunistic TLS; tighten both if the
# installed Postfix/OpenSSL versions allow it.
smtp_tls_ciphers = export
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = x.net ESMTP
smtpd_client_connection_count_limit = 40
smtpd_client_connection_rate_limit = 200
smtpd_client_message_rate_limit = 20
smtpd_data_restrictions = reject_multi_recipient_bounce, reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 2s
smtpd_hard_error_limit = 18
smtpd_helo_required = yes
smtpd_recipient_limit = 80
smtpd_recipient_overshoot_limit = 120
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/whitelist,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    # NOTE(review): restrictions are evaluated in order and the first PERMIT or
    # REJECT ends the list. reject_unauth_destination above has already rejected
    # every recipient this server is not a destination or relay for, so
    # permit_auth_destination matches all mail that gets this far and permits
    # it. The permit_dnswl_client and reject_rbl_client entries below are then
    # never evaluated, which would explain the missing RBL lines in mail.log.
    # Removing permit_auth_destination (or moving the RBL checks above it)
    # should restore the lookups; confirm with a test delivery.
    permit_auth_destination,
    permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1,
    permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.5,
    reject_rbl_client badconf.rhsbl.sorbs.net,
    reject_rbl_client new.spam.dnsbl.sorbs.net,
    reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client all.s5h.net,
    reject_rbl_client bl.blocklist.de,
    reject_rbl_client dnsbl.inps.de,
    reject_rbl_client ubl.unsubscore.com,
    reject_rbl_client virbl.dnsbl.bit.nl,
    reject_rbl_client mail-abuse.blacklist.jippg.org,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/sender_access, permit
smtpd_soft_error_limit = 8
smtpd_tls_CAfile = /etc/postfix/ssl/ca-certificates.crt
# NOTE(review): with smtpd_sasl_auth_enable = yes, "no" here lets clients send
# AUTH credentials over an unencrypted session; smtpd_tls_auth_only = yes
# limits AUTH to TLS-protected connections.
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/x.net.crt
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = /etc/postfix/ssl/x.net.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
undisclosed_recipients_header = To: (Probably SPAM or SCAM) undisclosed-recipients:;
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
```

and

```
# cat master.cf
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
# SMTP (25/TCP)
smtp inet n - y - - smtpd
  -o smtpd_sasl_auth_enable=yes
# Submission (587/TCP+UDP)
submission inet n - y - - smtpd
  -o smtpd_sasl_auth_enable=yes
# NOTE(review): as pasted, this is a second "smtp inet" entry, with different
# chroot and maxproc columns from the one under "# SMTP (25/TCP)"; confirm
# which of the two is active in the real file.
smtp inet n - n - 24 smtpd
# raised from 10 (2014-07): -o smtpd_client_connection_count_limit=16
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
  -o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix - n n - - pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
cyrus unix - n n - - pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
# [ ClamSMTP begin scan filter (used by content_filter)
scan unix - - n - 16 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
# Clamsmtpd end ]
retry unix - - - - - error
```

Any insights into what could be wrong?