On 7/21/2014 10:34 AM, Thijssen wrote:
> One server I maintain receives huge amounts of spam. In my ongoing
> attempts at killing as many spam-mails as possible, among others I've
> been using dns blacklists under the reject_rbl_client option umbrella.
> For years this worked really well, combined with clamsmtpd, plus some
> header and body checks. DNS caching also works on the server, the RBLs
> allow my server to use their lists, yet when I check the mail.log, I'm
> missing the entries related to RBL blocking entirely. I'm not sure
> when this changed (has to be longer than 3 months since that's how far
> back my logs go).
> Could someone check the config below? (I reformatted the
> smtpd_recipient_restrictions option to make it easier to skim/check,
> and x-ed the vital IP/domain info)
>
> # postconf -n
> anvil_rate_time_unit = 60s
> anvil_status_update_time = 1800s
> append_at_myorigin = yes
> append_dot_mydomain = no
> biff = no
> body_checks = regexp:/etc/postfix/body_checks
> body_checks_size_limit = 4096
> bounce_size_limit = 150000
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = scan:127.0.0.1:10025
> daemon_directory = /usr/lib/postfix
> default_minimum_delivery_slots = 4
> default_process_limit = 64
> default_recipient_limit = 10000
> delay_warning_time = 8h
> disable_vrfy_command = yes
> empty_address_recipient = admin
> header_checks = regexp:/etc/postfix/header_checks
> header_size_limit = 102400
> home_mailbox = Maildir/
> html_directory = no
> in_flow_delay = 1s
> inet_interfaces = x.x.x.x, 127.0.0.1
> inet_protocols = ipv4
> invalid_hostname_reject_code = 554
> local_destination_concurrency_limit = 6
> local_recipient_maps =
> mail_owner = postfix
> mail_spool_directory = /var/mail
> mailbox_size_limit = 0
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> maximal_backoff_time = 3601s
> maximal_queue_lifetime = 14d
> message_size_limit = 36000000
> mime_header_checks = regexp:/etc/postfix/mime_header_checks
> minimal_backoff_time = 180s
> mydestination = $myhostname, localhost.$mydomain, localhost,
> $mydomain, mail.$mydomain, x.com, x.nl, x.net, x.in, x.org, x.pm
> mydomain = x.net
> myhostname = x.net
> mynetworks = x.x.x.0/24 127.0.0.0/8 x.x.x.x
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases
> non_fqdn_reject_code = 554
> qmgr_message_active_limit = 12000
> queue_directory = /var/spool/postfix
> queue_minfree = 122880000
> queue_run_delay = 180s
> readme_directory = /usr/share/doc/postfix
> receive_override_options = no_address_mappings
> recipient_delimiter = +
> sample_directory = /usr/share/doc/postfix
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtp_bind_address = x.x.x.x
> smtp_connect_timeout = 60s
> smtp_destination_concurrency_limit = 18
> smtp_destination_recipient_limit = 24
> smtp_helo_name = x.net
> smtp_helo_timeout = 60s
> smtp_tls_CAfile = $smtpd_tls_CAfile
> smtp_tls_ciphers = export
> smtp_tls_loglevel = 1
> smtp_tls_note_starttls_offer = yes
> smtp_tls_protocols = !SSLv2
> smtp_tls_security_level = may
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_use_tls = yes
> smtpd_banner = x.net ESMTP
> smtpd_client_connection_count_limit = 40
> smtpd_client_connection_rate_limit = 200
> smtpd_client_message_rate_limit = 20
> smtpd_data_restrictions = reject_multi_recipient_bounce,
> reject_unauth_pipelining, permit
> smtpd_delay_reject = yes
> smtpd_error_sleep_time = 2s
> smtpd_hard_error_limit = 18
> smtpd_helo_required = yes
> smtpd_recipient_limit = 80
> smtpd_recipient_overshoot_limit = 120
>
> smtpd_recipient_restrictions =
>   reject_invalid_hostname,
>   reject_unknown_recipient_domain,
>   reject_unauth_pipelining,
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   check_client_access hash:/etc/postfix/whitelist,

Danger! any client you OK in this whitelist also gets relay
permission. This should be below reject_unauth_destination.

If this is a list of clients you intend to give relay access to, it
should be renamed to make its function clear to prevent accidents --
maybe relay_clients.

>   reject_unauth_destination,

Ok, now rejecting unauth destinations.

>   reject_non_fqdn_recipient,
>   reject_non_fqdn_sender,
>   reject_unknown_sender_domain,
>   permit_auth_destination,

And here you permit auth destinations. There's no mail left after
this; none of the rules below will ever fire. It should be safe to
remove it.

  -- Noel Jones

>   permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1,
>   permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.5,
>   reject_rbl_client badconf.rhsbl.sorbs.net,
>   reject_rbl_client new.spam.dnsbl.sorbs.net,
>   reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
>   reject_rbl_client b.barracudacentral.org,
>   reject_rbl_client all.s5h.net,
>   reject_rbl_client bl.blocklist.de,
>   reject_rbl_client dnsbl.inps.de,
>   reject_rbl_client ubl.unsubscore.com,
>   reject_rbl_client virbl.dnsbl.bit.nl,
>   reject_rbl_client mail-abuse.blacklist.jippg.org,
>   permit
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = no
> smtpd_sasl_local_domain =
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender,
> reject_unknown_sender_domain, check_sender_access
> hash:/etc/postfix/sender_access, permit
> smtpd_soft_error_limit = 8
> smtpd_tls_CAfile = /etc/postfix/ssl/ca-certificates.crt
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /etc/postfix/ssl/x.net.crt
> smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
> smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
> smtpd_tls_eecdh_grade = strong
> smtpd_tls_key_file = /etc/postfix/ssl/x.net.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = no
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> strict_rfc821_envelopes = yes
> tls_preempt_cipherlist = yes
> tls_random_source = dev:/dev/urandom
> undisclosed_recipients_header = To: (Probably SPAM or SCAM)
> undisclosed-recipients:;
> unknown_address_reject_code = 554
> unknown_client_reject_code = 554
> unknown_hostname_reject_code = 554
> unknown_local_recipient_reject_code = 554
> unknown_virtual_alias_reject_code = 554
> unknown_virtual_mailbox_reject_code = 554
> unverified_recipient_reject_code = 554
> unverified_sender_reject_code = 554
>
> and # cat master.cf
>
> # ==========================================================================
> # service type private unpriv chroot wakeup maxproc command + args
> # (yes) (yes) (yes) (never) (100)
> # ==========================================================================
>
> # SMTP (25/TCP)
> smtp inet n - y - - smtpd -o
> smtpd_sasl_auth_enable=yes
> # Submission (587/TCP+UDP)
> submission inet n - y - - smtpd -o
> smtpd_sasl_auth_enable=yes
> smtp inet n - n - 24 smtpd
> # raised from 10 (2014-07):
>   -o smtpd_client_connection_count_limit=16
> pickup fifo n - n 60 1 pickup
> cleanup unix n - n - 0 cleanup
> qmgr fifo n - n 300 1 qmgr
> #qmgr fifo n - n 300 1 oqmgr
> tlsmgr unix - - n 1000? 1 tlsmgr
> rewrite unix - - n - - trivial-rewrite
> bounce unix - - n - 0 bounce
> defer unix - - n - 0 bounce
> trace unix - - n - 0 bounce
> verify unix - - n - 1 verify
> flush unix n - n 1000? 0 flush
> proxymap unix - - n - - proxymap
> smtp unix - - n - - smtp
> # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
> relay unix - - n - - smtp
>   -o fallback_relay=
> # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
> showq unix n - n - - showq
> error unix - - n - - error
> discard unix - - n - - discard
> local unix - n n - - local
> virtual unix - n n - - virtual
> lmtp unix - - n - - lmtp
> anvil unix - - n - 1 anvil
> scache unix - - n - 1 scache
>
> maildrop unix - n n - - pipe
>   flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
>
> old-cyrus unix - n n - - pipe
>   flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m
> ${extension} ${user}
> cyrus unix - n n - - pipe
>   user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m
> ${extension} ${user}
>
> uucp unix - n n - - pipe
>   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
> ($recipient)
>
> ifmail unix - n n - - pipe
>   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp unix - n n - - pipe
>   flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
>
>
> # [ ClamSMTP begin scan filter (used by content_filter)
> scan unix - - n - 16 smtp
>   -o smtp_data_done_timeout=1200
>   -o smtp_send_xforward_command=yes
>   -o smtp_enforce_tls=no
> # For injecting mail back into postfix from the filter
> 127.0.0.1:10026 inet n - n - 16 smtpd
>   -o content_filter=
>   -o local_recipient_maps=
>   -o relay_recipient_maps=
>   -o smtpd_restriction_classes=
>   -o smtpd_client_restrictions=
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o mynetworks_style=host
>   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
> # Clamsmtpd end ]
>
> retry unix - - - - - error
>
>
> Any insights into what could be wrong?
>
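
The two ordering problems pointed out in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not Postfix code: a small Python lint that walks a restriction list in order and reports access-table lookups placed ahead of reject_unauth_destination and rules that sit after the point where no mail is left. The names `parse` and `lint` are made up for this example, and it assumes comma-separated entries and first-decision-wins evaluation.

```python
# Added example, not from the original thread. Simplified model (assumption):
# entries are comma-separated and the first PERMIT or REJECT ends evaluation.
POSTED = """
reject_invalid_hostname, reject_unknown_recipient_domain,
reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated,
check_client_access hash:/etc/postfix/whitelist,
reject_unauth_destination, reject_non_fqdn_recipient, reject_non_fqdn_sender,
reject_unknown_sender_domain, permit_auth_destination,
permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1,
permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.5,
reject_rbl_client badconf.rhsbl.sorbs.net,
reject_rbl_client new.spam.dnsbl.sorbs.net,
reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
reject_rbl_client b.barracudacentral.org, reject_rbl_client all.s5h.net,
reject_rbl_client bl.blocklist.de, reject_rbl_client dnsbl.inps.de,
reject_rbl_client ubl.unsubscore.com, reject_rbl_client virbl.dnsbl.bit.nl,
reject_rbl_client mail-abuse.blacklist.jippg.org, permit
"""

def parse(value):
    """Return the entries as token lists [name, arg, ...] in evaluation order."""
    return [entry.split() for entry in value.split(",") if entry.strip()]

def lint(value):
    """Return (relay_risks, unreachable) for one restriction list."""
    relay_risks, unreachable = [], []
    relay_checked = False  # True once reject_unauth_destination has run
    terminal = None        # rule after which no mail is left to evaluate
    for tokens in parse(value):
        name, text = tokens[0], " ".join(tokens)
        if terminal:
            unreachable.append(text)
            continue
        # An access table can answer OK; ahead of the relay check that OK
        # also accepts mail addressed to foreign destinations.
        if not relay_checked and name.startswith("check_") and name.endswith("_access"):
            relay_risks.append(text)
        if name == "reject_unauth_destination":
            relay_checked = True
        # After the relay check only authorized destinations remain, so
        # permit_auth_destination accepts all of it, like a bare permit.
        if name in ("permit", "reject") or (
                name == "permit_auth_destination" and relay_checked):
            terminal = name
    return relay_risks, unreachable

if __name__ == "__main__":
    print(lint(POSTED))
```

Run against the posted list, it reports the whitelist lookup as able to grant relay and every permit_dnswl_client and reject_rbl_client entry as never evaluated, which matches the missing RBL log lines.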