Hi there,
we are running our postfix server (2.9.6) for quite some time now and
are very happy with it. A few days ago - one of our users got hacked and
his credentials were stolen, so someone started to use our system for
spamming, which we resolved very fast.
From my understanding you could do a limiting of number of messages
that can be sent out - we will look into that next.
One thing was really strange - I looked into it and found many mails
that went through amavis and had even wrong destination domains that
didn't exist - so I decided to put reject_unknown_recipient_domain in
smtpd_recipient_restrictions.
It looks like this:
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    warn_if_reject, reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_recipient_access hash:/etc/postfix/recipient_access
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client sbl-xbl.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023,
    permit
When I have reject_unknown_recipient_domain before
permit_sasl_authenticated - everything works as wanted - If someone
sends a mail whose destination domain does not exist - it just says
after clicking "Send" in the mail client that the domain doesn't exist
and cannot be sent and most important it doesn't run through amavis.
But this might not be optimal - If there's a DNS problem somewhere this
is a kind of permanent error, because the user has to click and click -
and I think this is not how it is done.
So I put it after permit_sasl_authenticated - the server "takes" the
mail, but will always throw it into amavis if it is delivered in when
authenticated - then the mail comes back from amavis and gets rejected
with "unknown domain" - maybe this behavior happens, because at first
the restrictions end when permit_sasl_authenticated is reached and goes
to amavis - when it comes back - the amavis injection is not
sasl_authenticated so it reaches the restriction
reject_unknown_recipient_domain and gets a non-delivery-report which
will be a mail. Am I right?
But when I send a mail with a user part that doesn't exist - even though it
is sasl-authenticated - it does not go into amavis which is much cleverer,
because it shouldn't go there since you don't need to do spam-filtering
if the recipient domain does not exist or the user does not exist.
Why this different behavior - is it because a local unknown user is
like a permanent error and an unknown_recipient_domain might be some sort
of temporary DNS problem? Where is this controlled?
How can I make sure that only mails which passed basic checks get into
amavis, cause it is really slow when scanning mail content.
Right now amavis is set up as content_filter =
smtp-amavis:[127.0.0.1]:10024 and with these entries in master.cf:
smtp-amavis unix - - n - 60 smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
Complete "postconf -nf" as follows:
alias_database = hash:/etc/aliases
alias_maps = $alias_database
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 1h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
home_mailbox = Maildir/
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
message_size_limit = 100960000
mydestination = mx01.example.de, example.de, localhost.example.de, localhost
mydomain = example.de
myhostname = mx01.example.de
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
notify_classes = resource, software
receive_override_options = no_address_mappings
recipient_delimiter = +
relayhost =
show_user_unknown_table_name = no
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
smtpd_recipient_restrictions = check_client_access
hash:/etc/postfix/client_checks, check_sender_access
hash:/etc/postfix/sender_checks, warn_if_reject,
reject_unauth_pipelining,
warn_if_reject, reject_non_fqdn_recipient, warn_if_reject,
reject_unknown_recipient_domain, check_recipient_access
hash:/etc/postfix/recipient_access permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_unlisted_recipient, check_sender_access
hash:/etc/postfix/sender_access, reject_rbl_client
sbl-xbl.spamhaus.org,
check_policy_service inet:127.0.0.1:10023 permit,
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_non_fqdn_sender, warn_if_reject, reject_unknown_helo_hostname,
reject_unknown_recipient_domain, reject_unknown_sender_domain, permit
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_received_header = yes
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_domains =
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/people/mail/
virtual_mailbox_domains =
mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:2000
Would you recommend having another postfix and amavis on a whole
different machine - as a smarthost of some sort to only forward external
mail through it, and have the other checks done first? Or is there any
other recommended way to integrate amavis so that it gets the mail
after all the other checks have been done. What setups do you use - Is
there an alternative to amavis?
I would also like to know what you would recommend in terms of limiting mails
on a per user, per IP, # of recipients basis - but I'll put that in
another post.
Kind regards,
Thomas
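A toy evaluator for the ordering question in the post above, added here as an example (not code from the post or from Postfix itself): it models first-match-wins over the restrictions named in the thread, plus the smtpd_reject_unlisted_recipient check (default yes) that Postfix enforces after the list and that receive_override_options=no_unknown_recipient_checks switches off, using constructed DNS and recipient tables. Run on an authenticated submission, it shows why mail to a nonexistent domain is accepted into the content_filter once reject_unknown_recipient_domain sits after permit_sasl_authenticated, while mail to an unknown local user is still rejected before queueing.

```python
from dataclasses import dataclass, field
# Added example (not from the post or from Postfix): toy model of how
# smtpd_recipient_restrictions is evaluated; DNS/tables are constructed stand-ins.

@dataclass
class Session:
    recipient: str
    sasl_authenticated: bool = False
    in_mynetworks: bool = False
    resolvable: set = field(default_factory=lambda: {"example.de"})    # DNS stand-in
    mydestination: set = field(default_factory=lambda: {"example.de"})
    listed_users: set = field(default_factory=lambda: {"thomas@example.de"})

def evaluate(restrictions, s, reject_unlisted_recipient=True):
    """First permit/reject wins; warn_if_reject only logs the next reject.
    smtpd_reject_unlisted_recipient (default yes) still runs after a permit."""
    _, _, domain = s.recipient.partition("@")
    unlisted = domain in s.mydestination and s.recipient not in s.listed_users
    v, r, warn_next = "dunno", None, False
    for r in restrictions:
        if r == "warn_if_reject":
            warn_next = True
            continue
        v = "dunno"
        if r == "permit_mynetworks" and s.in_mynetworks: v = "permit"
        elif r == "permit_sasl_authenticated" and s.sasl_authenticated: v = "permit"
        elif r == "reject_non_fqdn_recipient" and "." not in domain: v = "reject"
        elif r == "reject_unknown_recipient_domain" and domain not in s.resolvable: v = "reject"
        elif r == "reject_unauth_destination" and domain not in s.mydestination: v = "reject"
        elif r == "reject_unlisted_recipient" and unlisted: v = "reject"
        elif r in ("permit", "reject"): v = r
        if v == "reject" and warn_next:
            v = "dunno"  # logged as a warning only, evaluation continues
        warn_next = False
        if v != "dunno":
            break
    if v != "reject" and reject_unlisted_recipient and unlisted:
        return "reject", "smtpd_reject_unlisted_recipient"
    return (v, r) if v != "dunno" else ("dunno", None)

# The two orderings from the post, reduced to the restrictions modelled here.
STRICT = ["reject_non_fqdn_recipient", "reject_unknown_recipient_domain", "permit_mynetworks",
          "permit_sasl_authenticated", "reject_unauth_destination", "reject_unlisted_recipient", "permit"]
RELAXED = ["reject_non_fqdn_recipient", "permit_mynetworks", "permit_sasl_authenticated",
           "reject_unknown_recipient_domain", "reject_unauth_destination", "reject_unlisted_recipient", "permit"]

def authenticated_verdicts(recipient):
    """Verdict for a SASL-authenticated submission under both orderings."""
    s = Session(recipient, sasl_authenticated=True)
    return {"strict": evaluate(STRICT, s), "relaxed": evaluate(RELAXED, s)}
```

With the relaxed order an authenticated client's mail to a nonexistent domain returns "permit" and is queued for amavis; with the strict order it is rejected at reject_unknown_recipient_domain before any scanning.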