Hi Robert, I just tried your telnet examples with a number of local system accounts and valid virtual users with my own postfix installation, and I always get the correct answer:
554 5.7.1 <t...@test.com>: Relay access denied

Maybe your issue is caused by the settings and the order of the options in smtpd_XXX_restrictions. This is what I use (removed some milters):

smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination

I am not sure if this is perfect, maybe you want to give it a try.

Cheers,
Robert

On 23.05.2015 at 11:31, Robert Chalmers wrote:
> I may have solved it. I hope
>
> Connected to localhost.
> Escape character is '^]'.
> 220 zeus.localhost ESMTP Postfix
> helo inmailwetrust.com
> 250 zeus.localhost
> mail from: _www@zeus.localhost
> 250 2.1.0 Ok
> rcpt to:moff_yespas_1...@inmailwetrust.com
> 450 4.1.8 <_www@zeus.localhost>: Sender address rejected: Domain not found
> quit
> 221 2.0.0 Bye
>
> I added this to main.cf - straight from the documentation.
>
> # Don't talk to mail systems that don't know their own hostname.
> # With Postfix < 2.3, specify reject_unknown_hostname.
> smtpd_helo_restrictions = reject_unknown_helo_hostname
>
> # Don't accept mail from domains that don't exist.
> smtpd_sender_restrictions = reject_unknown_sender_domain
>
> This appears to stop it at the source - my system. Now, as all other
> outside systems can't relay through me, and internal accounts that
> are on the localhost can't relay - it should be ok... I hope.
>
>> On 23 May 2015, at 10:03, Robert Chalmers <racu...@icloud.com> wrote:
>>
>> I've checked this server against the Relay Test servers about the
>> place and it seems to be fine. No Relay allowed. I used a number
>> of test servers around the internet.
>>
>> However, I came in this morning and found a list of attempted spam
>> that has somehow been added to the queue. Undelivered, but rejected
>> by the remote service, not my server.
>>
>> I can't figure out what the configuration is, that will stop this
>> sort of spam attempt.
>>
>> $ telnet mail.myserver.com 25
>>
>> And what is happening looks like this
>>
>> zeus:log robert$ telnet 192.168.0.15 25
>> Trying 192.168.0.15...
>> Connected to zeus.
>> Escape character is '^]'.
>> 220 zeus.localhost ESMTP Postfix
>> helo inmailwetrust.com
>> 250 zeus.localhost
>> mail from: _www@zeus.localhost
>> 250 2.1.0 Ok
>> rcpt to: moff_yespas_1...@inmailwetrust.com
>> 250 2.1.5 Ok
>>
>> Now, that last response should be 554 : Relay access denied
>> How do I stop people using my server like this?
>>
>> Can anyone suggest a solution please.
>>
>> The qmgr message looks like this
>>
>> May 23 07:20:21 zeus.localhost postfix/qmgr[166]: 0AC18AE7532: from=<_www@zeus.localhost>, size=1600, nrcpt=1 (queue active)
>>
>> and one of the attempted messages looks like this.
>>
>> May 23 00:10:24 zeus.localhost postfix/smtp[10813]: ACF7FAE8961: to=<moff_yespas_1...@inmailwetrust.com>, relay=inmailwetrust.com[208.88.226.239]:25, delay=79990, delays=79987/1.8/0.99/0.13, dsn=4.0.0, status=deferred (host inmailwetrust.com[208.88.226.239] said: 451 Temporary local problem - please try later (in reply to RCPT TO command))
>>
>> Now, I can't understand how that is even being sent if the system
>> is not relaying anyway?
>>
>> and what I'd really like to be able to do is block anyone from
>> doing that in the first place? Regardless of it failing - I don't
>> want them to be able to do it anyway?
>>
>> This is my postconf -n output. If it helps
>>
>> zeus:log robert$ postconf -n
>> alias_database = hash:/etc/aliases
>> alias_maps = hash:/etc/aliases
>> biff = no
>> broken_sasl_auth_clients = yes
>> command_directory = /usr/sbin
>> daemon_directory = /usr/libexec/postfix
>> data_directory = /var/lib/postfix
>> debug_peer_level = 2
>> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
>> default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason} - see http://$rbl_domain.
>> dovecot_destination_recipient_limit = 1
>> home_mailbox = Mail/Dovecot/
>> html_directory = /usr/share/doc/postfix/html
>> inet_interfaces = all
>> inet_protocols = all
>> mail_owner = _postfix
>> mailbox_command = /usr/bin/procmail -a "$EXTENSION"
>> mailbox_size_limit = 0
>> mailq_path = /usr/bin/mailq
>> manpage_directory = /usr/share/man
>> message_size_limit = 0
>> meta_directory = /etc/postfix
>> mydestination = localhost mail.$mydomain, www.$mydomain
>> mynetworks_style = host
>> newaliases_path = /usr/bin/newaliases
>> postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
>> postscreen_bare_newline_action = ignore
>> postscreen_bare_newline_enable = no
>> postscreen_bare_newline_ttl = 30d
>> postscreen_blacklist_action = ignore
>> postscreen_cache_cleanup_interval = 12h
>> postscreen_cache_map = btree:$data_directory/postscreen_cache
>> postscreen_cache_retention_time = 7d
>> postscreen_client_connection_count_limit = $smtpd_client_connection_count_limit
>> postscreen_command_count_limit = 20
>> postscreen_command_filter =
>> postscreen_command_time_limit = ${stress?10}${stress:300}s
>> postscreen_disable_vrfy_command = $disable_vrfy_command
>> postscreen_discard_ehlo_keyword_address_maps = $smtpd_discard_ehlo_keyword_address_maps
>> postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords
>> postscreen_dnsbl_action = enforce
>> postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
>> postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net*3 b.barracudacentral.org*2 bl.spameatingmonkey.net bl.spamcop.net spamtrap.trblspam.com dnsbl.sorbs.net=127.0.0.[2;3;6;7;10] ix.dnsbl.manitu.net bl.blocklist.de list.dnswl.org=127.0.[0..255].0*-1 list.dnswl.org=127.0.[0..255].1*-2 list.dnswl.org=127.0.[0..255].[2..3]*-3 iadb.isipp.com=127.0.[0..255].[0..255]*-2 iadb.isipp.com=127.3.100.[6..200]*-2 wl.mailspike.net=127.0.0.[17;18]*-1 wl.mailspike.net=127.0.0.[19;20]*-2
>> postscreen_dnsbl_threshold = 3
>> postscreen_dnsbl_ttl = 1h
>> postscreen_enforce_tls = $smtpd_enforce_tls
>> postscreen_expansion_filter = $smtpd_expansion_filter
>> postscreen_forbidden_commands = $smtpd_forbidden_commands
>> postscreen_greet_action = ignore
>> postscreen_greet_banner = $smtpd_banner
>> postscreen_greet_ttl = 1d
>> postscreen_greet_wait = ${stress?2}${stress:6}s
>> postscreen_helo_required = $smtpd_helo_required
>> postscreen_non_smtp_command_action = drop
>> postscreen_non_smtp_command_enable = no
>> postscreen_non_smtp_command_ttl = 30d
>> postscreen_pipelining_action = enforce
>> postscreen_pipelining_enable = no
>> postscreen_pipelining_ttl = 30d
>> postscreen_post_queue_limit = $default_process_limit
>> postscreen_pre_queue_limit = $default_process_limit
>> postscreen_reject_footer = $smtpd_reject_footer
>> postscreen_tls_security_level = $smtpd_tls_security_level
>> postscreen_use_tls = $smtpd_use_tls
>> postscreen_watchdog_timeout = 10s
>> queue_directory = /private/var/spool/postfix
>> readme_directory = /usr/share/doc/postfix
>> recipient_delimiter = +
>> sample_directory = /usr/share/doc/postfix/examples
>> sendmail_path = /usr/sbin/sendmail
>> setgid_group = _postdrop
>> shlib_directory = /usr/lib/postfix
>> smtp_sasl_auth_enable = no
>> smtp_sasl_mechanism_filter = plain
>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>> smtp_use_tls = yes
>> smtpd_client_restrictions = check_client_access hash:/etc/postfix/access,reject_rbl_client bl.spamcop.net,reject_rbl_client sbl-xbl.spamhaus.org,reject_rbl_client cbl.abuseat.org,reject_rbl_client dnsbl.njabl.org,reject_rbl_client zen.spamhaus.org
>> smtpd_helo_required = yes
>> smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/access, check_client_access hash:/etc/postfix/access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access hash:/etc/postfix/access, check_relay_domains
>> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_path = private/auth
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_type = dovecot
>> smtpd_tls_CAfile = /private/etc/ssl/certs/sub.class1.server.ca.pem
>> smtpd_tls_auth_only = yes
>> smtpd_tls_cert_file = /private/etc/ssl/certs/chalmers.com.au.crt
>> smtpd_tls_ciphers = medium
>> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
>> smtpd_tls_key_file = /private/etc/ssl/private/chalmers.com.au.key
>> smtpd_tls_security_level = may
>> smtpd_use_tls = yes
>> soft_bounce = no
>> tls_random_source = dev:/dev/urandom
>> unknown_local_recipient_reject_code = 550
>> virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
>> virtual_gid_maps = static:5000
>> virtual_mailbox_base = /var/mail/vhosts
>> virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
>> virtual_mailbox_limit = 0
>> virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
>> virtual_minimum_uid = 100
>> virtual_transport = lmtp:unix:private/dovecot-lmtp
>> virtual_uid_maps = static:5000
>> zeus:log robert$
>>
>> and if it's of any help the doveconf -n output...
>>
>> zeus:log robert$ sudo doveconf -n
>> Password:
>> # 2.2.16: /usr/local/etc/dovecot/dovecot.conf
>> # OS: Darwin 14.3.0 x86_64 hfs
>> auth_debug = yes
>> auth_debug_passwords = yes
>> auth_mechanisms = plain login
>> auth_verbose = yes
>> auth_verbose_passwords = plain
>> debug_log_path = /var/log/dovecot-debug.log
>> default_internal_user = _dovecot
>> default_login_user = _dovenull
>> info_log_path = /var/log/dovecot-info.log
>> log_path = /var/log/dovecot.log
>> mail_debug = yes
>> mail_location = maildir:/var/mail/vhosts/%d/%n
>> mail_max_userip_connections = 30
>> mail_privileged_group = mail
>> namespace inbox {
>>   inbox = yes
>>   location =
>>   mailbox Drafts {
>>     special_use = \Drafts
>>   }
>>   mailbox Junk {
>>     special_use = \Junk
>>   }
>>   mailbox Sent {
>>     special_use = \Sent
>>   }
>>   mailbox "Sent Messages" {
>>     special_use = \Sent
>>   }
>>   mailbox Trash {
>>     special_use = \Trash
>>   }
>>   prefix =
>>   separator = /
>> }
>> passdb {
>>   args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
>>   driver = sql
>> }
>> passdb {
>>   args = %s
>>   driver = pam
>> }
>> postmaster_address = postmas...@chalmers.com.au
>> service auth-worker {
>>   user = vmail
>> }
>> service auth {
>>   executable = /usr/local/libexec/dovecot/auth
>>   unix_listener /var/spool/postfix/private/auth {
>>     group = _postfix
>>     mode = 0600
>>     user = _postfix
>>   }
>>   user = _dovecot
>> }
>> service imap-login {
>>   executable = /usr/local/libexec/dovecot/imap-login
>>   inet_listener imap {
>>     address = *
>>     port = 143
>>   }
>>   inet_listener imaps {
>>     address = *
>>     port = 993
>>     ssl = yes
>>   }
>>   process_limit = 128
>> }
>> service imap {
>>   executable = /usr/local/libexec/dovecot/imap
>>   process_limit = 128
>> }
>> service lmtp {
>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>     group = _postfix
>>     mode = 0660
>>     user = _postfix
>>   }
>>   unix_listener lmtp {
>>     group = _postfix
>>     mode = 0600
>>     user = _postfix
>>   }
>> }
>> service pop3-login {
>>   executable = /usr/local/libexec/dovecot/pop3-login
>>   inet_listener pop3 {
>>     address = *
>>     port = 110
>>   }
>>   inet_listener pop3s {
>>     address = *
>>     port = 995
>>     ssl = yes
>>   }
>>   process_limit = 128
>> }
>> service pop3 {
>>   executable = /usr/local/libexec/dovecot/pop3
>>   process_limit = 128
>> }
>> ssl_cert = </etc/ssl/certs/chalmers.com.au.crt
>> ssl_key = </etc/ssl/private/chalmers.com.au.key
>> ssl_require_crl = no
>> userdb {
>>   args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
>>   driver = static
>> }
>> userdb {
>>   driver = passwd
>> }
>> verbose_ssl = yes
>> protocol lmtp {
>>   mail_plugins =
>> }
>> protocol lda {
>>   mail_plugins = " sieve"
>>   postmaster_address = postmas...@chalmers.com.au
>> }
>> zeus:log robert$
>>
>> thanks
>>
>

--
Robert Senger <robert.sen...@microscopium.de>
PGP/GPG Public Key ID: 24E78B5E
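The thread turns on how Postfix walks its restriction lists at RCPT TO: with the default smtpd_delay_reject = yes the lists run in the order client, helo, sender, relay, recipient; a permit_* result only ends the list it occurs in (the following lists still run), and the first reject ends the command. The script below is an added example, not Postfix source and not code from either poster: a simplified model of that first-match evaluation, run against the three restriction sets quoted above. Everything in the environment is a constructed assumption: the domains in mydestination, the "DNS" table of names that resolve, and the premise that 192.168.0.15 is the server's own address, so that with mynetworks_style = host a telnet session from the server itself matches permit_mynetworks.

```python
"""Model of Postfix smtpd_*_restrictions evaluation for one RCPT TO.

Added example, not Postfix code.  Reproduces the first-match semantics of
the restriction lists quoted in the thread on constructed sessions.
"""
from dataclasses import dataclass

# --- constructed environment (assumptions, not taken from the thread) ----
MYDESTINATION = {"localhost", "mail.example.com", "www.example.com"}
# mynetworks_style = host: only the server's own addresses are trusted.
# Assumption: 192.168.0.15 is the server itself (the telnet target above).
MYNETWORKS = {"127.0.0.1", "192.168.0.15"}
# Stand-in for DNS: names that have an A or MX record.
RESOLVABLE = {"example.com", "inmailwetrust.com"}


@dataclass
class Session:
    client_ip: str
    helo: str
    sender: str
    recipient: str
    sasl_authenticated: bool = False


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


# Each restriction returns ("PERMIT", None), ("REJECT", reply) or ("DUNNO", None).
def permit(s):
    return "PERMIT", None

def permit_mynetworks(s):
    return ("PERMIT", None) if s.client_ip in MYNETWORKS else ("DUNNO", None)

def permit_sasl_authenticated(s):
    return ("PERMIT", None) if s.sasl_authenticated else ("DUNNO", None)

def _unauth_destination(s, code):
    if domain_of(s.recipient) in MYDESTINATION:
        return "DUNNO", None
    return "REJECT", f"{code} <{s.recipient}>: Relay access denied"

def reject_unauth_destination(s):      # permanent 5xx reply
    return _unauth_destination(s, "554 5.7.1")

def defer_unauth_destination(s):       # temporary 4xx reply, client will retry
    return _unauth_destination(s, "450 4.7.1")

def reject_unknown_sender_domain(s):
    if domain_of(s.sender) in RESOLVABLE:
        return "DUNNO", None
    return "REJECT", f"450 4.1.8 <{s.sender}>: Sender address rejected: Domain not found"

def reject_unknown_helo_hostname(s):
    if s.helo.lower() in RESOLVABLE:
        return "DUNNO", None
    return "REJECT", f"450 4.7.1 <{s.helo}>: Helo command rejected: Host not found"


def run_list(restrictions, s):
    """First PERMIT or REJECT wins; falling off the end is DUNNO (implicit permit)."""
    for r in restrictions:
        verdict, reply = r(s)
        if verdict != "DUNNO":
            return verdict, reply
    return "DUNNO", None


# Order used at RCPT TO with smtpd_delay_reject = yes.  A PERMIT only ends
# the list it occurs in; the next list still runs.  Only REJECT ends the command.
STAGES = ("client", "helo", "sender", "relay", "recipient")

def rcpt_reply(config: dict, s: Session) -> str:
    for stage in STAGES:
        verdict, reply = run_list(config.get(stage, ()), s)
        if verdict == "REJECT":
            return reply
    return "250 2.1.5 Ok"


# The poster's original lists (access maps omitted: assumed to have no matching entries).
ORIGINAL = {
    "relay": [permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination],
    "recipient": [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination],
}
# ...plus the helo/sender restrictions added in the follow-up.
WITH_SENDER_CHECKS = dict(ORIGINAL, helo=[reject_unknown_helo_hostname],
                          sender=[reject_unknown_sender_domain])
# Robert Senger's lists: no permit_mynetworks, and reject (554) instead of defer (450).
SENGER = {
    "relay": [permit_sasl_authenticated, reject_unauth_destination],
    "recipient": [permit_sasl_authenticated, reject_unauth_destination, permit],
}

# Constructed sessions mirroring the telnet transcripts above.
FROM_SERVER_ITSELF = Session("192.168.0.15", "inmailwetrust.com",
                             "_www@zeus.localhost", "someone@inmailwetrust.com")
FROM_INTERNET = Session("203.0.113.7", "inmailwetrust.com",
                        "spammer@inmailwetrust.com", "someone@inmailwetrust.com")

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("with sender checks", WITH_SENDER_CHECKS),
                      ("senger", SENGER)):
        for label, sess in (("telnet from the server itself", FROM_SERVER_ITSELF),
                            ("unauthenticated Internet client", FROM_INTERNET)):
            print(f"{name:18s} {label:32s} -> {rcpt_reply(cfg, sess)}")
```

Run it and the three transcripts in the thread fall out of the model: the original lists answer 250 to the session from the server itself because permit_mynetworks matches before reject_unauth_destination is reached, the added reject_unknown_sender_domain turns that into 450 4.1.8 for the unresolvable sender domain zeus.localhost, and Senger's lists answer 554 to both sessions because nothing permits an unauthenticated client. Note also that the poster's defer_unauth_destination gives an Internet client 450 rather than the 554 he expected, which is the difference Senger's config removes.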