On 07/12/16 10:30, Bill Cole wrote:
> On 12 Jul 2016, at 9:14, Phil Stracchino wrote:
> 
>> I'm getting spam leaking through from sites with non-resolving IP or
>> invalid DNS, sending mail to myself as me.
> 
> You COULD use reject_unknown_client_hostname but it has substantial 
> false positives.
> 
> More directly, you could enforce your own SPF record:
> 
> caerllewys.net.               259200  IN      TXT     "v=spf1 
> ip4:216.246.132.90 -all"

I'm trying to.  :)

> It's more than slightly hypocritical to publish a "-all" SPF record when 
> you don't pay attention to it yourself. There are a wide variety of 
> tools that can be used to enforce SPF in various ways. I use 
> SpamAssassin (via MIMEDefang, which isn't important) because SA has a 
> deep capacity to deal with the fact that SPF records are often not worth 
> anything for a variety of reasons, including domain owners who don't 
> understand what "-all" should mean in principle. There are also 
> free-standing milters and policy daemons available for SPF enforcement.
> 
> In this case it also appears that the IP address was in the CBL and 
> hence SpamHaus Zen when you accepted it. Maybe not, but if you are not 
> killing such IPs in postscreen you're going to have a lot of spam 
> getting further in than it needs to. Also, if you're running a smallish 
> mail system with a limited audience that does not include a need to 
> communicate with Vietnamese correspondents, you can probably block all 
> email traffic from 14.160.0.0/11.

I considered that option, yes.  I ...  could have sworn I *was* using
the Zen RBL, actually.  It looks as though I took it out for some reason
at some time in the past and never restored it.

I haven't deployed postscreen yet, as I simply don't know enough about
it.  I've been working on various additional services (including DKIM)
to try to tighten things up, but I have limited time to work on my own
stuff and - I admit - it tends to get attention mainly when something is
obviously broken.


> Why are you signing mail that came from a random bot in Vietnam? If 
> OpenDKIM can't be made to require authentication in order to sign mail, 
> it is broken. I'm not familiar with it, so I expect you're just missing 
> some setting that exists...

Quite likely, yes.  I'm fairly new to OpenDKIM and don't know all of the
best practices for it yet.  It certainly SHOULDN'T have been signing it.

> You've been here long enough to have seen this request before:
> 
> Please provide 'postconf -n' output as described in the last section of 
> Postfix's DEBUG_README file.
> 
> The above snippets do not draw a full enough picture of your config to 
> offer a proper specific fix. However, IN GENERAL, you should avoid 
> duplicating 'reject_*' settings in different restriction lists unless 
> you have a concrete reason to do that. It is also pointless to put 
> sender restrictions in smtpd_helo_restrictions.

Good point.  I plead tiredness when I tried that change.  Just removed
those.

>> OpenDKIM is picking up that 14.167.212.244 is falsely trying to send
>> mail as caerllewys.net,
> 
> It doesn't seem to me like OpenDKIM is noticing any sort of falsity, 
> since it claims to be adding a signature.

Which is probably a configuration error on my part.


>> [...] but surely there should be some straightforward
>> directive to tell Postfix not to allow a site outside of $mynetworks 
>> to send me mail using my own email address as sender.
> 
> Yes, there are such directives, and you're not showing the most suitable 
> places for them.
> 
> You should have smtpd_recipient_restrictions and maybe 
> smtpd_relay_restrictions lists, one or both of which end with "reject".

I'm quite possibly doing some checks in the wrong (or sub-optimal)
places.  And it's been a while since I last read through the full
documentation, and I know I haven't kept up with changes.

Postconf -n output follows; I'd appreciate any tips on errors I'm making
or places where I could improve my configuration.  There's always room
to learn more.


access_map_reject_code = 553
alias_database = btree:/etc/postfix/aliases
    btree:/var/lib/mailman/data/aliases
alias_maps = btree:/etc/postfix/aliases btree:/var/lib/mailman/data/aliases
allow_untrusted_routing = no
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
default_database_type = btree
default_destination_concurrency_limit = 10
fast_flush_domains = $relay_domains
header_checks = pcre:/etc/postfix/smtp_header_checks
    regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix-3.1.1/html
in_flow_delay = 0
inet_interfaces = all
inet_protocols = ipv4
invalid_hostname_reject_code = 501
local_destination_concurrency_limit = 2
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mail_version = 3.1.1
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_reject_code = 553
message_size_limit = 40960000
meta_directory = /etc/postfix
milter_default_action = tempfail
mydestination = $myhostname localhost.$mydomain $mydomain
mydomain = caerllewys.net
myhostname = smtp.caerllewys.net
mynetworks = 127.0.0.0/8 10.24.32.0/24 10.24.33.0/24 10.24.34.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:localhost:8891
parent_domain_matches_subdomains = debug_peer_list fast_flush_domains
    mynetworks permit_mx_backup_networks qmqpd_authorized_clients
    relay_domains smtpd_access_maps
qmqpd_authorized_clients = $mynetworks $relay_domains
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-3.1.1-r1/readme
recipient_delimiter = +
reject_code = 550
relay_domains = $mydestination novylen.net flambe.org myschyf.net
    thegaminghall.com toontownhall.com freerealmsforums.com
    downwardspiral.net third-design.net
relay_domains_reject_code = 553
relay_recipient_maps = btree:/etc/postfix/relay_recipients
relay_transport = relay
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix/${mail_version}
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = permit_mynetworks
smtpd_error_sleep_time = 5
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
    reject_unknown_reverse_client_hostname pcre:/etc/postfix/helo.pcre
smtpd_milters = inet:localhost:8891
smtpd_recipient_limit = 40
smtpd_recipient_restrictions = permit_mynetworks
    reject_unauth_destination reject_unknown_reverse_client_hostname
smtpd_sender_restrictions = permit_mynetworks reject_invalid_hostname
    reject_unknown_sender_domain reject_non_fqdn_sender check_sender_access
    btree:/etc/postfix/block-local-sender
smtpd_soft_error_limit = 10
smtpd_tls_cert_file = /etc/postfix/cert-20160508-183210.pem
smtpd_tls_key_file = /etc/postfix/key-20160508-183210.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtputf8_enable = yes
soft_bounce = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = btree:/etc/postfix/transport
unknown_address_reject_code = 551
unknown_client_reject_code = 450
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550





-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: 603.293.8485
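
Added example (not code from this thread, from Postfix or from any existing policy daemon): a minimal Postfix policy-delegation server that enforces the SPF record of the MAIL FROM domain, which is the check Bill suggests above and which covers Phil's case (a client outside the published ip4 list claiming to send as caerllewys.net). It assumes the hook `check_policy_service inet:127.0.0.1:10023` placed in smtpd_recipient_restrictions after permit_mynetworks and reject_unauth_destination; the listening port, the in-memory record table, the example.org record and the sample request are all constructed for the example, and only the caerllewys.net record text and the 14.167.212.244 client address are taken from the thread. It implements only the ip4, ip6 and all mechanisms; a, mx, include, exists, ptr and redirect= need DNS and are reported as permerror, which this server deliberately does not reject on.

```python
"""Minimal Postfix policy-delegation server that enforces SPF for the
MAIL FROM domain.  Illustrative example: it understands only the ip4,
ip6 and all mechanisms and looks records up in an in-memory table, so it
runs offline without DNS.  Anything it cannot evaluate yields permerror,
which is recorded in a header rather than used to reject."""
import ipaddress
import socketserver

# Constructed record table standing in for DNS TXT lookups.  The
# caerllewys.net record is the one quoted in the thread; example.org is
# made up to exercise ip6 and the softfail qualifier.
SPF_RECORDS = {
    "caerllewys.net": "v=spf1 ip4:216.246.132.90 -all",
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return pass/fail/softfail/neutral/none/permerror for client_ip.
    Mechanisms are tried left to right and the first match decides; no
    match and no 'all' gives neutral, as in RFC 7208."""
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if (name == "ip4") != (net.version == 4):
                return "permerror"      # ip4 with an IPv6 prefix, or vice versa
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        if name.startswith("exp="):
            continue                    # explanation modifier, no effect on result
        # a, mx, include, exists, ptr and redirect= all need DNS; this
        # example does not implement them and refuses to guess.
        return "permerror"
    return "neutral"


def parse_policy_request(text):
    """Parse one Postfix policy request: name=value lines ended by an
    empty line (see Postfix's SMTPD_POLICY_README)."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def policy_action(attrs, records=SPF_RECORDS):
    """Decide the policy reply for one request.  Only an explicit SPF
    'fail' rejects; every other result goes into a Received-SPF header
    and is left to later restrictions or content filtering."""
    sender = attrs.get("sender", "")
    client = attrs.get("client_address", "")
    if "@" not in sender:
        return "action=DUNNO"            # null sender (bounces): nothing to check
    domain = sender.rsplit("@", 1)[1].lower()
    try:
        result = evaluate_spf(records.get(domain), client)
    except ValueError:                   # unparsable client_address
        return "action=DUNNO"
    if result == "fail":
        return (f"action=REJECT SPF fail: {client} is not a permitted "
                f"sender for {domain}")
    return (f"action=PREPEND Received-SPF: {result} "
            f"(client {client}; sender domain {domain})")


class SPFPolicyHandler(socketserver.StreamRequestHandler):
    """Speaks the check_policy_service protocol: request attributes and
    the reply are both terminated by an empty line."""
    def handle(self):
        pending = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                pending.append(line)
                continue
            attrs = parse_policy_request("\n".join(pending) + "\n")
            pending = []
            self.wfile.write((policy_action(attrs) + "\n\n").encode("utf-8"))
            self.wfile.flush()


# Constructed request modelled on the thread: a client at 14.167.212.244
# claiming a caerllewys.net MAIL FROM.  The local parts are made up.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=14.167.212.244\n"
    "client_name=unknown\n"
    "helo_name=caerllewys.net\n"
    "sender=someone@caerllewys.net\n"
    "recipient=postmaster@caerllewys.net\n"
    "\n"
)

if __name__ == "__main__":
    print(policy_action(parse_policy_request(SAMPLE_REQUEST)))
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10023), SPFPolicyHandler) as srv:
        srv.serve_forever()
```

Because permit_mynetworks comes earlier in the restriction list, clients inside $mynetworks never reach the policy server, so the rejection applies exactly to hosts outside $mynetworks that use the local domain as sender, which is the distinction asked for above. Rejecting only on an explicit fail, and prepending a header otherwise, is the conservative choice given how often SPF records are wrong; tightening softfail or permerror into a reject is a local policy decision.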
