Noel Jones-2 wrote
> On 10/20/2016 12:57 AM, Ross Naheedy wrote:
>> I am having a peculiar issue in not being able to lock down my
>> postfix 2.10. This is on a server that is on the Internet and must
>> receive emails and relay email for authenticated users. My main.cf
>> <http://main.cf> relevant portions look like this:
>>
>
> show "postconf -n" rather than random snippings.

Here's the output of "postconf -n":

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = example.com
myhostname = example.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/example.crt
smtpd_tls_key_file = /etc/postfix/example.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

Noel Jones-2 wrote
>> Looking at my maillog, it looks like the server is being used as a
>> relay, although I'm not sure why.
>
>
> Please show us the log entries.

And here's what I see in the logs:

Oct 15 06:54:49 example postfix/smtpd[29114]: warning: hostname 185-163-46-244.mivocloud.com does not resolve to address 185.163.46.244
Oct 15 06:54:49 example postfix/smtpd[29114]: connect from unknown[185.163.46.244]
Oct 15 06:54:49 example postfix/smtpd[29114]: 7F31B1805EFD9: client=unknown[185.163.46.244]
Oct 15 06:54:50 example postfix/cleanup[29115]: 7F31B1805EFD9: message-id=<0.0.6900600747.evkrtb19b4ecfabsowkik54092...@gretofrr.us>
Oct 15 06:54:50 example postfix/qmgr[24064]: 7F31B1805EFD9: from=<8467-6900600747-824-sales=example....@mail.gretofrr.us>, size=6461, nrcpt=1 (queue active)
Oct 15 06:54:51 example postfix/smtpd[29114]: disconnect from unknown[185.163.46.244]

Some delay here because I didn't have amavisd configured properly

Oct 15 07:11:02 example amavis[29000]: (29000-05) Blocked BAD-HEADER-0 {BouncedInbound,Quarantined}, [185.163.46.244]:54047 [185.163.46.244] <8467-6900600747-824-sales=example....@mail.gretofrr.us> -> <sa...@example.com>, Queue-ID: 7F31B1805EFD9, Message-ID: <0.0.6900600747.evkrtb19b4ecfabsowkik540927.0@gretofrr.us>, mail_id: zmu4ScvmJWiZ, Hits: -, size: 6455, 297800 ms
Oct 15 07:11:02 example postfix/lmtp[29094]: 7F31B1805EFD9: to=<sa...@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=973, delays=1.3/397/277/298, dsn=2.5.0, status=sent (250 2.5.0 Ok <sa...@example.com>, DSN was sent (554 5.6.0 Bounce, id=29000-05 - BAD HEADER))
Oct 15 07:11:02 example postfix/qmgr[24064]: 7F31B1805EFD9: removed

And there's a bunch of the following (one every hour), trying to deliver the mail:

Oct 20 01:12:10 example postfix/smtp[31538]: connect to mail.cancrrtrtmnt.us[104.18.54.81]:25: Connection timed out
Oct 20 01:12:10 example postfix/smtp[31537]: connect to mail.gretofrr.us[2400:cb00:2048:1::681b:8fb4]:25: Connection timed out
Oct 20 01:12:10 example postfix/smtp[31538]: DCFD01805EFD2: to=<8569-6900600747-621-sales=example....@mail.cancrrtrtmnt.us>, relay=none, delay=150425, delays=150305/0.02/120/0, dsn=4.4.1, status=deferred (connect to mail.cancrrtrtmnt.us[104.18.54.81]:25: Connection timed out)
Oct 20 01:12:10 example postfix/smtp[31537]: 8715B18321C38: to=<8467-6900600747-824-sales=example....@mail.gretofrr.us>, relay=none, delay=410468, delays=410348/0.02/120/0, dsn=4.4.1, status=deferred (connect to mail.gretofrr.us[2400:cb00:2048:1::681b:8fb4]:25: Connection timed out)

Noel Jones-2 wrote
>>
>> It looks to me that postfix accepted a message destined to
>> 8467-6900600747-824-sales=example.com@.gretofrr
>> <mailto:example.com@.gretofrr> and is attempting to deliver
>> it.
>
> Yes, or maybe it's undeliverable mail postfix is trying to return.

I think you may be right. The email coming to sa...@example.com is actually a valid email address, but if I'm reading the logs right, amavisd rejected the email, so it's trying to bounce the message back and it's failing. Is there any way for me to limit the number of times postfix tries to bounce a message like this? I figure after a couple of tries, I'd want it to give up.

Noel Jones-2 wrote
>> Looks to me a different form of sender-specified routing based
>> on what I've read
>
> No. See VERP.

I checked VERP and fail to see how it might solve my problem if my server is trying to bounce an undeliverable message.

--
View this message in context: http://postfix.1071664.n5.nabble.com/Hardening-relay-and-sender-specified-routing-tp86772p86793.html
Sent from the Postfix Users mailing list archive at Nabble.com.
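
Added example, not part of the original post: the two readings discussed in this message (mail being relayed versus a bounce that cannot be returned) can be told apart in the maillog by correlating queue IDs. The Python below runs on constructed log lines in the same format; the queue IDs, hosts and addresses are made up, and `LOCAL_DOMAINS` plus the assumption that the bounce is queued with the null sender `from=<>` are mine.

```python
import re
from collections import defaultdict

LOCAL_DOMAINS = {"example.com"}        # assumption: domains this server accepts mail for
LOOPBACK = (None, "127.0.0.1", "::1")  # no client= line, or mail re-injected locally

# Constructed log lines in the format shown in the post (made-up IDs, hosts, addresses).
SAMPLE_LOG = """\
Oct 15 06:54:49 mx postfix/smtpd[29114]: AAAA11111111: client=unknown[192.0.2.10]
Oct 15 06:54:50 mx postfix/qmgr[24064]: AAAA11111111: from=<bulk-1@mail.sender.example>, size=6461, nrcpt=1 (queue active)
Oct 15 07:11:02 mx postfix/lmtp[29094]: AAAA11111111: to=<sales@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=973, dsn=2.5.0, status=sent (250 2.5.0 Ok, DSN was sent (554 5.6.0 Bounce - BAD HEADER))
Oct 15 07:11:02 mx postfix/qmgr[24064]: BBBB22222222: from=<>, size=8000, nrcpt=1 (queue active)
Oct 20 01:12:10 mx postfix/smtp[31537]: BBBB22222222: to=<bulk-1@mail.sender.example>, relay=none, delay=410468, dsn=4.4.1, status=deferred (connect to mail.sender.example[198.51.100.7]:25: Connection timed out)
Oct 20 01:13:00 mx postfix/smtpd[400]: CCCC33333333: client=unknown[203.0.113.9]
Oct 20 01:13:01 mx postfix/qmgr[24064]: CCCC33333333: from=<someone@other.example>, size=900, nrcpt=1 (queue active)
Oct 20 01:13:05 mx postfix/smtp[401]: CCCC33333333: to=<rcpt@third.example>, relay=none, delay=4, dsn=4.4.1, status=deferred (Connection timed out)
"""

QUEUE_LINE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]{8,}): (.*)")

def classify_deferred(log_text, local_domains=LOCAL_DOMAINS):
    """Map each queue ID that has a deferred delivery to a verdict string."""
    msgs = defaultdict(lambda: {"client": None, "sender": None, "deferred": []})
    for line in log_text.splitlines():
        hit = QUEUE_LINE.search(line)
        if not hit:
            continue
        qid, rest = hit.groups()
        if (c := re.match(r"client=\S+\[([^\]]+)\]", rest)):
            msgs[qid]["client"] = c.group(1)
        elif (f := re.match(r"from=<([^>]*)>", rest)):
            msgs[qid]["sender"] = f.group(1).lower()
        elif (t := re.match(r"to=<([^>]*)>.*status=deferred", rest)):
            msgs[qid]["deferred"].append(t.group(1).lower())
    # Envelope senders of mail that arrived from a non-loopback client.
    remote_senders = {m["sender"] for m in msgs.values()
                      if m["client"] not in LOOPBACK and m["sender"]}
    verdicts = {}
    for qid, m in msgs.items():
        for rcpt in m["deferred"]:
            if m["sender"] == "" and rcpt in remote_senders:
                verdicts[qid] = "bounce to sender of earlier inbound mail"
            elif m["client"] not in LOOPBACK and rcpt.rpartition("@")[2] not in local_domains:
                verdicts[qid] = "relayed for remote client"
            else:
                verdicts.setdefault(qid, "other")
    return verdicts
```

On the constructed sample, `classify_deferred(SAMPLE_LOG)` labels BBBB22222222 as the bounce and CCCC33333333 as the relayed message.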