We have a postfix system that accepts mail from our internal network. It scans emails for viruses and spam before delivering them. It's listening on port 26 and so far everything works.
Last night one of our users' mailboxes got hacked and the attackers tried to send a lot of spam emails. Most of it got blocked but the postfix system does send a notification to the sender about the blocked message. The hackers forged the From address so our notifications were sent to that address instead, and we want to prevent that from happening again. For this, the system should only accept email if the sender's domain is known, for example by checking whether it is listed in the relay maps. After some googling I found that the "reject_unknown_sender_domain" option should reject mail if Postfix isn't the final destination for the sender's domain, so that sounds good too. I enabled that option but it doesn't seem to work. It seems to only block email if the sender's domain is nonexistent, but accepts all other mail. Can anyone help us out please? We've been working on this for 12 hours already and I can't find the right documentation on how to do this and the proxmox IRC channel hasn't been helpful either :(

# Postfix log example of email not getting blocked:
May 13 12:00:34 mx10 postfix/smtpd[2770]: 1827D101963: client=mailhost[x.x.x.x]
May 13 12:00:35 mx10 postfix/cleanup[2777]: 1827D101963: message-id=<>
May 13 12:00:35 mx10 postfix/qmgr[2754]: 1827D101963: from=<sen...@domain1.com>, size=224, nrcpt=1 (queue active)
May 13 12:00:36 mx10 postfix/lmtp[2778]: 1827D101963: to=<recei...@domain2.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=13, delays=12/0/0.05/1.2, dsn=2.7.0, status=sent (250 2.5.0 OK (101CA25CD940A75417C))
May 13 12:00:36 mx10 postfix/qmgr[2754]: 1827D101963: removed
(domain1.com was not in our system's configuration, so it should have been blocked?)
# postconf -n alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = yes best_mx_transport = local biff = no command_directory = /usr/sbin compatibility_level = 2 content_filter = scan:127.0.0.1:10024 daemon_directory = /usr/lib/postfix/sbin data_directory = /var/lib/postfix default_destination_concurrency_limit = 40 delay_warning_time = 4h lmtp_destination_concurrency_limit = 20 mail_name = Proxmox mailbox_size_limit = 104857600 message_size_limit = 52428800 mydestination = localhost, $myhostname mydomain = isphost.com myhostname = mx10.isphost.com mynetworks = 127.0.0.0/8 [::1]/128 xx.xx.xx.xx/25 xx.xx.xx.xx/25 10.10.2.0/24 xx.xx.xx.xx/29 10.10.1.0/24 xx.xx.xx.xx/25 xx.xx.xx.xx/27 parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access postscreen_dnsbl_action = enforce postscreen_greet_action = enforce recipient_delimiter = + relay_destination_concurrency_limit = 20 relay_domains = hash:/etc/pmg/domains smtp_destination_concurrency_limit = 20 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache smtpd_banner = $myhostname ESMTP POSTFIX smtpd_client_connection_count_limit = 50 smtpd_client_connection_rate_limit = 0 smtpd_client_message_rate_limit = 0 smtpd_helo_restrictions = smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_non_fqdn_recipient check_recipient_access regexp:/etc/postfix/rcptaccess check_sender_access regexp:/etc/postfix/senderaccess check_client_access cidr:/etc/postfix/clientaccess check_policy_service inet:127.0.0.1:10022 smtpd_sender_restrictions = permit_mynetworks reject_non_fqdn_sender check_client_access cidr:/etc/postfix/clientaccess check_sender_access regexp:/etc/postfix/senderaccess check_recipient_access regexp:/etc/postfix/rcptaccess smtpd_tls_session_cache_database = 
btree:/var/lib/postfix/smtpd_tls_session_cache transport_maps = hash:/etc/pmg/transport virtual_destination_concurrency_limit = 20 # postconf -nf: alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = yes best_mx_transport = local biff = no command_directory = /usr/sbin compatibility_level = 2 content_filter = scan:127.0.0.1:10024 daemon_directory = /usr/lib/postfix/sbin data_directory = /var/lib/postfix default_destination_concurrency_limit = 40 delay_warning_time = 4h lmtp_destination_concurrency_limit = 20 mail_name = Proxmox mailbox_size_limit = 104857600 message_size_limit = 52428800 mydestination = localhost, $myhostname mydomain = isphost.com myhostname = mx10.isphost.com mynetworks = 127.0.0.0/8 [::1]/128 xx.xx.xx.xx/25 xx.xx.xx.xx/25 10.10.2.0/24 xx.xx.xx.xx/29 10.10.1.0/24 xx.xx.xx.xx/25 xx.xx.xx.xx/27 parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access postscreen_dnsbl_action = enforce postscreen_greet_action = enforce recipient_delimiter = + relay_destination_concurrency_limit = 20 relay_domains = hash:/etc/pmg/domains smtp_destination_concurrency_limit = 20 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache smtpd_banner = $myhostname ESMTP POSTFIX smtpd_client_connection_count_limit = 50 smtpd_client_connection_rate_limit = 0 smtpd_client_message_rate_limit = 0 smtpd_helo_restrictions = smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_non_fqdn_recipient check_recipient_access regexp:/etc/postfix/rcptaccess check_sender_access regexp:/etc/postfix/senderaccess check_client_access cidr:/etc/postfix/clientaccess check_policy_service inet:127.0.0.1:10022 smtpd_sender_restrictions = permit_mynetworks reject_non_fqdn_sender check_client_access cidr:/etc/postfix/clientaccess 
check_sender_access regexp:/etc/postfix/senderaccess check_recipient_access regexp:/etc/postfix/rcptaccess smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache transport_maps = hash:/etc/pmg/transport virtual_destination_concurrency_limit = 20 # postconf -Mf: scan unix - - n - 31 lmtp -o lmtp_send_xforward_command=yes -o lmtp_connection_cache_on_demand=no -o disable_dns_lookups=yes 26 inet n - - - 100 smtpd -o content_filter=scan:127.0.0.1:10023 -o smtpd_sender_restrictions=reject_unknown_sender_domain -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_milters=unix:/var/run/opendkim/signer.sock 25 inet n - - - 1 postscreen smtpd pass - - - - 100 smtpd -o content_filter=scan:127.0.0.1:10024 -o receive_override_options=no_address_mappings -o smtpd_discard_ehlo_keywords=silent-discard,dsn -o mynetworks=127.0.0.0/8,x.x.x.x 127.0.0.1:10025 inet n - n - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_restriction_classes= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o smtpd_tls_security_level=none -o smtpd_authorized_xforward_hosts=127.0.0.0/8 -o message_size_limit=104857600 pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup -o message_size_limit=104857600 qmgr fifo n - - 300 1 qmgr rewrite unix - - - - - trivial-rewrite bounce unix - - - - 0 bounce defer unix - - - - 0 bounce flush unix n - - 1000? 
0 flush proxymap unix - - n - - proxymap smtp unix - - - - - smtp relay unix - - - - - smtp showq unix n - - - - showq error unix - - - - - error local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp verify unix - - - - 1 verify trace unix - - n - 0 bounce tlsmgr unix - - - 1000? 1 tlsmgr anvil unix - - - - 1 anvil scache unix - - - - 1 scache discard unix - - - - - discard retry unix - - - - - error dnsblog unix - - - - 0 dnsblog tlsproxy unix - - - - 0 tlsproxy