I've made one change to my configuration which may help handle the locally generated spam problem, at least in the case of the "fake open relay" mail.
I have removed permit_mynetworks from my smtpd_relay_restrictions. (I still have permit_mynetworks in the smtpd client, HELO, sender, and recipient restrictions.) In case this change might have broken something (which it doesn't appear to have done), I also enabled soft_bounce=yes.

Shortly thereafter, I found one (and, so far, only one) incident in my log where an open relay message apparently originated from my server itself. It looks strange, though. Check out the following log excerpt and note particularly what happened with regard to the postscreen process:

Oct 21 20:22:33 memoryalpha postfix/postscreen[4751]: CONNECT from [193.169.253.190]:63634 to [10.0.229.197]:25
Oct 21 20:22:33 memoryalpha postfix/dnsblog[4752]: addr 193.169.253.190 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
Oct 21 20:22:33 memoryalpha postfix/dnsblog[4752]: addr 193.169.253.190 listed by domain hostkarma.junkemailfilter.com as 127.0.0.2
Oct 21 20:22:33 memoryalpha postfix/dnsblog[4758]: addr 193.169.253.190 listed by domain zen.spamhaus.org as 127.0.0.4
Oct 21 20:22:33 memoryalpha postfix/dnsblog[4758]: addr 193.169.253.190 listed by domain zen.spamhaus.org as 127.0.0.3
Oct 21 20:22:33 memoryalpha postfix/dnsblog[4752]: addr 193.169.253.190 listed by domain dnsbl.justspam.org as 127.0.0.2
Oct 21 20:22:33 memoryalpha postfix/dnsblog[4757]: addr 193.169.253.190 listed by domain bl.spamcop.net as 127.0.0.2
Oct 21 20:22:33 memoryalpha postfix/postscreen[4751]: CONNECT from [127.0.0.1]:40434 to [127.0.0.1]:25
Oct 21 20:22:33 memoryalpha postfix/postscreen[4751]: WHITELISTED [127.0.0.1]:40434
Oct 21 20:22:33 memoryalpha postfix/smtpd[4764]: connect from localhost[127.0.0.1]
Oct 21 20:22:33 memoryalpha postfix/dnsblog[4759]: addr 193.169.253.190 listed by domain score.senderscore.com as 127.0.4.0
Oct 21 20:22:34 memoryalpha postfix/dnsblog[4760]: addr 193.169.253.190 listed by domain truncate.gbudb.net as 127.0.0.2
Oct 21 20:22:34 memoryalpha postfix/smtpd[4764]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 454 4.7.1 <spam...@tiscali.it>: Relay access denied; from=<spam...@tiscali.it> to=<spam...@tiscali.it> proto=ESMTP helo=<WIN-NT9DHV1HPCJ>
Oct 21 20:22:34 memoryalpha postfix/smtpd[4764]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=4/5
Oct 21 20:22:39 memoryalpha dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<Tvvn+TmyNq9/AAAB>
Oct 21 20:22:39 memoryalpha postfix/postscreen[4751]: DNSBL rank 78 for [193.169.253.190]:63634
Oct 21 20:22:40 memoryalpha postfix/postscreen[4751]: NOQUEUE: reject: RCPT from [193.169.253.190]:63634: 450 4.7.1 Service unavailable; client [193.169.253.190] blocked using zen.spamhaus.org; from=<spam...@tiscali.it>, to=<spam...@tiscali.it>, proto=ESMTP, helo=<WIN-NT9DHV1HPCJ>
Oct 21 20:22:40 memoryalpha postfix/postscreen[4751]: DISCONNECT [193.169.253.190]:63634

The postscreen process (PID 4751) initially fielded a connection from 193.169.253.190 (port 63634) -- an IP address, btw and fwiw, which is assigned to a hosting service in Estonia. But before rejecting this connection (because the IP address was blacklisted), another connection sprang into life from 127.0.0.1 (port 40434).

Basically, it looks to me as if the connection from 127.0.0.1 was somehow nested inside the connection from 193.169.253.190. This could just be a coincidence, but the fact that all this activity happened within a single postscreen process (PID 4751) confuses me -- can anyone explain this? For what it's worth, there is no other activity with PID 4751 anywhere else in sight in my log. Also, the sender and recipient e-mail addresses for the 193.169.253.190 and 127.0.0.1 connections are the same -- another seemingly very strong indication that they are somehow related, though it's not clear to me how.

Correlating the above with other logs on my server, an inbound SMTP connection from 193.169.253.190 on remote port 63634 was accepted and logged by iptables. No connections from 193.169.253.190 show up in my server's Apache logs.

So, again, can anyone suggest an explanation for why a complete Postfix connection from 127.0.0.1 is seemingly embedded inside a complete Postfix connection from 193.169.253.190?

In case it matters, I'm running Postfix 3.3.0, installed as a package on an Ubuntu 18.04.5 LTS system. I'm not knowingly enabling XCLIENT in my Postfix configuration for what this might be worth.

Thanks for any thoughts.

Rich Wales
ri...@richw.org
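
One way to check the "same sender and recipient on both connections" observation across a whole log, as an added example that is not part of the original message: it pairs rejected RCPTs from a loopback client with rejects from a remote client carrying the same sender, recipient and HELO within a short window. Records are keyed on client address rather than the postscreen PID, since one postscreen process handles many connections at once; the function names, the 30-second window and the fixed year are assumptions, and the sample lines are copied from the excerpt above.

```python
import ipaddress
import re
from datetime import datetime

# Sample input: four lines copied from the log excerpt in the message above.
SAMPLE = """\
Oct 21 20:22:33 memoryalpha postfix/postscreen[4751]: CONNECT from [193.169.253.190]:63634 to [10.0.229.197]:25
Oct 21 20:22:33 memoryalpha postfix/postscreen[4751]: CONNECT from [127.0.0.1]:40434 to [127.0.0.1]:25
Oct 21 20:22:34 memoryalpha postfix/smtpd[4764]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 454 4.7.1 <spam...@tiscali.it>: Relay access denied; from=<spam...@tiscali.it> to=<spam...@tiscali.it> proto=ESMTP helo=<WIN-NT9DHV1HPCJ>
Oct 21 20:22:40 memoryalpha postfix/postscreen[4751]: NOQUEUE: reject: RCPT from [193.169.253.190]:63634: 450 4.7.1 Service unavailable; client [193.169.253.190] blocked using zen.spamhaus.org; from=<spam...@tiscali.it>, to=<spam...@tiscali.it>, proto=ESMTP, helo=<WIN-NT9DHV1HPCJ>
"""

# Matches both the smtpd form (space-separated fields) and the postscreen
# form (comma-separated fields) of a rejected RCPT.
REJECT = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ postfix/(?P<daemon>\w+)\[(?P<pid>\d+)\]: "
    r"NOQUEUE: reject: RCPT from [^\[\s]*\[(?P<ip>[^\]]+)\].*?"
    r"from=<(?P<mfrom>[^>]*)>,? to=<(?P<rcpt>[^>]*)>,? proto=\S+ helo=<(?P<helo>[^>]*)>"
)

def rejected_rcpts(log):
    """Return one record per rejected RCPT: time, daemon, PID, client IP, envelope."""
    out = []
    for line in log.splitlines():
        m = REJECT.match(line)
        if m:
            # Syslog timestamps carry no year; a fixed one is assumed for deltas.
            when = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            out.append({"when": when, "daemon": m["daemon"], "pid": int(m["pid"]),
                        "ip": m["ip"], "envelope": (m["mfrom"], m["rcpt"], m["helo"])})
    return out

def loopback_echoes(log, window=30):
    """Pair loopback-client rejects with remote-client rejects that carry the
    same (sender, recipient, HELO) within `window` seconds."""
    recs = rejected_rcpts(log)
    local = [r for r in recs if ipaddress.ip_address(r["ip"]).is_loopback]
    remote = [r for r in recs if not ipaddress.ip_address(r["ip"]).is_loopback]
    pairs = []
    for loc in local:
        for rem in remote:
            gap = abs((rem["when"] - loc["when"]).total_seconds())
            if loc["envelope"] == rem["envelope"] and gap <= window:
                pairs.append((rem["ip"], loc["ip"], loc["envelope"][2], gap))
    return pairs

if __name__ == "__main__":
    for remote_ip, local_ip, helo, gap in loopback_echoes(SAMPLE):
        print(f"{local_ip} repeated the envelope of {remote_ip} (helo={helo}), {gap:.0f}s apart")
```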