Bob Proulx wrote:
decoder wrote:
We recently discovered that even our own mailserver (Postfix) was a backscatter source (and 1-2 weeks ago spammers started to actively use it). There were several reasons, and I'd like to share these points with the list so nobody makes the same mistakes.

Thanks for the discussion.

2) By default, Postfix happily seems to accept email addresses referring to subdomains of domains listed in $mydestination. The option responsible for this cruel behavior is "parent_domain_matches_subdomains", which is by default not empty. We've set it to an empty string and after that, Postfix finally rejected mails to bogus recipients on our subdomains.

The default value is:

  parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps

I don't think that any of those should match and therefore it is safe by
default.

The trouble comes from the default (compatibility) value of relay_domains and relay_recipient_maps. For this reason, it is recommended to set:

  parent_domain_matches_subdomains =

This parameter is deprecated and setting it to an empty value is now recommended.

It is also recommended to set relay_domains explicitly, and if you have the list of relay recipients, set relay_recipient_maps. Otherwise, use reject_unverified_recipient in access checks (only for relay domains, not for every domain).


I poked at my server and couldn't trick it into accepting
mail to subdomains.  If yours is allowing messages through by matching
one of them then I suspect that the configuration for it is the
problem and should be fixed.  In other words, you might not be done
debugging yet and may still have another problem to figure out.  :-}


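The interaction discussed in this thread, as an added example that is not part of the original messages and is not Postfix code: a simplified Python model of how the recipient domain is classified at RCPT TO, showing why the legacy relay_domains and relay_recipient_maps values combined with parent matching accept mail for bogus subdomains. The function names, the dictionary layout and all domains and addresses are assumptions constructed for illustration.

```python
# Simplified model (an assumption, not Postfix source) of recipient handling.
# All domains and addresses below are constructed sample values.

def domain_matches(domain, patterns, parent_matches_subdomains):
    """Postfix-style domain list match.

    With parent matching on, "example.com" also matches "x.example.com".
    With it off, subdomains match only an explicit ".example.com" pattern.
    """
    domain = domain.lower()
    for pat in (p.lower() for p in patterns):
        if domain == pat:
            return True
        if parent_matches_subdomains:
            if domain.endswith("." + pat):
                return True
        elif pat.startswith(".") and domain.endswith(pat):
            return True
    return False


def smtpd_decision(rcpt, cfg):
    """Return what the SMTP server does with this recipient in the model."""
    local_part, _, domain = rcpt.rpartition("@")
    # mydestination is not listed in parent_domain_matches_subdomains,
    # so it is matched exactly.
    if domain_matches(domain, cfg["mydestination"], False):
        return "accept" if local_part in cfg["local_recipients"] else "reject: unknown user"
    parent = "relay_domains" in cfg["parent_domain_matches_subdomains"]
    if domain_matches(domain, cfg["relay_domains"], parent):
        maps = cfg["relay_recipient_maps"]
        if maps is None:  # no map configured: every recipient is accepted
            return "accept (unvalidated, bounces later)"
        return "accept" if rcpt in maps else "reject: unknown relay recipient"
    return "reject: relay access denied"


LEGACY = {
    "mydestination": ["example.com"],
    "local_recipients": {"alice"},
    "relay_domains": ["example.com"],  # legacy default: $mydestination
    "parent_domain_matches_subdomains": ["relay_domains", "smtpd_access_maps"],
    "relay_recipient_maps": None,      # legacy default: empty
}
HARDENED = dict(LEGACY, parent_domain_matches_subdomains=[],
                relay_domains=["relay.example.net"],
                relay_recipient_maps={"bob@relay.example.net"})
```

On a real server, `postconf parent_domain_matches_subdomains relay_domains relay_recipient_maps` shows the values actually in effect.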