Hi there. Somehow a few messages are still getting delivered. I thought this was bounce spam, but I'm not sure. Can someone check out this header information, and give me any hints about the nature of these spam messages?

Code:
Received: (qmail 93169 invoked by uid 102); 30 Mar 2014 12:06:13 -0000
Received: from unknown (HELO mtaq4.grp.bf1.yahoo.com) (10.xxx.xxx.xxx)
  by m1.grp.bf1.yahoo.com with SMTP; 30 Mar 2014 12:06:13 -0000
Received: (qmail 20003 invoked from network); 30 Mar 2014 12:06:13 -0000
Received: from unknown (HELO cloud3.megabotix.com) (192.xxx.xxx.xxx)
  by mtaq4.grp.bf1.yahoo.com with SMTP; 30 Mar 2014 12:06:13 -0000
Received: from localhost (localhost [127.0.0.1])
	by cloud3.megabotix.com (Postfix) with ESMTP id 80C2470248;
	Sun, 30 Mar 2014 08:06:13 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at cloud3.megabotix.com
Received: from cloud3.megabotix.com ([127.0.0.1])
	by localhost (megabotix.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id Ku-7AeN_2r8H; Sun, 30 Mar 2014 08:06:12 -0400 (EDT)
Received: from megabotix.com (unknown [37.238.110.142])
	(Authenticated sender: [email protected])
	by cloud3.megabotix.com (Postfix) with ESMTPA id 0A50170247;
	Sun, 30 Mar 2014 08:06:10 -0400 (EDT)
From: "steve" <[email protected]>
To: "Braless Ladies unsubscribe" <[email protected]>,
	"clubclit unsubscribe" <[email protected]>
Subject: steve
Date: Sat, 30 Mar 2014 01:06:10 +0100
MIME-Version: 1.0
X-mailer: Microsoft Office Outlook, Build 11.0.5510
Reply-To: [email protected]
Content-type: multipart/alternative; boundary="----=_NextPart_000_B47E_24C0548D.7663BB37"
Message-Id: <[email protected]>
X-eGroups-Remote-IP: 192.xxx.xxx.xxx
X-eGroups-Remote-IP: 10.xxx.xxx.xxx

This is a multi-part message in MIME format.
------=_NextPart_000_B47E_24C0548D.7663BB37
Content-type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

http://radgeber-lindau.de/mjww/ejowbrvce.oto

------=_NextPart_000_B47E_24C0548D.7663BB37
Content-type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=EF=BB=BF<html><head><meta http-equiv=3D"content-type" content: text/html;=
 charset= =3DUTF-8></head><body>http://radgeber-lindau.de/mjww/ejowbrvce.oto</body></htm=
l>

------=_NextPart_000_B47E_24C0548D.7663BB37--

main.cf

Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = cloud3.megabotix.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost
relayhost =
mynetworks = 127.0.0.0/8, [::ffff:127.0.0.0]/104, [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
    proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf,
    hash:/var/lib/mailman/data/virtual-mailman
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
inet_protocols = all
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, check_policy_service inet:127.0.0.1:10023
# (the two restriction names below were misspelled in the posted file:
#  "permit_mynetworkds" and "dbl.spamhause.org"; corrected here)
#smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
#    reject_rbl_client zen.spamhaus.org, reject_rhsbl_client dbl.spamhaus.org,
#    reject_rhsbl_sender dbl.spamhaus.org, check_policy_service inet:127.0.0.1:10023
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unknown_client_hostname,
    check_client_access mysql:/etc/postfix/mysql-virtual_client.cf,
    reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
transport_maps = hash:/var/lib/mailman/data/transport-mailman,
    proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
    $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
    $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
    $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
smtpd_sender_restrictions = permit_sasl_authenticated, reject_unknown_sender_domain
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unknown_client_hostname,
    check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
message_size_limit = 0
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
    reject_unknown_helo_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
#policy-spf_time_limit = 3600s
strict_rfc821_envelopes = yes
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
queue_directory = /var/spool/postfix

master.cf

Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp     inet  n       -       -       -       1       postscreen
#smtpd    pass  -       -       -       -       -       smtpd
#dnsblog  unix  -       -       -       -       0       dnsblog
#tlsproxy unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=no
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       -       -       -       qmqpd
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
  flags=DROhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
policy    unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl

Thanks a ton.
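Read bottom-up, the Received chain in the post above shows the message entering cloud3.megabotix.com over a SASL-authenticated session (with ESMTPA, Authenticated sender) from a client with no reverse DNS, and its Date header disagrees with the server's own timestamp. The following added example (not from the original post) parses Postfix-style Received hops, pulls out that authenticated hop with the traits worth alerting on, and measures the Date skew; the sample headers are constructed from the post with the mailbox name replaced by a placeholder.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the headers posted above; the mailbox names
# are placeholders, so this is not a captured message.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
\tby cloud3.megabotix.com (Postfix) with ESMTP id 80C2470248;
\tSun, 30 Mar 2014 08:06:13 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at cloud3.megabotix.com
Received: from cloud3.megabotix.com ([127.0.0.1])
\tby localhost (megabotix.com [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id Ku-7AeN_2r8H; Sun, 30 Mar 2014 08:06:12 -0400 (EDT)
Received: from megabotix.com (unknown [37.238.110.142])
\t(Authenticated sender: account@example.invalid)
\tby cloud3.megabotix.com (Postfix) with ESMTPA id 0A50170247;
\tSun, 30 Mar 2014 08:06:10 -0400 (EDT)
From: "steve" <account@example.invalid>
Subject: steve
Date: Sat, 30 Mar 2014 01:06:10 +0100

constructed body
"""

# One hop as Postfix writes it: from HELO (rdns [ip]) [(Authenticated sender: x)] by HOST ... with PROTO
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"(?:\s+\(Authenticated sender:\s*(?P<auth>[^)]+)\))?"
    r".*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\S+)"
)

def parse_hops(raw):
    """Received hops in header order (newest first), as dicts of the HOP groups."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))   # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops

def flag_submission(raw, internal=("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")):
    """Locate the hop where a SASL-authenticated client handed the message in and
    record the traits that point at an abused account rather than a spoofed sender."""
    nets = [ip_network(n) for n in internal]
    for hop in parse_hops(raw):
        if hop["proto"] not in ("ESMTPA", "ESMTPSA"):   # authenticated (TLS or not)
            continue
        ip = ip_address(hop["ip"])
        return {
            "ip": str(ip),
            "account": hop["auth"],
            "external_client": not any(ip in n for n in nets),
            "no_reverse_dns": hop["rdns"] == "unknown",
        }
    return None

def date_skew_hours(raw):
    """Hours between the client's own Date: header and the server's stamp on the
    oldest Received hop; a large gap means the client's clock or header is bogus."""
    msg = message_from_string(raw)
    claimed = parsedate_to_datetime(msg["Date"])
    oldest = msg.get_all("Received")[-1]
    stamped = parsedate_to_datetime(oldest.rsplit(";", 1)[1].strip())
    return abs((stamped - claimed).total_seconds()) / 3600
```

On the sample the skew comes out at 12 hours, which is exactly the gap between the posted Date header and the ESMTPA Received stamp.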
You might want to add postgrey and postscreen into your mix. Decent postscreen with proper rbl works wonders. Also double check your main.cf file. Just glancing at it I am seeing two "smtpd_client_restrictions = " lines. smtpd_recipient_restrictions is commented out. Did you intend this? postgrey instructions: http://www.howtoforge.com/greylisting_postfix_postgrey It's a pretty simple setup but can be annoying if you are expecting mail from new locations. postscreen: http://www.postfix.org/POSTSCREEN_README.html A little trickier to set up. Still trying to balance it out myself. But I am really aggressive with my settings.
Nice, thank you! Postgrey is on, don't know if I have the best settings in there, also have fail2ban. I'm taking a look at postscreen and rbl now. I corrected the main.cf by commenting out one of the smtpd_client_restrictions, and un-commenting smtpd_recipient_restrictions. Thank you very much. I will report back shortly, with an update. This has been a real challenge for me, I can't wait to get this working solid.
Make sure you remove the rbls from your smtpd_client_restrictions. Don't need them in both. If it helps, below is my postscreen section from main.cf. As you can see my threshold is 2 and some of the sites I trust more jump spam right across it. Still trying to iron out the white list to reduce false positives. Good site to check if an IP is on a blacklist is http://whatismyipaddress.com/blacklist-check It also gives some info on how the blacklist works.

Code:
# Postscreen settings
# ---------------------------------
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_greet_action = enforce
postscreen_dnsbl_action = enforce
postscreen_blacklist_action = enforce
#postscreen_pipelining_enable = yes
postscreen_dnsbl_ttl = 1h
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    bl.mailspike.net*3
    rep.mailspike.net=127.0.0.[13;14]*1
    b.barracudacentral.org*2
    bl.spamcop.net
    bl.spameatingmonkey.net
    ix.dnsbl.manitu.net
    bl.blocklist.de
#   dnsbl.sorbs.net=127.0.0.[2;3;6;7;10]
    dnsbl.sorbs.net
    spam.dnsbl.sorbs.net*2
    dnsbl-2.uceprotect.net
    hostkarma.junkemailfilter.com=127.0.0.3
    hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
#   l1.apews.org*2
#   l2.apews.org*2
# Whitelist
#   list.dnswl.org=127.0.[0..255].0*-1
#   list.dnswl.org=127.0.[0..255].1*-2
    list.dnswl.org=127.0.[0..255].[2;3]*-1
    rep.mailspike.net=127.0.0.[17;18]*-1
    rep.mailspike.net=127.0.0.[19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-1

Here is some of my postscreen_access.cidr

Code:
# Postscreen rules
# Facebook Crap
66.220.144.128/27   permit
66.220.144.160/29   permit
66.220.144.168/29   permit
66.220.155.128/27   permit
66.220.155.160/29   permit
66.220.155.168/29   permit
# Outlook.com
65.52.0.0/14        permit
# Gmail
209.85.128.0/17     permit
# Spam
207.211.61.0/24     reject
69.175.0.0/17       reject
# Political crap
74.121.48.0/21      reject
208.73.4.0/22       reject

Hope that helps. And use at your own risk. I am still learning myself.
That's cool, I added it to my main.cf. I'm getting a ton of these now:

Code:
Transcript of session follows.

 Out: 220 cloud3.megabotix.com ESMTP Postfix (Ubuntu)
 In:  EHLO LanixPC
 Out: 250-cloud3.megabotix.com
 Out: 250-PIPELINING
 Out: 250-SIZE
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-AUTH PLAIN LOGIN
 Out: 250-AUTH=PLAIN LOGIN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  STARTTLS
 Out: 220 2.0.0 Ready to start TLS
 In:  EHLO megabotix.com
 Out: 250-cloud3.megabotix.com
 Out: 250-PIPELINING
 Out: 250-SIZE
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-AUTH PLAIN LOGIN
 Out: 250-AUTH=PLAIN LOGIN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  AUTH PLAIN AGFkYW1AbWVnYWJvdGl4LmNvbQBmYXJjaGluYQ==
 Out: 235 2.7.0 Authentication successful
 In:  MAIL FROM:<[email protected]>
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<[email protected]>
 Out: 451 4.3.5 Server configuration error
 In:  RCPT TO:<[email protected]>
 Out: 451 4.3.5 Server configuration error
 In:  RCPT TO:<[email protected]>
 Out: 451 4.3.5 Server configuration error
 In:  RCPT TO:<[email protected]>
 Out: 451 4.3.5 Server configuration error
 In:  RCPT TO:<[email protected]>
 Out: 451 4.3.5 Server configuration error
 In:  RCPT TO:<[email protected]>
 Out: 451 4.3.5 Server configuration error
 In:  RCPT TO:<[email protected]>
 Out: 451 4.3.5 Server configuration error
 In:  RCPT TO:<[email protected]>
 Out: 451 4.3.5 Server configuration error
 In:  RCPT TO:<[email protected]>
 Out: 451 4.3.5 Server configuration error
 In:  RCPT TO:<[email protected]>
 Out: 451 4.3.5 Server configuration error
 In:  MAIL FROM:<[email protected]>
 Out: 503 5.5.1 Error: nested MAIL command

Session aborted, reason: lost connection

For other details, see the local mail logfile

I've got them filtered to a side box. I looked up the code, and I'm not sure it's a bad thing yet. Thanks for your help.
You may want to set "postscreen_dnsbl_action = ignore" until you are sure you have it configured correctly. Same with postscreen_greet_action. See the section "Turning on postscreen(8) without blocking mail" from http://www.postfix.org/POSTSCREEN_README.html Make sure you set up master.cf also.
You want me to remove the reject_rbl_client from this code, right?

Code:
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unknown_client_hostname,
    check_client_access mysql:/etc/postfix/mysql-virtual_client.cf,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client b.barracudacentral.org
Yes remove both of them. You can migrate them to the postscreen section. I think I have b.barracudacentral.org already in my example above.
enforce --> ignore

Found the following, and I think I like the sound of enforce, but I went ahead and changed it to ignore for the greet_action and the dnsbl_action.

Code:
postscreen_greet_action (default: ignore)
    The action that postscreen(8) takes when a remote SMTP client speaks
    before its turn within the time specified with the postscreen_greet_wait
    parameter. Specify one of the following:

    ignore (default)
        Ignore the failure of this test. Allow other tests to complete.
        Repeat this test the next time the client connects. This option is
        useful for testing and collecting statistics without blocking mail.
    enforce
        Allow other tests to complete. Reject attempts to deliver mail with
        a 550 SMTP reply, and log the helo/sender/recipient information.
        Repeat this test the next time the client connects.
    drop
        Drop the connection immediately with a 521 SMTP reply. Repeat this
        test the next time the client connects.

    In either case, postscreen(8) will not whitelist the remote SMTP client
    IP address.

    This feature is available in Postfix 2.8.
Once you are done testing set both back to enforce. This is just so you don't bounce any mail during testing. Just look at your mail.log and you will see entries from postscreen.
Whoa! What the heck is this?

Code:
Mar 30 19:35:00 cloud3 postfix/postscreen[1637]: CONNECT from [202.68.85.62]:16947 to [xxx.xxx.xxx.xxx]:25
Mar 30 19:35:00 cloud3 postfix/postscreen[1637]: PASS OLD [202.68.85.62]:16947
Mar 30 19:35:01 cloud3 postfix/smtpd[1643]: connect from remote.realsure.co.nz[202.68.85.62]
Mar 30 19:35:01 cloud3 postfix/postscreen[1637]: CONNECT from [127.0.0.1]:39234 to [127.0.0.1]:25
Mar 30 19:35:01 cloud3 postfix/postscreen[1637]: WHITELISTED [127.0.0.1]:39234

or this?

Mar 30 21:54:25 cloud3 amavis[6221]: (06221-17) Passed CLEAN {RelayedOpenRelay}

I don't want to be an open relay.
This looks promising. Mar 30 21:58:10 cloud3 postfix/postscreen[5828]: DNSBL rank 6 for [180.235.186.199]:1377
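How postscreen arrives at a number like "DNSBL rank 6": every entry in postscreen_dnsbl_sites (the list posted earlier in this thread) adds its weight when the DNSBL's answer matches that entry's filter, and the sum is compared with postscreen_dnsbl_threshold. The following is an added example, not from the thread or from Postfix itself: it parses that entry syntax and scores constructed lookup results according to the rule described in POSTSCREEN_README (each matching entry counts once, negative weights included); it performs no DNS queries.

```python
import re

# Constructed from the postscreen_dnsbl_sites value posted earlier in this
# thread, with the author's commented-out lines left out.
DNSBL_SITES = """
zen.spamhaus.org*3 bl.mailspike.net*3 rep.mailspike.net=127.0.0.[13;14]*1
b.barracudacentral.org*2 bl.spamcop.net bl.spameatingmonkey.net
ix.dnsbl.manitu.net bl.blocklist.de dnsbl.sorbs.net spam.dnsbl.sorbs.net*2
dnsbl-2.uceprotect.net hostkarma.junkemailfilter.com=127.0.0.3
hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
list.dnswl.org=127.0.[0..255].[2;3]*-1
rep.mailspike.net=127.0.0.[17;18]*-1 rep.mailspike.net=127.0.0.[19;20]*-2
hostkarma.junkemailfilter.com=127.0.0.1*-1
"""

def _octet_set(spec):
    """Allowed values for one octet pattern: "7", "[2;4]" or "[0..255]"."""
    if not spec.startswith("["):
        return {int(spec)}
    allowed = set()
    for part in spec[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed

def parse_sites(value):
    """Parse postscreen_dnsbl_sites tokens into (domain, filter, weight).
    filter is None when the entry matches any A record the DNSBL returns."""
    entries = []
    for token in value.split():
        domain, _, rest = token.partition("=")
        if rest:                                  # domain=d.d.d.d[*weight]
            pattern, _, w = rest.partition("*")
            filt = [_octet_set(o) for o in re.findall(r"\[[^\]]*\]|\d+", pattern)]
        else:                                     # domain[*weight]
            domain, _, w = domain.partition("*")
            filt = None
        entries.append((domain, filt, int(w) if w else 1))
    return entries

def _matches(filt, answer):
    octets = [int(o) for o in answer.split(".")]
    return filt is None or all(o in allowed for o, allowed in zip(octets, filt))

def dnsbl_rank(entries, answers):
    """answers maps DNSBL domain -> list of A records returned for the client.
    Models postscreen's scoring (assumed from POSTSCREEN_README, not its code):
    every entry whose filter matches a record from its domain adds its weight once."""
    return sum(weight for domain, filt, weight in entries
               if any(_matches(filt, a) for a in answers.get(domain, [])))

def postscreen_verdict(entries, answers, threshold=2):
    """Apply postscreen_dnsbl_threshold the way the posted main.cf sets it (2)."""
    rank = dnsbl_rank(entries, answers)
    return rank, ("reject" if rank >= threshold else "pass")
```

A client listed on zen (weight 3), barracuda (2) and spamcop (1) scores exactly the rank 6 seen in the log line above, while a dnswl-listed sender with one stray listing nets out at 0 and passes.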
The first section is normal: postscreen has already seen that address and passed it. Temporary white list. The second section kind of worries me. Might help if I saw more of the logs around that entry. Mine always shows "Passed CLEAN {RelayedInbound}". The one thing that comes to mind is make sure your end users are sending mail via port 587 so postscreen doesn't look at them. Go to http://www.mailradar.com/openrelay/ and enter your IP; it does several open relay tests.
Nice! All tests completed! No relays accepted by remote host! I will keep monitoring the logs. Glancing at some of the other posts, I wonder if I have my amavis set up correctly. Regards, Adam
Just wanted to say thank you! e-mail server status is TOO TIGHT! Had some clients getting rejected from sorbs, so I #'d it. I'm really excited to say though, my undelivered folder looks to have stabilized. Just out of curiosity, what kind of fail2ban settings are you using? No worries, not trying to give you another errand, but you REALLY HELPED me! Thanks a ton! This looks to be stemming the tide of spam.
This is something you definitely have to tweak. I just added the spam.dnsbl.sorbs.net*2 since the two apews.org keep timing out. They had a lot of false positives but the threshold seems to compensate nicely. Without them I started to see more spam so I added the spam.dnsbl.sorbs.net; a lot of them showed up on that list. I have seen conflicting reports that this list is part of dnsbl.sorbs.net. You could try removing the "*2" or change the postscreen_dnsbl_threshold to 3 or 4. Since this is my personal email server I am able to get away with things like reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_pipelining, check_policy_service unix:private/policy-spf, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_address, reject_unknown_client_hostname, all as part of my spam blocking. Much more work; you would be surprised how many companies don't set up helo and reverse DNS or even SPF records correctly. Have to have a whitelist for them. As far as fail2ban goes I basically just turned on the sections that I needed (ssh, dovecot etc.). But pretty much the default Ubuntu 13.10 config.