Postfwd configuration

Discussion in 'Installation/Configuration' started by francoisPE, Apr 6, 2021.

  1. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Hello
    I have ISPConfig 3.2 with perfect server ubuntu 20.04
    I try to set limits to my postfix with postfwd.
    I try to limit the number of mails and the size of mails. Also, I set up postfwd-anti-geoip-spam-plugin as per https://www.howtoforge.com/tutorial/blocking-of-international-spam-botnets-postfix-plugin/ (modified to take into account updates)
    It seems it doesn't work: I send an oversized mail, and I have no data in my plugin database when I send mails...

    First, the plugin compatibility note says postfwd3. https://github.com/Vnet-as/postfwd-anti-geoip-spam-plugin
    But I don't see how to install and/or launch postfwd3...
    Even so, it should work for the size limitations...

    In /etc/postfix/postfwd.cf:
    Code:
    # RATE01: each authenticated sender may send at most 100 messages per hour (3600 s window)
    id=RATE01; sasl_username=~^(.+)$ ; action=rate(sasl_username/100/3600/REJECT  $$sasl_username - Désolé, limite dépassée : 100 emails par heure)
    # RCPT01: each authenticated sender may address at most 100 recipients per hour
    id=RCPT01 ; sasl_username=~^(.+)$ ; action=rcpt(sasl_username/100/3600/REJECT $$sasl_username - Désolé, 100 destinataires maxi par heure)
    # SIZE01: each authenticated sender may send at most 20 MiB (20971520 bytes) of mail per hour
    id=SIZE01 ; sasl_username=~^(.+)$ ; action=size(sasl_username/20971520/3600/REJECT $$sasl_username - Désolé, maximum 20 Mo par heure)
    # Anti spam botnet rules (postfwd-anti-geoip-spam-plugin):
    #   The account identified by sasl_username may log in from at most 5 different countries
    #   or 20 different IP addresses; beyond that it is blocked from sending messages.
    id=BAN_BOTNET_COUNTRY ;
       sasl_username=~^(.+)$ ;
       client_uniq_country_login_count > 5 ;
       action=rate(sasl_username/1/3600/554 Votre email ($$sasl_username) semble avoir été attaqué. Changez votre mot de passe lors de votre prochaine connexion.) ;
    id=BAN_BOTNET_IP ;
       sasl_username=~^(.+)$ ;
       client_uniq_ip_login_count > 20 ;
       action=rate(sasl_username/1/3600/554 Votre email ($$sasl_username) semble avoir été attaqué. Changez votre mot de passe lors de votre prochaine connexion.) ;
    
    In /etc/postfix/main.cf:
    Code:
    smtpd_recipient_restrictions... , check_policy_service inet:127.0.0.1:10040 (at the very end)
    smtpd_data_restrictions... , check_policy_service inet:127.0.0.1:10040 (at the very end - after 'permit')
    
    I saw on https://serverfault.com/questions/502910/postfwd-not-rate-limiting-sasl-users that there is a logic to the 'main.cf' rules.
    But I don't find any documentation except on that site.
    I didn't understand how to build the smtpd_recipient_restrictions and smtpd_data_restrictions directives...

    My log:
    syslog.1:Apr 5 23:55:25 ns1 postfwd2/cache[2207556]: 2021/04/05-23:55:24 Server closing!
    syslog.1:Apr 5 23:55:25 ns1 postfwd2/policy[2207557]: 2021/04/05-23:55:24 Server closing!
    syslog.1:Apr 5 23:55:25 ns1 postfwd2/master[2207555]: warning: Use of uninitialized value $send in scalar chomp at /usr/sbin/postfwd line 367.?
    syslog.1:Apr 5 23:55:25 ns1 postfwd2/master[2207555]: warning: can not open socket to 127.0.0.1:10040: 'Connection refused' 'IO::Socket::INET: connect: Connection refused'?
    syslog.1:Apr 5 23:55:25 ns1 postfwd2/master[2207555]: postfwd2 1.35 terminating...
    syslog.1:Apr 5 23:55:25 ns1 systemd[1]: postfwd.service: Succeeded.
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/master[2786743]: postfwd2 1.35 starting
    syslog.1:Apr 5 23:55:26 ns1 postfwd[2786743]: Pid_file "/var/run/postfwd.pid" already exists. Overwriting!
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/master[2786754]: Started cache at pid 2786755
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/master[2786755]: 2021/04/05-23:55:26 postfwd2::cache (type Net::Server::Multiplex) starting! pid(2786755)
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/master[2786754]: Started server at pid 2786756
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/master[2786755]: Binding to UNIX socket file "/var/tmp/postfwd2-cache.socket"
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/cache[2786755]: ready for input
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/master[2786756]: 2021/04/05-23:55:26 postfwd2::server (type Net::Server::preFork) starting! pid(2786756)
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/master[2786756]: Binding to TCP port 10040 on host 127.0.0.1 with IPv4
    syslog.1:Apr 5 23:55:26 ns1 postfwd2/policy[2786756]: warning: Subroutine inet_aton redefined at /usr/lib/x86_64-linux-gnu/perl5/5.30/NetAddr/IP/InetBase.pm line 206.?
    syslog.1:Apr 5 23:55:27 ns1 postfwd2/policy[2786756]: [PLUGIN] Loaded plugins file: /etc/postfix/postfwd-anti-spam.plugin items: "client_uniq_country_login_c...

    Many thanks
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    What do you have for smtpd_recipient_restrictions? Nothing will go to postfwd if it has been permitted by an earlier directive, so your smtpd_data_restrictions change means postfwd will never be used at that point; that's actually ok, as it should use smtpd_end_of_data_restrictions anyways.
     
  3. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Before modification, my main.cf contained
    Code:
    smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix: private/quota-status
    smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
    
    If I understood correctly,
    - As I have "permit" twice (bold text), I need my 'check_policy_service inet:127.0.0.1:10040' to be before them.
    - I also need 'reject_unauth_destination' (underlined) to be before 'check_policy_service inet:127.0.0.1:10040'.
    So I'm going to try:
    Code:
    smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_non_fqdn_recipient, reject_unauth_destination, check_policy_service inet:127.0.0.1:10040, permit_sasl_authenticated, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix: private/quota-status
    smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, check_policy_service inet:127.0.0.1:10040, permit
    
    As a remark, I don't have 'smtpd_end_of_data_restrictions' in my main.cf... is that correct?
     
    Last edited: Apr 7, 2021
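    Postfix evaluates a restriction list left to right and stops at the first restriction that returns PERMIT or REJECT, which is the point made in post 2 and applied by hand in post 3. The script below is an added example, not code from this thread, from Postfix or from postfwd: it parses `smtpd_*_restrictions` lines from main.cf and reports whether a `check_policy_service` entry can ever be reached, treating a bare `permit` as terminal for everyone and `permit_sasl_authenticated` as terminal for the authenticated senders that `sasl_username`-based rules target. The `BEFORE` and `AFTER` samples are constructed from the lines posted above (with the postfwd service appended at the very end in `BEFORE`, as post 1 describes); the service address is the thread's 127.0.0.1:10040.

```python
"""Check whether Postfix will ever reach a check_policy_service entry.

Added example for this thread; it is not code from the thread, from Postfix
or from postfwd. Postfix evaluates a restriction list left to right and stops
at the first restriction that returns PERMIT or REJECT, so a policy service
listed after a bare "permit" is dead, and one listed after
"permit_sasl_authenticated" is never consulted for authenticated senders,
which are exactly the clients that sasl_username-based postfwd rules target.
permit_mynetworks also permits, but only clients inside $mynetworks, so it
is not flagged here.
"""
import re

POSTFWD = "inet:127.0.0.1:10040"

# Constructed from the main.cf lines posted in the thread: the original
# order, with the postfwd service appended at the very end of each list.
BEFORE = """
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix: private/quota-status, check_policy_service inet:127.0.0.1:10040
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit, check_policy_service inet:127.0.0.1:10040
"""

# The reordered lists from the thread plus the end-of-data hook.
AFTER = """
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_non_fqdn_recipient, reject_unauth_destination, check_policy_service inet:127.0.0.1:10040, permit_sasl_authenticated, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix: private/quota-status
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, check_policy_service inet:127.0.0.1:10040, permit
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10040
"""


def parse_restrictions(main_cf_text):
    """Map each smtpd_*_restrictions parameter to its list of restrictions."""
    lists = {}
    for line in main_cf_text.splitlines():
        m = re.match(r"\s*(smtpd_\w*restrictions)\s*=\s*(.*)$", line)
        if not m:
            continue
        # Multi-word entries ("check_recipient_access proxy:mysql:/...")
        # keep their argument, so split on commas only and squeeze spaces.
        items = [" ".join(i.split()) for i in m.group(2).split(",")]
        lists[m.group(1)] = [i for i in items if i]
    return lists


def policy_service_reachable(items, service=POSTFWD, authenticated=True):
    """Return (reachable, blocker) for the check_policy_service entry.

    authenticated=True evaluates the list for a SASL-authenticated client,
    so permit_sasl_authenticated counts as a terminal PERMIT.
    """
    for item in items:
        if item == f"check_policy_service {service}":
            return True, None
        if item == "permit":
            return False, item
        if authenticated and item == "permit_sasl_authenticated":
            return False, item
    return False, "not listed"


def audit(main_cf_text, service=POSTFWD):
    """Run the check over every smtpd_*_restrictions parameter found."""
    return {param: policy_service_reachable(items, service)
            for param, items in parse_restrictions(main_cf_text).items()}


if __name__ == "__main__":
    for label, cf in (("before", BEFORE), ("after", AFTER)):
        for param, (ok, blocker) in audit(cf).items():
            state = "reached" if ok else "never reached, blocked by " + blocker
            print(f"{label:6} {param}: {state}")
```

Run it against your own main.cf with `audit(open("/etc/postfix/main.cf").read())`; a `(False, "permit_sasl_authenticated")` result for `smtpd_recipient_restrictions` means the rate and recipient rules above are skipped for exactly the users they are meant to limit.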
  4. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I tried a 60Mb attachment...
    My log shows:
    Apr 7 20:40:29 ns1 postfix/proxymap[3469476]: warning: request for unapproved table: "mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf"
    Apr 7 20:40:29 ns1 postfix/proxymap[3469476]: warning: to approve this table for read-only access, list proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf in main.cf: proxy_read_maps
    Apr 7 20:40:29 ns1 postfix/trivial-rewrite[3470431]: fatal: proxymap service is not configured for table "mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf"

    I killed something, but I don't know what!
     
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    My guess is you have an outdated conf-custom template that doesn't have proxy_read_maps. Unless you have other changes to preserve, try updating to 3.2.4, allow it to rename your custom templates (or do so manually), then set:
    Code:
    smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10040
    If that works for you, take the next step of tweaking smtpd_recipient_restrictions (which is more efficient when it can work, but not strictly necessary).
     
  6. francoisPE

    francoisPE Active Member HowtoForge Supporter

    With the ISPC update and
    Code:
    echo "smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10040" >> /etc/postfix/main.cf
    
    my postfix is back to life. It seems it works: 60Mb mail rejected!
    I'll check the other limitations...

    This restriction is much better because an ispconfig update doesn't kill it...
    Thanks a lot :):):)
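    Checking the remaining limits without sending real mail: the script below is an added example, not code from this thread, from Postfix or from postfwd. It speaks the Postfix policy protocol directly to the postfwd listener from the thread (127.0.0.1:10040) by building the "name=value" request Postfix sends, reading the "action=" reply, and replaying a few END-OF-MESSAGE requests for one SASL user so that a cumulative size() rule such as SIZE01 can be watched crossing its limit. The user name, addresses and client IP are constructed sample values.

```python
"""Exercise a Postfix policy daemon (postfwd on 127.0.0.1:10040) directly.

Added example for this thread; not code from the thread, Postfix or postfwd.
Postfix talks to a check_policy_service target with a plain text protocol:
"name=value" lines terminated by an empty line, answered by "action=..." and
an empty line. Replaying END-OF-MESSAGE requests for one SASL user shows a
cumulative size() rule such as SIZE01 fire without sending real mail.
"""
import socket


def build_policy_request(attrs):
    """Encode a policy request as Postfix sends it."""
    lines = []
    for name, value in attrs.items():
        value = str(value)
        if "=" in name or "\n" in name or "\n" in value:
            raise ValueError(f"illegal character in attribute {name!r}")
        lines.append(f"{name}={value}")
    return ("\n".join(lines) + "\n\n").encode()


def parse_policy_reply(raw):
    """Return the action text ('DUNNO', '554 ...', 'REJECT ...') from a reply."""
    for line in raw.decode(errors="replace").split("\n"):
        if line.startswith("action="):
            return line[len("action="):].strip()
    raise ValueError(f"no action= line in reply: {raw!r}")


def end_of_message_request(sasl_username, size, instance="0",
                           client_address="203.0.113.10"):
    """Constructed sample of the attributes Postfix sends at END-OF-MESSAGE.

    Only at this stage does the size attribute carry the real message size;
    at RCPT it is whatever the client announced with MAIL FROM SIZE=, if
    anything, which is why a size() rule belongs in
    smtpd_end_of_data_restrictions.
    """
    return {
        "request": "smtpd_access_policy",
        "protocol_state": "END-OF-MESSAGE",
        "protocol_name": "ESMTP",
        "client_address": client_address,
        "client_name": "client.example.invalid",
        "instance": instance,
        "sender": sasl_username,
        "recipient": "someone@example.net",
        "recipient_count": "1",
        "sasl_method": "PLAIN",
        "sasl_username": sasl_username,
        "size": str(size),
    }


def query_policy(attrs, host="127.0.0.1", port=10040, timeout=5.0):
    """Send one request to the daemon and return its action."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_policy_request(attrs))
        reply = b""
        while not reply.endswith(b"\n\n"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    return parse_policy_reply(reply)


def replay_size_rule(sasl_username, message_size, count, **conn):
    """Submit `count` messages of `message_size` bytes and collect the actions."""
    return [query_policy(end_of_message_request(sasl_username, message_size,
                                                instance=f"test.{i}"), **conn)
            for i in range(count)]


if __name__ == "__main__":
    # Two 15 MiB messages exceed a 20 MiB-per-hour size() rule: expect
    # DUNNO for the first and the rule's REJECT text for the second.
    print(replay_size_rule("user@example.net", 15 * 1024 * 1024, 2))
```

Because the counters live in postfwd's cache, every replayed request counts against the real user for the rule's time window, so use a test account. The same `query_policy` call with `protocol_state` set to RCPT and a `recipient_count` lets RATE01 and RCPT01 be checked the same way.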
     
