The Foz
December 17th, 2007, 07:00 AM
My postfix email server is being attacked by spammers trying to relay vast quantities of spam.
I thought my postfix setup was pretty secure, but apparently not. I have had to shut down postfix.
In a 24-hour period close to 4GB of mail logs (mail.log & mail.info) were generated.
I tightened up the security settings, to the point where I can no longer send email myself, but the spammer(s) keep getting in. The spamming seems to be intelligent: the nature of the traffic seems to adapt after a few seconds to any changes that I make to security settings. I am finding hundreds of emails arriving in /var/spool/postfix/active every minute. It looks like these are not just failure notifications being sent back to the supposed source (the majority of attempts are being rejected), but also real outbound spam emails waiting to be sent.
I need my email server to:
Receive emails for holders of local domain accounts
Allow holders of local accounts to send emails (including from remote clients like Outlook)
Not act as an open relay
I am using SASL2 for authentication.
This is my (anonymised) postfix main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
myhostname = mail.mydomainname.com
mydomain = mydomainname.com
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 4h
unknown_local_recipient_reject_code = 450
# how long to keep message on queue before return as failed.
maximal_queue_lifetime = 30d
# max and min time in seconds between retries if connection failed
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
# how long to wait when servers connect before receiving rest of data
smtp_helo_timeout = 60s
# how many address can be used in one message.
# effective stopper to mass spammers, accidental copy in whole address list
# but may restrict intentional mail shots.
# smtpd_recipient_limit = 16
# how many error before back off.
# smtpd_soft_error_limit = 3
# how many max errors before blocking it.
# smtpd_hard_error_limit = 12
# TLS parameters
# smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
# smtpd_use_tls=yes
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/postfix.cert
smtpd_tls_key_file = /etc/postfix/postfix.key
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
# myhostname = df-server1
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
# this specifies where the virtual mailbox folders will be located
virtual_mailbox_base = /var/spool/mail/virtual
# this is for the mailbox location for each user
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
# and their user id
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf
# and group id
virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
# and this is for aliases
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
# and this is for domain lookups
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
# this is how to connect to the domains (all virtual, but the option is there)
# not used yet
# transport_maps = mysql:/etc/postfix/mysql_transport.cf
myorigin = /etc/mailname
mydestination = $myhostname, df-server1, localhost.$mydomain
relay_domains = billing-components.com, gmx.net, plus.cablesurf.de
relayhost =
#mynetworks = 127.0.0.0/8, 192.168.0.0/24, 194.105.97.206/32, 88.217.0.0/16, 0.0.0.0/0
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mynetworks_style = host
#masquerade_domains = mydomainname.com
# Requirements for the HELO statement
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
#smtpd_helo_restrictions = permit
# Requirements for the sender details
#smtpd_sender_restrictions = permit
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, reject_sender_login_mismatch, permit
# Requirements for the connecting server
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client relays.ordb.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org, reject_sender_login_mismatch
#smtpd_client_restrictions = permit
# Requirement for the recipient address
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
#smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unauth_destination
# check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit
# require proper helo at connections
smtpd_helo_required = yes
# waste spammers time before rejecting them
smtpd_delay_reject = yes
disable_vrfy_command = yes
# then add these
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
broken_sasl_auth_clients = yes
smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
# smtpd_sasl_path = smtpd
smtpd_sasl_application_name = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
Can someone help, please?
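An added example, not part of the post above and not Postfix's own tooling: a small Python audit of the relay-related settings in a main.cf, run here over a trimmed, constructed copy of the poster's restriction lists. The finding texts and the rule that relay_domains should only list domains this host is an authorised backup MX for are this example's assumptions.

```python
import re

# Constructed sample: a trimmed copy of the poster's main.cf, not the full file.
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
mynetworks = 127.0.0.0/8
relay_domains = billing-components.com, gmx.net, plus.cablesurf.de
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    reject_unauth_destination, permit
"""


def parse_main_cf(text):
    """Parse 'key = value' lines; an indented line continues the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key is not None:
            params[key] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[\s,]+", value) if item]


def audit_relay(params):
    """Return findings as strings; an empty list means no relay issue detected."""
    findings = []
    # Postfix 2.10+ also evaluates smtpd_relay_restrictions, so merge both lists.
    restr = split_list(params.get("smtpd_recipient_restrictions", "")) + \
        split_list(params.get("smtpd_relay_restrictions", ""))
    if "reject_unauth_destination" not in restr:
        findings.append("no reject_unauth_destination: relays for any client")
    if params.get("smtpd_sasl_auth_enable") == "yes" and "permit_sasl_authenticated" not in restr:
        findings.append("permit_sasl_authenticated missing: SASL users cannot send to remote domains")
    elif "permit_sasl_authenticated" in restr and "reject_unauth_destination" in restr and \
            restr.index("permit_sasl_authenticated") > restr.index("reject_unauth_destination"):
        findings.append("permit_sasl_authenticated comes after reject_unauth_destination: never reached")
    if "0.0.0.0/0" in split_list(params.get("mynetworks", "")):
        findings.append("mynetworks includes 0.0.0.0/0: every client is trusted to relay")
    for domain in split_list(params.get("relay_domains", "")):
        # reject_unauth_destination lets any client send to relay_domains (assumed
        # rule: only domains this host is an authorised backup MX for belong here).
        findings.append(f"relay_domains: unauthenticated clients may relay to {domain}")
    return findings
```

Run it as `python3 audit.py` after adding a loop that prints `audit_relay(parse_main_cf(open('/etc/postfix/main.cf').read()))`; on the sample it reports the missing permit_sasl_authenticated and one line per relay domain.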