If you don't already have a smtpd_sender_restrictions section in your main.cf file, it can go just about anywhere.
Are you using some kind of address verification?
Forum DOs and DON'Ts
Please use CODE tags
Including your email address in a post is not recommended
My Blog
Here is my current main.cf
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = mail.truckstop24.no
mydomain = truckstop24.no
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $mydomain, $myhostname
myorigin = $mydomain
mynetworks = 0.0.0.0/0 [::/0]
relayhost = smtp.nenett.no
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_non_fqdn_hostname
    reject_invalid_hostname
    check_helo_access pcre:/etc/postfix/helo_checks
    check_sender_mx_access cidr:/etc/postfix/bogus_mx
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client dnsbl-1.uceprotect.net
    permit
smtpd_recipient_restrictions = reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client bl.spamcop.net
    permit
Last edited by lisati; November 17th, 2012 at 12:19 AM. Reason: Code tags preserve formatting better than quote tags
OK. You already had a "smtpd_recipient_restrictions" entry. Postfix only uses one. You can probably safely remove the bit you added from my previous post. What I'd suggest for the line you already had is to add commas "," between the individual restrictions you have listed, so that it looks something like this:
Code:
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    check_helo_access pcre:/etc/postfix/helo_checks,
    check_sender_mx_access cidr:/etc/postfix/bogus_mx,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl-1.uceprotect.net,
    permit
Last edited by lisati; November 17th, 2012 at 12:26 AM. Reason: gave example
Thanks, fixed that now. But to prevent others from using my mail server to spam, is there something I can do in iptables?
Last edited by AvengerX9; November 17th, 2012 at 12:53 AM.
Do you have any more recent logs of this spam being sent through your server?
It's certainly not acting as an open relay right now.
You might want to consider enforcing SMTP Auth and TLS. Your conf file suggests you have TLS configured already. SMTP Auth would require all users wanting to send via your server to authenticate.
I'm not really familiar with postfix so I'll just point at a googled how to: http://postfix.state-of-mind.de/patr...tter/smtpauth/
Thanks. I will check that out.
Here is the most recent mail.log
Nov 17 02:36:58 roger-G31T-M7 postfix/cleanup[14379]: 15FF2143E3D: message-id=<20121117013658.15FF2143E3D@mail.truckstop24.no >
Nov 17 02:36:58 roger-G31T-M7 postfix/bounce[14384]: 9AC61143D8B: sender non-delivery notification: 15FF2143E3D
Nov 17 02:36:58 roger-G31T-M7 postfix/qmgr[9049]: 15FF2143E3D: from=<>, size=2458, nrcpt=1 (queue active)
Nov 17 02:36:58 roger-G31T-M7 postfix/qmgr[9049]: 9AC61143D8B: removed
Nov 17 02:36:58 roger-G31T-M7 postfix/smtp[14383]: 15FF2143E3D: to=<test@testie.com>, relay=smtp.nenett.no[81.167.36.150]:25, delay=0.18, delays=0.06/0/0.04/0.08, dsn=5.7.1, status=bounced (host smtp.nenett.no[81.167.36.150] said: 554 5.7.1 <test@testie.com>: Recipient address rejected: Policy Rejection- This ip has been blacklisted. Contact your service provider if you have questions. (in reply to RCPT TO command))
Nov 17 02:36:58 roger-G31T-M7 postfix/qmgr[9049]: 15FF2143E3D: removed
Nov 17 02:37:01 roger-G31T-M7 postfix/smtpd[14370]: disconnect from 87-194-210-230.bethere.co.uk[87.194.210.230]
Nov 17 02:40:53 roger-G31T-M7 postfix/smtpd[14481]: error: unsupported dictionary type: pcre
Nov 17 02:40:53 roger-G31T-M7 postfix/smtpd[14481]: error: open /etc/postfix/bogus_mx: No such file or directory
Nov 17 02:40:53 roger-G31T-M7 postfix/smtpd[14481]: connect from 87-194-210-230.bethere.co.uk[87.194.210.230]
Nov 17 02:41:38 roger-G31T-M7 postfix/smtpd[14481]: A7465140831: client=87-194-210-230.bethere.co.uk[87.194.210.230]
Nov 17 02:41:52 roger-G31T-M7 postfix/cleanup[14487]: A7465140831: message-id=<>
Nov 17 02:41:52 roger-G31T-M7 postfix/qmgr[9049]: A7465140831: from=<me@truckstop24.no>, size=244, nrcpt=1 (queue active)
Nov 17 02:41:53 roger-G31T-M7 postfix/smtp[14490]: A7465140831: to=<bzgigley@sharklasers.com>, relay=smtp.nenett.no[81.167.36.150]:25, delay=30, delays=30/0/0.05/0.08, dsn=5.7.1, status=bounced (host smtp.nenett.no[81.167.36.150] said: 554 5.7.1 <bzgigley@sharklasers.com>: Recipient address rejected: Policy Rejection- This ip has been blacklisted. Contact your service provider if you have questions. (in reply to RCPT TO command))
Nov 17 02:41:53 roger-G31T-M7 postfix/cleanup[14487]: 15535143E3D: message-id=<20121117014153.15535143E3D@mail.truckstop24.no >
Nov 17 02:41:53 roger-G31T-M7 postfix/bounce[14491]: A7465140831: sender non-delivery notification: 15535143E3D
Nov 17 02:41:53 roger-G31T-M7 postfix/qmgr[9049]: 15535143E3D: from=<>, size=2470, nrcpt=1 (queue active)
Nov 17 02:41:53 roger-G31T-M7 postfix/qmgr[9049]: A7465140831: removed
Nov 17 02:41:53 roger-G31T-M7 postfix/local[14492]: 15535143E3D: to=<me@truckstop24.no>, relay=local, delay=0.12, delays=0.05/0.02/0/0.05, dsn=5.1.1, status=bounced (unknown user: "me")
Nov 17 02:41:53 roger-G31T-M7 postfix/qmgr[9049]: 15535143E3D: removed
Nov 17 02:42:00 roger-G31T-M7 postfix/smtpd[14481]: disconnect from 87-194-210-230.bethere.co.uk[87.194.210.230]
Nov 17 07:45:47 roger-G31T-M7 postfix/pickup[16996]: 7FEC4143E40: uid=0 from=<root>
Nov 17 07:45:47 roger-G31T-M7 postfix/cleanup[17609]: 7FEC4143E40: message-id=<20121117064547.7FEC4143E40@mail.truckstop24.no >
Nov 17 07:45:47 roger-G31T-M7 postfix/qmgr[9049]: 7FEC4143E40: from=<root@truckstop24.no>, size=490, nrcpt=1 (queue active)
Nov 17 07:45:47 roger-G31T-M7 postfix/local[17611]: 7FEC4143E40: to=<Roger@truckstop24.no>, orig_to=<root>, relay=local, delay=0.35, delays=0.22/0.01/0/0.12, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Nov 17 07:45:47 roger-G31T-M7 postfix/qmgr[9049]: 7FEC4143E40: removed
Nov 17 08:16:11 roger-G31T-M7 postfix/postfix-script[17984]: warning: not owned by postfix: /var/lib/postfix/./verify_cache
That's interesting - those are the logs from the couple of tests I did to see if your server would relay (hope you don't mind!).
The bad thing there is that your server accepted the mail and attempted to relay it - even though it doesn't know who I am. It was your ISP's mail relay that actually blocked it based on the recipient being @sharklasers.com which is a domain used for throwaway email addresses at guerrillamail.com - so no surprise that is in a blacklist somewhere.
I'm more used to exim than postfix, however from here http://www.postfix.org/SMTPD_ACCESS_README.html this config section looks like it should be what is required:
Code:
# Relay control (Postfix 2.10 and later): local clients and
# authenticated clients may specify any destination domain.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
That will allow anyone in your $mynetworks range and anyone who authenticates to use your server to send mail to any destination.
It will also allow any mail for @truckstop24.no addresses to be accepted from anywhere.
One thing that concerns me is that you have $mynetworks set as:
Code:
mynetworks = 0.0.0.0/0 [::/0]
That looks to me to be a wildcard setting allowing any IP to send. I think you need to tighten that control up. See here:
http://www.postfix.org/postconf.5.html#mynetworks
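The relay test described in the post above can be found in mail.log by joining the smtpd `client=` line to the later smtp delivery line on the queue ID. This is an added example, not part of the original thread: the function name, the trusted network list and the local domain set are assumptions supplied by the operator (they describe who should be trusted, not what main.cf currently says), and the sample lines are trimmed copies of the log posted above.

```python
import ipaddress
import re

# Sample input: lines from the mail.log posted in the thread, trimmed.
SAMPLE_LOG = """\
Nov 17 02:36:58 roger-G31T-M7 postfix/smtp[14383]: 15FF2143E3D: to=<test@testie.com>, relay=smtp.nenett.no[81.167.36.150]:25, delay=0.18, dsn=5.7.1, status=bounced
Nov 17 02:41:38 roger-G31T-M7 postfix/smtpd[14481]: A7465140831: client=87-194-210-230.bethere.co.uk[87.194.210.230]
Nov 17 02:41:53 roger-G31T-M7 postfix/smtp[14490]: A7465140831: to=<bzgigley@sharklasers.com>, relay=smtp.nenett.no[81.167.36.150]:25, delay=30, dsn=5.7.1, status=bounced
Nov 17 07:45:47 roger-G31T-M7 postfix/pickup[16996]: 7FEC4143E40: uid=0 from=<root>
Nov 17 07:45:47 roger-G31T-M7 postfix/local[17611]: 7FEC4143E40: to=<Roger@truckstop24.no>, orig_to=<root>, relay=local, delay=0.35, dsn=2.0.0, status=sent
"""

# Short (hexadecimal) queue IDs only; long queue IDs are not handled here.
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")
CLIENT = re.compile(r"client=\S*\[([0-9a-fA-F.:]+)\]")
RCPT = re.compile(r"to=<[^>]*@([^>]+)>, .*?relay=([^,\s]+)")

def find_relayed(log, trusted, local_domains):
    """Return (queue_id, client_ip, rcpt_domain, next_hop) for mail accepted from
    an unauthenticated client outside `trusted` and sent on to a non-local domain."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted]
    clients, hits = {}, []
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd":
            c = CLIENT.match(rest)
            # Postfix adds sasl_username= to this line for authenticated clients.
            if c and "sasl_username=" not in rest:
                clients[qid] = ipaddress.ip_address(c.group(1))
        elif daemon == "smtp" and qid in clients:
            r = RCPT.match(rest)
            ip = clients[qid]
            if r and r.group(1).lower() not in local_domains \
                    and not any(ip in n for n in nets):
                hits.append((qid, str(ip), r.group(1).lower(), r.group(2)))
    return hits

if __name__ == "__main__":
    for hit in find_relayed(SAMPLE_LOG, ["127.0.0.0/8"], {"truckstop24.no"}):
        print(hit)
```

The bounce to test@testie.com is not reported because that queue ID has no smtpd client line in the sample; it was generated on the server itself.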
Thanks. I will update my main.cf file. It should look like this now
I will check out the links you gave me too
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = mail.truckstop24.no
mydomain = truckstop24.no
#alias_maps = hash:/etc/aliases
alias_maps = hash:/etc/postfix/aliases
#alias_database = hash:/etc/aliases
alias_database = hash:/etc/postfix/aliases
mydestination = $mydomain, $myhostname
myorigin = $mydomain
#mynetworks = 0.0.0.0/0 [::/0]
mynetworks = 79.161.88.51/24, 127.0.0.1/8
#relayhost = smtp.nenett.no
relayhost = smtp.gmail.com
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# SASL SUPPORT FOR CLIENTS
# The following options set parameters needed by Postfix to enable
# Cyrus-SASL support for authentication of mail clients.
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_hostname, reject_invalid_hostname, check_helo_access, pcre:/etc/postfix/helo_checks, check_sender_mx_access, cidr:/etc/postfix/bogus_mx, reject_rbl_client, zen.spamhaus.org, reject_rbl_client, cbl.abuseat.org, reject_rbl_client, dnsbl-1.uceprotect.net, permit
# Relay control (Postfix 2.10 and later): local clients and
# authenticated clients may specify any destination domain.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
Last edited by AvengerX9; November 17th, 2012 at 10:34 PM.
That looks better
One thing though.....
You have two smtpd_recipient_restrictions = entries.
You should add the check_relay_domains option to the first one and remove the second instance (in the SASL section).
Just shout if you want me to test it for open relay once you have your new settings in place
Another question - will google allow you to relay through their smtp??
The answer is NO unless you are somehow using authenticated SMTP using STARTTLS.
This is what happens when trying straight SMTP:
Code:
crypto@ubulaptop1204:~$ telnet smtp.gmail.com 25
Trying 173.194.66.109...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP gk9sm6755645wib.4
HELO google.com
250 mx.google.com at your service
MAIL FROM: tester@google.co.uk
530 5.7.0 Must issue a STARTTLS command first. gk9sm6755645wib.4
As it should be really - otherwise it would also be an open relay
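Two configuration problems came up in this thread: a parameter defined twice (Postfix keeps only the last definition) and a mynetworks value that covers every address. The check below is an added example, not code from the thread or from Postfix: it reads main.cf text with the file's continuation-line rule and reports both conditions. The function names are hypothetical and the sample is a trimmed copy of the first main.cf posted above.

```python
import ipaddress

# Sample input: the relevant lines of the first main.cf in the thread, trimmed.
SAMPLE_MAIN_CF = """\
# TLS parameters
smtpd_use_tls=yes
mydestination = $mydomain, $myhostname
mynetworks = 0.0.0.0/0 [::/0]
smtpd_recipient_restrictions = reject_non_fqdn_recipient
    permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination permit
smtpd_recipient_restrictions = reject_invalid_hostname,
    permit_mynetworks, reject_unauth_destination,
    reject_rbl_client bl.spamcop.net permit
"""

def parse_main_cf(text):
    """Return ({name: last value}, {name: definition count}). Blank and '#'
    lines are skipped, a line starting with whitespace continues the
    previous parameter, and the last definition of a name wins."""
    values, counts, name = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            values[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = (p.strip() for p in raw.split("=", 1))
            values[name] = value
            counts[name] = counts.get(name, 0) + 1
    return values, counts

def audit(text):
    """Return a list of findings for duplicate parameters and wildcard mynetworks."""
    values, counts = parse_main_cf(text)
    findings = [f"{n} defined {c} times; only the last is used"
                for n, c in counts.items() if c > 1]
    for item in values.get("mynetworks", "").replace(",", " ").split():
        try:
            cidr = item.replace("[", "").replace("]", "")
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue  # table lookups such as hash:/path are not evaluated here
        if net.prefixlen == 0:
            findings.append(f"mynetworks entry {item} trusts every address")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MAIN_CF)))
```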