Page last updated:
2004 Apr 21 09:37

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

[vox-tech] postfix question

Hi all,

Spam has been sapping my productivity again, so I took a few hours out
to try to fix the problem.

Based on previous messages on vox-tech and some articles I've read, I
switched over from exim3 to postfix 2.0.16.

Here's what I've added to /etc/postfix/main.cf:


   # By default, smtpd_client_restrictions is applied at the RCPT TO
   # command.  To have the restriction take effect ASAP, do this (may
   # cause unexpected results with poorly implemented client software):
   #
   smtpd_delay_reject = no

   # Require HELO/EHLO, and disable VRFY. 
   #
   smtpd_helo_required = yes
   disable_vrfy_command = yes

   # This restricts what clients this system accepts SMTP connections from.
   # ORDER IMPORTANT!!!
   # 
   smtpd_client_restrictions =
      reject_invalid_hostname,
      reject_non_fqdn_hostname,
(2)   reject_non_fqdn_sender,
(3)   reject_non_fqdn_recipient,
      reject_unknown_sender_domain,
      reject_unknown_recipient_domain,
      permit_mynetworks,
      reject_unauth_destination,
(1)   check_helo_access hash:/etc/postfix/helo_checks,
      reject_rbl_client bl.spamcop.net,
      reject_rbl_client list.dsbl.org,
      reject_rbl_client relays.ordb.org,
      reject_rbl_client cbl.abuseat.org,
      reject_rbl_client sbl.spamhaus.org,
      reject_rbl_client opm.blitzed.org,
      reject_rbl_client dul.dnsbl.sorbs.net,
      permit

   smtpd_data_restrictions =
      reject_unauth_pipelining,
      permit



Here's /etc/postfix/helo_checks:

   dirac.org      REJECT You are not in dirac.org.  Go away, spammer.
   www.dirac.org  REJECT You are not in dirac.org.  Go away, spammer.
   mail.dirac.org REJECT You are not in dirac.org.  Go away, spammer.
   localhost      REJECT You are not my localhost.  Go away, spammer.



I compiled helo_checks with "postmap helo_checks" and restarted postfix.
The error/warn logs didn't indicate any problems.


The RBL checks work (boy, do they work!):

   Apr 21 07:31:45 gabriel postfix/smtpd[2375]: NOQUEUE: reject: CONNECT
   from WLL-25-pppoe180.t-net.net.ve[200.31.139.180]: 554 Service
   unavailable; Client host [200.31.139.180] blocked using list.dsbl.org;
   http://dsbl.org/listing?ip=200.31.139.180; proto=SMTP


However, I wrote myself an email from a foreign host:

     lifshitz.ucdavis.edu$ telnet dirac.org 25
     Trying 64.142.25.39...
     Connected to adsl-64-142-25-39.sonic.net (64.142.25.39).
     Escape character is '^]'.
     220 gabriel.localdomain ESMTP Postfix (Debian/GNU)
(1)  helo localhost
     250 gabriel.localdomain
(2)  mail from: blah.foo.bar
     250 Ok
(3)  rcpt to: p
     250 Ok
     data
     354 End data with <CR><LF>.<CR><LF>
     test.
     .
     250 Ok: queued as C4AA03DC1
     quit
     221 Bye

This violates a few spam controls that should be in place.

1. I used "helo localhost" from a host not on my local subnet, yet
   postfix accepted it, in violation of (1) above.

2. mail from was not a FQDN sender, in violation of (2).

3. rcpt to: was not a FQDN recipient, in violation of (3).


I haven't gotten any spam in the past few minutes, so the RBLs are doing
a good job, but I do want my other spam controls to work.  If something
is wrong with how I configured postfix, I'd like to know. 

Any ideas on why those 3 checks seem to be ignored by postfix?

Thanks!
Pete

-- 
Make everything as simple as possible, but no simpler.  -- Albert Einstein
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
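Why the three numbered checks never fire, as an added illustration that is not part of the original post: with smtpd_delay_reject = no, smtpd_client_restrictions is evaluated at connection time, before HELO, MAIL FROM or RCPT TO has been seen, so a rule in that list that needs the HELO name, sender or recipient has nothing to test and falls through (Postfix's DUNNO) until the trailing permit matches, while the RBL rules, which only need the client IP, keep working. The Python model below is a simplified simulation written for this page, not Postfix source; the client IP, mynetworks and RBL hit list are constructed, and the FQDN test is a simplification of what Postfix does.

```python
import re

STAGE = {"CONNECT": 0, "HELO": 1, "MAIL": 2, "RCPT": 3}   # when each datum is first known
FQDN = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def fqdn_address(addr):
    """Simplification: 'FQDN' means user@domain with a dotted domain part."""
    return "@" in addr and bool(FQDN.match(addr.rpartition("@")[2]))

# restriction -> (stage its input exists, test(session) -> verdict, or None for no match)
RULES = {
    "reject_non_fqdn_hostname": ("HELO", lambda s: None if FQDN.match(s["helo"]) else "REJECT"),
    "check_helo_access": ("HELO", lambda s: s["helo_map"].get(s["helo"].lower())),
    "reject_non_fqdn_sender": ("MAIL", lambda s: None if fqdn_address(s["sender"]) else "REJECT"),
    "reject_non_fqdn_recipient": ("RCPT", lambda s: None if fqdn_address(s["rcpt"]) else "REJECT"),
    "permit_mynetworks": ("CONNECT", lambda s: "OK" if s["client_ip"] in s["mynetworks"] else None),
    "reject_rbl_client": ("CONNECT", lambda s: "REJECT" if s["client_ip"] in s["rbl_listed"] else None),
    "permit": ("CONNECT", lambda s: "OK"),
}

def evaluate(restrictions, stage, session):
    """Run a restriction list as if smtpd evaluated it at `stage`.
    Returns (verdict, rule that fired or None, rules skipped for lack of data)."""
    skipped = []
    for rule in restrictions:
        needs, test = RULES[rule.split()[0]]
        if STAGE[needs] > STAGE[stage]:
            skipped.append(rule)        # input not sent yet: DUNNO, fall through
            continue
        verdict = test(session)
        if verdict:
            return verdict, rule, skipped
    return "DUNNO", None, skipped

def client_restrictions_stage(delay_reject):
    """smtpd_delay_reject=yes defers smtpd_client_restrictions until RCPT TO."""
    return "RCPT" if delay_reject else "CONNECT"

# The post's list trimmed to the rules modelled above, same relative order.
RESTRICTIONS = ["reject_non_fqdn_hostname", "reject_non_fqdn_sender",
                "reject_non_fqdn_recipient", "permit_mynetworks",
                "check_helo_access hash:/etc/postfix/helo_checks",
                "reject_rbl_client list.dsbl.org", "permit"]
# Session taken from the telnet transcript; client IP, mynetworks and RBL hit list are constructed.
SESSION = {"client_ip": "192.0.2.10", "mynetworks": {"127.0.0.1"}, "rbl_listed": set(),
           "helo": "localhost", "sender": "blah.foo.bar", "rcpt": "p",
           "helo_map": {h: "REJECT" for h in ("dirac.org", "www.dirac.org",
                                                "mail.dirac.org", "localhost")}}
```

Running evaluate() at CONNECT (delay_reject off) ends in "OK" from the trailing permit with the HELO, sender and recipient rules all skipped; at RCPT (delay_reject on) the first rule rejects the "helo localhost" session.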


