LinuxQuestions.org
Old 08-04-2015, 01:00 PM   #1
deathsfriend99
Member
 
Registered: Nov 2007
Distribution: CentOS 6
Posts: 200

Rep: Reputation: 22
Can't get Postfix to block domain suffix


I'm getting a bunch of spam that is getting through SpamAssassin, and amavis, and zen.spamhaus.org. It all seems to end with a .review, .work or .science domain suffix, so I'm trying to not accept mail with any of these, but my attempts have failed so far.

I am trying to use smtpd_recipient_restrictions, but either my syntax is wrong in the hash, or the order of my restrictions is allowing it through. I'm hoping someone much better at this than me can help.

main.cf
Code:
# See /usr/share/postfix/main.cf.orig for a commented, more complete version
# LOCAL PATHNAME INFORMATION
#
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
#
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix

myhostname = mail.dept.domain.com
mydomain = mydomain.com
mydestination = $myhostname, localhost, localhost.$mydomain, $mydomain, localhost.dept.domain.com, dept2.domain.com, dept3.domain.com, dept4.domain.com
myorigin = $myhostname
inet_interfaces = all
inet_protocols = ipv4

unknown_local_recipient_reject_code = 550

mynetworks = 127.0.0.0/8

relay_domains = $mydestination

# INPUT RATE CONTROL
#
# The in_flow_delay configuration parameter implements mail input
# flow control. This feature is turned on by default, although it
# still needs further development (it's disabled on SCO UNIX due
# to an SCO bug).
# 
# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds the
# message delivery rate. With the default 100 SMTP server process
# limit, this limits the mail inflow to 100 messages a second more
# than the number of messages delivered per second.
# 
# Specify 0 to disable the feature. Valid delays are 0..10.
# 
#in_flow_delay = 1s

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

#mtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo
recipient_delimiter = +

# DELIVERY TO MAILBOX
#
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user.  Specify
# "Maildir/" for qmail-style delivery (the / is required).
#
#home_mailbox = Mailbox
home_mailbox = Maildir/
 
# The mail_spool_directory parameter specifies the directory where
# UNIX-style mailboxes are kept. The default setting depends on the
# system type.
#
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail

# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception:  delivery for root is done as $default_user.
#
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
#
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions. This is to
# make it easier to specify shell syntax (see example below).
#
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process. Procmail alone is expensive enough.
#
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#
#mailbox_command = /some/where/procmail
mailbox_command = /usr/bin/procmail -a "$EXTENSION"

# JUNK MAIL CONTROLS
# 
# The controls listed here are only a very small subset. The file
# SMTPD_ACCESS_README provides an overview.
content_filter=amavis-feed:[127.0.0.1]:10024

header_checks = regexp:/etc/postfix/header_checks
message_size_limit=1024000000
mailbox_size_limit=0 
smtpd_restriction_classes =
	has_our_domain_as_sender

has_our_domain_as_sender = 
	check_sender_access hash:/etc/postfix/our_domain_as_sender
	reject

smtpd_helo_required = yes
disable_vrfy_command = yes

smtpd_recipient_restrictions =
	permit_sasl_authenticated
	permit_mynetworks
        reject_unauth_destination
	reject_non_fqdn_recipient
	reject_non_fqdn_sender
        reject_unlisted_recipient
# you should reject all unknown recipients, otherwise you will be 
# inundated with hundreds of spam / day to gibberish @ yourdomain.com
	reject_unknown_sender_domain
	reject_unknown_recipient_domain
        check_helo_access pcre:/etc/postfix/helo_checks.pcre
# This is where you can reject bogus helo/ehlo, such as those
# who claim to be localhost, your IP, your hostname, and even
# unqualified hosts.
       reject_invalid_helo_hostname
# this rejects helo/ehlo names that violate RFC standards
       check_client_access hash:/etc/postfix/client_checks
# This is where you can block by client IP or hostname
       check_sender_access hash:/etc/postfix/sender_checks
# This is where you can block by sender email address
# in both maps above, I've used hash, but you can change to pcre, or
# your choice of map.  Obviously, you have to make these map files.
	reject_sender_login_mismatch
	reject_multi_recipient_bounce
	check_sender_access hash:/etc/postfix/common_spam_senderdomains
	reject_rbl_client zen.spamhaus.org
	reject_rbl_client bl.spamcop.net
        reject_rbl_client b.barracudacentral.org
        check_sender_access hash:/etc/postfix/sender_access
	check_sender_access hash:/etc/postfix/not_our_domain_as_sender
	check_recipient_access hash:/etc/postfix/protect_internal_aliases
	check_recipient_access hash:/etc/postfix/role_account_exceptions
	check_helo_access pcre:/etc/postfix/helo_checks
	#reject_unknown_helo_hostname
	check_sender_mx_access cidr:/etc/postfix/bogus_mx
	check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions
	reject_rhsbl_sender dsn.rfc-ignorant.org
	check_sender_access hash:/etc/postfix/common_spam_senderdomains
	check_sender_access regexp:/etc/postfix/common_spam_senderdomain_keywords
	permit


smtpd_data_restrictions = 
	reject_unauth_pipelining
	permit


# SASL/SMTP AUTH configuration
smtpd_sasl_auth_enable = yes
# force noplaintext auth without tls
# A side effect of this is that in sasl/smtpd.conf we must list
# more SASL mechanisms than just PLAIN and LOGIN
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
# force noplaintext auth without tls as a client
#smtp_sasl_security_options = noanonymous, noplaintext
#smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
# Following allows machines on $mynetworks to send email without SMTP AUTH
# A side effect of this is that clients on these network do not see
# 250 AUTH PLAIN ... and 250 AUTH=PLAIN ... responses, outside clients do.
smtpd_sasl_exceptions_networks = $mynetworks
broken_sasl_auth_clients = yes
# Following sets SASL realm, for now keep empty
smtpd_sasl_local_domain = 

# TLS configuration
#
smtpd_tls_security_level = may
# To enforce
# smtpd_tls_security_level = encrypt
#
# Obsolete, but still supported
smtpd_use_tls = yes
# To enforce
# smtpd_enforce_tls = yes
#
# Enforce TLS when using SMTP AUTH as we use PLAIN and LOGIN
smtpd_tls_auth_only = yes
# 
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
#
# Certificates and keys
smtpd_tls_cert_file=/etc/postfix/ssl/mail.mydomain.crt
smtpd_tls_key_file= /etc/postfix/ssl/mail.mydomain.unencrypt.key

smtpd_tls_CAfile = /etc/postfix/ssl/mail_mydomain_interm.crt
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s


# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
#
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
#
# For details, see "man header_checks".
#
#header_checks = regexp:/etc/postfix/header_checks

# FAST ETRN SERVICE
#
# Postfix maintains per-destination logfiles with information about
# deferred mail, so that mail can be flushed quickly with the SMTP
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
# See the ETRN_README document for a detailed description.
# 
# The fast_flush_domains parameter controls what destinations are
# eligible for this service. By default, they are all domains that
# this server is willing to relay mail to.
# 
#fast_flush_domains = $relay_domains

# SHOW SOFTWARE VERSION OR NOT
#
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
# You MUST specify $myhostname at the start of the text. That is an
# RFC requirement. Postfix itself does not care.
#
smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

# PARALLEL DELIVERY TO THE SAME DESTINATION
#
# How many parallel deliveries to the same user or domain? With local
# delivery, it does not make sense to do massively parallel delivery
# to the same user, because mailbox updates must happen sequentially,
# and expensive pipelines in .forward files can cause disasters when
# too many are run at the same time. With SMTP deliveries, 10
# simultaneous connections to the same domain could be sufficient to
# raise eyebrows.
# 
# Each message delivery transport has its XXX_destination_concurrency_limit
# parameter.  The default is $default_destination_concurrency_limit for
# most delivery transports. For the local delivery agent the default is 2.

#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20

# DEBUGGING CONTROL
#
# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
#
debug_peer_level = 2

# The debug_peer_list parameter specifies an optional list of domain
# or network patterns, /file/name patterns or type:name tables. When
# an SMTP client or server host name or address matches a pattern,
# increase the verbose logging level by the amount specified in the
# debug_peer_level parameter.
#
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain

# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 ddd $daemon_directory/$process_name $process_id & sleep 5

# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
#
# debugger_command =
#	PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
#	echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
#	>$config_directory/$process_name.$process_id.log & sleep 5
#
# Another possibility is to run gdb under a detached screen session.
# To attach to the screen session, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
#
# debugger_command =
#	PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
#	-dmS $process_name gdb $daemon_directory/$process_name
#	$process_id & sleep 1

# INSTALL-TIME CONFIGURATION INFORMATION
#
# The following parameters are used when installing a new Postfix version.
# 
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
# 
sendmail_path = /usr/sbin/sendmail.postfix

# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases.postfix

# mailq_path: The full pathname of the Postfix mailq command.  This
# is the Sendmail-compatible mail queue listing command.
# 
mailq_path = /usr/bin/mailq.postfix

# setgid_group: The group for mail submission and queue management
# commands.  This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
#
setgid_group = postdrop

# html_directory: The location of the Postfix HTML documentation.
#
html_directory = no

# manpage_directory: The location of the Postfix on-line manual pages.
#
manpage_directory = /usr/share/man

# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
#
sample_directory = /usr/share/doc/postfix-2.6.6/samples

# readme_directory: The location of the Postfix README files.
#
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
Using client_checks and sender_checks
Code:
/etc/postfix/client_checks
.work               REJECT we don't want your mail
.review             REJECT we don't want your mail
.date		    REJECT we don't want your mail

/etc/postfix/sender_checks
.date	       REJECT env. from addr any@any.date rejected
.work              REJECT env. from addr any@any.work rejected
.review             REJECT env. from addr any@any.review rejected

Last edited by deathsfriend99; 08-04-2015 at 01:01 PM.
 
Old 12-13-2016, 10:11 AM   #2
Cypher2048
LQ Newbie
 
Registered: Dec 2016
Posts: 1

Rep: Reputation: Disabled
I had the same issue trying to block a TLD that I was getting a bunch of spam from with randomized domain names. I also tried ".top" in sender_checks to no avail. Turns out you just need to remove the dot. It is explained in the postfix "access" man page under Email Address Patterns:

domain.tld
Matches domain.tld as the domain part of an email address.
The pattern domain.tld also matches subdomains, but only when the string smtpd_access_maps is listed in the Postfix parent_domain_matches_subdomains configuration setting.

.domain.tld
Matches subdomains of domain.tld, but only when the string smtpd_access_maps is not listed in the Postfix parent_domain_matches_subdomains configuration setting.

The way it is explained is a little confusing, so I just added two REJECT lines to be safe: a ".top" and "top"

Reloaded postfix and the spam stopped. Hope this helps someone else.
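
Added example (not part of either post and not Postfix source code): a simplified Python model of the key order that access(5) documents for check_sender_access with a hash: table. It shows why the dot-prefixed keys in the first post never match under the default parent_domain_matches_subdomains setting, while listing both forms matches either way. The function names, tables and sample address are constructed for illustration, and address-extension handling is left out.

```python
# Simplified model of the access(5) lookup order for check_sender_access
# with an indexed (hash:) table. Added illustration, not Postfix source code.

def sender_lookup_keys(sender, parent_matches_subdomains=True):
    """Return the keys tried, in order, for an envelope sender address.

    parent_matches_subdomains=True models the Postfix default, where
    smtpd_access_maps is listed in parent_domain_matches_subdomains.
    """
    local, _, domain = sender.lower().rpartition("@")
    keys = [f"{local}@{domain}", domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        # Default style: bare parent domains. Otherwise: dot-prefixed ones.
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(f"{local}@")
    return keys


def check_sender_access(table, sender, parent_matches_subdomains=True):
    """Return (key, action) for the first key found in table, else None."""
    for key in sender_lookup_keys(sender, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None


# Constructed tables: the first post's dot-only keys, and the second
# post's fix of listing each TLD both with and without the leading dot.
DOT_ONLY = {".date": "REJECT", ".work": "REJECT", ".review": "REJECT"}
BOTH_FORMS = {**DOT_ONLY, "date": "REJECT", "work": "REJECT", "review": "REJECT"}

if __name__ == "__main__":
    sender = "promo@mail.cheap-deals.work"   # constructed sample address
    for style in (True, False):
        print("parent style" if style else "dot style",
              sender_lookup_keys(sender, style))
        print("  dot-only table  :", check_sender_access(DOT_ONLY, sender, style))
        print("  both-forms table:", check_sender_access(BOTH_FORMS, sender, style))
```

On a real server, a hash: table has to be rebuilt with `postmap` after the text file is edited, otherwise Postfix keeps reading the old .db file.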
 
  

