LinuxQuestions.org
Old 08-19-2008, 09:34 AM   #16
Mr. C. (Senior Member)
Quote: Originally Posted by schmidtedv
Just some questions on this nice howto:

For the line in helo_checks.pcre should I put (in case i got goofy.de)

/^goofy\.de$/ REJECT Hijacked my domain "goofy.de" ??? Or would I leave it as is (mydomain\.de$)? I'm not shure, if mydomain here is an variable or just an example....
You place your domain name(s). The idea is that other systems should not be HELO'ing your system with any of the domain names your own mail server hosts. Btw. "sure", not "shure".
Quote: Originally Posted by schmidtedv
Another one is client_checks:

Can I just put a list of country-endings I would never expect mail from inside like this:

Code:
.ad REJECT I don't expect mail from you!
.ru REJECT I don't expect mail from you!
Yes, you can do this. client_checks is the client's IP or DNS hostname. Postfix determines this information from the IP connecting to your system. Be aware that at some point, legitimate email may be lost with such an overarching restriction.

In an indexed table (hash), the bare hostname "ru" matches domains that end in .ru. If you want its subdomains, use .ru, like this:
Code:
ru   REJECT don't want mail from .ru
.ru  REJECT don't want mail from anything.ru
Quote: Originally Posted by schmidtedv
And last question in my case for main.cf:

Code:
mime_header_checks = pcre:/etc/postfix/mime-header-checks

qmgr_fudge_factor = 70

queue_minfree = 102400000
Don't change from default values unless you know what you are doing. Tune when you have a problem, not by guessing.


bounce_size_limit = 30720
bounce_template_file = /etc/postfix/bounce.cf

delay_warning_time = 30m
bounce_queue_lifetime = 3d
maximal_queue_lifetime = 3d

default_recipient_limit = 300
Do you see evidence that you need this?

default_destination_recipient_limit = 30
default_destination_concurrency_limit = 10

smtpd_helo_required = yes
smtpd_delay_reject = yes
Comment this out, since it is the default value anyway.   Remove comments when you actually assign something to them.  This keeps postconf -n output clean, helping others help you debug.


smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

These are defaults.  Comment out.
Don't change from default values unless you know what you are doing.

smtpd_data_restrictions =
 reject_unauth_pipelining

smtpd_client_restrictions = 

smtpd_helo_restrictions = 

smtpd_sender_restrictions = 
Comment out until actually assigned and used.


smtpd_recipient_restrictions =
 reject_non_fqdn_recipient,
 reject_non_fqdn_sender,
 reject_unlisted_recipient,
 permit_sasl_authenticated,

I'll suggest you move sasl authentication to the Submission port, 587.  Then you can leave port 25 SMTP as a straight MX.

 permit_mynetworks,
 reject_unauth_destination,
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 check_helo_access pcre:/etc/postfix/helo_checks.pcre,
 reject_invalid_helo_hostname,
 check_client_access hash:/etc/postfix/client_checks,
 check_sender_access hash:/etc/postfix/sender_checks,
 reject_rbl_client zen.spamhaus.org,
 check_policy_service inet:127.0.0.1:60000,
 permit

Is this config a working example :-) ?
This looks OK, see red comments above. See also comments in this thread link:

http://tech.groups.yahoo.com/group/p...message/242299

Quote: Originally Posted by schmidtedv
Should I put in some kind of restrictions for

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =

too?
Because you have smtpd_delay_reject = yes, the reject doesn't happen until the client sends RCPT TO as part of the SMTP conversation. By placing all your restrictions in smtpd_recipient_restrictions, it is easier to track and manage.

However, there will be times when you want to blacklist or whitelist certain clients based upon earlier stages. Then you can add a specific check at one of these stages. So, until you need something, leaving your checks where they are now is fine.
 
Old 08-20-2008, 03:37 AM   #17
schmidtedv (LQ Newbie)
Thanks, I'm still learning what to do about spam and my little server...

Let's take a closer look. I got a PIII 733MHz with 256MB. This system takes care of my domain by having a debian etch with bind9, apache2, postfix, courier, proftpd, php5, mysql5, spamassassin, clamav installed and gets controlled by ISPConfig.

Although there is only 1 domain split into a webpage, a phpbb-forum and 2 mail-users right now, it is still (256MB) a very small system.

I have about 1500 SPAM-Mails a day (they got me :-) ) and every 3 days I get 450 mailer-daemons at once from all over the world 2 times a week by saying the mail (me@mydomain.de) I sent to "you@yourdomain.ru" could not be accepted (no such user...). It looks like my mail is used for some stupid mailing-lists and I cannot do anything about it. That's why I decided to block all the funny mailer-daemons from countries I never send mail to ( ...and never expect mail from).

Maybe my restrictions were a bit stupid by using default_recipient_limit and some others...just thought it might be good to give postfix some restrictions itself with my poor system.

However, I changed back now to a smaller config because helo-restrictions were too much for some servers I expect getting mail from :-)

I also now made a hash-list for the countries that I would like to block and, like you said, left out the dot, so the list is only showing:

ab REJECT blabla
zz REJECT blabla

I called it smtpd-tld-checks and put it in twice (check_client_access and check_sender_access...useless?) in smtpd_recipient_restrictions....

I hope, I'm doing better now with this?

Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
virtual_maps = hash:/etc/postfix/virtusertable

append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
inet_interfaces = all
inet_protocols = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 51200000

mydestination = /etc/postfix/local-host-names
myhostname = s50.deinprovider.de
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname

recipient_delimiter = +
relayhost = 

smtpd_banner = $myhostname ESMTP $mail_name
mime_header_checks = pcre:/etc/postfix/mime-header-checks

bounce_size_limit = 30720
bounce_template_file = /etc/postfix/bounce.cf

delay_warning_time = 30m
bounce_queue_lifetime = 3d
maximal_queue_lifetime = 3d

smtpd_helo_required = yes

disable_vrfy_command = yes

strict_rfc821_envelopes = yes

invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_use_tls=yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache

tls_random_source = dev:/dev/urandom

smtpd_data_restrictions =
 reject_unauth_pipelining

smtpd_recipient_restrictions =
 reject_non_fqdn_recipient,
 reject_non_fqdn_sender,
 reject_unlisted_recipient,
 permit_sasl_authenticated,
 permit_mynetworks,
 reject_unauth_destination,
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 check_client_access hash:/etc/postfix/smtpd-tld-checks,
 check_sender_access hash:/etc/postfix/smtpd-tld-checks,
 check_policy_service inet:127.0.0.1:60000,
 permit
permit_sasl_authenticated I leave in there like it is because that's how the setup from ISPConfig does it and I don't want to break something I still don't understand well enough. Would be great to get another feedback/help on this!

Actually the post you linked is saying "I do *not* recommend changing
unknown_client_reject_code from its default of 450." Would it belong to my config as well?

Last edited by schmidtedv; 08-20-2008 at 04:20 AM.
 
Old 08-21-2008, 11:01 PM   #18
Mr. C. (Senior Member)
Quote: Originally Posted by schmidtedv
I have about 1500 SPAM-Mails a day (they got me :-) ) and every 3 days I get 450 mailer-daemons at once from all over the world 2 times a week by saying the mail (me@mydomain.de) I sent to "you@yourdomain.ru" could not be accepted (no such user...). It looks like my mail is used for some stupid mailing-lists and I cannot do anything about it. That's why I decided to block all the funny mailer-daemons from countries I never send mail to ( ...and never expect mail from).
The common Joe Job.

Quote: Originally Posted by schmidtedv
Maybe my restrictions were a bit stupid by using default_recipient_limit and some others...just thought it might be good to give postfix some restrictions itself with my poor system.
Tune after measuring first, then measure again after tuning. Only tune when you have identified the bottleneck through measurement.

Quote: Originally Posted by schmidtedv
However, I changed back now to a smaller config because helo-restrictions were too much for some servers I expect getting mail from :-)
This would be a good place for client whitelists that bypass helo checks. Don't dumb down your system entirely just to suit a few dumb clients.

Quote: Originally Posted by schmidtedv
I called it smtpd-tld-checks and put it in twice (check_client_access and check_sender_access...useless?) in smtpd_recipient_restrictions....
Be clear in your mind the difference between check_sender_access and check_client_access. Sender access is the name provided in the MAIL FROM stage of the SMTP dialog. That's the Envelope Sender, and is not to be trusted. Client access is the IP address and its looked-up host name of the connecting client. This is not provided in the SMTP dialog, and can be sufficiently trusted for reject control. So your sender and client access lists will usually be different (I can send mail from my home machine (client), but specify a gmail envelope (sender) address).

Quote: Originally Posted by schmidtedv
I hope, I'm doing better now with this?

Code:
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
Use the postfix defaults. DNS errors will happen. You'll be permanently rejecting good mail when DNS errors occur.

Quote: Originally Posted by schmidtedv
Code:
smtpd_recipient_restrictions =
 reject_non_fqdn_recipient,
 reject_non_fqdn_sender,
 reject_unlisted_recipient,
 permit_sasl_authenticated,
 permit_mynetworks,
 reject_unauth_destination,
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 check_client_access hash:/etc/postfix/smtpd-tld-checks,
 check_sender_access hash:/etc/postfix/smtpd-tld-checks,
 check_policy_service inet:127.0.0.1:60000,
 permit
The tables in red above will likely be different. Use different tables.
Quote: Originally Posted by schmidtedv
permit_sasl_authenticated I leave in there like it is because that's how the setup from ISPConfig does it and I don't want to break something I still don't understand well enough. Would be great to get another feedback/help on this!
You'll use the submission entry in master.cf. It will look something like:

Code:
submission inet n       -       n       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_tls_auth_only=yes
   -o smtpd_sasl_auth_enable=yes
   -o broken_sasl_auth_clients=yes
   -o receive_override_options=no_header_body_checks,no_address_mappings
   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
   -o content_filter=lmtp-amavis:[127.0.0.1]:10026
Tailor to your needs. Then, clients submitting mail to your server for relay do so through the submission port 587. And you disable the tls and sasl settings in main.cf (which act as defaults for all services, since you're explicitly setting them above in the submission service).
Quote: Originally Posted by schmidtedv
Actually the post you linked is saying "I do *not* recommend changing
unknown_client_reject_code from its default of 450." Would it belong to my config as well?
Right! As I mentioned above, DNS errors WILL occur, so you don't want to perm-reject mail when it does.
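As an added illustration (written for this thread, not Postfix's own code and not posted by either participant), the Python below models the key order Postfix uses when check_client_access and check_sender_access consult an access(5) table, covering both the bare "ru" versus ".ru" question earlier in the thread and the client-versus-sender distinction made above. It assumes the parent-domain behaviour documented in access(5) for parent_domain_matches_subdomains, with the default (smtpd_access_maps listed) unless parents_match=False; the tables, hostnames and addresses are constructed.

```python
# Added model of how check_client_access / check_sender_access consult an
# access(5) table; not Postfix's own code. Assumption: lookup order as in
# access(5), with parent_domain_matches_subdomains including smtpd_access_maps
# (the default) unless parents_match=False.

def parent_keys(domain, parents_match):
    """Parent-domain keys tried after the full name: 'isp.ru', 'ru' in the
    default mode, or '.isp.ru', '.ru' when smtpd_access_maps is not listed in
    parent_domain_matches_subdomains (then a bare 'ru' only matches 'ru')."""
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    return parents if parents_match else ["." + p for p in parents]

def client_keys(hostname, ip, parents_match=True):
    """check_client_access: reverse-DNS name and its parents, then the IP and
    its shortened prefixes. None of this is supplied in the SMTP dialog."""
    octets = ip.split(".")
    prefixes = [".".join(octets[:n]) for n in range(4, 0, -1)]
    return [hostname] + parent_keys(hostname, parents_match) + prefixes

def sender_keys(address, parents_match=True):
    """check_sender_access: the MAIL FROM address, its domain and parents, then
    the bare local part. Every byte of it is chosen by the remote client."""
    local, domain = address.split("@", 1)
    return [address, domain] + parent_keys(domain, parents_match) + [local + "@"]

def lookup(table, keys):
    """First key found wins, as with a hash: table; None means no entry."""
    for key in keys:
        if key in table:
            return table[key]
    return None

def decide(tables, keys):
    """Walk tables in restriction order; the first answer wins, else DUNNO
    (Postfix's 'no opinion, try the next restriction')."""
    for table in tables:
        action = lookup(table, keys)
        if action is not None:
            return action
    return "DUNNO"

# Constructed tables: a TLD blocklist like smtpd-tld-checks above, and a client
# whitelist listed before it for a peer whose mail is wanted regardless.
TLD_BLOCK = {"ru": "REJECT I don't expect mail from you!"}
CLIENT_OK = {"mail.partner.example": "OK", "192.0.2": "OK"}
```

Running the same TLD table through both functions shows the point above: a spoofed gmail envelope from a .ru client gets DUNNO from the sender lookup but REJECT from the client lookup, and with parents_match=False the bare "ru" entry no longer catches subdomains at all.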
 
Old 08-21-2008, 11:45 PM   #19
uncle_philip (Member, Distribution: centos5.2)
Quote: Originally Posted by schmidtedv
Is this config a working example :-) ?
Should I put in some kind of restrictions for

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =

too?

Yes, you need to fill in your own.
 
Old 08-22-2008, 04:00 PM   #20
schmidtedv (LQ Newbie)
Well, thanks a lot for now :-)

I will give it a try and see what happens. After certain time I might ask again :-)
 
  

