LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 08-17-2006, 12:25 PM   #1
xlh3110
LQ Newbie
 
Registered: Nov 2005
Posts: 19

Rep: Reputation: 0
Question how to configure postfix to reject spams


Hi, lately I have been getting lots of spams ( who doesn't these days? ), and I noticed that these spams are easy to detect, since from the following header information, you can see the sender's address is a fake one:

Message-ID: <000901c6c1b3$38dafc30$67b20c48@ryjcud.znx>
From: "Joshua Buchanan" <inb@statusproperty.co.uk>


So I am thinking to REJECT such spams from postfix. The rule would be simple:

extract sender's actual sending domain and claimed domain from Message-ID field and From field, and compare them. Normally these two should be same ( is it true? ). Otherwise, reject.

However, I am not an expert in postfix. Anyone could help how to configure postfix to do this task efficiently?

Thanks.
 
Old 08-18-2006, 10:05 AM   #2
Child of Wonder
Member
 
Registered: Jul 2004
Location: Sioux Falls, SD
Distribution: Debian, Ubuntu, Fedora, Red Hat
Posts: 69

Rep: Reputation: 16
If you only want to reject invalid sender domains, you'll need this in your /etc/postfix/main.cf:

Code:
smtpd_sender_restrictions = reject_uknown_sender_domain
Or simply add the reject_unknown_sender_domain if you already have smtpd_sender_restrictions in your main.cf.

There are a lot more ways to use Postfix to block spam. If you post your main.cf file I could show you things you could add to it.
 
Old 08-18-2006, 12:13 PM   #3
xlh3110
LQ Newbie
 
Registered: Nov 2005
Posts: 19

Original Poster
Rep: Reputation: 0
Cool

Here are relate lines in my main.cf:

smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
strict_rfc821_envelopes = no
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no

and Here is access:

enews.buy.com REJECT
lmsa.hinet.net REJECT
online.costco.com REJECT
orbitz.com REJECT


My questions are:

1) can you have both lines in main.cf

Code:
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_sender_restrictions = reject_uknown_sender_domain

2) how does postfix decide unknown_sender_domain? Is there any false positive possibility?

Thanks.

Quote:
Originally Posted by Child of Wonder
If you only want to reject invalid sender domains, you'll need this in your /etc/postfix/main.cf:

Code:
smtpd_sender_restrictions = reject_uknown_sender_domain
Or simply add the reject_unknown_sender_domain if you already have smtpd_sender_restrictions in your main.cf.

There are a lot more ways to use Postfix to block spam. If you post your main.cf file I could show you things you could add to it.
 
Old 08-18-2006, 12:58 PM   #4
Child of Wonder
Member
 
Registered: Jul 2004
Location: Sioux Falls, SD
Distribution: Debian, Ubuntu, Fedora, Red Hat
Posts: 69

Rep: Reputation: 16
You could change things to this for some good spam blocking. I also rearranged it a bit so it's easier to read and flows better.

Code:
smtpd_helo_required = yes

smtpd_client_restrictions =

smtpd_helo_restrictions =
        reject_invalid_hostname  (rejects helo with invalid characters like !, $, etc.)
        reject_non_fqdn_hostname (reject helo that is not in domain.com format)

smtpd_sender_restrictions = 
        hash:/etc/postfix/access
        reject_non_fqdn_sender  (reject email address not in user@domain.com format)
        reject_uknown_sender_domain  (reject mail domain.com if domain.com does not exist)

smtpd_recipient_restrictions = 
        permit_mynetworks
        reject_unauth_destination
        reject_unlisted_recipient  (reject mail to users that don't exist)

smtpd_data_restrictions =
        reject_unauth_pipelining  (stops bulk mail senders)

strict_rfc821_envelopes = no

smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no
I work for an ISP with about 40,000 users and we use these settings and more. We get very few false positives because of these settings.

The way it checks the reject_unknown_sender_domain is by seeing if the domain has an A or MX DNS record. The only reason the from domain wouldn't have one of those records is if they're spoofing.
 
Old 08-18-2006, 02:47 PM   #5
xlh3110
LQ Newbie
 
Registered: Nov 2005
Posts: 19

Original Poster
Rep: Reputation: 0
Wink

Thanks a lot. I will change accordingly and see how that works.

A few more questions:

1) Any changes in other postfix files?

2) How to log postfix actions so that I can see if it works properly for a few days?

3) Instead of reject right away, how to set up postfix so that it puts those deemed spams to another folder for later inspection?
( I am trying to be very cautious. )

4)
Code:
 smtpd_helo_required = yes
will this cause my domain on black list of other domains since I probe too much? What is your experience?

Thanks again.



Quote:
Originally Posted by Child of Wonder
You could change things to this for some good spam blocking. I also rearranged it a bit so it's easier to read and flows better.

Code:
smtpd_helo_required = yes

smtpd_client_restrictions =

smtpd_helo_restrictions =
        reject_invalid_hostname  (rejects helo with invalid characters like !, $, etc.)
        reject_non_fqdn_hostname (reject helo that is not in domain.com format)

smtpd_sender_restrictions = 
        hash:/etc/postfix/access
        reject_non_fqdn_sender  (reject email address not in user@domain.com format)
        reject_uknown_sender_domain  (reject mail domain.com if domain.com does not exist)

smtpd_recipient_restrictions = 
        permit_mynetworks
        reject_unauth_destination
        reject_unlisted_recipient  (reject mail to users that don't exist)

smtpd_data_restrictions =
        reject_unauth_pipelining  (stops bulk mail senders)

strict_rfc821_envelopes = no

smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no
I work for an ISP with about 40,000 users and we use these settings and more. We get very few false positives because of these settings.

The way it checks the reject_unknown_sender_domain is by seeing if the domain has an A or MX DNS record. The only reason the from domain wouldn't have one of those records is if they're spoofing.
 
Old 08-18-2006, 03:06 PM   #6
Child of Wonder
Member
 
Registered: Jul 2004
Location: Sioux Falls, SD
Distribution: Debian, Ubuntu, Fedora, Red Hat
Posts: 69

Rep: Reputation: 16
1. Main.cf is the only file you need to change for now. If you want to do more advanced configurations of Postfix you might need to create/change other ones.

2. Postfix should automatically log to /var/log/mail.log. Depending on how your syslog is set up, you should have a few days of logs in there.

3. Postfix can't move files based on whether it thinks they're spam. You'd need a filter like procmail to do that. You could simply set up the rules and then place warn_if_reject right in front of them to have Postfix not actually reject email that would hit these new rules, but only place a warning in your log file so you can see what mail would have been rejected.

For example:

Code:
smtpd_helo_required = yes

smtpd_client_restrictions =

smtpd_helo_restrictions =
        warn_if_reject reject_invalid_hostname  
        warn_if_reject reject_non_fqdn_hostname 

smtpd_sender_restrictions = 
        hash:/etc/postfix/access
        warn_if_reject reject_non_fqdn_sender  
        warn_if_reject reject_uknown_sender_domain 

smtpd_recipient_restrictions = 
        permit_mynetworks
        warn_if_reject reject_unauth_destination
        warn_if_reject reject_unlisted_recipient

smtpd_data_restrictions =
        warn_if_reject reject_unauth_pipelining

strict_rfc821_envelopes = no

smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no
4. No, all that command does is reject mail from servers that do not issue a HELO command, which is required by RFC standards. All properly configured mail servers should give a HELO command.
 
Old 08-18-2006, 03:11 PM   #7
xlh3110
LQ Newbie
 
Registered: Nov 2005
Posts: 19

Original Poster
Rep: Reputation: 0
Thanks a lot again.


Quote:
Originally Posted by Child of Wonder
1. Main.cf is the only file you need to change for now. If you want to do more advanced configurations of Postfix you might need to create/change other ones.

2. Postfix should automatically log to /var/log/mail.log. Depending on how your syslog is set up, you should have a few days of logs in there.

3. Postfix can't move files based on whether it thinks they're spam. You'd need a filter like procmail to do that. You could simply set up the rules and then place warn_if_reject right in front of them to have Postfix not actually reject email that would hit these new rules, but only place a warning in your log file so you can see what mail would have been rejected.

For example:

Code:
smtpd_helo_required = yes

smtpd_client_restrictions =

smtpd_helo_restrictions =
        warn_if_reject reject_invalid_hostname  
        warn_if_reject reject_non_fqdn_hostname 

smtpd_sender_restrictions = 
        hash:/etc/postfix/access
        warn_if_reject reject_non_fqdn_sender  
        warn_if_reject reject_uknown_sender_domain 

smtpd_recipient_restrictions = 
        permit_mynetworks
        warn_if_reject reject_unauth_destination
        warn_if_reject reject_unlisted_recipient

smtpd_data_restrictions =
        warn_if_reject reject_unauth_pipelining

strict_rfc821_envelopes = no

smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no
4. No, all that command does is reject mail from servers that do not issue a HELO command, which is required by RFC standards. All properly configured mail servers should give a HELO command.
 
Old 08-18-2006, 03:38 PM   #8
Child of Wonder
Member
 
Registered: Jul 2004
Location: Sioux Falls, SD
Distribution: Debian, Ubuntu, Fedora, Red Hat
Posts: 69

Rep: Reputation: 16
My pleasure.
 
Old 08-18-2006, 03:40 PM   #9
xlh3110
LQ Newbie
 
Registered: Nov 2005
Posts: 19

Original Poster
Rep: Reputation: 0
Hi, I just tested by sending an email bwteen my accounts on differnt domains, but got following error:

postfix/smtpd[27154]: warning: unknown smtpd restriction: "reject_uknown_sender_domain"
postfix/smtpd[27154]: NOQUEUE: reject: RCPT from destination.domain: 451 Server configuration error; from=<me@origin> to=<me@destination> proto=ESMTP helo=<destination_mail_server>

How to fix it? Thanks.


Quote:
Originally Posted by Child of Wonder
1. Main.cf is the only file you need to change for now. If you want to do more advanced configurations of Postfix you might need to create/change other ones.

2. Postfix should automatically log to /var/log/mail.log. Depending on how your syslog is set up, you should have a few days of logs in there.

3. Postfix can't move files based on whether it thinks they're spam. You'd need a filter like procmail to do that. You could simply set up the rules and then place warn_if_reject right in front of them to have Postfix not actually reject email that would hit these new rules, but only place a warning in your log file so you can see what mail would have been rejected.

For example:

Code:
smtpd_helo_required = yes

smtpd_client_restrictions =

smtpd_helo_restrictions =
        warn_if_reject reject_invalid_hostname  
        warn_if_reject reject_non_fqdn_hostname 

smtpd_sender_restrictions = 
        hash:/etc/postfix/access
        warn_if_reject reject_non_fqdn_sender  
        warn_if_reject reject_uknown_sender_domain 

smtpd_recipient_restrictions = 
        permit_mynetworks
        warn_if_reject reject_unauth_destination
        warn_if_reject reject_unlisted_recipient

smtpd_data_restrictions =
        warn_if_reject reject_unauth_pipelining

strict_rfc821_envelopes = no

smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no
4. No, all that command does is reject mail from servers that do not issue a HELO command, which is required by RFC standards. All properly configured mail servers should give a HELO command.
 
Old 08-18-2006, 03:43 PM   #10
Child of Wonder
Member
 
Registered: Jul 2004
Location: Sioux Falls, SD
Distribution: Debian, Ubuntu, Fedora, Red Hat
Posts: 69

Rep: Reputation: 16
My mistake... it's a spelling error. Left out an "n" in unknown.

Change it in your main.cf file to:

reject_unknown_sender_domain
 
Old 08-18-2006, 03:47 PM   #11
xlh3110
LQ Newbie
 
Registered: Nov 2005
Posts: 19

Original Poster
Rep: Reputation: 0
Thumbs up

Yep, works. Actually mistake was mine. I just copied your lines without looking more carefully.

Thanks a lot again.


Quote:
Originally Posted by Child of Wonder
My mistake... it's a spelling error. Left out an "n" in unknown.

Change it in your main.cf file to:

reject_unknown_sender_domain
 
Old 08-18-2006, 10:34 PM   #12
xlh3110
LQ Newbie
 
Registered: Nov 2005
Posts: 19

Original Poster
Rep: Reputation: 0
Question

Now here came a real test. I got another spam, and here are related header information:

Code:
Return-Path: <rymub@xbeyond.fsnet.co.uk>

Received: from c-67-172-119-93.hsd1.ca.comcast.net (c-67-172-119-93.hsd1.ca.comcast.net
    [67.172.119.93])

Received: from [67.172.105.180] (helo=qtp)
    by c-67-172-119-93.hsd1.ca.comcast.net with smtp (Exim 4.43)
    id 1GEFaX-0003IA-V2; Fri, 18 Aug 2006 18:25:25 -0700

Message-ID: <001f01c6c32d$aa82c87e$b469ac43@qtp>
From: "Eveline Richards" <rymub@xbeyond.fsnet.co.uk>
To me it is obvious the sender address is a fake one, since it is very different from the comcast cable used.

When postfix checks the sender's address, how does it know the sender's address is a known (maybe valid instead) address? And how to catech this type of spams? Probably back to my original questions?

Thanks.

Quote:
Originally Posted by Child of Wonder
My mistake... it's a spelling error. Left out an "n" in unknown.

Change it in your main.cf file to:

reject_unknown_sender_domain
 
Old 08-18-2006, 11:18 PM   #13
Child of Wonder
Member
 
Registered: Jul 2004
Location: Sioux Falls, SD
Distribution: Debian, Ubuntu, Fedora, Red Hat
Posts: 69

Rep: Reputation: 16
A sender address can be spoofed very easily. Postfix has no way of knowing whether the email address the sender provides is a real email address or not. All Postfix can do is check to see if the domain.com portion of the email address exists using the reject_unknown_sender_domain rule and, in this case, this domain does exist and has an MX record so it passes that check.

Code:
dig mx xbeyond.fsnet.co.uk

; <<>> DiG 9.3.2 <<>> mx xbeyond.fsnet.co.uk
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63745
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;xbeyond.fsnet.co.uk.           IN      MX

;; ANSWER SECTION:
xbeyond.fsnet.co.uk.    86400   IN      MX      2 mail-in.freeserve.com.

;; AUTHORITY SECTION:
fsnet.co.uk.            28800   IN      NS      pridns1.svr.pol.co.uk.
fsnet.co.uk.            28800   IN      NS      pridns2.svr.pol.co.uk.
fsnet.co.uk.            28800   IN      NS      pridns3.svr.pol.co.uk.
fsnet.co.uk.            28800   IN      NS      pridns4.svr.pol.co.uk.

;; ADDITIONAL SECTION:
pridns1.svr.pol.co.uk.  14058   IN      A       195.92.193.4
pridns2.svr.pol.co.uk.  14058   IN      A       195.92.195.161
pridns3.svr.pol.co.uk.  14058   IN      A       195.92.67.18
pridns4.svr.pol.co.uk.  14058   IN      A       195.92.168.157

;; Query time: 138 msec
;; SERVER: 192.168.0.250#53(192.168.0.250)
;; WHEN: Fri Aug 18 22:17:23 2006
;; MSG SIZE  rcvd: 234
 
Old 08-18-2006, 11:57 PM   #14
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
For my SPAM, and I get lots of it, I use a combination of spamassassin and sieve. All the messages identified as SPAM go from my Inbox to my SPAM mailbox automatically. A couple of times per week I check my SPAM folder to see if there are any false/positives. If I do get a repeating false/negative then I use SPAMCop to report it.
 
Old 08-19-2006, 12:25 AM   #15
xlh3110
LQ Newbie
 
Registered: Nov 2005
Posts: 19

Original Poster
Rep: Reputation: 0
Is there anyway for postfix to check the sender's domain against the sending address, i.e., the IP in the received from field? Since as you said, a sender's address can be spoofed easily, while the sending address is not unless the ISP is collaborating.



Quote:
Originally Posted by Child of Wonder
A sender address can be spoofed very easily. Postfix has no way of knowing whether the email address the sender provides is a real email address or not. All Postfix can do is check to see if the domain.com portion of the email address exists using the reject_unknown_sender_domain rule and, in this case, this domain does exist and has an MX record so it passes that check.

Code:
dig mx xbeyond.fsnet.co.uk

; <<>> DiG 9.3.2 <<>> mx xbeyond.fsnet.co.uk
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63745
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;xbeyond.fsnet.co.uk.           IN      MX

;; ANSWER SECTION:
xbeyond.fsnet.co.uk.    86400   IN      MX      2 mail-in.freeserve.com.

;; AUTHORITY SECTION:
fsnet.co.uk.            28800   IN      NS      pridns1.svr.pol.co.uk.
fsnet.co.uk.            28800   IN      NS      pridns2.svr.pol.co.uk.
fsnet.co.uk.            28800   IN      NS      pridns3.svr.pol.co.uk.
fsnet.co.uk.            28800   IN      NS      pridns4.svr.pol.co.uk.

;; ADDITIONAL SECTION:
pridns1.svr.pol.co.uk.  14058   IN      A       195.92.193.4
pridns2.svr.pol.co.uk.  14058   IN      A       195.92.195.161
pridns3.svr.pol.co.uk.  14058   IN      A       195.92.67.18
pridns4.svr.pol.co.uk.  14058   IN      A       195.92.168.157

;; Query time: 138 msec
;; SERVER: 192.168.0.250#53(192.168.0.250)
;; WHEN: Fri Aug 18 22:17:23 2006
;; MSG SIZE  rcvd: 234
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
emails and spams alaios Linux - Networking 7 02-25-2006 02:54 PM
Postfix, reject some system users? Chowroc Linux - Networking 3 02-01-2005 08:54 AM
unable to configure postfix syl20 Linux - Networking 5 11-17-2004 04:03 AM
My victory over spams J_Szucs Linux - Networking 15 09-23-2004 03:11 AM
Starting Mozilla spams /var/log/messages Tinkster Slackware 7 08-22-2004 04:39 AM


All times are GMT -5. The time now is 02:21 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration