LinuxQuestions.org > Linux - Server > Preventing Backscatter with Postfix (http://www.linuxquestions.org/questions/linux-server-73/preventing-backscatter-with-postfix-824466/)

SteveJenkins 08-05-2010 07:01 PM

Preventing Backscatter with Postfix
 
I have Googled and searched dozens of forums and mailing list archives for a couple days now, and I haven't found a straightforward answer to what is REALLY required in a Postfix main.cf file to stop backscatter.

A couple of our servers are still being flagged as sending backscatter. Is it possible to send a bounce message these days without it being considered backscatter?

I keep adding suggested "fixes" to my main.cf file, but Backscatterer.org still says we're doing it.

Here's my postconf -n output:

Code:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
local_recipient_maps = unix:passwd.byname $alias_maps
mydestination = $myhostname, localhost.$mydomain, localhost, localhost.localdomain, $mydomain
mynetworks = 127.0.0.0/8
myorigin = xxxxxxxxx.com
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    permit
smtpd_reject_unlisted_recipient = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

Am I missing something and/or have stuff in there I don't need? I'm at my wit's end! :)

EDIT: Backscatterer.org gave me a timestamp for the last time my server reportedly offended, and this is the matching entry in my maillog:

Code:

Aug  4 12:06:35 zork postfix/smtp[1966]: 4EE011080EA: to=<tod7shigeo@acanthuscaput.com>, relay=mail.acanthuscaput.com[69.30.193.210]:25, delay=17478, delays=17299/0.01/23/156, dsn=5.0.0, status=bounced (host mail.acanthuscaput.com[69.30.193.210] said: 554 We don't take bounces from systems listed at BACKSCATTERER.ORG (in reply to DATA command))

A grep of the maillog for any line that includes that email address showed:

Code:

Aug  4 07:15:17 zork dkimproxy.in[24014]: DKIM verify - none; message-id=<e53801cb33de$1b1a2359$bc68ffa7@acanthuscaput.com>, from=<tod7shigeo@acanthuscaput.com>
Aug  4 07:15:18 zork postfix/qmgr[21673]: E7C3E107E57: from=<tod7shigeo@acanthuscaput.com>, size=3546, nrcpt=1 (queue active)
Aug  4 07:15:48 zork postfix/smtp[17610]: 4EE011080EA: to=<tod7shigeo@acanthuscaput.com>, relay=none, delay=30, delays=0/0/30/0, dsn=4.4.1, status=deferred (connect to mail.acanthuscaput.com[69.30.193.210]: Connection timed out)
Aug  4 07:37:33 zork postfix/smtp[18959]: 4EE011080EA: to=<tod7shigeo@acanthuscaput.com>, relay=none, delay=1335, delays=1299/0.01/36/0, dsn=4.4.1, status=deferred (connect to mail.acanthuscaput.com[69.30.193.210]: Connection timed out)
Aug  4 08:10:48 zork postfix/smtp[20889]: 4EE011080EA: to=<tod7shigeo@acanthuscaput.com>, relay=none, delay=3330, delays=3299/0.02/31/0, dsn=4.4.1, status=deferred (connect to mail.acanthuscaput.com[69.30.193.210]: Connection timed out)
Aug  4 09:17:33 zork postfix/smtp[24742]: 4EE011080EA: to=<tod7shigeo@acanthuscaput.com>, relay=none, delay=7336, delays=7300/0.03/36/0, dsn=4.4.1, status=deferred (connect to mail.acanthuscaput.com[69.30.193.210]: Connection timed out)
Aug  4 10:40:57 zork postfix/smtp[29543]: 4EE011080EA: to=<tod7shigeo@acanthuscaput.com>, relay=none, delay=12340, delays=12299/0.03/41/0, dsn=4.4.1, status=deferred (connect to mail.acanthuscaput.com[69.30.193.210]: Connection timed out)
Aug  4 12:06:35 zork postfix/smtp[1966]: 4EE011080EA: to=<tod7shigeo@acanthuscaput.com>, relay=mail.acanthuscaput.com[69.30.193.210]:25, delay=17478, delays=17299/0.01/23/156, dsn=5.0.0, status=bounced (host mail.acanthuscaput.com[69.30.193.210] said: 554 We don't take bounces from systems listed at BACKSCATTERER.ORG (in reply to DATA command))


SteveJenkins 08-06-2010 06:21 PM

80+ views and no ideas? :( I'm running Postfix 2.3.3, btw.

I've read all the FAQs on the Postfix site (but most seem a little outdated).

Any nudges in the right direction would be appreciated.

jamrock 08-06-2010 09:36 PM

Quote:

Is it possible to send a bounce message these days without it being considered backscatter?
Are you accepting the messages and then bouncing them?

Are you rejecting the messages without accepting them?

Quote:

smtpd_data_restrictions =
reject_unauth_pipelining,
permit
smtpd_recipient_restrictions =
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unlisted_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_unauth_destination,
permit
smtpd_reject_unlisted_recipient = yes
Why do you need these settings?

SteveJenkins 08-29-2010 06:29 PM

Quote:

Originally Posted by jamrock (Post 4058469)
Are you accepting the messages and then bouncing them? Are you rejecting the messages without accepting them?

Frankly, I have no idea. :) That's why I pasted in those lines from the mail log. What SHOULD it be doing to properly prevent backscatter?

Quote:

Originally Posted by jamrock (Post 4058469)
Why do you need these settings?

I saw them in a post that suggested they be there to help stop backscatter (http://www.linuxquestions.org/questi...roblem-724444/). But it seems there's a whole lot of voodoo when it comes to this subject, and very few people are able to give some definitive answers. I'm really hoping for some shoves in the right direction. :)

jamrock 08-29-2010 09:41 PM

I am not an expert on this. However, I will tell you what I understand.

Mail servers receive a lot of spam. Spammers often use forged addresses when they send email.

You can either:

reject these messages
accept them, then bounce them.

If you reject them, they will not end up in your mail queue.

If you accept them then bounce them, you create backscatter. This happens because you are trying to bounce mail to addresses that do not exist.

http://www.postfix.org/BACKSCATTER_README.html

From what I understand, Postfix rejects unknown recipients by default.

http://www.postfix.org/LOCAL_RECIPIENT_README.html

I would start by finding out why this is not happening on your server.

Can you set up a test server? I would start by commenting out the following and testing the results:

Quote:

local_recipient_maps = unix:passwd.byname $alias_maps
The comments in the main.cf suggest that the default value is sufficient.

Quote:

smtpd_data_restrictions =
reject_unauth_pipelining,
permit
smtpd_recipient_restrictions =
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unlisted_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_unauth_destination,
permit
smtpd_reject_unlisted_recipient = yes
I hope this helps.

You may also find this document useful:
http://www.postfix.org/BASIC_CONFIGURATION_README.html
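The reject-at-SMTP-time versus accept-then-bounce distinction above can be checked directly in the maillog. The following is an added example, not code from the thread: it classifies constructed (not real) maillog lines using two Postfix log formats, the `NOQUEUE: reject:` line smtpd writes when it refuses a recipient, and the `sender non-delivery notification` line the bounce daemon writes when Postfix generates a DSN. The names `classify`, `backscatter_candidates`, `SAMPLE_LOG` and the addresses and hosts in it are assumptions made for the example.

```python
import re

# Constructed sample maillog lines (not from the thread). The first message
# is rejected at RCPT time, so nothing is queued and no bounce can be sent.
# The second is accepted, fails local delivery, and Postfix then generates a
# DSN to the (possibly forged) envelope sender: that DSN is the backscatter.
SAMPLE_LOG = """\
Aug  4 07:15:10 zork postfix/smtpd[24001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<forged@example.net> to=<nobody@example.com> proto=ESMTP helo=<mx.example.net>
Aug  4 07:15:17 zork postfix/smtpd[24002]: E7C3E107E57: client=unknown[192.0.2.11]
Aug  4 07:15:18 zork postfix/qmgr[21673]: E7C3E107E57: from=<forged@example.org>, size=3546, nrcpt=1 (queue active)
Aug  4 07:15:18 zork postfix/local[24003]: E7C3E107E57: to=<gone@example.com>, relay=local, delay=0.5, dsn=5.1.1, status=bounced (unknown user: "gone")
Aug  4 07:15:18 zork postfix/bounce[24004]: E7C3E107E57: sender non-delivery notification: 4EE011080EA
Aug  4 07:15:18 zork postfix/qmgr[21673]: 4EE011080EA: from=<>, size=5200, nrcpt=1 (queue active)
"""

REJECT_RE = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: .* from=<([^>]*)> to=<([^>]*)>")
SENDER_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")
BOUNCE_RE = re.compile(r"postfix/bounce\[\d+\]: ([0-9A-F]+): sender non-delivery notification: ([0-9A-F]+)")


def classify(log_text):
    """Split a maillog into SMTP-time rejects (safe) and DSNs Postfix generated."""
    senders = {}          # queue id -> envelope sender, from the qmgr line
    rejects, dsns = [], []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects.append({"from": m.group(1), "to": m.group(2)})
            continue
        m = SENDER_RE.search(line)
        if m:
            senders[m.group(1)] = m.group(2)
            continue
        m = BOUNCE_RE.search(line)
        if m:
            orig, dsn = m.group(1), m.group(2)
            # The DSN goes to the original message's envelope sender.
            dsns.append({"original": orig, "dsn": dsn, "bounce_to": senders.get(orig)})
    return {"rejects": rejects, "dsns": dsns}


def backscatter_candidates(summary, local_domains):
    """DSNs addressed outside local_domains: remote sites count these as
    backscatter whenever the original sender address was forged."""
    out = []
    for d in summary["dsns"]:
        addr = d["bounce_to"] or ""
        if addr and addr.rpartition("@")[2].lower() not in local_domains:
            out.append(d)
    return out
```

A server that is rejecting properly shows only `NOQUEUE: reject:` lines for unknown recipients; any `sender non-delivery notification` line whose original sender is external is a bounce that can land the server on a backscatter list.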

SteveJenkins 08-29-2010 11:19 PM

I appreciate the reply, Jamrock (especially since nobody else has!), but I was hoping for a bit more guidance than "RTFM." :) I have read all those things, and the myriad posts by others having these same problems, and there seem to be very few experts who can speak with any authority as to why it's happening. From what I can see on the tests we're running, we're rejecting the mail instead of bouncing it. But we're STILL ending up in backscatter reports.

jamrock 08-30-2010 05:50 AM

Quote:

Originally Posted by SteveJenkins (Post 4081918)
and there seem to be very few experts who can speak with any authority as to why it's happening.

I suspect that is so because it is not the norm. Postfix rejects unknown recipients by default. If you make only the changes in the basic configuration document it doesn't happen.

Quote:

Originally Posted by SteveJenkins (Post 4081918)
From what I can see on the tests we're running, we're rejecting the mail instead of bouncing it. But we're STILL ending up in backscatter reports.

Can you post the logs showing the mail being rejected?
