LinuxQuestions.org

Linux - Server: Spam, Postfix, and Unknown Users (http://www.linuxquestions.org/questions/linux-server-73/spam-postfix-and-unknown-users-590875/)

zok 10-10-2007 03:23 PM

Spam, Postfix, and Unknown Users
 
This may be a familiar problem to many sysadmins, but we get tons of spam to non-existent users. Our mail server (running postfix 2.0.16-14) then generates an "unknown user" bounce back message. The problem, of course, is that the reply-to address in the spam message is spoofed; so our queue gets filled with messages that are destined to domains that time out.

Any suggestions on how to handle this? I came across a site that describes my problem and proposes a solution:
62. I get lots of mail for non-existent users that comes from servers that don't respond, so my queue is always full while it tries to deliver bounce notifications to these non-existent servers. How can I prevent this?

You must not accept messages for non-existent users. Since From addresses are usually forged, your system will be bouncing messages to people who never sent them. You must configure Postfix to reject them without accepting them into the queue. Set local_recipient_maps or relay_recipient_maps as appropriate for your situation. You might also want to include the restriction rule reject_unknown_sender_domain among your smtpd restrictions. See LOCAL_RECIPIENT_README for more information. (http://www.seaglass.com/postfix/faq.html#ubenousr)
We already have local_recipient_maps set, though, in our main.cf:

Quote:

local_recipient_maps = unix:passwd.byname $alias_maps
But the problem persists. Also, according to postfix's site, when local_recipient_maps is set, it should reject a message with the error: "Unknown user in local recipient table"; but our mail server actually generates a different message. An example would be:

Quote:

Final-Recipient: rfc822; asdfasdf@<ourdomain.com>
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "asdfasdf"
Anyone have any suggestions?

Thanks.

clau_bolson 10-12-2007 08:39 AM

Can you post the related log entry?

Look for a line like this:

Oct 12 10:38:36 server postfix/smtpd[12654]: NOQUEUE: reject: RCPT from 78.130.28.155.rev.optimus.pt[78.130.28.155]: 550<atalon@domain.com>: Recipient address rejected: User unknown in local recipient table; from=<khayroll@accu-type.com> to=<atalon@domain.com> proto=ESMTP helo=<78.130.28.155.rev.optimus.pt>

zok 10-12-2007 12:35 PM

Quote:

Originally Posted by clau_bolson (Post 2921899)
Can you post the related log entry?

Look for a line like this:

Oct 12 10:38:36 server postfix/smtpd[12654]: NOQUEUE: reject: RCPT from 78.130.28.155.rev.optimus.pt[78.130.28.155]: 550<atalon@domain.com>: Recipient address rejected: User unknown in local recipient table; from=<khayroll@accu-type.com> to=<atalon@domain.com> proto=ESMTP helo=<78.130.28.155.rev.optimus.pt>

Here's one. A quick note about our setup: when our postfix server receives the message, it passes it on to another machine to be scanned for viruses, as set by the following line in our main.cf:

content_filter=smtp-amavis:[scan.ourdomain.com]:10024


Here are the log entries relevant to that for my test message:

Oct 12 13:12:29 mail postfix/smtpd[5786]: C64573FCFF: client=exprod8mx94.postini.com[64.18.3.206]
Oct 12 13:12:30 mail postfix/cleanup[5780]: C64573FCFF: message-id=<846895.95153.qm@web58911.mail.re1.yahoo.com>
Oct 12 13:12:31 mail postfix/nqmgr[29311]: C64573FCFF: from=<tumoip@yahoo.com>, size=1960, nrcpt=1 (queue active)
Oct 12 13:12:33 mail postfix/smtp[28351]: C64573FCFF: to=<asdfasdf@ourdomain.com>, relay=scan.ourdomain.com[scan.ourdomain.com], delay=4, status=sent (250 2.6.0 Ok, id=08945-02, from MTA([mail]:10025): 250 Ok: queued as E3A693FD0F)


Note that postini.com is the external service we use for virus scanning, which is why that appears at the beginning.

Once it has been scanned for viruses, the message is passed back to the postfix server, where it bounces:

Oct 12 13:12:32 mail postfix/smtpd[6119]: E3A693FD0F: client=scan.ourdomain.com[scan.ourdomain.com]
Oct 12 13:12:32 mail postfix/cleanup[5831]: E3A693FD0F: message-id=<846895.95153.qm@web58911.mail.re1.yahoo.com>
Oct 12 13:12:33 mail postfix/smtp[28351]: C64573FCFF: to=<asdfasdf@ourdomain.com>, relay=scan.ourdomain.com[scan.ourdomain.com], delay=4, status=sent (250 2.6.0 Ok, id=08945-02, from MTA([mail]:10025): 250 Ok: queued as E3A693FD0F)
Oct 12 13:12:33 mail postfix/nqmgr[29311]: E3A693FD0F: from=<tumoip@yahoo.com>, size=2454, nrcpt=1 (queue active)
Oct 12 13:12:33 mail postfix/local[6015]: E3A693FD0F: to=<asdfasdf@ourdomain.com>, relay=local, delay=1, status=bounced (unknown user: "asdfasdf")


And then we see the bounce back message sent back:

Oct 12 13:12:33 mail postfix/cleanup[5819]: C2EF63FCF1: message-id=<20071012171233.C2EF63FCF1@mail.ourdomain.com>
Oct 12 13:12:33 mail postfix/nqmgr[29311]: C2EF63FCF1: from=<>, size=4142, nrcpt=1 (queue active)
Oct 12 13:12:34 mail postfix/smtp[30477]: C2EF63FCF1: to=<tumoip@yahoo.com>, relay=e.mx.mail.yahoo.com[216.39.53.1], delay=1, status=sent (250 ok dirdel)
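Added example, not part of the thread: a small Python log correlator that ties each local(8) "unknown user" bounce back to the queue ID, client and sender the message had when smtpd first accepted it (before the content filter), and lists the null-sender bounces that then went back out. The sample log lines are constructed from the ones posted above.

```python
import re

# Constructed sample modelled on the log lines posted above: accepted from outside, handed
# to the filter, re-injected on port 10025, bounced by local(8), bounce sent to the sender.
SAMPLE_LOG = """\
Oct 12 13:12:29 mail postfix/smtpd[5786]: C64573FCFF: client=exprod8mx94.postini.com[64.18.3.206]
Oct 12 13:12:31 mail postfix/nqmgr[29311]: C64573FCFF: from=<tumoip@yahoo.com>, size=1960, nrcpt=1 (queue active)
Oct 12 13:12:32 mail postfix/smtpd[6119]: E3A693FD0F: client=scan.ourdomain.com[scan.ourdomain.com]
Oct 12 13:12:33 mail postfix/smtp[28351]: C64573FCFF: to=<asdfasdf@ourdomain.com>, relay=scan.ourdomain.com[scan.ourdomain.com], delay=4, status=sent (250 2.6.0 Ok, id=08945-02, from MTA([mail]:10025): 250 Ok: queued as E3A693FD0F)
Oct 12 13:12:33 mail postfix/local[6015]: E3A693FD0F: to=<asdfasdf@ourdomain.com>, relay=local, delay=1, status=bounced (unknown user: "asdfasdf")
Oct 12 13:12:33 mail postfix/nqmgr[29311]: C2EF63FCF1: from=<>, size=4142, nrcpt=1 (queue active)
Oct 12 13:12:34 mail postfix/smtp[30477]: C2EF63FCF1: to=<tumoip@yahoo.com>, relay=e.mx.mail.yahoo.com[216.39.53.1], delay=1, status=sent (250 ok dirdel)
"""

LINE_RE = re.compile(r'postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$')
FIELD = {k: re.compile(p) for k, p in {
    'client': r'client=(\S+)', 'sender': r'from=<([^>]*)>', 'rcpt': r'to=<([^>]*)>',
    'relay': r'relay=(\S+?),', 'newqid': r'queued as ([0-9A-F]+)',
    'unknown': r'status=bounced \(unknown user: "([^"]+)"\)'}.items()}

def field(name, text):
    m = FIELD[name].search(text)
    return m.group(1) if m else None

def parse(log_text):
    """Yield (program, queue_id, rest) for every queue-ID-bearing Postfix log line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group('prog'), m.group('qid'), m.group('rest')

def find_post_filter_bounces(log_text):
    """Unknown-user bounces raised by local(8) after the content filter, each tied back
    to the queue ID, client and sender the message had when smtpd first accepted it."""
    events = list(parse(log_text))
    client = {q: field('client', r) for p, q, r in events if p == 'smtpd'}
    sender = {q: field('sender', r) for p, q, r in events if p in ('nqmgr', 'qmgr')}
    origin = {field('newqid', r): q for p, q, r in events if p == 'smtp' and 'queued as' in r}
    out = []
    for prog, qid, rest in events:
        if prog == 'local' and field('unknown', rest):
            orig = origin.get(qid, qid)  # same ID if the message was never re-injected
            out.append({'recipient': field('rcpt', rest), 'reinjected_qid': qid,
                        'accepted_qid': orig, 'client': client.get(orig),
                        'sender': sender.get(orig)})
    return out

def backscatter_deliveries(log_text):
    """Null-sender (from=<>) messages that left via smtp: the bounces to forged senders
    that fill the queue when the destination domains do not answer."""
    events = list(parse(log_text))
    nulls = {q for p, q, r in events if p in ('nqmgr', 'qmgr') and field('sender', r) == ''}
    return [(q, field('rcpt', r), field('relay', r)) for p, q, r in events
            if p == 'smtp' and q in nulls and 'status=sent' in r]
```

Every entry from find_post_filter_bounces is a message the front smtpd accepted and later bounced, i.e. exactly the backscatter the thread is about; an empty list after a configuration change is the check that the fix worked.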

clau_bolson 10-12-2007 01:02 PM

I have the same setup, but mail to unknown recipients is rejected BEFORE the message is passed to amavis.
I think there is a configuration error here.
Can you post the result of postconf -n?

zok 10-12-2007 02:56 PM

Quote:

Originally Posted by clau_bolson (Post 2922122)
I have the same setup, but mail to unknown recipients is rejected BEFORE the message is passed to amavis.
I think there is a configuration error here.
Can you post the result of postconf -n?

Here it is. Thanks for looking at it.

alias_database = $alias_maps
alias_maps = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.webnames, hash:/etc/postfix/aliases.majordomo, hash:/etc/postfix/aliases.majordomo.reserved-students, hash:/etc/postfix/aliases.users, hash:/etc/postfix/aliases.mailman
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[scan.ourdomain.com]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
fast_flush_domains = $relay_domains
header_checks = pcre:/etc/postfix/header_checks
header_size_limit = 102400
home_mailbox = Maildir/
inet_interfaces = all
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail -f-
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, mail.$mydomain, cc.$mydomain, imap.$mydomain
mydomain = ourdomain.com
mynetworks = <our_subnet>.0.0/16, 127.0.0.0/8, 10.0.80.11, 10.0.80.12, 10.0.80.15, 64.18.0.0/16, 10.0.80.22, 10.0.80.24, 172.31.0.5, 10.0.80.41, 172.31.255.254, 172.31.88.71, 172.31.88.72, 172.31.142.71
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.0.16/README_FILES
relay_domains = $mydomain, imap.ourdomain.com, cc.ourdomain.com, palantir.ourdomain.com, domain2.org, domain3.org
sample_directory = /usr/share/doc/postfix-2.0.16/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP for <our institution> no UCE permitted
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, warn_if_reject REJECT, permit
smtpd_recipient_restrictions = check_recipient_maps, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access hash:/etc/postfix/access,
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, reject_non_fqdn_sender, hash:/etc/postfix/access.spammers
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/smtp.ourdomain.com.crt
smtpd_tls_key_file = /etc/ssl/smtp.ourdomain.com.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

