LinuxQuestions.org
Old 12-16-2005, 02:10 AM   #1
sulee
LQ Newbie
 
Registered: Jul 2005
Location: Bangkok
Distribution: Slackware
Posts: 20

Rep: Reputation: 0
huge maillog


Hello there,

I'm running a webserver with slackware 10.1 and mailserver postfix/courier-imap with Mysql. There are 8 sites hosted, and only 2 of them busy.

I have the maillog rotating daily.

In one day it outputs approx 20 - 25 MB!

The entries are rather common - I'd say - like (MY_DOMAIN replaced):

Dec 16 07:12:48 fortuner postfix/smtpd[26636]: NOQUEUE: reject: RCPT from unknown[218.111.47.109]: 550 <603rampageousa@MY_DOMAIN.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<SuzanneCartwrightmiasmal@crosstownarts.com> to=<603rampageousa@MY_DOMAIN.com> proto=SMTP helo=<xx.141.56.xx>
Dec 16 07:12:49 fortuner postfix/smtpd[26636]: NOQUEUE: reject: RCPT from unknown[218.111.47.109]: 550 <rudolph@MY_DOMAIN.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<SuzanneCartwrightmiasmal@crosstownarts.com> to=<rudolph@MY_DOMAIN.com> proto=SMTP helo=<xx.141.56.xx>

There are many repeating senders - I'm not (yet) using any $rbl_ Black-Listing check.

Any helping advice on the topic is most appreciated. Thanks
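To see which clients are behind the rejections quoted in this post, the maillog can be summarised per client IP. The following is an added example, not part of the original post: it counts "User unknown" rejections and distinct probed recipients per client, and the sample lines, IP addresses and the `harvest_suspects` name are constructed for illustration.

```python
import re
from collections import defaultdict

# "User unknown" RCPT rejections in the format shown in the post. The
# "in virtual mailbox table" suffix is not required, so the pattern still
# matches when show_user_unknown_table_name = no.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<code>[45]\d\d) "
    r"<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)

def _reject(ip, rcpt):
    """Build one constructed log line in the post's format."""
    return (f"Dec 16 07:12:48 fortuner postfix/smtpd[26636]: NOQUEUE: reject: "
            f"RCPT from unknown[{ip}]: 550 <{rcpt}>: Recipient address rejected: "
            f"User unknown in virtual mailbox table; from=<x@example.org> "
            f"to=<{rcpt}> proto=SMTP helo=<example>")

# Constructed sample input (documentation IP ranges, invented recipients).
SAMPLE_LOG = [
    _reject("192.0.2.10", "603rampageousa@MY_DOMAIN.com"),
    _reject("192.0.2.10", "rudolph@MY_DOMAIN.com"),
    _reject("192.0.2.10", "159.whoever@MY_DOMAIN.com"),
    _reject("192.0.2.10", "Rudolph@MY_DOMAIN.com"),      # repeat, other case
    _reject("198.51.100.7", "jon.smith@MY_DOMAIN.com"),  # one typo, retried
    _reject("198.51.100.7", "jon.smith@MY_DOMAIN.com"),
    "Dec 16 07:13:02 fortuner postfix/smtpd[26636]: lost connection after "
    "RCPT from unknown[192.0.2.10]",                     # not a rejection
]

def harvest_suspects(lines, min_distinct=3):
    """Return [(ip, rejects, distinct_recipients)] for clients that probed at
    least min_distinct different unknown recipients, widest probe first."""
    rejects = defaultdict(int)
    rcpts = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            rejects[m.group("ip")] += 1
            rcpts[m.group("ip")].add(m.group("rcpt").lower())
    rows = [(ip, rejects[ip], len(rcpts[ip]))
            for ip in rejects if len(rcpts[ip]) >= min_distinct]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))

if __name__ == "__main__":
    for ip, count, distinct in harvest_suspects(SAMPLE_LOG):
        print(f"{ip}: {count} rejects, {distinct} distinct unknown recipients")
```

Counting distinct recipients rather than raw rejections separates a client walking a dictionary of addresses from one that retries a single mistyped address.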
 
Old 12-16-2005, 08:33 AM   #2
carlmarshall
Member
 
Registered: Jan 2004
Location: North Yorkshire, UK
Distribution: Centos 5
Posts: 133

Rep: Reputation: 16
It looks as though you are being trawled for email addresses. You could try slowing the spammers down by introducing a soft error limit and sleep time. Try the following in your main.cf file:

smtpd_soft_error_limit = 2
smtpd_error_sleep_time = 200

i.e. 2 errors and we're not talking to you for 200 seconds.

Hope that helps,

Carl.
 
Old 12-17-2005, 02:24 AM   #3
sulee
LQ Newbie
 
Registered: Jul 2005
Location: Bangkok
Distribution: Slackware
Posts: 20

Original Poster
Rep: Reputation: 0
Thanks, Carl,

however, that didn't solve the problem...
I actually got lots of warning mails to the postmaster-box...

"temporarily unavailable lookup"

So for the moment, I use some rbl sources, to cut down the load on the mysql-server.

The size of the maillog remains huge (20 - 25 MB a day).....

Any further ideas?
 
Old 12-19-2005, 07:51 AM   #4
carlmarshall
Member
 
Registered: Jan 2004
Location: North Yorkshire, UK
Distribution: Centos 5
Posts: 133

Rep: Reputation: 16
Sulee,

Could you post some more of the headers around the "temporarily unavailable lookup" area please? Also what's in the messages to postmaster?

Carl.
 
Old 12-19-2005, 08:43 PM   #5
sulee
LQ Newbie
 
Registered: Jul 2005
Location: Bangkok
Distribution: Slackware
Posts: 20

Original Poster
Rep: Reputation: 0
Hi Carl,

thanks for coming in again...

using
smtpd_soft_error_limit = 2
smtpd_error_sleep_time = 200
as you suggested, is not a good solution for me, because - for sure - I also receive mails to the domains which are trawled for email addresses.

So, the moment the service "sleeps" it cannot deliver to an existing box. Therefore I had to check all postmaster-warnings for possible existing-mailbox-names...

Thanks again - but at present I use a couple of rbl_client commands, which -so far- does sort out a lot of the junk....
 
Old 12-20-2005, 03:03 AM   #6
carlmarshall
Member
 
Registered: Jan 2004
Location: North Yorkshire, UK
Distribution: Centos 5
Posts: 133

Rep: Reputation: 16
Sulee,

Sounds like you should be contacting the postmaster for the errant mail server.

Carl.
 
Old 01-03-2006, 08:38 PM   #7
sulee
LQ Newbie
 
Registered: Jul 2005
Location: Bangkok
Distribution: Slackware
Posts: 20

Original Poster
Rep: Reputation: 0
Hi,

since I'm the postmaster - I can only contact myself ;-)

I re-tried the "soft_error_limit & error_sleep_time" commands - this time took it off again, cause the number of smtpd processes running went up to 30 (instead of the usual 2 - 7), which scared me cause somewhere I've read that postfix gets in trouble once this number exceeds 50.

I manage to reject those 159.whoever@ mails using a pcre check (see main.cf below).

I get (IMO too many) "lost connection after RCPT..." messages in my log - maybe about every 10th process.

QUESTION remains - how to block these multi senders at the earliest stage?

See below my main.cf and (relevant) pcre check:

===========POSTFIX===main.cf===ACTUAL VERSION

# Global Postfix configuration file. 4 more see the postconf(5) manual
#soft_bounce = no

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/libexec/postfix

mail_owner = postfix

myhostname = fortuner.big-tree.org

mydomain = big-tree.org

myorigin = $mydomain

mydestination = $myhostname, localhost

unknown_local_recipient_reject_code = 550

#relay_domains = $mydestination

#recipient_delimiter = +

#home_mailbox = Maildir/

mail_spool_directory = /var/spool/mail

sendmail_path = /usr/sbin/sendmail

newaliases_path = /usr/bin/newaliases

mailq_path = /usr/bin/mailq

setgid_group = postdrop

#mailbox_command = /some/where/procmail -a "$EXTENSION"

# ***SASL AND TLS RULES***

smtpd_sasl_auth_enable = yes
smtpd_sasl_application_name = smtpd
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_sasl_security_options = noanonymous

# ****GENERAL SETTINGS****

show_user_unknown_table_name = no

# ***SMTPD RESTRICTION RULES***

smtpd_delay_reject = yes
smtpd_helo_required = yes

smtpd_client_restrictions =
    reject_unauth_pipelining,
    permit

smtpd_helo_restrictions =
    check_helo_access
    pcre:/etc/postfix/checks/helo,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    permit

smtpd_sender_restrictions =
    reject_unlisted_sender,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

smtpd_recipient_restrictions =
    check_recipient_access
    pcre:/etc/postfix/checks/abyss,
    reject_unlisted_recipient,
    reject_non_fqdn_recipient,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
# check_recipient_access
# hash:/etc/postfix/maps/whitelist_ips.cf,
# check_policy_service inet:127.0.0.1:2525,
    check_policy_service inet:127.0.0.1:10023,
    permit

smtpd_data_restrictions =
    reject_unauth_pipelining

disable_vrfy_command = yes
strict_rfc821_envelopes = yes

# ***HEADER CHECKS***
header_checks = pcre:/etc/postfix/checks/header

# ***MIME HEADER CHECKS***
mime_header_checks = pcre:/etc/postfix/checks/mime_header

# ***BODY CHECKS***
body_checks = pcre:/etc/postfix/checks/body

# ***MAPS AND MAPPING***
#proxy_read_maps = $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $virtual_uid_maps $virtual_gid_maps

# virtual_alias_domains =
alias_maps =
alias_database =
virtual_alias_maps =
    proxy:mysql:/etc/postfix/maps/mysql_virtual_standards.cf
    proxy:mysql:/etc/postfix/maps/mysql_virtual_forwardings.cf
virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/maps/mysql_virtual_domains.cf
virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/maps/mysql_virtual_mailboxes.cf
virtual_uid_maps =
    proxy:mysql:/etc/postfix/maps/mysql_virtual_uids.cf
virtual_gid_maps =
    proxy:mysql:/etc/postfix/maps/mysql_virtual_gids.cf
# relay_domains =

virtual_transport = virtual
virtual_mailbox_base = /

# ***DEBUGGING CONTROL***
debug_peer_level = 2

debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5

# ***OTHER STUFF***
html_directory = no

manpage_directory = /usr/local/man

sample_directory = /etc/postfix

readme_directory = no

=================================abyss

/^([A-Za-z._-]*[0-9]+[A-Za-z._-]*[0-9]*)[@](TROUBLED_DOMAIN\.com)/ REJECT No!

/^([A-Za-z0-9._-]{11,})[@](TROUBLED_DOMAIN\.com)/ REJECT no such user!
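
Before relying on the two abyss patterns above, it is worth checking which real mailboxes they would also reject. The following is an added example, not part of the original post: it uses Python's `re` as a stand-in for the Postfix pcre table (case-insensitive, as pcre tables are by default), and the mailbox list and function names are constructed for illustration.

```python
import re

# The two rules from the "abyss" table in the post, in table order.
# Postfix pcre tables match case-insensitively by default, hence re.I.
ABYSS_RULES = [
    (re.compile(r"^([A-Za-z._-]*[0-9]+[A-Za-z._-]*[0-9]*)[@](TROUBLED_DOMAIN\.com)",
                re.I), "REJECT No!"),
    (re.compile(r"^([A-Za-z0-9._-]{11,})[@](TROUBLED_DOMAIN\.com)",
                re.I), "REJECT no such user!"),
]

def abyss_action(address):
    """Return the action of the first matching rule, or None when no rule
    matches and the lookup falls through to the next restriction."""
    for pattern, action in ABYSS_RULES:
        if pattern.search(address):
            return action
    return None

def blocked_mailboxes(mailboxes):
    """Map each existing mailbox the table would reject to the action it hits."""
    hits = {}
    for box in mailboxes:
        action = abyss_action(box)
        if action is not None:
            hits[box] = action
    return hits

# Constructed list of mailboxes assumed to exist on the protected domain;
# in practice this would be exported from the virtual mailbox table.
MAILBOXES = [
    "info@TROUBLED_DOMAIN.com",                # short, no digits: passes
    "sales2@TROUBLED_DOMAIN.com",              # one digit run: rule 1
    "firstname.lastname@TROUBLED_DOMAIN.com",  # 18-character local part: rule 2
    "a1b2c3@TROUBLED_DOMAIN.com",              # three digit runs, short: passes
]

if __name__ == "__main__":
    for box, action in blocked_mailboxes(MAILBOXES).items():
        print(f"{box} -> {action}")
```

Because `check_recipient_access pcre:/etc/postfix/checks/abyss` is the first entry in `smtpd_recipient_restrictions`, any mailbox reported here is rejected before `reject_unlisted_recipient` ever looks it up.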
 
  

