Linux - Newbie: This Linux forum is for members that are new to Linux.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I think they are already in your queue for outbound mail. But there could already be thousands. So maybe no more are coming in, but as your mail server is unable to deliver those that are already there, it might try to resend them. If memory serves me right, there should be some delay before the next delivery attempt.
Spam is a never-ending story, so you might want to look at block/blacklists.
What is your "mynetworks_style =" set to in main.cf?
And your "mynetworks ="?
Maybe you are allowing mail relay. That is a sure way to have your mail server be used for sending spam mail.
As far as I remember, SA should work out of the box but always needs some fine-tuning and stuff to do. Open relay, keyword filters, blacklists etc.
Sorry, I don't run SA or Postfix atm.
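The reply above says the spam may already be sitting in the outbound queue and will be retried. Added example (not from the thread): shell helpers that summarise a Postfix queue listing per sender and drain one sender's messages. They parse the output format of "postqueue -p" (what "mailq" prints); the queue listing, the host name and the addresses below are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect and drain a Postfix
# queue by sender. The listing below is constructed in the "postqueue -p"
# format; a queue-ID line is ID, optional "*" (active) or "!" (on hold),
# size, arrival time, sender, followed by indented recipient lines.
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3A1B2C3D4E*     1280 Mon Apr 19 01:00:01  apache@game3.example
                                         victim1@example.net
5F6E7D8C9B       980 Mon Apr 19 01:00:03  apache@game3.example
(connect to mx.example.org[192.0.2.10]:25: Connection timed out)
                                         victim2@example.org
9C8B7A6F5E       610 Mon Apr 19 00:59:59  admin@game3.example
                                         friend@example.com

-- 3 Kbytes in 3 Requests.'

# Print "count sender" lines, most queued sender first. Reads a queue
# listing on stdin; only queue-ID lines match, and the sender is their
# last field.
queue_by_sender() {
    awk '/^[0-9A-Za-z]+[*!]? +[0-9]+ / { n[$NF]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Print the queue IDs (with the */! marker stripped) of every message from
# sender $1, one per line, ready for "postsuper -d -" on stdin.
queue_ids_for_sender() {
    awk -v s="$1" '/^[0-9A-Za-z]+[*!]? +[0-9]+ / && $NF == s {
                       sub(/[*!]$/, "", $1); print $1 }'
}

# Delete every queued message from sender $1 on the live system.
# Destructive and root-only; not called by default.
drain_sender() {
    postqueue -p | queue_ids_for_sender "$1" | postsuper -d -
}

# Usage: sh queue_by_sender.sh            (top senders in the live queue)
#        sh queue_by_sender.sh --sample   (run against the constructed data)
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_QUEUE" | queue_by_sender
elif [ "${1:-}" = "--live" ]; then
    postqueue -p | queue_by_sender
fi
```

Look at the top of the list first: a web application or compromised local account injecting mail shows up as one sender with thousands of entries, and drain_sender removes only that sender's backlog instead of the whole queue.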
It looks like you allow your outside IP address to send mail to remote destinations.
mynetworks = 212.120.126.0/24, 127.0.0.0/8
Only local users should be allowed to send emails to the world. Emails coming to you should only be to you and not relayed to remote destinations.
I think you need to set mynetworks to your local addresses.
If you set mynetworks_style to "host", Postfix will permit only IP addresses on the host it runs on to send messages to remote locations.
If you set it to "class", it will allow only the network class (local IP range) it is in: 10.0.0.0/8, 172.16.0.0/16 or 192.168.0.0/24, or whatever IP class you are in.
If you set it to "subnet", only the hosts in the same subnet as Postfix will be allowed to relay to remote destinations.
Or you could set mynetworks = 127.0.0.0/8, 10.0.0.0/24, 192.168.1.10/32 (localhost, the whole 10 subnet, or only host 192.168.1.10), or whatever your subnet is.
Maybe I posted this in the Newbie section, but I'm not that much of a noob.
I did restart.
I think I'll use check_sender_access hash:$config_directory/sender_client to identify my clients... it's the only thing blocking them. It seems to be the only way to block them completely.
Or maybe block all those clients. Thanks anyway.
I'm open to better solutions. I think the approach of using SpamAssassin is useless, because what's happening in the /var/spool/postfix directory is chaos: a new file is opened and deleted every second... so SA deletes the spam, so what? It still takes up the whole queue and loads the heck out of the server!
I need some kind of firewall blocking... iptables or something, but I don't understand why it isn't blocking them.
Theoretically, if I extract all the hosts bombarding the server from the log, and:
Code:
# one IP per line in "hosts"; -I puts the DROP ahead of any existing
# ACCEPT rule for port 25, which an appended (-A) rule would sit behind
while read -r x; do
    iptables -I INPUT -p tcp -s "$x" --dport 25 -j DROP
done < hosts
and leave it to run every 10 minutes, after the night it should block them all, no?
Please correct me if I'm wrong.
OK, something very, very weird is happening, please help me.
After adding about 10,000 bans in iptables it seems to do something: now in the logs
I see that every bot logs in from localhost:
Apr 19 01:00:01 game3 postfix/smtpd[9399]: connect from localhost.localdomain[127.0.0.1]
Adding to what noden already suggested (smtpd_recipient_restrictions) http://www.postfix.org/SMTPD_ACCESS_README.html more or less suggests the following lines. Do check if these are OK for your Postfix version then add them to main.cf and restart:
OTOH would it be a good idea to just shut your MTA down until you've got a fix on things? How about setting "mynetworks = 127.0.0.1" and "inet_interfaces = lo"? That way your MTA won't be exposed (OK, unless there's something fishy running locally). And manually adding IP addresses will only consume RAM since there's no way of knowing if and when a specific IP address will return: instead try something like fail2ban. IIGC it has a configuration for Postfix. Just thinking out loud...
Nevertheless, nothing is working; this attack is unstoppable! Anyway, setting inet_interfaces to localhost stops it :) so I guess it's not from the inside or something like this, but still it's fucking weird: I blocked all of them and they still can connect.
Run:
# tcpdump -n -l -i eth0 'tcp port 25' >> /root/tcp25.log &   # -n: no DNS lookup per bot, -l: line-buffered, &: keep the shell
Enter the following:
# echo "*/10 * * * * root /root/tcp25" >> /etc/crontab   # cron reads /etc/crontab itself; crontab(1) is for 5-field per-user files
Create the tcp25 bash file (in /root, where the cron entry expects it):
Code:
#!/bin/sh
cd /root || exit 1
php -q tcp25log.php          # extracts client IPs from tcp25.log into tcp25hosts
./tcp25kill
echo "Done in $(date)" >> /root/tcp25kill.log
and the kill file (tcp25kill):
Code:
#!/bin/sh
# one IP per line in tcp25hosts; -I puts the DROP ahead of any ACCEPT rule,
# and -C skips IPs that are already banned so re-runs do not add duplicates
while read -r x; do
    iptables -C INPUT -p tcp -s "$x" --dport 25 -j DROP 2>/dev/null ||
        iptables -I INPUT -p tcp -s "$x" --dport 25 -j DROP
    # outbound: the remote host is the destination, so -d rather than -s
    iptables -C OUTPUT -p tcp -d "$x" --dport 25 -j DROP 2>/dev/null ||
        iptables -I OUTPUT -p tcp -d "$x" --dport 25 -j DROP
done < /root/tcp25hosts
rm -f /root/tcp25hosts
Go to sleep and hope that in the morning they'll be dead.
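Both the original poster's loop over a hosts file and the tcpdump/cron/tcp25kill procedure ban every address that ever touched port 25, and the reply in between points out that this only burns RAM and that fail2ban is the better tool. Added example (not from the thread) of what such a tool does, in shell: it counts "connect from" events per client in Postfix smtpd log lines, skips loopback and RFC 1918 space (the post's own log shows connects from 127.0.0.1, and banning that would break local submission), and emits or applies one iptables rule per client above a threshold, using "iptables -C" so repeated runs do not append duplicates. The log lines, host name, addresses and threshold are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: derive a port-25 block list
# from Postfix smtpd log lines instead of banning every IP seen on the
# wire. Sample lines are constructed; the format matches the
# "connect from host[ip]" line quoted in the thread.
SAMPLE_LOG='Apr 19 01:00:01 game3 postfix/smtpd[9399]: connect from localhost.localdomain[127.0.0.1]
Apr 19 01:00:02 game3 postfix/smtpd[9400]: connect from unknown[203.0.113.7]
Apr 19 01:00:02 game3 postfix/smtpd[9401]: connect from unknown[203.0.113.7]
Apr 19 01:00:03 game3 postfix/smtpd[9402]: connect from unknown[203.0.113.7]
Apr 19 01:00:04 game3 postfix/smtpd[9403]: connect from mail.example.net[198.51.100.4]
Apr 19 01:00:05 game3 postfix/smtpd[9404]: connect from unknown[10.0.0.5]
Apr 19 01:00:05 game3 postfix/smtpd[9404]: connect from unknown[10.0.0.5]
Apr 19 01:00:05 game3 postfix/smtpd[9404]: connect from unknown[10.0.0.5]'

# Print "count ip", busiest first, for every non-local client that
# connected at least $1 times. Reads log lines on stdin. Loopback and
# RFC 1918 clients are never listed: 127.0.0.1 is the local MTA and
# web apps talking to it, not a remote bot.
noisy_clients() {
    awk -v min="$1" '
        /postfix\/smtpd\[[0-9]+\]: connect from / {
            ip = $0                       # client IP is inside the last [...]
            sub(/.*\[/, "", ip); sub(/\].*/, "", ip)
            if (ip ~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) next
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# Read IPs (one per line) on stdin. With $1 = 1 apply the rules as root;
# otherwise print them for review. -C tests for an identical rule first,
# and -I inserts ahead of any ACCEPT rule so the DROP actually matches.
ban_rules() {
    while read -r ip; do
        rule="INPUT -p tcp -s $ip --dport 25 -j DROP"   # split on purpose below
        if [ "${1:-0}" = 1 ]; then
            iptables -C $rule 2>/dev/null || iptables -I $rule
        else
            printf 'iptables -I %s\n' "$rule"
        fi
    done
}

# Usage: sh ban_noisy.sh --sample            (dry run on the constructed log)
#        sh ban_noisy.sh /var/log/mail.log 50 [apply]
case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_LOG" | noisy_clients 3 | awk '{print $2}' | ban_rules ;;
    "")       ;;
    *)        noisy_clients "${2:-50}" < "$1" | awk '{print $2}' \
                  | ban_rules "$([ "${3:-}" = apply ] && echo 1 || echo 0)" ;;
esac
```

Run it from cron with a threshold instead of the raw tcpdump extract, and the rule set stays proportional to the hosts that actually hammer the server. Rules added this way are lost at reboot and never expire; fail2ban, as the reply suggests, adds the expiry and the restart handling for you.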