Postfix logs flooded from excessive mails

noden · 04-18-2010, 12:58 PM

I think they are already in your queue for outbound mail. But there could already be thousinds. So maybe no more are comming in but as your mail server is unable to deliver those that are already there it might try to resend them. If memory serves me right there should be some delay before next delivery attempt.
Spam is a neverending story so you might want to look at block/blacklists.

What is your "mynetworks_style=" set to in main.cf?
And your "mynetworks="?
Maybe you are allowing mail relay. That is a sure way to have your mailserver be used for sending smap mail.

As far as I remember SA should work out of the box but always need some finetuning and stuff to do. Open relay, keyword filters, blacklists etc.
Sorry I dont run SA or Postfix atm.

moimel · 04-18-2010, 01:04 PM

Code:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = finsbess.com
myhostname = web.finsbess.co.il
mynetworks = 212.120.126.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = regexp:/etc/postfix/relay_domains
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_delay_reject = no
smtpd_peername_lookup = no
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:89
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:$config_directory/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 89
virtual_uid_maps = static:89

it's ok thanks for the help,
ok, postsuper -d ALL , done postsuper: Deleted: 93010 messages this is alot of messages (:

I don't know man it seems like spamd is fighting them, I don't know who's winning 20%wa , 10%wa omg 7%wa damn 20%wa I think we are going to loose!

well it seems to be bit better. will try to send mail..

how I can improve SpamA?

noden · 04-18-2010, 01:16 PM

It looks like you allow your outside ip address to send mail to remote destinations.
mynetworks = 212.120.126.0/24, 127.0.0.0/8
Only local users should be allowed to send emails to the world. Emails coming to you should only be to you and not relayed to remote destinations.
I think you need to set mynetworks to your local addresses.

If you set mynetworks_style to "host" postfix will permit only ipadresses on the host it runs on to send messages to remote locations.
If you set it to "class" it will allow only for the network class (local ip range) it is in. 10.0.0.0/8, 172.16.0.0/16 or 192.168.0.0/24 or what ever ip class you are in.
If you set it to subnet only the hosts in the same subnet as postfix will be allowed to relay to remote destinations.

Or you could set mynetworks=127.0.0.0/8, 10.0.0.0/24, 192.168.1.10/32 #localhost, the whole 10 subnet or only host 192.168.1.10
Or what ever your subnet is.

Hope it works.

noden · 04-18-2010, 01:22 PM

And you might want to set:
smtpd_recipient_restrictions=permit_mynetworks, reject_unauth_destination

As far as I remember.

moimel · 04-18-2010, 01:34 PM

I dont know I tried all of it...it keeps coming I hate them

Tinkster · 04-18-2010, 01:35 PM

You restarted postfix after those config changes, right?

moimel · 04-18-2010, 01:56 PM

Maybe I post this at the Newbie section but im not that noob - -
I did restarted.

I think i'll use check_sender_access hash:$config_directory/sender_client to identify my clients...it's the only thing blocking them. it seems to be the only manner to block them completely.
or maybe block all those clients. thanks anyway

moimel · 04-18-2010, 02:11 PM

i'm open to better solutions, I think the approach of using SpamA is useless because what's happenning in the /vsr/spool/postfix directory is chaos, new file opened and deleted each second...so the SA deletes the spam, so what? it still takes all the queue and loads the heck of the server!

need some kind of firewall blocking...iptables or something but I don't understand why it isn't blocking them?

theoretically, if i'll extract all the hosts bombarding the server from the log, and:

Code:

for x in `cat hosts`
do
        iptables -A INPUT -p tcp -s $x --dport 25 -j DROP
done

and leave it to work every 10 minutes, after the night it should block them all, not?
please fix me if i'm wrong.

moimel · 04-18-2010, 05:01 PM

OK somthing very very weird is happening please help me,

after giving about 10,000 bans in iptables it seems to do somthing: now in the logs :
I see that every bot login from localhost
Apr 19 01:00:01 game3 postfix/smtpd[9399]: connect from localhost.localdomain[127.0.0.1]

EVERY ONE!

what is it means?!

unSpawn · 04-18-2010, 05:54 PM

Adding to what noden already suggested (smtpd_recipient_restrictions) http://www.postfix.org/SMTPD_ACCESS_README.html more or less suggests the following lines. Do check if these are OK for your Postfix version then add them to main.cf and restart:

Code:

smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_unknown_hostname, reject_unknown_helo_hostname, reject_non_fqdn_hostname
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service unix:private/policy

OTOH would it be a good idea to just shut your MTA down until you've got a fix on things? How about setting "mynetworks = 127.0.0.1" and "inet_interfaces = lo"? That way your MTA won't be exposed (OK, unless there's something fishy running locally). And manually adding IP addresses will only consume RAM since there's no way of knowing if and when a specific IP address will return: instead try something like fail2ban. IIGC it has a configuration for Postfix. Just thinking out loud...

moimel · 04-19-2010, 05:48 AM

unSpawn those directive are negligible in contrast to what I put in my main.cf:

Code:

smtpd_client_restrictions = reject_rbl_client cbl.abuseat.org,
                            reject_rbl_client sbl.spamhaus.org,
                            reject_rbl_client zen.spamhaus.org,
                            permit
smtpd_peername_lookup = no
smtpd_helo_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        permit
smtpd_sender_restrictions = reject_non_fqdn_sender,
        reject_unknown_sender_domain
smtpd_helo_required = yes
unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
strict_rfc821_envelopes = yes
smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_unauth_pipelining,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        check_client_access hash:$config_directory/access_client,
        check_sender_access hash:$config_directory/access_sender,
        permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = fingbes.co.il
smtpd_delay_reject = yes

Nevertheless, nothing is working this attack is unStoppable! anyway settings inet_interface to localhost stops it (: so I guess it's not from the inside or somthing like this but still it's fucking weird I blocked all of them and they still can connect .

moimel · 04-19-2010, 06:18 AM

Well, it seem to be fading now it's standing on 5%wa~ and less and less attacks are coming in,

Maybe is the combination of SpamAssassin and the following codes I runed during the night, i'll explain for the next generations:

Create log.php file in /root/ and it's content

Code:

<?php
        function validate_ip($ip_addr)
        {
                        if(preg_match("/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/",$ip_addr))
                        {
                                        $parts=explode(".",$ip_addr);
                                        foreach($parts as $ip_parts)
                                        {
                                                        if(intval($ip_parts)>255 || intval($ip_parts)<0)
                                                                        return false;
                                        }
                                        return true;
                        }
                        else
                                        return false;
        }
        $lines = file('/var/log/maillog');
        $fp = fopen('/root/hosts', 'w');
        foreach ($lines as $line_num => $line) {
                        $host = substr($line, (strrpos($line, '[')+1), strrpos($line, ']')-(strrpos($line, '[')+1));
                        if (strpos($host, '--YOUR SUBNET--') === false && strpos($host, '127.0.0.1') === false && validate_ip($host) == true)
                                fwrite($fp, $host." ");
        }
        fclose($fp);
        $fp = fopen('/var/log/maillog', 'w');
        ftruncate($fp, 0);
        fclose($fp);
?>

then create bash file called 'kill' (in /root/) or whatever put inside:

Code:

for x in `cat hosts`
do
        iptables -A INPUT -p tcp -s $x --dport 25 -j DROP
done

rm -rf /root/hosts

create file 'ddos' in /root/ :

Code:

php -q log.php
./kill
echo "Done in `date`" >> /root/ddos.log

Enter the following:
# echo "*/10 0-23 1-31 1-12 0-7 root ./ddos" >> /etc/crontab
# crontab /etc/crontab

Remember to : service iptables save . on restart.

Optionally another one but unproven one (I don't know if it actually did somthing):

Code:

<?php
        $lines = file('/root/tcp25.log');
        $fp = fopen('/root/tcp25hosts', 'w');
        foreach ($lines as $line_num => $line) {
                        $exp = explode(' ', $line);
                        $h1 = $exp[2];
                        $h2 = $exp[4];
                        if (strpos($h1, 'yourhost.tld'))
                                $host = $h2;
                        else
                                $host = $h1;
                        $host = substr($host, 0, strrpos($host, '.'));
                        if (strpos($host, '--YOUR SUBNET--') === false && strpos($host, 'yourhost.tld') === false && strpos($host, '127.0.0.1') === false)
                                fwrite($fp, $host." ");
        }
        fclose($fp);
        $fp = fopen('/root/tcp25.log', 'w');
        ftruncate($fp, 0);
        fclose($fp);
?>

Run
# tcpdump -i eth0 'tcp port 25' >> /root/tcp25.log

Enter the following:
# echo "*/10 0-23 1-31 1-12 0-7 root ./tcp25" >> /etc/crontab
# crontab /etc/crontab

create tcp25 bash file:

Code:

php -q tcp25log.php
./tcp25kill
echo "Done in `date`" >> /root/tcp25kill.log

and kill file (tcp25kill):

Code:

for x in `cat tcp25hosts`
do
        iptables -A INPUT -p tcp -s $x --dport 25 -j DROP
        iptables -A OUTPUT -p tcp -s $x --dport 25 -j DROP
done

rm -rf /root/tcp25hosts

GO TO sleep and hope that in the morning they'll be dead.

noden · 04-19-2010, 01:23 PM

Did you try with the "postsuper" command? To empty your mail queue?

moimel · 04-20-2010, 02:32 PM

Hey I'm using iptables to block smtp port like this:

Code:

[root@ ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp dpt:smtp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp dpt:smtp

with this commands:
iptables -A INPUT -p tcp --dport 25 --sport 25 -j DROP

yet when monitoring traffic:

Code:

[root@game3 ~]# tcpdump -n tcp port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:23:32.339792 IP 121.35.170.181.can-ferret > MY-IP.smtp: S 3636350420:3636350420(0) win 65535 <mss 1440,nop,nop,sackOK>
22:23:32.638640 IP 121.34.200.183.slush > MY-IP.smtp: S 2084693075:2084693075(0) win 65535 <mss 1440,nop,nop,sackOK>
22:23:33.256984 IP 121.35.168.87.vpntpp > MY-IP.smtp: S 3096707673:3096707673(0) win 65535 <mss 1440,nop,nop,sackOK>
22:23:34.430466 IP 121.34.200.189.a16-an-an > MY-IP.smtp: S 2972377123:2972377123(0) win 65535 <mss 1440,nop,nop,sackOK>

4 packets captured
30 packets received by filter
0 packets dropped by kernel

I can see a lot of packets inside and outside in port 25.

However, when checking netstat I CAN'T see even one connection on smtp port!

How come?

p.s. I cannot access with telnet to port 25. (from my own pc)

Thanks

unSpawn · 04-20-2010, 05:29 PM

Moved: This thread is more suitable in the Linux Newbie forum and has been moved accordingly to help your thread/question get the exposure it deserves and awaiting merge with related threads http://www.linuxquestions.org/questi...-mails-801847/ and http://www.linuxquestions.org/questi...nd-out-803113/.