Postfix - messages from invalid domains getting through
We're using Postfix on a SuSE Linux system as our first line of defense to filter incoming email; the mail is subsequently passed on to another internal system. There are messages *to* users in invalid domains slipping through and I'm not sure why. By "invalid domains" I mean domains which are not part of my organization, such as sesmail.com, psv.nl, yifan.com, etc. The invalid domains in question are not listed in the relay_domains section of the main.cf file, nor are there any users listed in the relay_recipients file @ any of the invalid domains. Any Postfix experts out there have a suggestion on what to check / look for?
Thanks in advance
Scott

Here's the main.cf file:
Note, I've removed commented out info and I've changed the data under relay_domains and myhostname.

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
relay_domains = <my domain> <my 2nd domain> <my 3rd domain> <my 4th domain> <my 5th domain>
relay_recipient_maps = hash:/etc/postfix/relay_recipients
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = maildrop
html_directory = /usr/share/doc/packages/postfix/html
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/packages/postfix/samples
readme_directory = /usr/share/doc/packages/postfix/README_FILES
inet_protocols = ipv4
biff = no
mail_spool_directory = /var/mail
canonical_maps = hash:/etc/postfix/canonical
virtual_maps = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = <THIS SERVER NAME>
program_directory = /usr/lib/postfix
inet_interfaces = all
masquerade_domains =
mydestination = $myhostname, localhost.$mydomain
defer_transports =
disable_dns_lookups = no
relayhost = [127.0.0.1]:10024
mailbox_command =
mailbox_transport =
strict_8bitmime = no
disable_mime_output_conversion = no
smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain, hash:/etc/postfix/whitelist_senders
smtpd_client_restrictions = reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_helo_required = yes
smtpd_helo_restrictions =
strict_rfc821_envelopes = no
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 25600000
smtp_helo_timeout = 120
smtp_data_init_timeout = 10m
smtp_data_xfer_timeout = 10m
|
Look into smtpd_recipient_restrictions, specifically "reject_unknown_recipient_domain"
|
Thanks but that didn't fix it.
The mail logs show destination addresses like this:

<iqajikyye5444@chello.nl> -> <usera@mydomain.com>
<211348@ilikeclick.com> -> <userb@mydomain.com>
<phonicsm59@websitedesignforbusiness.com> -> <userc@mydomain.com>

NOTE: I substituted the real user email addresses with usera@mydomain.com, userb@mydomain.com, and userc@mydomain.com.

Is this the same as "sender specific routing"? It looks like this is disabled by default: http://www.postfix.org/postconf.5.ht...rusted_routing (turned off by default) but I went ahead and added the line "allow_untrusted_routing = no" just to make sure. That didn't fix the problem. Any other ideas?
|
Ok, I misread. Please clarify, you only want to receive mail that is sent FROM your domain?
|
We have two locations, each has a different inbound Internet connection.
At each location we've got a system set up with SuSE Linux, Postfix, SpamAssassin, ClamAV. These are the systems I'm working on. Mail from the Internet goes to one or the other SuSE server; from there, we send it to a Barracuda Spam Firewall. Any messages that make it through the Barracuda go to our end user mail server (running MS Exchange).

We do it this way for a couple of reasons. First, the Barracuda provides (I believe) a better level of protection (my comment is mostly focused on their spam protection). Second, by using the Linux systems as our Internet gateway devices, we only need to purchase one Barracuda. We do not filter any outbound mail, so the only mail going to the Barracuda is inbound from the SuSE servers.

The messages in question are making it through the SuSE system to the Barracuda. The Barracuda is stopping them. The goal is to prevent these messages from making it to the Barracuda. "These messages" are defined as messages which have a final destination email address outside my environment. Thanks again 8-)
|
What is 'mynetworks' set to? I don't see it in your first post.
|
Not defined.
I was wondering about that one. Do you think I can set it to the IP of my Barracuda? |
Run "postconf -n", what is mynetworks set to? I'm guessing that "permit_mynetworks" in smtpd_recipient_restrictions is matching before "reject_unauth_destination"
|
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain
Good call. Ok, I'm trying to follow the logic of the setting to see how the messages are getting through. I know it starts on the left, and takes the first match. Are you suggesting that the lack of an explicit $mynetworks setting is allowing any destination to match "permit_mynetworks"? Sounds like I need to remove permit_mynetworks or put it at the right end of the restrictions. |
I changed the entry to:
smtpd_recipient_restrictions = reject_unauth_destination, reject_unknown_recipient_domain, permit_mynetworks

It didn't work any better...
|
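Added example, not part of the thread and not Postfix's own code: a simplified Python model of the left-to-right, first-match evaluation of permit_mynetworks and reject_unauth_destination that the posts above discuss. The client IP, the mynetworks values and the single relay domain are constructed, and it assumes the right-hand address in the posted log lines is the envelope recipient.

```python
import ipaddress

# Simplified model of Postfix's left-to-right, first-match evaluation of
# smtpd_recipient_restrictions. Only the two restrictions debated in the
# thread are modelled; all networks and addresses are constructed samples.

def evaluate(restrictions, client_ip, rcpt, mynetworks, relay_domains):
    """Return (action, deciding_restriction) for one RCPT TO."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in mynetworks):
                return ("PERMIT", name)      # later rules are never consulted
        elif name == "reject_unauth_destination":
            if domain not in relay_domains:
                return ("REJECT", name)      # not a domain we relay for
        else:
            raise ValueError("restriction not modelled: " + name)
    return ("PERMIT", "end of list")         # nothing matched

RELAY_DOMAINS = {"mydomain.com"}              # stands in for relay_domains
ORIGINAL = ["permit_mynetworks", "reject_unauth_destination"]
REORDERED = ["reject_unauth_destination", "permit_mynetworks"]
LOOPBACK_ONLY = ["127.0.0.0/8"]
TOO_WIDE = ["127.0.0.0/8", "0.0.0.0/0"]       # hypothetical misconfiguration

def scenarios():
    outside = "203.0.113.25"                  # documentation-range client IP
    own, foreign = "usera@mydomain.com", "someone@psv.nl"
    return {
        # Envelope recipient in a relayed domain: accepted whatever the order.
        "own_domain": evaluate(ORIGINAL, outside, own, LOOPBACK_ONLY, RELAY_DOMAINS),
        # Foreign recipient from an untrusted client: rejected.
        "foreign_untrusted": evaluate(ORIGINAL, outside, foreign, LOOPBACK_ONLY, RELAY_DOMAINS),
        # Same mail when mynetworks covers the client: permitted first.
        "foreign_wide_net": evaluate(ORIGINAL, outside, foreign, TOO_WIDE, RELAY_DOMAINS),
        # Reordering puts the relay check ahead of the network match.
        "foreign_reordered": evaluate(REORDERED, outside, foreign, TOO_WIDE, RELAY_DOMAINS),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:18} -> {result}")
```

On the gateway itself, "postconf mynetworks" prints the value Postfix is actually using when the parameter is absent from main.cf.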