LinuxQuestions.org
Old 10-10-2007, 03:23 PM   #1
zok
Member
 
Registered: Sep 2006
Posts: 42

Rep: Reputation: 15
Spam, Postfix, and Unknown Users


This may be a familiar problem to many sysadmins, but we get tons of spam to non-existent users. Our mail server (running postfix 2.0.16-14) then generates an "unknown user" bounce back message. The problem, of course, is that the reply-to address in the spam message is spoofed; so our queue gets filled with messages that are destined to domains that time out.

Any suggestions on how to handle this? I came across a site that describes my problem and proposes a solution:
62. I get lots of mail for non-existent users that comes from servers that don't respond, so my queue is always full while it tries to deliver bounce notifications to these non-existent servers. How can I prevent this?

You must not accept messages for non-existent users. Since From addresses are usually forged, your system will be bouncing messages to people who never sent them. You must configure Postfix to reject them without accepting them into the queue. Set local_recipient_maps or relay_recipient_maps as appropriate for your situation. You might also want to include the restriction rule reject_unknown_sender_domain among your smtpd restrictions. See LOCAL_RECIPIENT_README for more information. (http://www.seaglass.com/postfix/faq.html#ubenousr)
We already have local_recipient_maps set, though, in our main.cf:

Quote:
local_recipient_maps = unix:passwd.byname $alias_maps
But the problem persists. Also, according to postfix's site, when local_recipient_maps is set, it should reject a message with the error: "Unknown user in local recipient table"; but our mail server actually generates a different message. An example would be:

Quote:
Final-Recipient: rfc822; asdfasdf@<ourdomain.com>
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "asdfasdf"
Anyone have any suggestions?

Thanks.

Last edited by zok; 10-10-2007 at 03:25 PM.
 
Old 10-12-2007, 08:39 AM   #2
clau_bolson
Member
 
Registered: Nov 2003
Location: Argentina
Distribution: Debian Sarge
Posts: 52

Rep: Reputation: 15
Can you post the related log entry?

Look for a line like this:

Oct 12 10:38:36 server postfix/smtpd[12654]: NOQUEUE: reject: RCPT from 78.130.28.155.rev.optimus.pt[78.130.28.155]: 550<atalon@domain.com>: Recipient address rejected: User unknown in local recipient table; from=<khayroll@accu-type.com> to=<atalon@domain.com> proto=ESMTP helo=<78.130.28.155.rev.optimus.pt>

Last edited by clau_bolson; 10-12-2007 at 08:41 AM.
 
Old 10-12-2007, 12:35 PM   #3
zok
Member
 
Registered: Sep 2006
Posts: 42

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by clau_bolson
Can you post the related log entry?

Look for a line like this:

Oct 12 10:38:36 server postfix/smtpd[12654]: NOQUEUE: reject: RCPT from 78.130.28.155.rev.optimus.pt[78.130.28.155]: 550<atalon@domain.com>: Recipient address rejected: User unknown in local recipient table; from=<khayroll@accu-type.com> to=<atalon@domain.com> proto=ESMTP helo=<78.130.28.155.rev.optimus.pt>
Here's one. A quick note about our set up: when our postfix server receives the message, it passes it onto another machine to be scanned for viruses as set by the following line in our main.cf:

content_filter=smtp-amavis:[scan.ourdomain.com]:10024


Here are the log entries relevant to that for my test message:

Oct 12 13:12:29 mail postfix/smtpd[5786]: C64573FCFF: client=exprod8mx94.postini.com[64.18.3.206]
Oct 12 13:12:30 mail postfix/cleanup[5780]: C64573FCFF: message-id=<846895.95153.qm@web58911.mail.re1.yahoo.com>
Oct 12 13:12:31 mail postfix/nqmgr[29311]: C64573FCFF: from=<tumoip@yahoo.com>, size=1960, nrcpt=1 (queue active)
Oct 12 13:12:33 mail postfix/smtp[28351]: C64573FCFF: to=<asdfasdf@ourdomain.com>, relay=scan.ourdomain.com[scan.ourdomain.com], delay=4, status=sent (250 2.6.0 Ok, id=08945-02, from MTA([mail]:10025): 250 Ok: queued as E3A693FD0F)


Note that postini.com is the external service we use for virus scanning, which is why that appears at the beginning.

Once it's been scanned for viruses, it's passed the message back to the postfix server, where it bounces:

Oct 12 13:12:32 mail postfix/smtpd[6119]: E3A693FD0F: client=scan.ourdomain.com[scan.ourdomain.com]
Oct 12 13:12:32 mail postfix/cleanup[5831]: E3A693FD0F: message-id=<846895.95153.qm@web58911.mail.re1.yahoo.com>
Oct 12 13:12:33 mail postfix/smtp[28351]: C64573FCFF: to=<asdfasdf@ourdomain.com>, relay=scan.ourdomain.com[scan.ourdomain.com], delay=4, status=sent (250 2.6.0 Ok, id=08945-02, from MTA([mail]:10025): 250 Ok: queued as E3A693FD0F)
Oct 12 13:12:33 mail postfix/nqmgr[29311]: E3A693FD0F: from=<tumoip@yahoo.com>, size=2454, nrcpt=1 (queue active)
Oct 12 13:12:33 mail postfix/local[6015]: E3A693FD0F: to=<asdfasdf@ourdomain.com>, relay=local, delay=1, status=bounced (unknown user: "asdfasdf")


And then we see the bounce back message sent back:

Oct 12 13:12:33 mail postfix/cleanup[5819]: C2EF63FCF1: message-id=<20071012171233.C2EF63FCF1@mail.ourdomain.com>
Oct 12 13:12:33 mail postfix/nqmgr[29311]: C2EF63FCF1: from=<>, size=4142, nrcpt=1 (queue active)
Oct 12 13:12:34 mail postfix/smtp[30477]: C2EF63FCF1: to=<tumoip@yahoo.com>, relay=e.mx.mail.yahoo.com[216.39.53.1], delay=1, status=sent (250 ok dirdel)
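
An added example (not written by any poster in this thread): the log pattern shown in the post above, turned into a check that separates recipients rejected during the SMTP dialogue from recipients accepted into the queue and bounced afterwards. The sample log is constructed; `analyze` and the result keys are names chosen for this example.

```python
import re

# Constructed sample (hosts, addresses and queue IDs are made up), shaped like
# the Postfix log lines quoted in the thread.
SAMPLE_LOG = """\
Oct 12 13:12:29 mail postfix/smtpd[5786]: AAAA000001: client=gw.example.net[192.0.2.10]
Oct 12 13:12:31 mail postfix/nqmgr[29311]: AAAA000001: from=<forged@example.org>, size=1960, nrcpt=1 (queue active)
Oct 12 13:12:33 mail postfix/local[6015]: AAAA000001: to=<asdfasdf@example.com>, relay=local, delay=1, status=bounced (unknown user: "asdfasdf")
Oct 12 13:12:33 mail postfix/nqmgr[29311]: BBBB000002: from=<>, size=4142, nrcpt=1 (queue active)
Oct 12 13:12:34 mail postfix/smtp[30477]: BBBB000002: to=<forged@example.org>, relay=mx.example.org[198.51.100.7], delay=1, status=sent (250 ok)
Oct 12 13:13:02 mail postfix/smtpd[5790]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.org> to=<nobody@example.com> proto=ESMTP helo=<h.example.org>
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: (NOQUEUE|[0-9A-F]+): (.*)")
FROM = re.compile(r"\bfrom=<([^>]*)>")
TO = re.compile(r"\bto=<([^>]*)>")
STATUS = re.compile(r"\bstatus=(\w+)")


def analyze(log_text):
    """Separate SMTP-time rejects from accept-then-bounce (backscatter) events."""
    entries = [m.groups() for m in map(LINE.search, log_text.splitlines()) if m]

    # Pass 1: envelope sender per queue ID, as logged by the queue manager.
    senders = {}
    for daemon, qid, rest in entries:
        m = FROM.search(rest)
        if daemon in ("qmgr", "nqmgr") and m:
            senders[qid] = m.group(1)

    result = {"rejected_at_smtp": [], "backscatter": [], "bounces_sent": []}
    # Pass 2: classify each delivery or reject line.
    for daemon, qid, rest in entries:
        to, status = TO.search(rest), STATUS.search(rest)
        if qid == "NOQUEUE":
            if "reject: RCPT" in rest and "User unknown" in rest and to:
                result["rejected_at_smtp"].append(to.group(1))
        elif to and status:
            if status.group(1) == "bounced" and "unknown user" in rest:
                # Accepted into the queue first, bounced later: a DSN will follow.
                result["backscatter"].append((qid, senders.get(qid), to.group(1)))
            elif status.group(1) == "sent" and senders.get(qid) == "":
                # Null sender (from=<>) marks a bounce notification leaving the host.
                result["bounces_sent"].append(to.group(1))
    return result


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        print(kind, items)
```

Entries under `backscatter` are the ones that fill the queue with bounces to forged senders; entries under `rejected_at_smtp` never entered the queue.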
 
Old 10-12-2007, 01:02 PM   #4
clau_bolson
Member
 
Registered: Nov 2003
Location: Argentina
Distribution: Debian Sarge
Posts: 52

Rep: Reputation: 15
I have the same setup, but mail to unknown recipients is rejected BEFORE the message is passed to amavis.
I think there is a configuration error here.
Can you post the result of postconf -n?
 
Old 10-12-2007, 02:56 PM   #5
zok
Member
 
Registered: Sep 2006
Posts: 42

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by clau_bolson
I have the same setup, but mail to unknown recipients is rejected BEFORE the message is passed to amavis.
I think there is a configuration error here.
Can you post the result of postconf -n?
Here it is. Thanks for looking at it.

alias_database = $alias_maps
alias_maps = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.webnames, hash:/etc/postfix/aliases.majordomo, hash:/etc/postfix/aliases.majordomo.reserved-students, hash:/etc/postfix/aliases.users, hash:/etc/postfix/aliases.mailman
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[scan.ourdomain.com]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
fast_flush_domains = $relay_domains
header_checks = pcre:/etc/postfix/header_checks
header_size_limit = 102400
home_mailbox = Maildir/
inet_interfaces = all
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail -f-
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, mail.$mydomain, cc.$mydomain, imap.$mydomain
mydomain = ourdomain.com
mynetworks = <our_subnet>.0.0/16, 127.0.0.0/8, 10.0.80.11, 10.0.80.12, 10.0.80.15, 64.18.0.0/16, 10.0.80.22, 10.0.80.24, 172.31.0.5, 10.0.80.41, 172.31.255.254, 172.31.88.71, 172.31.88.72, 172.31.142.71
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.0.16/README_FILES
relay_domains = $mydomain, imap.ourdomain.com, cc.ourdomain.com, palantir.ourdomain.com, domain2.org, domain3.org
sample_directory = /usr/share/doc/postfix-2.0.16/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP for <our institution> no UCE permitted
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, warn_if_reject REJECT, permit
smtpd_recipient_restrictions = check_recipient_maps, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access hash:/etc/postfix/access,
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, reject_non_fqdn_sender, hash:/etc/postfix/access.spammers
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/smtp.ourdomain.com.crt
smtpd_tls_key_file = /etc/ssl/smtp.ourdomain.com.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
 
  

