[vox-tech] postfix question

Peter Jay Salzman vox-tech@lists.lugod.org
Wed, 21 Apr 2004 07:45:07 -0700


Hi all,

Spam has been sapping my productivity again, so I took a few hours out
to try to fix the problem.

Based on previous messages on vox-tech and some articles I've read, I
switched over from exim3 to postfix 2.0.16.

Here's what I've added to /etc/postfix/main.cf:


   # By default, smtpd_client_restrictions is applied at the RCPT TO
   # command.  To have the restriction take effect ASAP, do this (may
   # cause unexpected results with poorly implemented client software):
   #
   smtpd_delay_reject = no

   # Require HELO/EHLO, and disable VRFY. 
   #
   smtpd_helo_required = yes
   disable_vrfy_command = yes

   # This restricts what clients this system accepts SMTP connections from.
   # ORDER IMPORTANT!!!
   # 
   smtpd_client_restrictions =
      reject_invalid_hostname,
      reject_non_fqdn_hostname,
(2)   reject_non_fqdn_sender,
(3)   reject_non_fqdn_recipient,
      reject_unknown_sender_domain,
      reject_unknown_recipient_domain,
      permit_mynetworks,
      reject_unauth_destination,
(1)   check_helo_access hash:/etc/postfix/helo_checks,
      reject_rbl_client bl.spamcop.net,
      reject_rbl_client list.dsbl.org,
      reject_rbl_client relays.ordb.org,
      reject_rbl_client cbl.abuseat.org
      reject_rbl_client sbl.spamhaus.org,
      reject_rbl_client opm.blitzed.org,
      reject_rbl_client dul.dnsbl.sorbs.net,
      permit

   smtpd_data_restrictions =
      reject_unauth_pipelining,
      permit



Here's /etc/postfix/helo_checks:

   dirac.org      REJECT You are not in dirac.org.  Go away, spammer.
   www.dirac.org  REJECT You are not in dirac.org.  Go away, spammer.
   mail.dirac.org REJECT You are not in dirac.org.  Go away, spammer.
   localhost      REJECT You are not my localhost.  Go away, spammer.



I compiled helo_checks with "postmap helo_checks" and restarted postfix.
The error/warn logs didn't indicate any problems.


The RBL checks work (boy, do they work!):

   Apr 21 07:31:45 gabriel postfix/smtpd[2375]: NOQUEUE: reject: CONNECT
   from WLL-25-pppoe180.t-net.net.ve[200.31.139.180]: 554 Service
   unavailable; Client host [200.31.139.180] blocked using list.dsbl.org;
   http://dsbl.org/listing?ip=200.31.139.180; proto=SMTP


However, I wrote myself an email from a foreign host:

     lifshitz.ucdavis.edu$ telnet dirac.org 25
     Trying 64.142.25.39...
     Connected to adsl-64-142-25-39.sonic.net (64.142.25.39).
     Escape character is '^]'.
     220 gabriel.localdomain ESMTP Postfix (Debian/GNU)
(1)  helo localhost
     250 gabriel.localdomain
(2)  mail from: blah.foo.bar
     250 Ok
(3)  rcpt to: p
     250 Ok
     data
     354 End data with <CR><LF>.<CR><LF>
     test.
     .
     250 Ok: queued as C4AA03DC1
     quit
     221 Bye

This violates a few spam controls that should be in place.

1. I used "helo localhost" from a host not on my local subnet, yet
   postfix accepted it, in violation of (1) above.

2. mail from was not a FQDN sender, in violation of (2).

3. rcpt to: was not a FQDN recipient, in violation of (3).


I haven't gotten any spam in the past few minutes, so the RBLs are doing
a good job, but I do want my other spam controls to work.  If something
is wrong with how I configured postfix, I'd like to know. 

Any ideas on why those 3 checks seem to be ignored by postfix?

Thanks!
Pete

-- 
Make everything as simple as possible, but no simpler.  -- Albert Einstein
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
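
Added example, not part of the original post and not Postfix code: a small lint pass over the settings quoted above that reports restrictions placed in a list which is evaluated before the SMTP command they inspect has been seen. It assumes Postfix's documented behaviour that smtpd_delay_reject = no evaluates each restriction list at its own protocol stage (the "reject: CONNECT" log line above shows the client list running at connect time); the NEEDS table and the function names are this example's own.

```python
import re

# Stage that supplies the data each restriction inspects (this example's own
# table, following the restriction descriptions in postconf(5)).
NEEDS = {
    "reject_non_fqdn_hostname": "HELO", "check_helo_access": "HELO",
    "reject_non_fqdn_sender": "MAIL FROM",
    "reject_non_fqdn_recipient": "RCPT TO",
}
ORDER = ["CONNECT", "HELO", "MAIL FROM", "RCPT TO"]
LISTS = {"smtpd_client_restrictions": "CONNECT", "smtpd_helo_restrictions": "HELO",
         "smtpd_sender_restrictions": "MAIL FROM", "smtpd_recipient_restrictions": "RCPT TO"}

# Settings from the post, with the (1)-(3) markers and most entries left out.
MAIN_CF = """\
smtpd_delay_reject = no
smtpd_client_restrictions =
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   check_helo_access hash:/etc/postfix/helo_checks,
   reject_rbl_client bl.spamcop.net
"""

def parse_main_cf(text):
    """Return {parameter: value}, joining indented continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = (part.strip() for part in line.partition("="))
            params[name] = value
    return params

def skipped_checks(text):
    """List (list name, restriction, stage it needs) entries that cannot fire."""
    params = parse_main_cf(text)
    delayed = params.get("smtpd_delay_reject", "yes") == "yes"
    found = []
    for lst, stage in LISTS.items():
        at = "RCPT TO" if delayed else stage   # where the list is evaluated
        for item in re.split(r"[,\s]+", params.get(lst, "")):
            need = NEEDS.get(item)
            if need and ORDER.index(need) > ORDER.index(at):
                found.append((lst, item, need))
    return found
```

Calling skipped_checks(MAIN_CF) flags the HELO, sender and recipient checks in smtpd_client_restrictions; the same text with smtpd_delay_reject set to yes, or with that line removed so the default applies, produces no findings.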