[vox-tech] postfix question
Peter Jay Salzman
vox-tech@lists.lugod.org
Wed, 21 Apr 2004 07:45:07 -0700
Hi all,
Spam has been sapping my productivity again, so I took a few hours out
to try to fix the problem.
Based on previous messages on vox-tech and some articles I've read, I
switched over from exim3 to postfix 2.0.16.
Here's what I've added to /etc/postfix/main.cf:
# By default, smtpd_client_restrictions is applied at the RCPT TO
# command. To have the restriction take effect ASAP, do this (may
# cause unexpected results with poorly implemented client software):
#
smtpd_delay_reject = no
# Require HELO/EHLO, and disable VRFY.
#
smtpd_helo_required = yes
disable_vrfy_command = yes
# This restricts what clients this system accepts SMTP connections from.
# ORDER IMPORTANT!!!
#
smtpd_client_restrictions =
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
   (2)  reject_non_fqdn_sender,
   (3)  reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        reject_unauth_destination,
   (1)  check_helo_access hash:/etc/postfix/helo_checks,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client relays.ordb.org,
        reject_rbl_client cbl.abuseat.org
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client opm.blitzed.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        permit
smtpd_data_restrictions =
        reject_unauth_pipelining,
        permit
Here's /etc/postfix/helo_checks:
dirac.org REJECT You are not in dirac.org. Go away, spammer.
www.dirac.org REJECT You are not in dirac.org. Go away, spammer.
mail.dirac.org REJECT You are not in dirac.org. Go away, spammer.
localhost REJECT You are not my localhost. Go away, spammer.
I compiled helo_checks with "postmap helo_checks" and restarted postfix.
The error/warn logs didn't indicate any problems.
The RBL checks work (boy, do they work!):
Apr 21 07:31:45 gabriel postfix/smtpd[2375]: NOQUEUE: reject: CONNECT
from WLL-25-pppoe180.t-net.net.ve[200.31.139.180]: 554 Service
unavailable; Client host [200.31.139.180] blocked using list.dsbl.org;
http://dsbl.org/listing?ip=200.31.139.180; proto=SMTP
However, I wrote myself an email from a foreign host:
lifshitz.ucdavis.edu$ telnet dirac.org 25
Trying 64.142.25.39...
Connected to adsl-64-142-25-39.sonic.net (64.142.25.39).
Escape character is '^]'.
220 gabriel.localdomain ESMTP Postfix (Debian/GNU)
(1) helo localhost
250 gabriel.localdomain
(2) mail from: blah.foo.bar
250 Ok
(3) rcpt to: p
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
test.
.
250 Ok: queued as C4AA03DC1
quit
221 Bye
This violates a few spam controls that should be in place.
1. I used "helo localhost" from a host not on my local subnet, yet
postfix accepted it, in violation of (1) above.
2. mail from was not a FQDN sender, in violation of (2).
3. rcpt to: was not a FQDN recipient, in violation of (3).
I haven't gotten any spam in the past few minutes, so the RBLs are doing
a good job, but I do want my other spam controls to work. If something
is wrong with how I configured postfix, I'd like to know.
Any ideas on why those 3 checks seem to be ignored by postfix?
Thanks!
Pete
--
Make everything as simple as possible, but no simpler. -- Albert Einstein
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
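
Added example, not part of the original message: a small Python check that replays the quoted telnet session against the policy the restriction names describe and lists which accepted commands that policy should have rejected. The FQDN tests are simplified assumptions rather than Postfix's own logic, and all function names are hypothetical.

```python
import re

# Names taken from the helo_checks table quoted in the message.
HELO_DENY = {"dirac.org", "www.dirac.org", "mail.dirac.org", "localhost"}

# Client commands from the quoted telnet session, with the server's reply codes.
SESSION = [
    ("helo localhost", 250),
    ("mail from: blah.foo.bar", 250),
    ("rcpt to: p", 250),
]

def is_fqdn(name):
    """Simplified assumption: two or more labels of letters, digits, hyphens."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(
        re.fullmatch(r"[A-Za-z0-9-]+", label) for label in labels)

def addr_is_fqdn(addr):
    """An envelope address is fully qualified only as local@fqdn-domain."""
    local, sep, domain = addr.strip().strip("<>").rpartition("@")
    return bool(sep and local and is_fqdn(domain))

def expected_rejections(command):
    """Restrictions from the posted config that should reject this command."""
    verb, _, arg = command.partition(" ")
    verb, hits = verb.lower(), []
    addr = arg.partition(":")[2].strip()
    if verb in ("helo", "ehlo"):
        name = arg.strip().lower()
        if not is_fqdn(name):
            hits.append("reject_non_fqdn_hostname")
        if name in HELO_DENY:
            hits.append("check_helo_access")
    elif verb == "mail" and addr != "<>" and not addr_is_fqdn(addr):
        hits.append("reject_non_fqdn_sender")  # the null sender <> is exempt
    elif verb == "rcpt" and not addr_is_fqdn(addr):
        hits.append("reject_non_fqdn_recipient")
    return hits

def audit(session):
    """Commands answered 2xx although a configured restriction should match."""
    return [(cmd, expected_rejections(cmd)) for cmd, code in session
            if 200 <= code < 300 and expected_rejections(cmd)]

if __name__ == "__main__":
    for cmd, rules in audit(SESSION):
        print(f"accepted {cmd!r}; expected rejection by: {', '.join(rules)}")
```

On the quoted session this flags all three commands, and it shows that "helo localhost" falls under reject_non_fqdn_hostname as well as the helo_checks table.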