[PLUG] Postfix mailq
Darkhorse
plug_0 at robinson-west.com
Fri Nov 12 21:32:31 UTC 2004
On Fri, 2004-11-12 at 09:32, Scott Van Hoosen wrote:
> Two Postfix servers that I take care of, both on Red Hat/Fedora, queue
> up attempts at relaying through my servers. I would like Postfix to
> simply discard e-mail not addressed to my domain, but it seems to try
> to bounce these back to the sender, which of course are always forged.
> I haven't been able to find the setting to change this by Googling. Any
> ideas?
>
> If this is helpful, here's a section of output from mailq:
>
> F201B1EE38C     3832 Fri Nov 12 06:58:31  svanhoosen
> (connect to mail2.saveinternet.net[69.42.112.7]: Connection timed out)
>                                          dallasburchfield at weabc.net
>
> F2E1B1EE282     3558 Thu Nov 11 02:56:30  svanhoosen
> (connect to pjn.qsrch.net[64.94.29.14]: Connection timed out)
>                                          Vazqueziyf at pjn.qsrch.net
>
> F1C7A1EE2CD     3631 Thu Nov 11 10:22:43  svanhoosen
> (connect to a.mx.emlcampaign.com[63.79.4.17]: Connection timed out)
>                                          brilliantmarketinginc at emlcampaign.com
>
> F422A1EE3A1     3787 Fri Nov 12 07:30:53  svanhoosen
> (connect to mail1.saveinternet.net[69.42.112.4]: Connection timed out)
>                                          olengaston at domainsecurefirst.com
>
> -Scott
>
Some email sources aren't dns listed and you just have to accept them
explicitly. It would be interesting if you could bypass just the helo
checking for certain helo names, but I don't know how to do that.
Go ahead and helo check. I recommend what's called a relay
firewall in front of your mail server. Check out postfix.org
for a config that only relays listed recipients. I'm attaching
my own config. Helo checking can block legitimate email. I
strongly suggest a script that checks the mail log on the relay
for messages to valid recipients that have been rejected using
the mail command to notify them.
I wrote such a script which emails the valid recipient with
the information about the rejection in case there needs
to be an exception for a certain message source. Another option
I haven't played with much is a primary relay that helo
checks with a secondary that doesn't. Better have a tertiary
set up as a spamtrap for people who expect the secondary to be
more permissive and consistently go to it first incorrectly.
All legitimate email servers are supposed to retry at least once.
Problems arise with sites that don't DNS-list their outgoing mail
servers, such as AOL. It may make their security easier, but it's
a pain for everyone else.
I've attached my main.cf for a postfix 2.1.1 gateway relay.
If you look carefully you'll notice sections for SPF and
greylisting as well. When you use greylisting it's an
especially good idea to have a notification script that
runs at least once a day so that your users can find out
about legitimate email attempts to them from sources that
aren't greylisting compatible.
Your main source of course is postfix.org.
Another thing I've done is write another script that drops IP addresses
of abusers into an iptables chain. I drop anyone who uses an invalid
recipient name immediately, and drop people who abuse SMTP command
pipelining or come in with a hostname that's unknown for three days
after there have been three instances of abuse.
My rejection rate is hovering at 25% or so now down from 70-90%.
To stop bouncing use the luser_relay feature. The only problem with
this approach is that you have to do extra work to notify anyone
that should receive a bounce that there has been a problem.
-- Michael C. Robinson
-------------- next part --------------
queue_directory = /var/spool/relay_spool
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
default_privs = nobody
mydomain = robinson-west.com
myorigin = $mydomain
inet_interfaces = 209.210.202.170, 127.0.0.1
# Pure relay gateway: no local domains and no local delivery on this box.
mydestination =
local_recipient_maps =
local_transport = error:local delivery is disabled
virtual_alias_maps = hash:/etc/postfix/virtual
mynetworks = 127.0.0.0/8, 209.210.202.168/29
relay_domains = $mydomain, goose.$mydomain
# relay_domains is not in this list, so subdomains of $mydomain have to be
# named explicitly in relay_domains (hence goose.$mydomain above).
parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps
# Only recipients listed in this map are relayed; everything else is
# refused during the SMTP dialogue instead of being accepted and bounced.
relay_recipient_maps = hash:/etc/postfix/relay_recipients
transport_maps = hash:/etc/postfix/transport
in_flow_delay = 1s
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_delay_reject = yes
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_reject_unlisted_sender = yes
relocated_maps = hash:/etc/postfix/relocated
# A restriction list stops at the first reject, so with permit_mynetworks
# last the internal hosts still have to pass the HELO checks above it.
smtpd_helo_restrictions =
    check_helo_access hash:/etc/postfix/access,
    check_helo_access hash:/etc/postfix/invalid_helo,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unknown_hostname,
    permit_mynetworks
# reject_unauth_destination comes before the policy services and the
# DNSBL lookups, so relay attempts are refused without any of those running.
# Several of the DNSBL/RHSBL zones below have been retired since this was
# posted; a dead zone can time out or list everything, so check each one
# before reusing this list.
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/override_sender_access,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:9998,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unlisted_recipient,
    check_policy_service unix:private/policy,
    check_recipient_access hash:/etc/postfix/postmaster,
    reject_rbl_client dnsbl.ahbl.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client hil.habeas.com,
    reject_rbl_client bl.spamcop.net,
#   reject_rbl_client psbl.surriel.com,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rhsbl_sender bogusmx.rfc-ignorant.com,
    reject_rhsbl_sender bulk.rhs.mailpolice.com,
    reject_rhsbl_sender porn.rhs.mailpolice.com,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
#   reject_rhsbl_sender postmaster.rfc-ignorant.org,
#   reject_rhsbl_sender abuse.rfc-ignorant.org,
#   reject_rhsbl_sender whois.rfc-ignorant.org,
    permit
policy_time_limit = 300
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_client_restrictions =
    reject_unauth_pipelining,
    permit_mynetworks
# Restriction class for use from an access map: allow only recipients in
# the local_domains map and reject everything else.
smtpd_restriction_classes = local_only
local_only =
    check_recipient_access hash:/etc/postfix/local_domains, reject
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-1.1.7/samples
readme_directory = /etc/postfix/README_FILES
# Reply codes: 5xx rejections are permanent, 450 tells a real MTA to retry.
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
defer_code = 450
invalid_hostname_reject_code = 501
maps_rbl_reject_code = 554
non_fqdn_reject_code = 504
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 450
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
multi_recipient_bounce_reject_code = 550
html_directory = no
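The two scripts described in the reply above, a notifier that tells valid recipients about rejected mail and a strike counter that feeds an iptables chain, both start from the same parse of the Postfix reject lines. The following is an added example of that triage, written for this page; it is not the poster's script and not anything shipped by Postfix. The log lines, addresses and IPs are constructed; VALID_RECIPIENTS stands in for the relay_recipients map; the chain name SMTP_ABUSE, the three-day expiry applied to immediate drops as well, and the exact reason strings matched are assumptions.

```python
"""Triage Postfix smtpd reject lines from the mail log.

Job 1: collect rejections of mail to valid recipients by checks a legitimate
sender can trip (HELO checks, DNSBLs), so each recipient can ask for an
exception.  Job 2: count abuse per client IP and emit iptables DROP rules.
Added example, not the poster's script; all sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for the relay_recipients map (assumption).
VALID_RECIPIENTS = {"michael@robinson-west.com", "info@robinson-west.com"}

# Postfix 2.x smtpd reject line:
#   "... NOQUEUE: reject: RCPT from host[ip]: CODE reason; from=<a> to=<b> ..."
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3}) (?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

IMMEDIATE = {"invalid_recipient"}             # one hit is enough to be dropped
COUNTED = {"pipelining", "unknown_hostname"}  # dropped after STRIKES hits
NOTIFIABLE = {"other", "unknown_hostname"}    # classes a real sender can fall into
STRIKES, BLOCK_DAYS = 3, 3


def classify(reason):
    """Map the reject text onto an abuse class (matched strings are assumptions)."""
    if "User unknown" in reason:
        return "invalid_recipient"
    if "pipelining" in reason:
        return "pipelining"
    if "Helo command rejected: Host not found" in reason:
        return "unknown_hostname"
    return "other"  # DNSBL/RHSBL hits, sender checks, greylisting deferrals, ...


def parse_rejects(log_text, year):
    """One dict per reject line; syslog timestamps carry no year, so it is supplied."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S").replace(year=year)
        rec["kind"] = classify(rec["reason"])
        records.append(rec)
    return records


def pending_notifications(rejects, valid_recipients):
    """Rejections worth telling a valid recipient about, grouped by recipient."""
    notes = defaultdict(list)
    for r in rejects:
        if r["rcpt"] in valid_recipients and r["kind"] in NOTIFIABLE:
            notes[r["rcpt"]].append((r["ip"], r["sender"], r["reason"]))
    return dict(notes)


def block_decisions(rejects, strikes=STRIKES, block_days=BLOCK_DAYS):
    """Which client IPs go into the firewall chain, why, and until when."""
    counts = defaultdict(int)
    blocked = {}
    for r in sorted(rejects, key=lambda r: r["when"]):
        if r["ip"] in blocked:
            continue
        if r["kind"] in COUNTED:
            counts[r["ip"]] += 1
        if r["kind"] in IMMEDIATE or counts[r["ip"]] >= strikes:
            blocked[r["ip"]] = (r["kind"], r["when"] + timedelta(days=block_days))
    return blocked


def iptables_rules(blocked, chain="SMTP_ABUSE"):
    """DROP rules for a chain assumed to exist and to be jumped to from INPUT.
    The expiry is kept in the comment so a daily run can delete lapsed rules."""
    return [
        f"iptables -A {chain} -s {ip} -j DROP  # {why}, expires {until:%Y-%m-%d %H:%M}"
        for ip, (why, until) in sorted(blocked.items())
    ]


# Constructed sample log (Postfix 2.x syslog format); not real traffic.
SAMPLE_LOG = """\
Nov 12 06:58:31 relay postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <nobody@robinson-west.com>: Recipient address rejected: User unknown in relay recipient table; from=<bulk@example.net> to=<nobody@robinson-west.com> proto=ESMTP helo=<example.net>
Nov 12 07:30:53 relay postfix/smtpd[2142]: NOQUEUE: reject: RCPT from mx.example.org[198.51.100.5]: 450 <mx-out>: Helo command rejected: Host not found; from=<alice@example.org> to=<michael@robinson-west.com> proto=ESMTP helo=<mx-out>
Nov 12 07:45:10 relay postfix/smtpd[2142]: NOQUEUE: reject: RCPT from mx.example.org[198.51.100.5]: 554 Service unavailable; Client host [198.51.100.5] blocked using bl.spamcop.net; from=<alice@example.org> to=<michael@robinson-west.com> proto=ESMTP helo=<mx.example.org>
Nov 12 08:02:01 relay postfix/smtpd[2190]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 503 <info@robinson-west.com>: Recipient address rejected: Improper use of SMTP command pipelining; from=<bob@example.com> to=<info@robinson-west.com> proto=ESMTP helo=<example.com>
Nov 12 09:15:44 relay postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 <pc1>: Helo command rejected: Host not found; from=<bob@example.com> to=<info@robinson-west.com> proto=ESMTP helo=<pc1>
Nov 12 10:20:08 relay postfix/smtpd[2260]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 503 <info@robinson-west.com>: Recipient address rejected: Improper use of SMTP command pipelining; from=<bob@example.com> to=<info@robinson-west.com> proto=ESMTP helo=<example.com>
"""

if __name__ == "__main__":
    recs = parse_rejects(SAMPLE_LOG, 2004)
    for rcpt, hits in pending_notifications(recs, VALID_RECIPIENTS).items():
        print(f"notify {rcpt}:")
        for ip, sender, reason in hits:
            print(f"  {ip} from=<{sender}>: {reason}")
    for rule in iptables_rules(block_decisions(recs)):
        print(rule)
```

On the sample data 192.0.2.10 is dropped on its first unknown-recipient probe, 203.0.113.7 after its third pipelining or bad-HELO strike, and 198.51.100.5 (one HELO strike plus a DNSBL hit) is left alone but produces two notifications for michael@, which is the case where an exception in an access map may be wanted. Notice that nothing here discards queued mail: when the checks run during the SMTP dialogue, as the attached main.cf arranges with reject_unauth_destination and relay_recipient_maps, a refused message never enters the queue and no bounce is ever generated, whereas luser_relay only redirects mail that local(8) would otherwise bounce for an unknown local user.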