[PLUG] Postfix mailq

Darkhorse plug_0 at robinson-west.com
Fri Nov 12 21:32:31 UTC 2004


On Fri, 2004-11-12 at 09:32, Scott Van Hoosen wrote:
> Two Postfix servers that I take care of, both on Red Hat/Fedora, queue
> up attempts at relaying through my servers. I would like Postfix to
> simply discard e-mail not addressed to my domain, but it seems to try
> to bounce these back to the sender, which of course are always forged.
> I haven't been able to find the setting to change this by Googling. Any
> ideas?
> 
> If this is helpful, here's a section of output from mailq:
> 
> F201B1EE38C     3832 Fri Nov 12 06:58:31  svanhoosen
>         (connect to mail2.saveinternet.net[69.42.112.7]: Connection
> timed out)
>                                          dallasburchfield at weabc.net
>  
> F2E1B1EE282     3558 Thu Nov 11 02:56:30  svanhoosen
>                  (connect to pjn.qsrch.net[64.94.29.14]: Connection
> timed out)
>                                          Vazqueziyf at pjn.qsrch.net
>  
> F1C7A1EE2CD     3631 Thu Nov 11 10:22:43  svanhoosen
>            (connect to a.mx.emlcampaign.com[63.79.4.17]: Connection
> timed out)
>                                         
> brilliantmarketinginc at emlcampaign.com
>  
> F422A1EE3A1     3787 Fri Nov 12 07:30:53  svanhoosen
>         (connect to mail1.saveinternet.net[69.42.112.4]: Connection
> timed out)
>                                         
> olengaston at domainsecurefirst.com
> 
> 
> -Scott
> 
Some email sources aren't dns listed and you just have to accept them
explicitly.  It would be interesting if you could bypass just the helo
checking for certain helo names, but I don't know how to do that.

Go ahead and helo check.  I recommend what's called a relay 
firewall in front of your mail server.  Check out postfix.org 
for a config that only relays listed recipients.  I'm attaching
my own config.  Helo checking can block legitimate email.  I 
strongly suggest a script that checks the mail log on the relay
for messages to valid recipients that have been rejected using
the mail command to notify them.

I wrote such a script which emails the valid recipient with
the information about the rejection in case there needs
to be an exception for a certain message source.  Another option
I haven't played with much is a primary relay that helo
checks with a secondary that doesn't.  Better have a tertiary
set up as spamtrap for people who expect the secondary to be
more permissive and consistently go to it first incorrectly. 

All legitimate email servers are supposed to retry at least once.
Problems arise with sites that don't dns list their outgoing mail
servers such as AOL.  It may make their security easier, but it's
a pain for everyone else.

I've attached my main.cf for a postfix 2.1.1 gateway relay.
If you look carefully you'll notice sections for spf and
greylisting as well.  When you use greylisting it's an
especially good idea to have a notification script that
runs at least once a day so that your users can find out
about legitimate email attempts to them from sources that 
aren't greylisting compatible.

Your main source of course is postfix.org.

Another thing I've done is write another script that drops ip addresses
of abusers into an iptables chain.  I drop anyone who uses an invalid 
recipient name immediately, dropping people who abuse smtp command
pipelining or come in with a hostname that's unknown for three days
after there have been three instances of abuse.

My rejection rate is hovering at 25% or so now down from 70-90%.
To stop bouncing use the luser relay feature.  The only problem with
this approach is that you have to do extra work to notify anyone
who should receive a bounce that there has been a problem.

     --  Michael C. Robinson
-------------- next part --------------
queue_directory = /var/spool/relay_spool
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix

mail_owner = postfix

default_privs = nobody

mydomain=robinson-west.com

myorigin=$mydomain

inet_interfaces = 209.210.202.170, 127.0.0.1

mydestination=
local_recipient_maps= 
local_transport= error:local delivery is disabled

virtual_alias_maps=hash:/etc/postfix/virtual

mynetworks=127.0.0.0/8, 209.210.202.168/29
relay_domains = $mydomain, goose.$mydomain
parent_domain_matches_subdomains = 
    debug_peer_list smtpd_access_maps

relay_recipient_maps=hash:/etc/postfix/relay_recipients
transport_maps=hash:/etc/postfix/transport



in_flow_delay = 1s

smtpd_banner = $myhostname ESMTP $mail_name

smtpd_delay_reject = yes


smtpd_helo_required=yes

disable_vrfy_command=yes

smtpd_reject_unlisted_sender=yes

relocated_maps=hash:/etc/postfix/relocated


smtpd_helo_restrictions= check_helo_access hash:/etc/postfix/access,
                         check_helo_access hash:/etc/postfix/invalid_helo,
                         reject_invalid_hostname,
                         reject_non_fqdn_hostname,
                         reject_unknown_hostname,
                         permit_mynetworks

smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/override_sender_access,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:9998,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unlisted_recipient,
    check_policy_service unix:private/policy,
    check_recipient_access hash:/etc/postfix/postmaster,
    reject_rbl_client dnsbl.ahbl.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client hil.habeas.com,
    reject_rbl_client bl.spamcop.net,
#   reject_rbl_client psbl.surriel.com,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rhsbl_sender bogusmx.rfc-ignorant.com,
    reject_rhsbl_sender bulk.rhs.mailpolice.com,
    reject_rhsbl_sender porn.rhs.mailpolice.com,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
#   reject_rhsbl_sender postmaster.rfc-ignorant.org,
#   reject_rhsbl_sender abuse.rfc-ignorant.org,
#   reject_rhsbl_sender whois.rfc-ignorant.org,
    permit

policy_time_limit = 300

smtpd_sender_restrictions = reject_unknown_sender_domain

smtpd_client_restrictions = reject_unauth_pipelining,
                            permit_mynetworks

smtpd_restriction_classes = local_only
local_only =
    check_recipient_access hash:/etc/postfix/local_domains, reject
                                 
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-1.1.7/samples
readme_directory = /etc/postfix/README_FILES

unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
defer_code = 450
invalid_hostname_reject_code = 501
maps_rbl_reject_code = 554
non_fqdn_reject_code = 504
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 450
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
multi_recipient_bounce_reject_code = 550
html_directory = no
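The two scripts the reply above describes, the daily notification of listed recipients about mail the relay rejected (so a helo or greylisting exception can be added for a legitimate source) and the iptables block list for abusers, as one added Python example. This is not Michael's script and not part of the original post: the log lines are constructed in the Postfix 2.x smtpd reject format, VALID_RECIPIENTS stands in for the relay_recipients map, the chain name SMTPABUSE and the cut-off time NOW are assumptions, the "three instances" rule is read as three hits within three days, and the iptables commands are returned as text rather than executed (the three-day expiry of a rule is left to a separate cron job and not shown).

```python
"""Scan Postfix smtpd reject lines, build per-recipient notices and an abuser block list.
Added example, not the scripts from the original post."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in Postfix 2.x smtpd reject format (not real traffic).
SAMPLE_LOG = """\
Nov 10 03:14:05 relay postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 <mx.example.net>: Helo command rejected: Host not found; from=<news@example.net> to=<alice@robinson-west.com> proto=ESMTP helo=<mx.example.net>
Nov 11 09:02:17 relay postfix/smtpd[2140]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 <mx.example.net>: Helo command rejected: Host not found; from=<news@example.net> to=<alice@robinson-west.com> proto=ESMTP helo=<mx.example.net>
Nov 12 10:44:51 relay postfix/smtpd[2233]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 <mx.example.net>: Helo command rejected: Host not found; from=<news@example.net> to=<alice@robinson-west.com> proto=ESMTP helo=<mx.example.net>
Nov 12 11:01:09 relay postfix/smtpd[2250]: NOQUEUE: reject: RCPT from spam.example.org[198.51.100.7]: 550 <zzqx@robinson-west.com>: Recipient address rejected: User unknown in relay recipient table; from=<bulk@example.org> to=<zzqx@robinson-west.com> proto=SMTP helo=<spam.example.org>
Nov 12 11:01:10 relay postfix/smtpd[2250]: NOQUEUE: reject: RCPT from spam.example.org[198.51.100.7]: 503 <bob@robinson-west.com>: Improper use of SMTP command pipelining; from=<bulk@example.org> to=<bob@robinson-west.com> proto=SMTP helo=<spam.example.org>
Nov 12 12:30:00 relay postfix/smtpd[2301]: NOQUEUE: reject: RCPT from mail.example.com[203.0.113.5]: 450 <bob@robinson-west.com>: Recipient address rejected: Greylisted, try again later; from=<carol@example.com> to=<bob@robinson-west.com> proto=ESMTP helo=<mail.example.com>
"""

# Constructed stand-in for the relay_recipients map; assumption, not the post's data.
VALID_RECIPIENTS = {"alice@robinson-west.com", "bob@robinson-west.com", "postmaster@robinson-west.com"}
# Assumed "current time" for the sample run (syslog lines carry no year, so it is supplied too).
NOW = datetime(2004, 11, 12, 23, 59)

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3}) <[^>]*>: (?P<reason>[^;]*); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_rejects(log_text, year):
    """One dict per NOQUEUE reject line; everything else (accepted mail, qmgr lines) is skipped."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
        records.append(rec)
    return records


def pending_notices(records, valid_recipients):
    """Group rejects addressed to listed recipients; rejects to unknown names are spam probes."""
    by_rcpt = defaultdict(list)
    for rec in records:
        if rec["rcpt"] in valid_recipients:
            by_rcpt[rec["rcpt"]].append(rec)
    return dict(by_rcpt)


def format_notice(rcpt, rejects):
    """Body for `mail -s 'rejected mail' rcpt`: one line per rejected attempt."""
    lines = [f"The relay rejected {len(rejects)} message(s) addressed to {rcpt}:"]
    for r in sorted(rejects, key=lambda r: r["when"]):
        lines.append(f"  {r['when']:%b %d %H:%M} from <{r['sender']}> via {r['host']}[{r['ip']}]: "
                     f"{r['code']} {r['reason']}")
    lines.append("Ask postmaster for an access-map exception if a sender above is legitimate.")
    return "\n".join(lines)


def classify_abuse(rec):
    """Map a reject reason to the abuse kinds the post drops on; other rejects are not counted."""
    reason = rec["reason"]
    if "User unknown" in reason:
        return "unknown_recipient"
    if "pipelining" in reason.lower():
        return "pipelining"
    if "Host not found" in reason or "cannot find your hostname" in reason:
        return "unknown_hostname"
    return None  # greylisting, RBL hits and the like stay out of the block list


def abusers(records, now, strikes=3, window=timedelta(days=3)):
    """IPs to drop: an invalid recipient is an immediate drop; pipelining or an unknown
    hostname needs `strikes` hits inside `window` (three in three days, as assumed here)."""
    blocked = {}
    hits = defaultdict(list)
    for rec in records:
        kind = classify_abuse(rec)
        if kind == "unknown_recipient":
            blocked[rec["ip"]] = kind
        elif kind is not None and now - rec["when"] <= window:
            hits[rec["ip"]].append(rec["when"])
    for ip, times in hits.items():
        if ip not in blocked and len(times) >= strikes:
            blocked[ip] = "repeat_abuse"
    return blocked


def iptables_rules(blocked, chain="SMTPABUSE"):
    """Commands that would add each IP to a dedicated chain; returned as text, not executed."""
    return [f"iptables -A {chain} -s {ip} -p tcp --dport 25 -j DROP  # {why}"
            for ip, why in sorted(blocked.items())]


if __name__ == "__main__":
    recs = parse_rejects(SAMPLE_LOG, 2004)
    for rcpt, items in pending_notices(recs, VALID_RECIPIENTS).items():
        print(format_notice(rcpt, items), end="\n\n")
    print("\n".join(iptables_rules(abusers(recs, NOW))))
```

On the sample data the unknown host 192.0.2.10 shows up in both outputs: alice is told about three rejected messages from it, and it also lands in the block list after its third helo failure. That overlap is the caveat in the reply above: helo checking blocks legitimate but badly configured senders, and the notice is what lets the recipient ask for an entry in the helo access map before the drop rule does lasting damage.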

