[PLUG] Beware of silent failures in postfix

Keith Lofstrom keithl at kl-ic.com
Mon Dec 26 05:42:26 UTC 2005


I have been fixing up postfix on my incoming mail server to filter
more spam.  Some options did not seem to work - it turns out there
were some typos in the main.cf file.  I learned that postfix does
not check for typos;  if you misname an option, it will parse it
and ignore it.  The one that caught me was the misspelling:

   smtp_recipient_restrictions =

Which should be:

   smtpd_recipient_restrictions =

If you have problems with postfix, or it does not seem to be
implementing an option you put in the main.cf file, this is 
something to check.

I encountered this while adding postgrey as one of the final
bricks in the wall (since it stops so much stuff, you need to leave
it off while implementing the other filters). 

 --- and wandering off on a tangent ...

The last brick in the wall is a high MX spam trap, like Randal talked
about a few months ago.  I hope to do that by using the postgrey
mechanism and database.  Postgrey starts its timer and permits mail
to pass 300 (default) seconds after the previous attempt to send email.
Persistent servers get through, and then get whitelisted.  My plan is
to "postdate" a high-MX entry sent to the postgrey daemon;  postgrey
will then block mail from that source for 300 seconds after the
future time I set for the entry (probably 6 hours).  Yes, I will
have to tweak on postgrey a bit to permit this, but it apparently
has an options mechanism for the message passing that will keep the
tweak small. 

My first approach was to just block the source of the high MX spam
permanently, but Randal pointed out that a zombie hidden behind a
legitimate mail server could also generate high MX traffic, apparently
coming from that mail server's IP address.  A few hours delay should
permit the sender to locate the zombie on their own net.  Randal
blocks the entire site by adding an entry to iptables and removing
it after a time.  While there are advantages to this (it is easy!),
it also may block web page service to the offending site, preventing
them from learning about why they are blocked, and also does not
permit postmaster@ and abuse@ emails to go through.

Keith

-- 
Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs

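The check the post's point calls for, as an added example that is not from the original post: a Python script that parses the parameter names assigned in main.cf and flags any that are not known Postfix parameters, suggesting the nearest real name. It assumes the known-parameter list would in practice be built from `postconf -d` output; here a small constructed subset and a constructed main.cf fragment are embedded so the script runs offline.

```python
import difflib
import re

# Constructed main.cf fragment (not from the original post) containing the
# typo the post describes: smtp_recipient_restrictions for smtpd_...
SAMPLE_MAIN_CF = """\
# Postfix main.cf (constructed example)
myhostname = mail.example.com
smtpd_helo_required = yes
smtp_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10023
smtpd_client_restrictions = permit_mynetworks
"""

# In practice build this from `postconf -d` (the parameters the running
# Postfix knows). A small constructed subset keeps the example offline.
KNOWN_PARAMETERS = {
    "myhostname",
    "smtpd_helo_required",
    "smtpd_recipient_restrictions",
    "smtpd_client_restrictions",
    "smtp_helo_timeout",
}

PARAM_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=")


def parameter_names(main_cf_text):
    """Return the parameter names assigned in main.cf text, in file order.

    In main.cf a line starting with whitespace continues the previous value
    and '#' in column 1 starts a comment, so only non-indented 'name = value'
    lines introduce a parameter.
    """
    names = []
    for line in main_cf_text.splitlines():
        if not line or line[0].isspace() or line.startswith("#"):
            continue
        m = PARAM_LINE.match(line)
        if m:
            names.append(m.group(1))
    return names


def unknown_parameters(main_cf_text, known=KNOWN_PARAMETERS):
    """Map each unrecognised parameter name to its closest known names."""
    return {
        name: difflib.get_close_matches(name, sorted(known), n=3, cutoff=0.9)
        for name in parameter_names(main_cf_text)
        if name not in known
    }


if __name__ == "__main__":
    for name, hints in unknown_parameters(SAMPLE_MAIN_CF).items():
        print(f"unknown parameter '{name}'; did you mean {hints or 'n/a'}?")
```

Names you define yourself in main.cf and reference as `$name` elsewhere are legitimate and will also be reported, so treat a hit as something to review rather than delete.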

