Ubuntu Postfix & SpamAssassin Backup MX Server

Posted on 2010-08-30
Last Modified: 2012-05-10
Trying to configure an Ubuntu 9.10 server to serve as a backup MX/relay server. Essentially, if a site's mail server goes down, we'd like this box to queue mail until the server comes back up and then deliver it accordingly.

1. It's working as is.
2. SpamAssassin is being used to filter (tag?) spam.
3. It is queuing a ton of spam for various other domains, which will stay on the server for the default 5 days until it expires.

How can I configure the box so that, unless the recipient domain of the mail being received is part of the relay domains list, it drops/rejects the email automatically? The logic is that if we haven't added the recipient email's domain to our relay domains, then this server should not be handling/processing it. Any help would be appreciated in advance. Thanks.

My main.cf is enclosed below.


```
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

relay_transport = relay

smtpd_banner = ESMTP - Domain 1
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mx1.domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mx1.domain1.com, lsubuntumx.lsconnections.com, localhost.lsconnections.com, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +

smtpd_helo_required = yes

        #reject_invalid_hostname
        #reject_non_fqdn_hostname

smtpd_sender_restrictions = reject_non_fqdn_sender
        #hash:/etc/postfix/access
        #reject_non_fqdn_sender
        #reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_unknown_reverse_client_hostname permit_mx_backup

smtpd_data_restrictions =
        #reject_unauth_pipelining  (stops bulk mail senders)

strict_rfc821_envelopes = no

smtp_sasl_auth_enable = no
# Note: this overrides the smtpd_use_tls=yes set above; Postfix uses the last
# value given for a repeated parameter and logs a warning about it at startup.
smtpd_use_tls = no
smtp_use_tls = no

relay_domains = domain1.com, domain2.com, domain3.com

# You must specify your NAT/proxy external address.
proxy_interfaces = 208.x.x.x
```

Question by: Malevolo

2 Comments
Expert Comment by: madunix
ID: 33562429
Accepted Solution by: bougui (earned 2000 total points)
ID: 33567063
Hi

Maybe you don't look closely enough in your mail queue.

What I suspect is that mail is sent to UserthatdoestNotExist@domain1.com via the MX backup server (this is usual from spammers; they use the backup MX server).

Then your server queues the email and tries to send it to the real email server, because you're accepting anything to domain1.com.

The real email server responds back to your MX backup server that this user does not exist.

Then your backup server tries to respond to the sender (which is 99% invalid, because it was spam), and your MX backup server is stuck with the mail in its queue and will try to resend the email for 4 days.

Possible solution:

1) Extract the valid email addresses for all your domains and create a recipient map,
and add something like this to main.cf:

```
relay_recipient_maps = hash:/etc/postfix/domain1-recipients
```

Entry example:

```
ventes@domain1.com            OK
```

That way you will only accept email to existing users for your domains, and your MX server should not fill its queue.

2) Don't accept spam. You have relaxed restrictions in your main.cf file; this is an in-depth doc for this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

but at least:

```
smtpd_helo_required = yes
disable_vrfy_command = yes

smtpd_recipient_restrictions =
      permit_mynetworks,
      reject_invalid_hostname,
      reject_non_fqdn_hostname,
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      reject_unknown_sender_domain,
      reject_unknown_recipient_domain,
      reject_unauth_destination,
      check_recipient_access hash:/etc/postfix/access,
      reject_rbl_client cbl.abuseat.org,
      reject_rbl_client sbl.spamhaus.org,
      reject_rbl_client pbl.spamhaus.org,
      permit

smtpd_data_restrictions =
      reject_unauth_pipelining,
      permit
```


With this you should be okay.

Good luck!
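To make the difference between the asker's restriction chain and the accepted answer's concrete, here is a small offline model of how Postfix decides a RCPT TO: command. It is an added example, not Postfix code and not anything the asker or bougui posted: it assumes the relay_domains from the question, a constructed one-entry relay_recipient_maps table, a constructed access table, and treats every DNS-dependent restriction (RBLs, unknown client hostname, permit_mx_backup) as giving no decision.

```python
# Simplified offline model of Postfix's RCPT TO: decision (added example, not
# Postfix code): DNS-based restrictions (RBLs, unknown client hostname,
# permit_mx_backup) give no decision here, so only relay logic is modelled.
RELAY_DOMAINS = {"domain1.com", "domain2.com", "domain3.com"}
MYNETWORKS = {"127.0.0.1"}
# Constructed stand-in for hash:/etc/postfix/domain1-recipients after postmap.
RELAY_RECIPIENT_MAPS = {"ventes@domain1.com": "OK"}
# Constructed stand-in for hash:/etc/postfix/access (check_recipient_access).
ACCESS_MAP = {"old-alias@domain2.com": "REJECT"}
# The asker's chain (relays anything for a relay domain) and the answer's
# chain, with the DNS/RBL entries left out because they are DUNNO here.
ORIGINAL = ["permit_mynetworks", "reject_unauth_destination",
            "reject_unknown_reverse_client_hostname", "permit_mx_backup"]
HARDENED = ["permit_mynetworks", "reject_unauth_destination",
            "check_recipient_access", "permit"]

def access_lookup(addr, table):
    """access(5) lookup order for an address: user@domain, domain, user@."""
    local, _, domain = addr.rpartition("@")
    for key in (addr, domain, local + "@"):
        if key in table:
            return table[key]
    return None

def run_chain(recipient, domain, client_ip, restrictions):
    """First restriction that yields PERMIT or REJECT decides; else None."""
    for r in restrictions:
        if r == "permit_mynetworks" and client_ip in MYNETWORKS:
            return "permit", r
        if r == "reject_unauth_destination" and domain not in RELAY_DOMAINS:
            return "reject", "554 Relay access denied"
        if r == "check_recipient_access" and access_lookup(recipient, ACCESS_MAP) == "REJECT":
            return "reject", "554 Recipient address rejected: Access denied"
        if r == "permit":
            return "permit", r
    return None

def check_rcpt(recipient, client_ip, restrictions, recipient_maps=None):
    """Return (decision, reason) for one RCPT TO: command."""
    recipient = recipient.lower()
    domain = recipient.rpartition("@")[2]
    decision = run_chain(recipient, domain, client_ip, restrictions)
    if decision and decision[0] == "reject":
        return decision
    # smtpd_reject_unlisted_recipient (default yes) applies even after a permit:
    # with relay_recipient_maps set, an unknown relay-domain user is refused at
    # RCPT time instead of being queued and later bounced to a forged sender.
    if recipient_maps is not None and domain in RELAY_DOMAINS and recipient not in recipient_maps:
        return "reject", "550 User unknown in relay recipient table"
    return decision or ("permit", "end of list")
```

With ORIGINAL and no recipient map, a message for a nonexistent user at domain1.com is accepted and queued (the backscatter case bougui describes); with HARDENED plus the map it is refused at RCPT time, while a listed user is still relayed.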
