Ubuntu Postfix & SpamAssassin Backup MX Server

Posted on 2010-08-30
Last Modified: 2012-05-10
Trying to configure an Ubuntu 9.10 server to serve as a backup MX/relay server. Essentially, if a site's mail server goes down, we'd like this box to queue mails until the server comes back up and then deliver them accordingly.

1. It's working as is
2. SpamAssassin is being used to filter (tag?) spam
3. It is queuing a ton of spam for various other domains, which will stay on the server for the default 5 days until it expires.

How can I configure the box so that, unless the recipient domain of the mail being received is part of the relay domains list, it drops/rejects the email automatically? The logic is: if we haven't added the recipient email's domain to our relay domains, then this server should not be handling/processing it. Any help would be appreciated in advance. Thanks.

My main.cf is enclosed below.


# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

relay_transport = relay

smtpd_banner = ESMTP - Domain 1
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mx1.domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mx1.domain1.com, lsubuntumx.lsconnections.com, localhost.lsconnections.com, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +

smtpd_helo_required = yes

        #reject_invalid_hostname  
        #reject_non_fqdn_hostname

smtpd_sender_restrictions = reject_non_fqdn_sender
        #hash:/etc/postfix/access
        #reject_non_fqdn_sender 
        #reject_uknown_sender_domain 
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_unknown_reverse_client_hostname permit_mx_backup

smtpd_data_restrictions =
        #reject_unauth_pipelining  (stops bulk mail senders)

strict_rfc821_envelopes = no

smtp_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no

relay_domains = domain1.com, domain2.com, domain3.com

# You must specify your NAT/proxy external address.
proxy_interfaces = 208.x.x.x

Question by:Malevolo
2 Comments
 
LVL 25

Expert Comment

by:madunix
ID: 33562429
LVL 5

Accepted Solution

by:
bougui earned 500 total points
ID: 33567063
Hi

Maybe you don't look closely enough in your mail queue.

What I suspect is that mail is sent to UserthatdoestNotExist@domain1.com via the MX backup server (this is usual for spammers; they use the backup MX server).

Then your server queues the email and tries to send it to the real email server, because you're accepting anything to domain1.com.

The real email server responds back to your MX backup server that this user does not exist.

Then your backup server tries to respond to the sender (which is 99% invalid) because it was spam, and your MX backup server is stuck with the mail in its queue and will try to resend the email for 4 days.

Possible solution:

1) Extract the valid emails for all your domains and create a recipient map,
and add something like this to main.cf:

relay_recipient_maps = hash:/etc/postfix/domain1-recipients

entry example:

ventes@domain1.com            OK


That way you will only accept email to existing users for your domain, and your MX server should not fill its queue.

2) Don't accept spam. You have relaxed restrictions in your main.cf file; this is an in-depth doc for this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

But at least:

smtpd_helo_required = yes
disable_vrfy_command = yes


smtpd_recipient_restrictions =
      permit_mynetworks,
      reject_invalid_hostname,
      reject_non_fqdn_hostname,
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      reject_unknown_sender_domain,
      reject_unknown_recipient_domain,
      reject_unauth_destination,
      check_recipient_access hash:/etc/postfix/access,
      reject_rbl_client cbl.abuseat.org,
      reject_rbl_client sbl.spamhaus.org,
      reject_rbl_client pbl.spamhaus.org,
      permit

smtpd_data_restrictions =
      reject_unauth_pipelining,
      permit


With this you should be okay.

Good luck !
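As an added example (not part of the original answer, and not Postfix's own tooling): one way to generate the recipient map from option 1, assuming the valid mailboxes can be exported from the primary servers as one address per line. The sample addresses and function names are constructed for illustration; addresses whose domain is not in relay_domains are reported instead of being written to the map.

```python
# Added example: build the source text for relay_recipient_maps from an
# exported address list, keeping only addresses in relay_domains.
import re

# Constructed sample input: relay_domains as in the question's main.cf and a
# made-up export of valid mailboxes from the primary mail servers.
RELAY_DOMAINS = "domain1.com, domain2.com, domain3.com"
EXPORTED = """\
ventes@domain1.com
Ventes@Domain1.com
info@domain2.com
# comment line from the export
postmaster@domain3.com
someone@not-relayed.example
not-an-address
"""

ADDR_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")

def parse_relay_domains(value):
    """Split a relay_domains value (comma and/or whitespace separated)."""
    return {d.lower() for d in re.split(r"[,\s]+", value.strip()) if d}

def build_recipient_map(exported, relay_domains):
    """Return (map_lines, rejected); only relayed-domain addresses are kept."""
    domains = parse_relay_domains(relay_domains)
    kept, rejected = set(), []
    for raw in exported.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and export comments
        m = ADDR_RE.match(line)
        if not m or m.group(1).lower() not in domains:
            rejected.append(line)  # malformed, or a domain we do not relay
            continue
        kept.add(line.lower())  # lowercase keys; also removes case duplicates
    return [f"{addr}\tOK" for addr in sorted(kept)], rejected

if __name__ == "__main__":
    lines, rejected = build_recipient_map(EXPORTED, RELAY_DOMAINS)
    print("\n".join(lines))
    for r in rejected:
        print(f"# skipped (not a relayed address): {r}")
```

Write the kept lines to the file named in relay_recipient_maps (for example /etc/postfix/domain1-recipients as in the answer), then run postmap on that file and reload Postfix so the hash table is rebuilt.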