Ubuntu Postfix & SpamAssassin Backup MX Server

Posted on 2010-08-30
Last Modified: 2012-05-10
Trying to configure an Ubuntu 9.10 server to serve as a backup MX/relay server. Essentially, if a site's mail server goes down, we'd like this box to queue mail until the server comes back up and then deliver it accordingly.

1. It's working as is
2. SpamAssassin is being used to filter (tag?) spam
3. It is queuing a ton of spam for various other domains which will stay on the server for the default 5 days until it expires.

How can I configure the box so that, unless the recipient domain of the mail being received is part of the relay domains list, it drops/rejects the email automatically? The logic is that if we haven't added the recipient email's domain to our relay domains, then this server should not be handling/processing it. Any help would be appreciated in advance. Thanks.

My main.cf is enclosed below.


# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

relay_transport = relay

smtpd_banner = ESMTP - Domain 1
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mx1.domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mx1.domain1.com, lsubuntumx.lsconnections.com, localhost.lsconnections.com, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +

smtpd_helo_required = yes

        #reject_invalid_hostname  
        #reject_non_fqdn_hostname

smtpd_sender_restrictions = reject_non_fqdn_sender
        #hash:/etc/postfix/access
        #reject_non_fqdn_sender 
        #reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_unknown_reverse_client_hostname permit_mx_backup

smtpd_data_restrictions =
        #reject_unauth_pipelining  (stops bulk mail senders)

strict_rfc821_envelopes = no

smtp_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no

relay_domains = domain1.com, domain2.com, domain3.com

# You must specify your NAT/proxy external address.
proxy_interfaces = 208.x.x.x

Question by:Malevolo
2 Comments

Expert Comment

by:madunix
ID: 33562429

Accepted Solution

by:
bougui earned 500 total points
ID: 33567063
Hi

Maybe you don't look closely enough in your mail queue.

What I suspect is that mail is sent to UserthatdoestNotExist@domain1.com via the MX backup server (this is usual from spammers; they use the backup MX server).

Then your server queues the email and tries to send it to the real email server, because you're accepting anything to domain1.com.

The real email server responds back to your MX backup server that this user does not exist.

Then your backup server tries to respond to the sender (which is 99% invalid) because it was spam, and your MX backup server is stuck with the mail in its queue and will try to resend the email for 4 days.

Possible solution:

1) Extract the valid email addresses for all your domains and create a recipient map, and add something like this to main.cf:

relay_recipient_maps = hash:/etc/postfix/domain1-recipients

Entry example:

ventes@domain1.com            OK


That way you will only accept email to existing users for your domain, and your MX server should not fill its queue.

2) Don't accept spam. You have relaxed restrictions in your main.cf file; this is an in-depth doc for this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

But at least:

smtpd_helo_required = yes
disable_vrfy_command = yes


smtpd_recipient_restrictions =
      permit_mynetworks,
      reject_invalid_hostname,
      reject_non_fqdn_hostname,
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      reject_unknown_sender_domain,
      reject_unknown_recipient_domain,
      reject_unauth_destination,
      check_recipient_access hash:/etc/postfix/access,
      reject_rbl_client cbl.abuseat.org,
      reject_rbl_client sbl.spamhaus.org,
      reject_rbl_client pbl.spamhaus.org,
      permit

smtpd_data_restrictions =
      reject_unauth_pipelining,
      permit


With this you should be okay.

Good luck !
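
One way to carry out step 1 of the accepted answer, as an added example that is not part of the original thread: it builds the source file for `relay_recipient_maps` from an address export, keeping only well-formed addresses in the relayed domains. The function names, the one-address-per-line export format and the sample addresses are assumptions; the domain list is the `relay_domains` value from the question.

```shell
#!/bin/sh
# Added example, not from the thread. Sample addresses and paths are constructed.

# build_recipient_map RELAY_DOMAINS ADDRESS_EXPORT OUT_FILE
# Writes "address<TAB>OK" for each well-formed address in a relayed domain.
build_recipient_map() {
    awk -v domains="$1" '
        BEGIN {
            n = split(tolower(domains), d, /[ ,]+/)
            for (i = 1; i <= n; i++) if (d[i] != "") relayed[d[i]] = 1
        }
        {
            sub(/\r$/, "")                     # tolerate CRLF exports
            gsub(/^[ \t]+|[ \t]+$/, "")        # trim surrounding whitespace
            addr = tolower($0)                 # collapse case-only duplicates
        }
        addr == "" || addr ~ /^#/ { next }     # blanks and comments
        addr !~ /^[^@ \t]+@[^@ \t]+$/ { next } # exactly one @, no whitespace
        {
            dom = addr
            sub(/^.*@/, "", dom)
            if ((dom in relayed) && !seen[addr]++) printf "%s\tOK\n", addr
        }
    ' "$2" > "$3"
}

# install_recipient_map MAP_FILE  (run as root on the backup MX)
install_recipient_map() {
    postmap "hash:$1" &&
    postconf -e "relay_recipient_maps = hash:$1" &&
    postfix reload
}

# Demo on a constructed export; prints the generated map source.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/export.txt" <<'EOF'
# constructed sample export from the primary mail server
ventes@domain1.com
Info@Domain2.com
info@domain2.com
someone@not-relayed.example
not-an-address
EOF
    build_recipient_map "domain1.com, domain2.com, domain3.com" \
        "$tmp/export.txt" "$tmp/relay_recipients"
    cat "$tmp/relay_recipients"
    rm -rf "$tmp"
}
demo
```

After `install_recipient_map /etc/postfix/domain1-recipients`, `postmap -q ventes@domain1.com hash:/etc/postfix/domain1-recipients` should print `OK`. The map has to be regenerated whenever mailboxes are added on the primary server, otherwise the backup MX rejects mail for the new users.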