Solved

CentOS:  is my server spamming people?

Posted on 2014-03-04
Last Modified: 2014-03-09
Hi All,


Recently my CentOS 6.5 VPS server stopped sending emails via postfix.

A sample from the mail log (tail -f /var/log/maillog) is below:


Mar  4 22:14:53 www postfix/smtpd[11994]: connect from bl13-209-184.dsl.telepac.pt[85.246.209.184]
Mar  4 22:14:54 www postfix/smtpd[11994]: NOQUEUE: reject: RCPT from bl13-209-184.dsl.telepac.pt[85.246.209.184]: 554 5.7.1 <1fb4024bf@mydomain.com>: Relay access denied; from=<1fb4024bf@speedtouch.lan> to=<1fb4024bf@mydomain.com> proto=ESMTP helo=<speedtouch.lan>
Mar  4 22:14:54 www postfix/smtpd[11994]: disconnect from bl13-209-184.dsl.telepac.pt[85.246.209.184]
Mar  4 22:15:02 www postfix/smtpd[11969]: connect from 178235250213.sejny.vectranet.pl[178.235.250.213]
Mar  4 22:15:02 www postfix/smtpd[11969]: NOQUEUE: reject: RCPT from 178235250213.sejny.vectranet.pl[178.235.250.213]: 554 5.7.1 <79e366e7@mydomain.com>: Relay access denied; from=<79e366e7@sejny.vectranet.pl> to=<79e366e7@mydomain.com> proto=ESMTP helo=<178235250213.sejny.vectranet.pl>
Mar  4 22:15:02 www postfix/smtpd[11969]: disconnect from 178235250213.sejny.vectranet.pl[178.235.250.213]
Mar  4 22:15:02 www postfix/smtpd[11996]: connect from 190-20-119-31.baf.movistar.cl[190.20.119.31]
Mar  4 22:15:02 www postfix/smtpd[11996]: NOQUEUE: reject: RCPT from 190-20-119-31.baf.movistar.cl[190.20.119.31]: 554 5.7.1 <AEXFwKtxTE@mydomain.com>: Relay access denied; from=<AEXFwKtxTE@movistar.cl> to=<AEXFwKtxTE@mydomain.com> proto=ESMTP helo=<190-20-119-31.baf.movistar.cl>
Mar  4 22:15:03 www postfix/smtpd[11996]: disconnect from 190-20-119-31.baf.movistar.cl[190.20.119.31]
Mar  4 22:15:03 www postfix/smtp[12110]: connect to comcastbusiness.net[165.160.15.20]:25: Connection timed out
Mar  4 22:15:04 www postfix/smtp[12108]: connect to comcastbusiness.net[165.160.15.20]:25: Connection timed out
Mar  4 22:15:04 www postfix/smtp[12108]: 04CBBA2AAA: to=<bb363695@comcastbusiness.net>, relay=none, delay=430996, delays=430966/0/30/0, dsn=4.4.1, status=deferred (connect to comcastbusiness.net[165.160.15.20]:25: Connection timed out)
Mar  4 22:15:05 www postfix/smtpd[11994]: connect from fl-71-52-173-29.dhcp.embarqhsd.net[71.52.173.29]
Mar  4 22:15:05 www postfix/smtpd[11994]: NOQUEUE: reject: RCPT from fl-71-52-173-29.dhcp.embarqhsd.net[71.52.173.29]: 554 5.7.1 <oP@mydomain.com>: Relay access denied; from=<oP@dhcp.embarqhsd.net> to=<oP@mydomain.com> proto=ESMTP helo=<fl-71-52-173-29.dhcp.embarqhsd.net>
Mar  4 22:15:05 www postfix/smtpd[11994]: disconnect from fl-71-52-173-29.dhcp.embarqhsd.net[71.52.173.29]
Mar  4 22:15:07 www postfix/smtp[12111]: connect to comcastbusiness.net[165.160.15.20]:25: Connection timed out
Mar  4 22:15:08 www postfix/smtp[12114]: connect to comcastbusiness.net[165.160.13.20]:25: Connection timed out



Any idea what is going on and how I can fix it?
Question by:detox1978
23 Comments
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 100 total points
ID: 39904841
The lines with postfix/smtpd show other people are trying to use your server as an SMTP relay. Those connections are denied, which is a good thing.
The lines with postfix/smtp show that your outgoing email is not connecting to the smarthost where you want to deliver your email (I'm assuming). Try another smarthost which is allowed in your VPS environment.
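Kimputer's distinction between postfix/smtpd lines (inbound, the relay attempt was refused and nothing was queued) and postfix/smtp lines (outbound, the server itself is trying to deliver a queued message) is the whole answer to "is my server spamming people?", and it can be checked mechanically over a maillog. The script below is an added example for this thread, not code from the original post; the sample lines are constructed after the question's excerpt, and the function and pattern names are mine.

```python
"""Triage a Postfix maillog: is this host relaying/sending spam, or just
being probed?  Added example for this thread, not code from the original
post.  Sample lines are constructed after the ones quoted in the question."""
import re
from collections import Counter

# Inbound: smtpd rejected a RCPT because the client is not allowed to relay.
RELAY_DENIED = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"554 5\.7\.1 <[^>]*>: Relay access denied; from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]*)>"
)
# Outbound: the smtp client reports delivery status for a queued message.
OUTBOUND = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue_id>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>\S+), .*status=(?P<status>\w+)"
)

def triage(lines):
    """Return counts that answer 'is my server spamming people?'.

    'relay_denied' is mail the server refused to forward (harmless, it was
    never queued); 'outbound' is mail the server itself tried to deliver,
    which is the only category that can be spam originating here."""
    summary = {
        "relay_denied": 0,
        "denied_clients": Counter(),
        "outbound": 0,
        "outbound_status": Counter(),
        "outbound_queue_ids": set(),
    }
    for line in lines:
        m = RELAY_DENIED.search(line)
        if m:
            summary["relay_denied"] += 1
            summary["denied_clients"][m.group("client")] += 1
            continue
        m = OUTBOUND.search(line)
        if m:
            summary["outbound"] += 1
            summary["outbound_status"][m.group("status")] += 1
            summary["outbound_queue_ids"].add(m.group("queue_id"))
    return summary

def verdict(summary):
    """Plain-English reading of the counts for someone new to Postfix."""
    if summary["outbound"] == 0:
        return "no outbound delivery attempts seen: the rejects are inbound probes"
    return (f"{summary['outbound']} outbound attempt(s) for "
            f"{len(summary['outbound_queue_ids'])} queued message(s); "
            f"inspect those queue IDs with 'postcat -q <id>'")

# Constructed sample, modelled on the question's log excerpt.
SAMPLE = """\
Mar  4 22:14:53 www postfix/smtpd[11994]: connect from bl13-209-184.dsl.telepac.pt[85.246.209.184]
Mar  4 22:14:54 www postfix/smtpd[11994]: NOQUEUE: reject: RCPT from bl13-209-184.dsl.telepac.pt[85.246.209.184]: 554 5.7.1 <1fb4024bf@mydomain.com>: Relay access denied; from=<1fb4024bf@speedtouch.lan> to=<1fb4024bf@mydomain.com> proto=ESMTP helo=<speedtouch.lan>
Mar  4 22:15:02 www postfix/smtpd[11969]: NOQUEUE: reject: RCPT from 178235250213.sejny.vectranet.pl[178.235.250.213]: 554 5.7.1 <79e366e7@mydomain.com>: Relay access denied; from=<79e366e7@sejny.vectranet.pl> to=<79e366e7@mydomain.com> proto=ESMTP helo=<178235250213.sejny.vectranet.pl>
Mar  4 22:15:04 www postfix/smtp[12108]: 04CBBA2AAA: to=<bb363695@comcastbusiness.net>, relay=none, delay=430996, delays=430966/0/30/0, dsn=4.4.1, status=deferred (connect to comcastbusiness.net[165.160.15.20]:25: Connection timed out)
""".splitlines()

if __name__ == "__main__":
    s = triage(SAMPLE)
    print(f"relay denied: {s['relay_denied']}  outbound: {s['outbound']}")
    print(verdict(s))
```

Run it against the real file with `triage(open("/var/log/maillog"))`; a non-zero outbound count with random-looking local parts, like the deferred message in the excerpt, is what deserves a look in the queue.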
 
LVL 29

Assisted Solution

by:Michael W
Michael W earned 300 total points
ID: 39904903
A couple of things you can do:

1) Deviate the common SMTP listening port from 25 to something else like 24 or anything else as long as it doesn't go back to port 25.

2) Enable fail2ban (http://www.fail2ban.org/) on your server. It will crawl the logs and block specific client IPs doing the relay attempts.

Also look at the MXToolbox for additional checks:
http://mxtoolbox.com/
 
LVL 2

Author Comment

by:detox1978
ID: 39904929
Thanks for the feedback.  My server shouldn't be sending any emails; on that domain I don't use the email address AEXFwKtxTE@mydomain.com

I'm a Linux novice so you may need to walk me through any info you need using SSH.

I tried to install fail2ban, but nothing happened.
 
LVL 13

Expert Comment

by:Sandy
ID: 39905531
Install CSF firewall and restrict access on port 25 by number of connections per second per IP.

TY/SA
 
LVL 2

Author Comment

by:detox1978
ID: 39905773
I'm a novice so you will have to walk me through that
 
LVL 2

Author Comment

by:detox1978
ID: 39905814
I've made quite a few ad-hoc changes now:

added an iptables rule (twice by accident)
installed fail2ban, which appears to now be updating iptables


[root@www ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SMTP  tcp  --  anywhere             anywhere            tcp dpt:smtp
DROP       tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source
           tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW recent: SET name: DEFAULT side: source
           tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW recent: SET name: DEFAULT side: source
DROP       tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SMTP (1 references)
target     prot opt source               destination
DROP       all  --  LPuteaux-156-15-29-140.w82-127.abo.wanadoo.fr  anywhere
DROP       all  --  LNantes-156-76-35-66.w82-127.abo.wanadoo.fr  anywhere
DROP       all  --  193.0.200.134        anywhere
DROP       all  --  181-24-13-176.speedy.com.ar  anywhere
DROP       all  --  LRouen-151-72-8-125.w80-13.abo.wanadoo.fr  anywhere
DROP       all  --  cliente-76873.iberbanda.es  anywhere
DROP       all  --  host86-177-102-152.range86-177.btcentralplus.com  anywhere
DROP       all  --  87.241.3.250         anywhere
RETURN     all  --  anywhere             anywhere




Here's a minute's excerpt from the maillog (tail -f /var/log/maillog):
Mar  5 09:10:31 www postfix/smtpd[14857]: lost connection after CONNECT from 74.86.158.107-static.reverse.softlayer.com[74.86.158.107]
Mar  5 09:10:31 www postfix/smtpd[14857]: disconnect from 74.86.158.107-static.reverse.softlayer.com[74.86.158.107]
Mar  5 09:10:33 www postfix/smtpd[14820]: warning: 181.40.44.134: address not listed for hostname pool-134-44-40-181.telecel.com.py
Mar  5 09:10:33 www postfix/smtpd[14820]: connect from unknown[181.40.44.134]
Mar  5 09:10:33 www postfix/smtpd[15092]: connect from 015927474Z004.rain.fr[217.167.214.220]
Mar  5 09:10:33 www postfix/smtpd[14820]: NOQUEUE: reject: RCPT from unknown[181.40.44.134]: 554 5.7.1 <b7306cf@mydomain.co.uk>: Relay access denied; from=<b7306cf@telecel.com.py> to=<b7306cf@mydomain.co.uk> proto=ESMTP helo=<pool-134-44-40-181.telecel.com.py>
Mar  5 09:10:33 www postfix/smtpd[14820]: disconnect from unknown[181.40.44.134]
Mar  5 09:10:34 www postfix/smtpd[15092]: disconnect from 015927474Z004.rain.fr[217.167.214.220]
Mar  5 09:10:41 www postfix/smtpd[14857]: connect from pd95cf548.dip0.t-ipconnect.de[217.92.245.72]
Mar  5 09:10:41 www postfix/smtpd[14857]: NOQUEUE: reject: RCPT from pd95cf548.dip0.t-ipconnect.de[217.92.245.72]: 554 5.7.1 <0c3097a01@mydomain2.co.uk>: Relay access denied; from=<0c3097a01@jonfreyr.com> to=<0c3097a01@mydomain2.co.uk> proto=ESMTP helo=<pd95cf548.dip0.t-ipconnect.de>
Mar  5 09:10:42 www postfix/smtpd[14857]: disconnect from pd95cf548.dip0.t-ipconnect.de[217.92.245.72]
Mar  5 09:10:42 www postfix/smtpd[14854]: connect from unknown[82.114.91.214]
Mar  5 09:10:42 www postfix/smtpd[14854]: NOQUEUE: reject: RCPT from unknown[82.114.91.214]: 554 5.7.1 <fa28f3e0@mydomain.co.uk>: Relay access denied; from=<fa28f3e0@andersonlawfirm.net> to=<fa28f3e0@mydomain.co.uk> proto=ESMTP helo=<[82.114.91.214]>
Mar  5 09:10:42 www postfix/smtpd[14820]: connect from mail.viaminasltda.com.br[189.22.208.68]
Mar  5 09:10:42 www postfix/smtpd[14854]: disconnect from unknown[82.114.91.214]
Mar  5 09:10:43 www postfix/smtpd[14820]: NOQUEUE: reject: RCPT from mail.viaminasltda.com.br[189.22.208.68]: 550 5.1.1 <aphrodite@nufc.net>: Recipient address rejected: User unknown in local recipient table; from=<postmaster@imsva.trendmicro.com> to=<aphrodite@nufc.net> proto=ESMTP helo=<UDIMSS.aliardistribuidora.com.br>
Mar  5 09:10:43 www postfix/smtpd[14820]: disconnect from mail.viaminasltda.com.br[189.22.208.68]
Mar  5 09:10:43 www postfix/smtpd[14857]: connect from 93-57-94-158.ip163.fastwebnet.it[93.57.94.158]
Mar  5 09:10:43 www postfix/smtpd[14857]: NOQUEUE: reject: RCPT from 93-57-94-158.ip163.fastwebnet.it[93.57.94.158]: 554 5.7.1 <1381dc8@mydomain.co.uk>: Relay access denied; from=<1381dc8@techtrainassoc.com> to=<1381dc8@mydomain.co.uk> proto=ESMTP helo=<93-57-94-158.ip163.fastwebnet.it>
Mar  5 09:10:44 www postfix/smtpd[14857]: disconnect from 93-57-94-158.ip163.fastwebnet.it[93.57.94.158]
Mar  5 09:10:46 www postfix/smtpd[15092]: connect from unknown[210.176.78.35]
Mar  5 09:10:47 www postfix/smtpd[14854]: connect from unknown[124.80.150.175]
Mar  5 09:10:47 www postfix/smtpd[15092]: NOQUEUE: reject: RCPT from unknown[210.176.78.35]: 554 5.7.1 <f164298de6c32105@mydomain.co.uk>: Relay access denied; from=<ee.alert@ee.co.uk> to=<f164298de6c32105@mydomain.co.uk> proto=ESMTP helo=<[210.176.78.35]>
Mar  5 09:10:47 www postfix/smtpd[14820]: connect from unknown[78.97.237.213]
Mar  5 09:10:47 www postfix/smtpd[15092]: disconnect from unknown[210.176.78.35]
Mar  5 09:10:47 www postfix/smtpd[14854]: NOQUEUE: reject: RCPT from unknown[124.80.150.175]: 554 5.7.1 <558c2281@mydomain.co.uk>: Relay access denied; from=<ee.alert@ee.co.uk> to=<558c2281@mydomain.co.uk> proto=ESMTP helo=<TG-PC.tbroad>
Mar  5 09:10:47 www postfix/smtpd[14820]: NOQUEUE: reject: RCPT from unknown[78.97.237.213]: 554 5.7.1 <e8c7975@mydomain.co.uk>: Relay access denied; from=<ee.alert@ee.co.uk> to=<e8c7975@mydomain.co.uk> proto=ESMTP helo=<URSU-PC>
Mar  5 09:10:47 www postfix/smtpd[14820]: disconnect from unknown[78.97.237.213]
Mar  5 09:10:47 www postfix/smtpd[14854]: disconnect from unknown[124.80.150.175]
Mar  5 09:10:48 www postfix/smtpd[14857]: connect from unknown[188.245.82.93]
Mar  5 09:10:48 www postfix/smtpd[14857]: NOQUEUE: reject: RCPT from unknown[188.245.82.93]: 554 5.7.1 <360797f@mydomain.co.uk>: Relay access denied; from=<ee.alert@ee.co.uk> to=<360797f@mydomain.co.uk> proto=ESMTP helo=<91.99.231.197.parsonline.net>
Mar  5 09:10:49 www postfix/smtpd[14857]: disconnect from unknown[188.245.82.93]
Mar  5 09:10:52 www postfix/smtpd[15092]: warning: 78.189.233.12: address not listed for hostname 78.189.233.12.static.ttnet.com.tr
Mar  5 09:10:52 www postfix/smtpd[15092]: connect from unknown[78.189.233.12]
Mar  5 09:10:52 www postfix/smtpd[15092]: NOQUEUE: reject: RCPT from unknown[78.189.233.12]: 554 5.7.1 <tsXJIxckl@mydomain2.co.uk>: Relay access denied; from=<tsXJIxckl@ttnet.com.tr> to=<tsXJIxckl@mydomain2.co.uk> proto=ESMTP helo=<78.189.233.12.static.ttnet.com.tr>
Mar  5 09:10:52 www postfix/smtpd[15092]: disconnect from unknown[78.189.233.12]
Mar  5 09:10:55 www postfix/smtpd[14820]: warning: 113.167.172.10: address not listed for hostname localhost
Mar  5 09:10:55 www postfix/smtpd[14820]: connect from unknown[113.167.172.10]
Mar  5 09:10:55 www postfix/smtpd[14857]: connect from unknown[212.92.217.148]
Mar  5 09:10:55 www postfix/smtpd[14857]: NOQUEUE: reject: RCPT from unknown[212.92.217.148]: 554 5.7.1 <c1be0491@mydomain2.co.uk>: Relay access denied; from=<c1be0491@mysunvalleyhome.com> to=<c1be0491@mydomain2.co.uk> proto=ESMTP helo=<[212.92.217.148]>
Mar  5 09:10:56 www postfix/smtpd[14857]: disconnect from unknown[212.92.217.148]
Mar  5 09:10:56 www postfix/smtpd[14820]: NOQUEUE: reject: RCPT from unknown[113.167.172.10]: 554 5.7.1 <nrvjhyfle@mydomain.co.uk>: Relay access denied; from=<nrvjhyfle@falconhi.com> to=<nrvjhyfle@mydomain.co.uk> proto=ESMTP helo=<localhost>
Mar  5 09:10:56 www postfix/smtpd[14820]: disconnect from unknown[113.167.172.10]
Mar  5 09:10:57 www postfix/smtpd[14857]: connect from dslb-088-065-084-019.pools.arcor-ip.net[88.65.84.19]
Mar  5 09:10:57 www postfix/smtpd[15092]: warning: 66.94.72.130: address not listed for hostname net-66-94-72-130.arpa.fidelityaccess.net
Mar  5 09:10:57 www postfix/smtpd[15092]: connect from unknown[66.94.72.130]
Mar  5 09:10:57 www postfix/smtpd[15092]: NOQUEUE: reject: RCPT from unknown[66.94.72.130]: 554 5.7.1 <494e7f74@mydomain.co.uk>: Relay access denied; from=<494e7f74@fidelityaccess.net> to=<494e7f74@mydomain.co.uk> proto=ESMTP helo=<net-66-94-72-130.arpa.fidelityaccess.net>
Mar  5 09:10:57 www postfix/smtpd[14857]: NOQUEUE: reject: RCPT from dslb-088-065-084-019.pools.arcor-ip.net[88.65.84.19]: 554 5.7.1 <b80009e6@mydomain2.co.uk>: Relay access denied; from=<b80009e6@ourjewelryclub.com> to=<b80009e6@mydomain2.co.uk> proto=ESMTP helo=<dslb-088-065-084-019.pools.arcor-ip.net>
Mar  5 09:10:57 www postfix/smtpd[15092]: disconnect from unknown[66.94.72.130]
Mar  5 09:10:57 www postfix/smtpd[14857]: disconnect from dslb-088-065-084-019.pools.arcor-ip.net[88.65.84.19]
Mar  5 09:10:59 www postfix/scache[14956]: statistics: start interval Mar  5 09:06:50
Mar  5 09:10:59 www postfix/scache[14956]: statistics: domain lookup hits=0 miss=1 success=0%
Mar  5 09:10:59 www postfix/scache[14956]: statistics: address lookup hits=0 miss=1 success=0%
Mar  5 09:10:59 www postfix/scache[14956]: statistics: max simultaneous domains=1 addresses=1 connection=1
Mar  5 09:11:00 www postfix/smtpd[14820]: connect from 93-45-121-76.ip102.fastwebnet.it[93.45.121.76]
Mar  5 09:11:00 www postfix/smtpd[14820]: NOQUEUE: reject: RCPT from 93-45-121-76.ip102.fastwebnet.it[93.45.121.76]: 554 5.7.1 <6a2ca74@mydomain.co.uk>: Relay access denied; from=<6a2ca74@antraki.com> to=<6a2ca74@mydomain.co.uk> proto=ESMTP helo=<93-45-121-76.ip102.fastwebnet.it>
Mar  5 09:11:00 www postfix/smtpd[14820]: disconnect from 93-45-121-76.ip102.fastwebnet.it[93.45.121.76]
Mar  5 09:11:00 www postfix/smtpd[15092]: connect from unknown[78.136.97.139]
Mar  5 09:11:00 www postfix/smtpd[15092]: NOQUEUE: reject: RCPT from unknown[78.136.97.139]: 554 5.7.1 <c1e830b8@mydomain.co.uk>: Relay access denied; from=<ee.alert@ee.co.uk> to=<c1e830b8@mydomain.co.uk> proto=ESMTP helo=<GABOS-PC>
Mar  5 09:11:00 www postfix/smtpd[15092]: disconnect from unknown[78.136.97.139]
Mar  5 09:11:01 www postfix/smtpd[14854]: connect from unknown[24.138.216.238]
Mar  5 09:11:01 www postfix/smtpd[14854]: NOQUEUE: reject: RCPT from unknown[24.138.216.238]: 554 5.7.1 <a64aaded@mydomain2.co.uk>: Relay access denied; from=<a64aaded@gsconnect.nl> to=<a64aaded@mydomain2.co.uk> proto=ESMTP helo=<JORGERIVERA-PC>
M


 
LVL 29

Assisted Solution

by:Michael W
Michael W earned 300 total points
ID: 39909060
That's what fail2ban does. It adds in rules to prevent attackers from accessing or abusing your system. You might get a lot of rules, but you will also notice your system will be much more responsive so you can work on other things.
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39912181
i assume this server is not the MX of any domain

what are the clients that are actually allowed to connect to this system over port 25 ?

first thing is to only allow these, either in the firewall or in postfix. it looks like you allowed relay to a list of domains through your server regardless of the origin of the connection.
 
LVL 19

Expert Comment

by:NickUpson
ID: 39912192
if the server should not be sending any emails at all, why have postfix running?
 
LVL 2

Author Comment

by:detox1978
ID: 39912207
The server is an MX for receiving and forward mail.  It looks like a couple of my postfix catch all rules have been getting abused.

I've no idea why someone would want to spam a domain a million times.  But that's what's been happening.
 
LVL 29

Expert Comment

by:Michael W
ID: 39912221
Hackers and spammers search the web for open relays and try every trick in the book to attempt to get their message out to the real world. If your system is seen as an open relay, then if an attacker is able to use your system for said relay, it would be you that gets blamed for allowing the message to be sent out, even if your system is deemed compromised.
 
LVL 26

Assisted Solution

by:skullnobrains
skullnobrains earned 100 total points
ID: 39912331
fail2ban is quite a good tool to start with if and only if you receive lots of connection attempts from the same ip. this should not be the case unless your server is the MX of a domain which you don't relay (or was recently)

if you configure it to ban an ip after the first relay access denied and possibly combine this with greylisting, you'll have something useful but it will quickly fill iptables with useless rules otherwise

---

use postscreen so you can use postfix's builtin adaptive behavior

configure blacklists in postfix or use something like policydweight to protect further

then you can add spamassassin or the likes but the above steps should already block 90% of the spam traffic at least without even too much work on their config
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39912345
a couple of my postfix catch all rules

what are you talking about ?
 
LVL 29

Accepted Solution

by:
Michael W earned 300 total points
ID: 39912821
Something you might consider is using Postfix with Amavisd-new, ClamAV and SpamAssassin. It does take some time to configure, but it is a very effective solution if you are running a mail (MX) server.

http://nolabnoparty.com/en/secure-postfix-amavisd-clamav-spamassassin/

Additional versions of the above with added features:
http://andrewpuschak.com/dokuwiki/doku.php?id=centos_6_email_server
http://www.campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServer
http://www.shisaa.jp/postset/mailserver-1.html
 
LVL 61

Expert Comment

by:gheist
ID: 39913235
Dear,
Can you send ALL smtpd_*_restrictions from the main.cf file?
Master.cf does little for access control. Probably you can remove it. Reinstall postfix and the default will suit you well.
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39913454
@gheist : restrictions can be set in either files.
actually, i consider it best practice to enforce these restrictions in master when you have multiple smtpd services possibly linked with multiple cleanup services which is the case when you run content filters such as amavis(d-new)
 
LVL 2

Author Comment

by:detox1978
ID: 39913533
can you let me know what the commands are to get the info you need?
 
LVL 61

Expert Comment

by:gheist
ID: 39913606
less /etc/postfix/main.cf

/_restrictions[=\ ]

copy paste whole variable...
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39913765
# list restrictions in main
postconf | grep restrictions
# list restrictions in master
postconf -M | grep restrictions

 
LVL 2

Author Comment

by:detox1978
ID: 39915339
[root@www ~]# postconf | grep restrictions
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions =




There are no restrictions set;
[root@www ~]# postconf -m | grep restrictions
[root@www ~]#


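The postconf output above is what decides whether this host relays: permit_mynetworks followed by reject_unauth_destination is exactly the setting that produces the "Relay access denied" lines in the maillog, and the order of the tokens matters as much as their presence. The check below is an added example for this thread (not the poster's or Postfix's own code); it parses postconf-style output and walks the chain in order. SAFE_PERMITS, relay_check and parse_postconf are my names, and the sample text is the output pasted above.

```python
"""Check Postfix relay restrictions from 'postconf' output.  Added example
for this thread (not the poster's or Postfix's own code); the sample output
is the one the author pasted above."""

# Restrictions that may safely precede reject_unauth_destination: they only
# admit local networks, authenticated clients or our own destinations.
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated",
                "permit_auth_destination", "permit_tls_clientcerts"}
# Once one of these is reached, unauthorised relaying is no longer possible.
RELAY_STOPPERS = {"reject_unauth_destination", "defer_unauth_destination", "reject"}

def parse_postconf(text):
    """Turn 'name = value' lines into {name: [tokens]} (empty value -> [])."""
    params = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.replace(",", " ").split()
    return params

def relay_check(params):
    """Return (ok, reason).  Postfix 2.6 (what CentOS 6 ships) has no
    smtpd_relay_restrictions, so smtpd_recipient_restrictions must do the job;
    on newer versions a non-empty smtpd_relay_restrictions takes precedence."""
    chain = (params.get("smtpd_relay_restrictions")
             or params.get("smtpd_recipient_restrictions", []))
    for i, token in enumerate(chain):
        if token in RELAY_STOPPERS:
            return True, f"relay blocked by {token} at position {i + 1}"
        if token.startswith("permit") and token not in SAFE_PERMITS:
            return False, f"{token} grants relay before any unauth_destination check"
        if token.startswith("check_"):
            # Lookup tables and policy services may return OK/PERMIT before
            # the relay check runs; that needs a manual look at the table.
            return False, f"{token} precedes the unauth_destination check; review it"
    return False, "no unauth_destination check in the chain; relay control is missing"

# The author's 'postconf | grep restrictions' output, quoted from the thread.
SAMPLE = """\
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions =
"""

if __name__ == "__main__":
    ok, reason = relay_check(parse_postconf(SAMPLE))
    print("OK" if ok else "PROBLEM", "-", reason)
```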
 
LVL 2

Author Comment

by:detox1978
ID: 39915340
I've had a play around with fail2ban and it's got the spam issue under control.  However, looking in my iptables list, all the IP addresses it's blocked (and there are now hundreds) are on DNSBL.

This question was originally aimed at finding out if my server was spamming people.  It looks like it's not.  So I should really close the question and open a new one for setting up DNSBL

http://www.experts-exchange.com/OS/Linux/Q_28379551.html


Many thanks for your time
 
LVL 61

Expert Comment

by:gheist
ID: 39915547
DNSBL product for postfix is called postgrey.

Your problem is that you accept all mail and don't filter it much, so you still have an open relay with fail2ban and greylisting in place
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39915551
postgrey is a greylisting product that happens to also do dnsbl. applying aggressive greylisting to blacklisted ips is quite a good way to handle spam while limiting false positive rates

postfix also has builtin support for dnsbl by adding the following to your *_restrictions
reject_rbl_client sbl.spamhaus.org



i'd recommend the combination of postscreen and either policydweight or postgrey

postscreen information can be found here (quite a lot to read)
http://www.postfix.org/POSTSCREEN_README.html

configure either of the above policy service (or yet another one) like this :

in /etc/postfix/master.cf:

add a line to spawn your filter when postfix needs it (always)
policy  unix  -       n       n       -       0       spawn
  user=nobody argv=/some/where/policy-server



modify your smtpd line by adding the following arguments :
-o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination,check_policy_service,unix:private/policy


