Hi list, I have noted over the last week or so my DNS servers are dumping lots of messages for bogus domain lookups. Examining the postfix queue with postqueue -p I see many

(Host or domain name not found. Name service error for name=bdgiedjhea.po6e4ina.com type=MX: Host not found, try again)
Jake@bdgiedjhea.po6e4ina.com

My question - why does this stay in the message queue - why not dumped back with message undeliverable or dropped?

I understand this is probably related to my config - which follows:

<main.cf>
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
myhostname = <mumble>
mydomain = <mumble>
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
proxy_interfaces = <mumble>
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, www.$mydomain, ftp.$mydomain
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.230.0/24, 127.0.0.0/8
relay_domains =
virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
smtpd_helo_required = yes
smtpd_delay_reject = yes
strict_rfc821_envelopes = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_map
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
    reject_invalid_hostname,
    check_helo_access pcre:/etc/postfix/helo_checks,
    reject_rbl_client sbl-xbl.spamhaus.org,
    permit
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
tls_random_exchange_name = /var/spool/postfix/prng_exch
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/ssl.key.private.decrypted
smtpd_tls_cert_file = /etc/pki/tls/certs/<mumble>
smtpd_tls_CAfile = /etc/pki/tls/certs/sub.class2.server.ca.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_security_options = noanonymous
mailbox_size_limit = 102400000
message_size_limit = 40960000
in_flow_delay = 1s
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
content_filter = amavisfeed:[127.0.0.1]:10024
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.2/samples
readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES
</main.cf>
Any suggestions appreciated. TIA rob
On November 16, 2010 11:49:42 am Rob Kampen wrote:
> Hi list, I have noted over the last week or so my DNS servers are dumping lots of messages for bogus domain lookups. Examining the postfix queue with postqueue -p I see many (Host or domain name not found. Name service error for name=bdgiedjhea.po6e4ina.com type=MX: Host not found, try again) Jake@bdgiedjhea.po6e4ina.com My question - why does this stay in the message queue - why not dumped back with message undeliverable or dropped?
It will be after 5 days or something. DNS errors get temp failed in case they start working again later. This is a good thing.
On 17/11/10 7:26 AM, Rob Kampen wrote:
> Examining the postfix queue with postqueue -p I see many (Host or domain name not found. Name service error for name=bdgiedjhea.po6e4ina.com type=MX: Host not found, try again) Jake@bdgiedjhea.po6e4ina.com My question - why does this stay in the message queue - why not dumped back with message undeliverable or dropped?
What is the complete output of postqueue -p? What is the From address and, more to the point, is it MAILER-DAEMON?
> Agreed, however this opens a potential DoS attack vector - I'm trying to determine why my postfix even has these requests present as I'm not initiating the emails (as far as I know) and I do not forward emails for any other domains. I feel like I'm missing something...... confused maybe
It could be backscatter.
Run postqueue -p and pick one of the messages, it shouldn't matter which. Then run:
postcat -q $MSGID | less
Where $MSGID is one of the messages in the queue. That will show you the message and headers. I'd be willing to bet it's your server trying to send a rejection/spam detection to a server.
Regards, Ben
Ben McGinnes wrote:
> On 17/11/10 7:26 AM, Rob Kampen wrote:
> > Examining the postfix queue with postqueue -p I see many (Host or domain name not found. Name service error for name=bdgiedjhea.po6e4ina.com type=MX: Host not found, try again) Jake@bdgiedjhea.po6e4ina.com My question - why does this stay in the message queue - why not dumped back with message undeliverable or dropped?
> What is the complete output of postqueue -p? What is the From address and, more to the point, is it MAILER-DAEMON?
Yes it is
> > Agreed, however this opens a potential DoS attack vector - I'm trying to determine why my postfix even has these requests present as I'm not initiating the emails (as far as I know) and I do not forward emails for any other domains. I feel like I'm missing something...... confused maybe
> It could be backscatter.
> Run postqueue -p and pick one of the messages, it shouldn't matter which. Then run:
> postcat -q $MSGID | less
> Where $MSGID is one of the messages in the queue. That will show you the message and headers. I'd be willing to bet it's your server trying to send a rejection/spam detection to a server.
Correct - thanks for the pointers on how to track it down - so now my question is how do I set things up to simply try this once and then drop it, rather than queue it up for the next five days with all the attendant dns errors. This is definitely at the boundaries of my mail setup experience - for some reason the other two mail servers I run do not seem to get the same level of spam and thus I seldom notice this.
> Regards, Ben
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Please add bdgiedjhea.po6e4ina.com Jake@bdgiedjhea.po6e4ina.com to the /etc/hosts file
and then add bdgiedjhea.po6e4ina.com Jake@bdgiedjhea.po6e4ina.com to the mydestination parameter in /etc/postfix/main.cf
mydestination = $myhostname, localhost.$mydomain, localhost, bdgiedjhea.po6e4ina.com Jake@bdgiedjhea.po6e4ina.com
then, restart postfix.
That's it.
On Mon, Nov 22, 2010 at 9:17 AM, Rob Kampen rkampen@kampensonline.com wrote:
> [...]
On 22/11/10 2:54 PM, Indunil Jayasooriya wrote:
> Please add bdgiedjhea.po6e4ina.com Jake@bdgiedjhea.po6e4ina.com to the /etc/hosts file
> and then add bdgiedjhea.po6e4ina.com Jake@bdgiedjhea.po6e4ina.com to the mydestination parameter in /etc/postfix/main.cf
> mydestination = $myhostname, localhost.$mydomain, localhost, bdgiedjhea.po6e4ina.com Jake@bdgiedjhea.po6e4ina.com
This is a really *bad* idea, it makes Rob's mail server accept mail for that domain, which is not what he wants. What he wants is to prevent his system from sending an auto-response to an unreachable host.
Regards, Ben
On 22/11/10 2:47 PM, Rob Kampen wrote:
> Ben McGinnes wrote:
> > What is the complete output of postqueue -p? What is the From address and, more to the point, is it MAILER-DAEMON?
> Yes it is
Cool.
> > Where $MSGID is one of the messages in the queue. That will show you the message and headers. I'd be willing to bet it's your server trying to send a rejection/spam detection to a server.
> Correct - thanks for the pointers on how to track it down -
No problem.
> so now my question is how do I set things up to simply try this once and then drop it, rather than queue it up for the next five days with all the attendant dns errors.
That would be difficult to do without it affecting all mail and resolution problems are supposed to induce temporary failures for a reason. The reason normally being that if you are isolated from the Internet for any length of time (e.g. link outage), you don't want mail queued on the server being bounced or dropped because you can't reach an external name server to find an A record or MX record.
> This is definitely at the boundaries of my mail setup experience - for some reason the other two mail servers I run do not seem to get the same level of spam and thus I seldom notice this.
Are they both running Postfix too? If so, compare the output of postconf -n between the three servers and look for what is different.
In this case, the email address that the bounces are trying to be delivered to is what appeared in the MAIL FROM section during delivery. It is almost certainly intended to bounce and the mail will all be spam. I haven't been able to find any A records for that domain and the registration is in Russia. It's a fairly safe bet that they're spammers.
I would recommend that you add the following to your smtpd_recipient_restrictions in main.cf:
check_sender_access hash:/etc/postfix/sender_access,
Probably immediately above or below the line for "check_recipient_access" which is listed in your original post.
Create a file called /etc/postfix/sender_access with the text editor of your choice and include the following line:
po6e4ina.com REJECT
Then run the following commands:
postmap /etc/postfix/sender_access
postfix reload
That should do the trick nicely.
Regards, Ben
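Ben's procedure above (postqueue -p, pick a MAILER-DAEMON entry, postcat -q it, then block the forged sender domain with check_sender_access) can be scripted for the triage step. What follows is an added example, not code from this thread or from Postfix itself: it parses postqueue -p output, picks out null-sender bounces (which mailq shows as MAILER-DAEMON) that are stuck on an MX lookup failure, and produces both the sender_access lines Ben describes and the postsuper -d commands to drop the stuck bounces. The queue listing is constructed here rather than captured from Rob's server; the two-label parent_domain rule and the queue-line regex are assumptions of this example, not documented Postfix output guarantees.

```python
"""Triage backscatter stuck in the Postfix deferred queue from `postqueue -p` output."""
import re
from collections import Counter

# Constructed `postqueue -p` listing (not captured from Rob's server): two
# null-sender bounces stuck on MX lookups for a domain that does not resolve,
# one active (*) message from a local user, and one bounce deferred for an
# ordinary connection timeout.
SAMPLE_QUEUE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3A1B2C3D4E     2345 Tue Nov 16 10:02:11  MAILER-DAEMON
(Host or domain name not found. Name service error for name=bdgiedjhea.po6e4ina.com type=MX: Host not found, try again)
                                         Jake@bdgiedjhea.po6e4ina.com

4F5E6D7C8B     1980 Tue Nov 16 10:05:43  MAILER-DAEMON
(Host or domain name not found. Name service error for name=kqzlm.po6e4ina.com type=MX: Host not found, try again)
                                         Ann@kqzlm.po6e4ina.com

9A8B7C6D5E*    5120 Tue Nov 16 10:07:01  alice@example.org
                                         bob@example.net

1122334455     3001 Tue Nov 16 10:09:15  MAILER-DAEMON
(connect to mx.example.com[192.0.2.10]:25: Connection timed out)
                                         carol@example.com

-- 12 Kbytes in 4 Requests.
"""

# Queue line: ID, optional status flag (* active, ! held), size, arrival time, sender.
# Assumed layout, matched against the sample above.
QUEUE_LINE = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} +\d+ [\d:]+)\s+(?P<sender>\S+)$"
)
# The deferral reason Rob sees: the bounce cannot be delivered because the
# recipient domain (the spam's forged MAIL FROM) has no MX.
DNS_MX_FAILURE = re.compile(r"Name service error for name=(?P<name>\S+) type=MX")


def parse_postqueue(text):
    """Return one dict per queued message: qid, flag, size, sender, reason, recipients."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("-"):
            continue  # separators, the header row and the "-- N Kbytes" summary
        m = QUEUE_LINE.match(line)
        if m:
            current = {"qid": m["qid"], "flag": m["flag"], "size": int(m["size"]),
                       "sender": m["sender"], "reason": "", "recipients": []}
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("("):
            current["reason"] = line.strip().strip("()")
        else:
            current["recipients"].append(line.strip())
    return entries


def backscatter_candidates(entries):
    """(qid, unresolvable recipient host) for null-sender bounces stuck on MX failures.

    mailq shows the null sender as MAILER-DAEMON. A bounce to a domain that
    has no MX is almost always a reply to spam with a forged envelope sender."""
    hits = []
    for e in entries:
        m = DNS_MX_FAILURE.search(e["reason"])
        if e["sender"] == "MAILER-DAEMON" and m:
            hits.append((e["qid"], m["name"]))
    return hits


def parent_domain(hostname, labels=2):
    """Assumed rule: the registrable domain is the rightmost two labels, which
    is what Ben did by hand (bdgiedjhea.po6e4ina.com -> po6e4ina.com)."""
    return ".".join(hostname.rstrip(".").split(".")[-labels:])


def sender_access_lines(hits):
    """Lines for /etc/postfix/sender_access (check_sender_access), most frequent first.
    A bare domain key also matches its subdomains under Postfix's default
    parent_domain_matches_subdomains setting."""
    counts = Counter(parent_domain(name) for _, name in hits)
    return [f"{domain}\tREJECT" for domain, _ in counts.most_common()]


def postsuper_commands(hits):
    """Commands to delete the stuck bounces; returned as text, never executed here."""
    return [f"postsuper -d {qid}" for qid, _ in hits]


if __name__ == "__main__":
    hits = backscatter_candidates(parse_postqueue(SAMPLE_QUEUE))
    print("\n".join(sender_access_lines(hits) + postsuper_commands(hits)))
```

The script only reads queue metadata, so confirm each candidate with postcat -q before deleting it, as Ben suggests. The sender_access map stops the next wave from the same forged domain; it does not stop a new domain, and it does nothing about bounces already generated. The durable fix is to reject the original spam during the SMTP session, so that no bounce is ever created.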
On Tue, Nov 16, 2010 at 11:49 AM, Rob Kampen rkampen@kampensonline.com wrote:
> Hi list, I have noted over the last week or so my DNS servers are dumping lots of messages for bogus domain lookups. Examining the postfix queue with postqueue -p I see many (Host or domain name not found. Name service error for name=bdgiedjhea.po6e4ina.com type=MX: Host not found, try again) Jake@bdgiedjhea.po6e4ina.com My question - why does this stay in the message queue - why not dumped back with message undeliverable or dropped? I understand this is probably related to my config - which follows: <main.cf>
Here's what you want (copied from my config):
maps_rbl_reject_code = 450
non_fqdn_reject_code = 450
smtpd_delay_reject = yes
smtpd_helo_required = yes

smtpd_helo_restrictions =
    reject_unauth_pipelining
    permit_sasl_authenticated
    permit_mynetworks
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_unknown_helo_hostname
    permit

smtpd_sender_restrictions =
    reject_unauth_pipelining
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unknown_sender_domain
    permit

smtpd_client_restrictions =
#   sleep 1
    reject_unauth_pipelining
    permit_sasl_authenticated
    permit_mynetworks
    reject_unknown_client_hostname
    permit

smtpd_recipient_restrictions =
    reject_unauth_pipelining
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
#   fully automated RBLs
    reject_rbl_client truncate.gbudb.net
    reject_rbl_client dnsbl.proxybl.org
    reject_rbl_client psbl.surriel.com
    reject_rbl_client db.wpbl.info
    reject_rbl_client bl.spamcop.net
#   reject_rbl_client bl.spamcannibal.org #blocked charles
    reject_rbl_client intercept.datapacket.net
    reject_rbl_client spamtrap.drbl.drand.net
#   reject_rbl_client dnsbl.ahbl.org #blocked godaddy
    reject_rbl_client dnsbl-1.uceprotect.net
    reject_rbl_client bhnc.njabl.org
    reject_rbl_client dnsbl.njabl.org
#   larger RBLs with some non-automation and larger ranges of IPs
#   reject_rbl_client dnsbl.sorbs.net #(blocked fedora)
#   reject_rbl_client dnsbl-2.uceprotect.net
    reject_rbl_client dnsbl-3.uceprotect.net
    reject_rbl_client zen.spamhaus.org
#   reject_rbl_client
#   reject_rbl_client dnsbl-2.uceprotect.net,
#   check_policy_service unix:private/spfpolicy
#   check_policy_service inet:127.0.0.1:10023
    permit

strict_rfc821_envelopes = yes
smtpd_reject_unlisted_sender = yes
Am 26.11.2010 19:48, schrieb Mike Fedyk:
> On Tue, Nov 16, 2010 at 11:49 AM, Rob Kampen rkampen@kampensonline.com wrote:
> > Hi list, I have noted over the last week or so my DNS servers are dumping lots of messages for bogus domain lookups. Examining the postfix queue with postqueue -p I see many (Host or domain name not found. Name service error for name=bdgiedjhea.po6e4ina.com type=MX: Host not found, try again) Jake@bdgiedjhea.po6e4ina.com My question - why does this stay in the message queue - why not dumped back with message undeliverable or dropped? I understand this is probably related to my config - which follows: <main.cf>
> Here's what you want (copied from my config):
Not really - because the shown part of the Postfix config is doubtful.
> maps_rbl_reject_code = 450
> non_fqdn_reject_code = 450
Why a temporary DSN? You want those to come back again and again and again ...?
> smtpd_delay_reject = yes
Running the default of a delayed reject, why then split up the smtpd_*_restrictions, causing plenty of tests to be run more than once?
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
>     reject_unauth_pipelining
>     permit_sasl_authenticated
>     permit_mynetworks
>     reject_invalid_hostname
>     reject_non_fqdn_hostname
Can lead to a lot of rejects for legitimate senders.
>     reject_unknown_helo_hostname
>     permit
> smtpd_sender_restrictions =
>     reject_unauth_pipelining
>     reject_non_fqdn_sender
>     reject_non_fqdn_recipient
Again in smtpd_recipient_restrictions.
>     reject_unknown_recipient_domain
Again in smtpd_recipient_restrictions.
>     reject_unknown_sender_domain
>     permit
> smtpd_client_restrictions =
> #   sleep 1
>     reject_unauth_pipelining
>     permit_sasl_authenticated
>     permit_mynetworks
>     reject_unknown_client_hostname
>     permit
> smtpd_recipient_restrictions =
>     reject_unauth_pipelining
>     reject_non_fqdn_recipient
>     reject_unknown_recipient_domain
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination
> #   fully automated RBLs
Far too many RBLs, really.
>     reject_rbl_client truncate.gbudb.net
>     reject_rbl_client dnsbl.proxybl.org
>     reject_rbl_client psbl.surriel.com
>     reject_rbl_client db.wpbl.info
>     reject_rbl_client bl.spamcop.net
spamcop can be too aggressive.
> #   reject_rbl_client bl.spamcannibal.org #blocked charles
>     reject_rbl_client intercept.datapacket.net
>     reject_rbl_client spamtrap.drbl.drand.net
> #   reject_rbl_client dnsbl.ahbl.org #blocked godaddy
>     reject_rbl_client dnsbl-1.uceprotect.net
>     reject_rbl_client bhnc.njabl.org
>     reject_rbl_client dnsbl.njabl.org
> #   larger RBLs with some non-automation and larger ranges of IPs
> #   reject_rbl_client dnsbl.sorbs.net #(blocked fedora)
> #   reject_rbl_client dnsbl-2.uceprotect.net
>     reject_rbl_client dnsbl-3.uceprotect.net
>     reject_rbl_client zen.spamhaus.org
> #   reject_rbl_client
> #   reject_rbl_client dnsbl-2.uceprotect.net,
> #   check_policy_service unix:private/spfpolicy
> #   check_policy_service inet:127.0.0.1:10023
>     permit
> strict_rfc821_envelopes = yes
> smtpd_reject_unlisted_sender = yes
Alexander
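Alexander's three objections (4xx codes for permanent policy decisions, the same reject_* test repeated across the smtpd_*_restrictions lists under the default smtpd_delay_reject = yes, and too many DNSBLs) can all be checked mechanically. The following is an added example, not code from this thread or from Postfix: a small Python linter that reads a main.cf the way Postfix does (a line starting with whitespace continues the previous logical line; a '#' in column 1 is a comment and is dropped even between continuation lines) and reports those three conditions. The input is an abbreviated excerpt of Mike's config with the items restored one per line; the MAX_RBLS threshold and the list of argument-taking keywords are assumptions of this example.

```python
"""Lint a Postfix main.cf for the issues Alexander raised in this thread."""
import re

# Abbreviated excerpt of the config Mike posted, restored to one item per line.
# The column-1 comment lines are kept so the parser has to skip them inside a
# continued value, as Postfix does.
SAMPLE_MAIN_CF = """\
maps_rbl_reject_code = 450
non_fqdn_reject_code = 450
smtpd_delay_reject = yes
smtpd_helo_restrictions =
    reject_unauth_pipelining
    permit_sasl_authenticated
    permit_mynetworks
    reject_non_fqdn_hostname
    permit
smtpd_sender_restrictions =
    reject_unauth_pipelining
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit
smtpd_client_restrictions =
#   sleep 1
    reject_unauth_pipelining
    permit_mynetworks
    permit
smtpd_recipient_restrictions =
    reject_unauth_pipelining
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
#   fully automated RBLs
    reject_rbl_client psbl.surriel.com
    reject_rbl_client bl.spamcop.net
#   reject_rbl_client bl.spamcannibal.org
    reject_rbl_client dnsbl-1.uceprotect.net
    reject_rbl_client zen.spamhaus.org
    permit
"""

RESTRICTION_LISTS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                     "smtpd_sender_restrictions", "smtpd_recipient_restrictions")
MAX_RBLS = 3  # assumption for this example: beyond this, lookups cost more than they add


def parse_main_cf(text):
    """Return {name: value}. Whitespace-led lines continue the previous logical
    line; a line whose first character is '#' is a comment and is dropped even
    between continuation lines. An indented '#' is not a comment to Postfix
    (it becomes part of the value), so it is deliberately not special-cased."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace():
            if name is not None:
                params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        name = name.strip()
        params[name] = value.strip()
    return params


def takes_argument(item):
    """Keywords whose next token is a map, DNSBL zone, service or count (assumed list)."""
    if " " in item:
        return False  # argument already attached
    return item.startswith(("check_", "reject_rbl", "reject_rhsbl")) or item == "sleep"


def restriction_items(value):
    """Split a restriction list into items, keeping 'keyword argument' pairs together."""
    items = []
    for tok in re.split(r"[,\s]+", value):
        if not tok:
            continue
        if items and takes_argument(items[-1]):
            items[-1] += " " + tok
        else:
            items.append(tok)
    return items


def lint(params):
    findings = []
    # 1. A 4xx reply to a blacklisted or malformed sender invites it to retry.
    for name, value in params.items():
        if name.endswith("_reject_code") and value.startswith("4"):
            findings.append(f"{name} = {value}: temporary code for a permanent policy decision")
    # 2. With delayed reject (the default) every list runs at RCPT TO, so a
    #    reject_*/check_* item present in several lists is evaluated several times.
    #    permit_* entries are skipped: a PERMIT only ends its own list, so they
    #    legitimately have to appear in each list.
    if params.get("smtpd_delay_reject", "yes") == "yes":
        where = {}
        for lst in RESTRICTION_LISTS:
            for item in set(restriction_items(params.get(lst, ""))):
                where.setdefault(item, []).append(lst)
        for item, lists in sorted(where.items()):
            if len(lists) > 1 and not item.startswith("permit"):
                findings.append(f"{item} evaluated in {len(lists)} lists: {', '.join(lists)}")
    # 3. Each reject_rbl_client is a DNS round trip per recipient.
    rbls = [i for i in restriction_items(params.get("smtpd_recipient_restrictions", ""))
            if i.startswith("reject_rbl_client")]
    if len(rbls) > MAX_RBLS:
        findings.append(f"{len(rbls)} reject_rbl_client lookups in smtpd_recipient_restrictions "
                        f"(example threshold {MAX_RBLS})")
    return findings


if __name__ == "__main__":
    for line in lint(parse_main_cf(SAMPLE_MAIN_CF)):
        print(line)
```

On the excerpt above it reports the two 450 codes, reject_unauth_pipelining evaluated in all four lists, the two checks duplicated between the sender and recipient lists, and four live DNSBL lookups (the commented-out spamcannibal line is correctly not counted). To run it against a live server, feed it the output of postconf -n instead of the file: that is already one parameter per line with continuations resolved, so the parser sees the same result.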
Mike Fedyk wrote:
> On Tue, Nov 16, 2010 at 11:49 AM, Rob Kampen rkampen@kampensonline.com wrote:
> > Hi list, I have noted over the last week or so my DNS servers are dumping lots of messages for bogus domain lookups. Examining the postfix queue with postqueue -p I see many (Host or domain name not found. Name service error for name=bdgiedjhea.po6e4ina.com type=MX: Host not found, try again) Jake@bdgiedjhea.po6e4ina.com My question - why does this stay in the message queue - why not dumped back with message undeliverable or dropped? I understand this is probably related to my config - which follows: <main.cf>
> Here's what you want (copied from my config):
> maps_rbl_reject_code = 450
> non_fqdn_reject_code = 450
450 implies not available try again later - definitely not what I want for blacklisted senders - I want 550 or something that makes their server go up in smoke.
> [...]
Thanks for sharing your config - when I get some spare time I'll check it out.