Re:

From: mouss (mlist.onlyfree.fr)
Date: Wed May 09 2007 - 10:06:36 CDT


LuKreme wrote:
> I am trying to figure out how this message from a Korean spammer got
> accepted by postfix-2.2.8:
>
> Mar 5 07:24:41 akane postfix/smtpd[68963]: connect from
> unknown[210.96.229.18]
> Mar 5 07:24:41 akane postfix/smtpd[68963]: EF4F1118BA7B:
> client=unknown[210.96.229.18]
> Mar 5 07:24:44 akane postfix/cleanup[68966]: EF4F1118BA7B: warning:
> header Subject: 540336 from unknown[210.96.229.18]; from=<postm
> aster*munged*.org> to=<qhfvoa*munged2*.com> proto=SMTP
> helo=<eythtnygw.com>: Subject
> Mar 5 07:24:44 akane postfix/cleanup[68966]: EF4F1118BA7B:
> message-id=<20070305142441.EF4F1118BA7Bmail.covisp.net>
> Mar 5 07:24:44 akane postfix/qmgr[57715]: EF4F1118BA7B:
> from=<postmaster*munged*.com>, size=882, nrcpt=10 (queue active)
> Mar 5 07:24:44 akane postfix/smtpd[68963]: disconnect from
> unknown[210.96.229.18]
>
> [200 lines and a good 45 minutes of digging in logs deleted]
>
> OK, I found out why:
>
> % cat /usr/local/etc/postfix/recipient_checks.pcre
> /^\/ 550 Invalid address format.
> /[!%\].*\/ 550 This server disallows weird address syntax.
> /^www\mail\.covisp\.net/ 550 Invalid Webmail return address
> /^www$/ 550 Invalid Webmail return address
> /^postmaster\/ OK
> /^hostmaster\/ OK
> /^abuse\/ OK
>
> This allows through any spam that claims to be from a postmaster
> account, regardless of what the postmaster account actually is. So,
> for example, I've seen a lot of spam recently claiming to be from
> postmasterhosteddomain.tld and evidently this sails through without a
> problem because of the recipient check.
>

> However, from the dim recesses of my memory, this was necessary to
> allow all messages FROM postmasters.
>
> relevant settings:
> smtpd_data_restrictions = reject_unauth_pipelining, permit
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = check_recipient_access
> pcre:/usr/local/etc/postfix/recipient_checks.pcre,

you are an open relay for all postmaster* and friends. you should put
the check after reject_unauth_destination.
> check_client_access hash:/usr/local/etc/postfix/pop-before-smtp,
> check_sender_access pcre:/usr/local/etc/postfix/sender_access.pcre,
this one will probably make you an open relay as well.

> reject_invalid_hostname, reject_non_fqdn_sender,
> reject_non_fqdn_recipient, reject_unknown_sender_domain,
> reject_unauth_pipelining, permit_mynetworks,
> reject_unlisted_recipient, permit_sasl_authenticated,
> reject_unauth_destination, check_client_access
> regexp:$config_directory/check_client_fqdn.rx check_client_access
> hash:/usr/local/etc/postfix/access, reject_rbl_client
> zen.spamhaus.org permit
> smtpd_restriction_classes = check_greylist
>
> for right now I will disable those lines from the recipient checks and
> see how it goes, or is it simply a matter of moving the recipients
> check into a later portion of the restrictions? Like, say, last?
as Noel said, the map you showed is not used in this case (rcpt vs
sender). but you should anyway move the check to after
reject_unauth_destination.
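The ordering problem mouss points out, as an added illustration that is not code from the thread or from Postfix: a small model of how smtpd walks a restriction list (first OK or REJECT wins, DUNNO falls through, an exhausted list permits), run against a remote client relaying to a postmaster address at an unrelated domain. The network, destination domain and the restored "@" in the postmaster pattern are assumptions, not taken from the post.

```python
import ipaddress
import re

# Constructed sample values (assumptions, not from the thread).
MYNETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
MYDESTINATION = {"example.org"}          # domains this server accepts mail for

# The effect the poster describes: any postmaster/hostmaster/abuse recipient
# is whitelisted. The '@' is assumed; the archive stripped it from the map.
RECIPIENT_OK = re.compile(r"^(postmaster|hostmaster|abuse)@", re.IGNORECASE)


def check_recipient_access(session):
    return "OK" if RECIPIENT_OK.match(session["rcpt"]) else "DUNNO"


def permit_mynetworks(session):
    addr = ipaddress.ip_address(session["client"])
    return "OK" if any(addr in net for net in MYNETWORKS) else "DUNNO"


def reject_unauth_destination(session):
    domain = session["rcpt"].rpartition("@")[2].lower()
    return "DUNNO" if domain in MYDESTINATION else "REJECT"


def evaluate(restrictions, session):
    """Walk the list like smtpd: the first OK or REJECT decides, DUNNO continues,
    and an exhausted list defaults to permit. Returns (verdict, deciding restriction)."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "OK", "end-of-list"


# Order as posted: the whitelist map is consulted before the relay check.
POSTED_ORDER = [check_recipient_access, permit_mynetworks, reject_unauth_destination]
# Order mouss recommends: relay control first, whitelist after it.
FIXED_ORDER = [permit_mynetworks, reject_unauth_destination, check_recipient_access]


def relay_attempt():
    """Constructed session: an outside client addressing postmaster at a foreign domain."""
    return {"client": "203.0.113.7", "rcpt": "postmaster@victim.example"}


if __name__ == "__main__":
    print("posted order:", evaluate(POSTED_ORDER, relay_attempt()))
    print("fixed order: ", evaluate(FIXED_ORDER, relay_attempt()))
```

With the posted order the relay attempt is accepted by the whitelist map; with the fixed order it is rejected, while postmaster mail to a local domain or from a trusted network still gets through.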