Re: Relay attempts from bot filling mail queue and getting my server blacklisted: how's it happening?

From: Wietse Venema (wietseporcupine.org)
Date: Tue Jun 04 2013 - 14:41:24 CDT


benindietorrent.org:
> For the sake of thoroughness, and because I'm expected to perform a
> root-cause-analysis, I'm following-up on this after noticing that there was
> a missing comma in the smtpd_recipient_restrictions directive (after
> check_recipient_access on the third line):
>
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,

For posterity (i.e. people who find this with a search engine),
replace these three lines:

> check_recipient_access
> mysql:/etc/postfix/mysql-virtual_recipient.cf,
> reject_unauth_destination,

with these three lines:

> reject_unauth_destination,
> check_recipient_access
> mysql:/etc/postfix/mysql-virtual_recipient.cf,

As that prevents unexpected open relay problems.

> reject_invalid_hostname,
> reject_non_fqdn_hostname,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_unauth_destination,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client zen.spamhaus.org
>
> Even though the problem seems to be resolved after adding the comma and
> swapping the two items as Wietse suggested, what would be the net-result of
> the missing comma in my version of Postfix (2.7.0)? Would the entire list
> of smtpd_recipient_restrictions be ignored? (That would certainly explain
> why a bot was able to relay hundreds of thousands of messages over the course of
> a few days.)

The comma is treated here as whitespace.

        Wietse
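The following is an added illustration, not part of this thread and not Postfix code: a small Python model of how an smtpd_recipient_restrictions list is walked, showing both points made above. The list is split on commas and whitespace alike, so the missing comma changes nothing, and the first restriction that returns a definite answer decides the session, so an access map that answers OK before reject_unauth_destination has run permits relaying to any domain that map matches. The networks, domains, and access-map rows are constructed assumptions; the only real parameter names are the Postfix restrictions quoted in the thread.

```python
"""Toy model of Postfix smtpd_recipient_restrictions evaluation.

Added example; it is not Postfix code and not the original poster's
configuration. It models only the few restrictions needed to show why
check_recipient_access must come after reject_unauth_destination. All
sample networks, domains and access-map rows below are constructed.
"""

# --- constructed sample environment (assumptions) -------------------------
MYNETWORKS = {"127.0.0.1", "10.0.0.5"}
# Domains this server is a legitimate destination for (mydestination,
# relay_domains, virtual_*_domains).
AUTHORIZED_DOMAINS = {"example.com", "example.org"}
# Rows the access map behind check_recipient_access would return. The
# "partner.example" row is the classic mistake: a domain allowlisted so its
# mail skips later reject_* checks, which also answers OK for relaying.
RECIPIENT_ACCESS = {"alice@example.com": "OK", "partner.example": "OK"}

# The two orderings discussed on the page (the comma after
# check_recipient_access is deliberately missing in the first one).
WEAK_ORDER = """
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access
    mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org
"""
FIXED_ORDER = """
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_rbl_client zen.spamhaus.org
"""


def parse_restrictions(value):
    """Split a main.cf list the way Postfix does: commas and whitespace
    are interchangeable separators, so a missing comma is harmless."""
    return value.replace(",", " ").split()


def access_lookup(recipient):
    """Simplified access-map lookup: full address first, then the domain."""
    local, _, domain = recipient.lower().rpartition("@")
    return RECIPIENT_ACCESS.get(f"{local}@{domain}") or RECIPIENT_ACCESS.get(domain)


def evaluate(restrictions, client_ip, sasl_user, recipient):
    """Walk the list left to right; the first restriction that returns a
    definite answer wins. Returns (decision, deciding_restriction)."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    items = list(restrictions)
    while items:
        name = items.pop(0)
        if name == "permit_mynetworks":
            if client_ip in MYNETWORKS:
                return "permit", name
        elif name == "permit_sasl_authenticated":
            if sasl_user:
                return "permit", name
        elif name == "check_recipient_access":
            table = items.pop(0)            # next token is the map name
            result = access_lookup(recipient)
            if result == "OK":              # OK ends the list with permit
                return "permit", f"{name} {table}"
            if result and result.startswith("REJECT"):
                return "reject", f"{name} {table}"
        elif name == "reject_unauth_destination":
            if domain not in AUTHORIZED_DOMAINS:
                return "reject", name
        elif name == "reject_rbl_client":
            items.pop(0)                    # consume the DNSBL name; no DNS here
        # every other reject_* restriction is treated as DUNNO in this model
    return "permit", "end of list"          # Postfix: end of list means permit


if __name__ == "__main__":
    # A random Internet host (no SASL) trying to relay to an allowlisted domain.
    for label, order in (("weak", WEAK_ORDER), ("fixed", FIXED_ORDER)):
        verdict = evaluate(parse_restrictions(order), "203.0.113.9", None,
                           "victim@partner.example")
        print(f"{label:5}: {verdict}")
```

Running it shows the weak ordering permitting the relay via the access map and the fixed ordering rejecting it at reject_unauth_destination, while delivery to alice@example.com and submissions from mynetworks succeed under both. To see how a live Postfix actually parsed a list, compare `postconf smtpd_recipient_restrictions` with main.cf. From Postfix 2.10 onward, relay control is also enforced separately in smtpd_relay_restrictions, which runs before smtpd_recipient_restrictions, so an OK from an access map there no longer opens a relay by itself; keeping reject_unauth_destination ahead of lookups that can return OK remains the safe habit.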