[lug] Am I spamming? postfix log question
George Sexton
georges at mhsoftware.com
Wed Sep 3 13:47:38 MDT 2014
You might want to try this tool here:
http://mxtoolbox.com/SuperTool.aspx
to check your IP. Click on the button to change the check type to blacklist.
On 9/3/2014 8:40 AM, Chip Atkinson wrote:
> Thanks for that information. It looks like a good set of restrictions
> to put in place. When scrutinizing my config files further I did
> discover that the server was misconfigured and the source of the
> problem was "backscatter", where a spammer will connect saying they
> are from hotmail or whatever, and my server would dutifully contact
> hotmail saying no such user. That problem is fixed. I'll put these
> in place to further tighten things up.
>
> Chip
>
>
> On Wed, 3 Sep 2014, George Sexton wrote:
>
>> A reasonable smtpd_sender_restrictions would be:
>>
>> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
>>     reject_non_fqdn_sender, reject_unknown_sender_domain,
>>     reject_rbl_client zen.spamhaus.org, permit
>>
>>
>>
>> On 9/1/2014 12:59 PM, Chip Atkinson wrote:
>> Hi folks,
>>
>> I'm going through my maillogs and I see entries like this:
>>
>> maillog-20140811:Aug 5 00:03:46 tedward postfix/cleanup[23181]: B64A11AE3AB2: message-id=<20140805060346.B64A11AE3AB2 at tedward.pupman.com>
>>
>> maillog-20140811:Aug 5 00:03:46 tedward postfix/qmgr[6868]: B64A11AE3AB2: from=<>, size=10913, nrcpt=1 (queue active)
>>
>> maillog-20140811:Aug 5 00:03:46 tedward postfix/bounce[23183]: 84C3A1AE3AA9: sender non-delivery notification: B64A11AE3AB2
>>
>> maillog-20140811:Aug 5 00:03:46 tedward postfix/smtp[23187]: B64A11AE3AB2: to=<BureauScores at natric.eu>, relay=hgsp68.natric.eu[162.253.152.22]:25, delay=0.24, delays=0/0.01/0.23/0, dsn=4.4.2, status=deferred (lost connection with hgsp68.natric.eu[162.253.152.22] while receiving the initial server greeting)
>>
>> maillog-20140811:Aug 5 00:12:38 tedward postfix/qmgr[6868]: B64A11AE3AB2: from=<>, size=10913, nrcpt=1 (queue active)
>>
>> maillog-20140811:Aug 5 00:12:38 tedward postfix/smtp[1505]: B64A11AE3AB2: to=<BureauScores at natric.eu>, relay=hgsp68.natric.eu[162.253.152.22]:25, delay=532, delays=532/0.01/0.19/0, dsn=4.4.2, status=deferred (lost connection with hgsp68.natric.eu[162.253.152.22] while receiving the initial server greeting)
>>
>> (Gaps added for clarity due to wrapping)
>>
>> To me it looks like my server got some email from "<>" and then tried to
>> deliver to BureauScores at natric.edu.
>>
>> Is my interpretation correct, and if so, any suggestions on how to combat
>> the problem?
>>
>> Here's postconf -n's output if that helps.
>>
>> Thanks in advance.
>>
>> Chip
>>
>>
>> alias_database = hash:/etc/aliases
>> alias_maps = hash:/etc/aliases, hash:/usr/local/mailman/data/aliases
>> command_directory = /usr/sbin
>> config_directory = /etc/postfix
>> daemon_directory = /usr/libexec/postfix
>> data_directory = /var/lib/postfix
>> debug_peer_level = 2
>> debug_peer_list = 167.88.120.115
>> html_directory = no
>> in_flow_delay = 1s
>> inet_interfaces = all
>> inet_protocols = ipv4
>> local_recipient_maps =
>> mail_owner = postfix
>> mail_spool_directory = /var/spool/mail
>> mailq_path = /usr/bin/mailq.postfix
>> manpage_directory = /usr/share/man
>> masquerade_domains = pupman.com
>> message_size_limit = 20480000
>> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
>>     mail.$mydomain, www.$mydomain, chip1.$mydomain, tedward.pupman.com,
>>     www.pupman.com
>> mydomain = pupman.com
>> myhostname = tedward.pupman.com
>> mynetworks = 127.0.0.0/8, 167.88.120.115 [::1]/128
>> myorigin = $mydomain
>> newaliases_path = /usr/bin/newaliases.postfix
>> owner_request_special = no
>> proxy_interfaces = 167.88.120.115
>> queue_directory = /var/spool/postfix
>> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
>> recipient_delimiter = +
>> relay_domains = $mydestination, pupman.com,
>> sample_directory = /usr/share/doc/postfix-2.6.6/samples
>> sendmail_path = /usr/sbin/sendmail.postfix
>> setgid_group = postdrop
>> smtpd_client_restrictions = permit_mynetworks
>> smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining,
>>     reject_unauth_destination
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
>>     reject_invalid_hostname, permit
>> smtpd_recipient_restrictions = permit_mynetworks,
>>     permit_sasl_authenticated, reject_non_fqdn_sender,
>>     reject_non_fqdn_recipient, reject_non_fqdn_hostname,
>>     reject_invalid_hostname, reject_unauth_pipelining,
>>     reject_unauth_destination,
>>     check_client_access hash:/etc/postfix/rbl_override,
>>     reject_unknown_sender_domain, reject_unknown_recipient_domain,
>>     reject_rbl_client zen.spamhaus.org,
>>     reject_rbl_client dnsbl.njabl.net,
>>     reject_rbl_client bl.spamcop.net,
>>     reject_rbl_client cbl.abuseat.org,
>>     reject_rhsbl_helo dbl.spamhaus.org,
>>     reject_rhsbl_sender dbl.spamhaus.org, permit
>> smtpd_sender_restrictions = permit_mynetworks,
>>     reject_unknown_sender_domain, reject_unknown_address
>> unknown_local_recipient_reject_code = 550
>>
>> _______________________________________________
>> Web Page: http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667
>> channel=#hackingsociety
>>
>>
>> --
>> George Sexton
>> MH Software, Inc.
>> Voice: 303 438 9585
>> http://www.mhsoftware.com
>>
>>
--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
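
An added example, not part of the original thread: one way to pull backscatter candidates out of a Postfix maillog by correlating the three line types quoted above (`qmgr` with `from=<>`, `bounce` "sender non-delivery notification", and `smtp` delivery attempts). The function name and the sample log are assumptions made for this illustration; the log lines are constructed with placeholder hosts and queue IDs.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Postfix syslog format quoted in the thread;
# hostnames, addresses and queue IDs are placeholders, not values from the page.
SAMPLE_LOG = """\
Aug  5 00:03:46 mx postfix/qmgr[6868]: AAAA00000001: from=<>, size=10913, nrcpt=1 (queue active)
Aug  5 00:03:46 mx postfix/bounce[23183]: BBBB00000002: sender non-delivery notification: AAAA00000001
Aug  5 00:03:46 mx postfix/smtp[23187]: AAAA00000001: to=<victim@forged.example>, relay=mail.forged.example[192.0.2.22]:25, delay=0.24, dsn=4.4.2, status=deferred (lost connection)
Aug  5 00:12:38 mx postfix/smtp[1505]: AAAA00000001: to=<victim@forged.example>, relay=mail.forged.example[192.0.2.22]:25, delay=532, dsn=4.4.2, status=deferred (lost connection)
Aug  5 00:20:01 mx postfix/qmgr[6868]: CCCC00000003: from=<alice@lists.example>, size=2048, nrcpt=1 (queue active)
Aug  5 00:20:02 mx postfix/smtp[1600]: CCCC00000003: to=<bob@peer.example>, relay=mx.peer.example[198.51.100.7]:25, delay=0.5, dsn=2.0.0, status=sent (250 ok)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)")
BOUNCE = re.compile(r"sender non-delivery notification: ([0-9A-F]+)")
DELIVERY = re.compile(r"to=<([^>]*)>, relay=([^,]+), .*status=(\w+)")

def find_backscatter_candidates(log_text):
    """Return locally generated bounces (from=<>) handed to the smtp client."""
    null_sender = set()           # queue IDs whose envelope sender is <>
    bounce_of = {}                # bounce queue ID -> original queue ID
    attempts = defaultdict(list)  # queue ID -> [(recipient, relay, status)]
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "qmgr" and rest.startswith("from=<>"):
            null_sender.add(qid)
        elif daemon == "bounce" and (b := BOUNCE.match(rest)):
            bounce_of[b.group(1)] = qid   # the new bounce message's queue ID
        elif daemon == "smtp" and (d := DELIVERY.match(rest)):
            attempts[qid].append(d.groups())
    report = []
    # A candidate is a null-sender message that the bounce daemon created here.
    for qid in sorted(null_sender.intersection(bounce_of)):
        for rcpt in sorted({a[0] for a in attempts[qid]}):
            tries = [a for a in attempts[qid] if a[0] == rcpt]
            report.append({"bounce_id": qid, "original_id": bounce_of[qid],
                           "recipient": rcpt, "relay": tries[-1][1],
                           "attempts": len(tries), "last_status": tries[-1][2]})
    return report

if __name__ == "__main__":
    for row in find_backscatter_candidates(SAMPLE_LOG):
        print(row)
```

Each row is only a candidate: a legitimate bounce to a real sender produces the same lines, so the recipient domains still need a human look. Rejecting undeliverable mail during the SMTP session, rather than accepting it and bounting later, is what stops the bounce from being generated at all.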