[Postfixbuch-users] Extreme spam waves despite SMTP-Auth - getting the situation under control
Timo Heinrichs
theinrichs at netzpepper.de
Fri Oct 26 10:08:28 CEST 2012
You're great! Thanks already for the answers!

> Greylisting is for inbound, not for outbound (and can often be replaced by postscreen (if you run Postfix >= 2.8;
> http://www.postfix.org/POSTSCREEN_README.html)).

But inbound logically also means every mail a user submits to us, or am I seeing this wrong?

>> so that we can switch to a replacement server in an emergency, I would
>> like to use a different mailer as relayhost on the mail proxy
> That can only ever be a short-term stopgap. If spam keeps coming from you, the second server will be on blacklists faster than you
> can look.

It is of course only a short-term stopgap! But we do have the spam under control now (that gets shut down rigorously!); the problem is the blacklists that still keep blocking, or rather the poor MTA reputation that e.g. Proofpoint attributes to us.

>> enter. That's no problem either, I'm still struggling a bit
>> with the config on the relaying server. It MUST accept and process
>> the mails from the other server; can I somehow get around
>> building relay_recipient_maps listing all the relay users?
>> After all, on the other server I already have
> That's what mynetworks is for
> (http://www.postfix.org/postconf.5.html#mynetworks).

The mynetworks route is logical, but DESPITE mynetworks I get the error :(

It should be enough to enter the blacklisted server in mynetworks on the backup server and put a permit_mynetworks in the recipient_restrictions, right? That's what I have already done.

Here are the postconf -n, master.cf (without comments) and the dovecot.conf:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
bounce_template_file = /etc/postfix/bounce-templates/bounce.de-DE.cf
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
header_checks = regexp:/etc/postfix/header_checks
header_size_limit = 51200
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps_mail2.cf, proxy:mysql:/etc/postfix/mysql-virtual_forwardings_main.cf, proxy:mysql:/etc/postfix/mysql-virtual_forwardings_mail01.cf, proxy:mysql:/etc/postfix/mysql-virtual_forwardings_mail02.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email_main.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email_mail01.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email_mail02.cf
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
maximal_queue_lifetime = 3d
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = mailproxy.netzpepper.de
myhostname = mailproxy.netzpepper.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 78.111.239.43 78.111.239.46 78.111.239.48
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains_mail2.cf, proxy:mysql:/etc/postfix/mysql-virtual_relaydomains_main.cf, proxy:mysql:/etc/postfix/mysql-virtual_relaydomains_mail01.cf, proxy:mysql:/etc/postfix/mysql-virtual_relaydomains_mail02.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps_mail2.cf
smtp_tls_CAfile = /etc/postfix/STAR_netzpepper_de.ca-bundle
smtp_tls_cert_file = /etc/postfix/STAR_netzpepper_de.crt
smtp_tls_key_file = /etc/postfix/netzpepper_wildcard.key
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 20
smtpd_client_new_tls_session_rate_limit = 10
smtpd_client_recipient_rate_limit = 20
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_unknown_sender_domain, reject_invalid_hostname, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix/custom_blacklist, reject_rbl_client sbl.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient_mail2.cf, permit_mynetworks, permit_mx_backup, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noactive, nodictionary
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/STAR_netzpepper_de.ca-bundle
smtpd_tls_cert_file = /etc/postfix/STAR_netzpepper_de.crt
smtpd_tls_key_file = /etc/postfix/netzpepper_wildcard.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings_main.cf, proxy:mysql:/etc/postfix/mysql-virtual_forwardings_mail01.cf, proxy:mysql:/etc/postfix/mysql-virtual_forwardings_mail02.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email_main.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email_mail01.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email_mail02.cf
master.cf

# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp       inet  n       -       n       -       60      smtpd
submission inet  n       -       y       -       60      smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n       -       y       -       60      smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
pickup     fifo  n       -       -       60      1       pickup
cleanup    unix  n       -       -       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       -       1000?   1       tlsmgr
rewrite    unix  -       -       -       -       -       trivial-rewrite
bounce     unix  -       -       -       -       0       bounce
defer      unix  -       -       -       -       0       bounce
trace      unix  -       -       -       -       0       bounce
verify     unix  -       -       -       -       1       verify
flush      unix  n       -       -       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       -       -       -       smtp
relay      unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
showq      unix  n       -       -       -       -       showq
error      unix  -       -       -       -       -       error
retry      unix  -       -       -       -       -       error
discard    unix  -       -       -       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       -       -       -       lmtp
anvil      unix  -       -       -       -       1       anvil
scache     unix  -       -       -       -       1       scache
maildrop   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
Dovecot

base_dir: /var/run/dovecot/
log_path: /var/log/dovecot.log
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap imaps pop3 pop3s
ssl_ca_file: /etc/postfix/STAR_netzpepper_de.ca-bundle
ssl_cert_file: /etc/postfix/STAR_netzpepper_de.crt
ssl_key_file: /etc/postfix/netzpepper_wildcard.key
disable_plaintext_auth: no
login_dir: /var/run/dovecot//login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
login_greeting: netzpepper mailproxy ready to rumble!
login_process_per_connection: no
login_processes_count: 20
mail_privileged_group: mail
mail_uid: 5000
mail_gid: 5000
mail_location: maildir:/var/vmail/%d/%n/Maildir
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/rawlog /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/rawlog /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/rawlog /usr/lib/dovecot/pop3
mail_plugins(default): quota imap_quota
mail_plugins(imap): quota imap_quota
mail_plugins(pop3): quota
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
lda:
  postmaster_address: postmaster@my-domain.tld
  mail_plugin_dir: /usr/lib/dovecot/modules/lda
  auth_socket_path: /var/run/dovecot/auth-master
  mail_plugins: sieve quota
auth default:
  mechanisms: plain login
  user: nobody
  debug: yes
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql_mail2.conf
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql_main.conf
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql_mail01.conf
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql_mail02.conf
  userdb:
    driver: static
    args: uid=0 gid=0
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: root
plugin:
  quota: dict:user::file:/var/vmail/%d/%n/.quotausage
  sieve: /var/vmail/%d/%n/.sieve
_______________________________________________
Postfixbuch-users -- http://www.postfixbuch.de Heinlein Professional Linux Support GmbH
Postfixbuch-users at listen.jpberlin.de
https://listi.jpberlin.de/mailman/listinfo/postfixbuch-users
More information about the Postfixbuch-users mailing list
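The setup discussed in the post above (a DNSBL-listed host relaying through a second Postfix that lists it in mynetworks, on a main.cf that also enables SMTP AUTH for every smtpd instance) is worth checking mechanically rather than by eye. The following Python script is an added example, not code from the post or from the Postfix project. It parses a postconf -n dump and applies two rules taken from the Postfix documentation: smtpd_recipient_restrictions is evaluated top to bottom and stops at the first PERMIT or REJECT, so every reject_* or check_* entry listed before permit_mynetworks still applies to a mynetworks client (a DNSBL hit wins over the later permit); and smtpd_sasl_auth_enable=yes in main.cf offers AUTH on port 25 as well, where smtpd_tls_security_level=may lets PLAIN/LOGIN travel in cleartext unless smtpd_tls_auth_only=yes or noplaintext is set. SAMPLE is a constructed, re-wrapped excerpt of the posted config; whether the posted hosts are actually listed on any of those DNSBLs is not known from the thread, the script only reports that the lookups run first.

```python
"""Lint a ``postconf -n`` dump for two relay/auth pitfalls.

Added example for the thread above; not code from the post or from Postfix.
Rule 1: restrictions listed before permit_mynetworks still apply to relay
        peers in mynetworks (first PERMIT/REJECT wins).
Rule 2: smtpd_sasl_auth_enable=yes in main.cf enables AUTH on port 25 too;
        without smtpd_tls_auth_only=yes or "noplaintext", PLAIN/LOGIN are
        accepted on unencrypted sessions.
SAMPLE is a constructed, re-wrapped excerpt of the posted postconf -n output.
"""
from __future__ import annotations

import sys

SAMPLE = """\
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 78.111.239.43 78.111.239.46 78.111.239.48
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_unknown_sender_domain,
    reject_invalid_hostname, reject_non_fqdn_recipient, reject_non_fqdn_sender,
    reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix/custom_blacklist,
    reject_rbl_client sbl.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient_mail2.cf,
    permit_mynetworks, permit_mx_backup, permit_sasl_authenticated,
    reject_unauth_destination, reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noactive, nodictionary
smtpd_tls_security_level = may
"""


def parse_postconf(text: str) -> dict[str, str]:
    """Parse 'name = value' lines (postconf -n or main.cf syntax).

    A line starting with whitespace continues the previous value, as in
    main.cf; blank lines and '#' comments are skipped."""
    params: dict[str, str] = {}
    current: str | None = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError(f"continuation line without a parameter: {raw!r}")
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"not a 'name = value' line: {raw!r}")
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value: str) -> list[str]:
    """Split a comma-separated Postfix list into whitespace-normalised entries.

    Assumes one restriction per comma-separated entry, the form used in the
    posted config, so 'reject_rbl_client sbl.spamhaus.org' stays one entry."""
    return [" ".join(item.split()) for item in value.split(",") if item.strip()]


def entries_before(entries: list[str], name: str) -> list[str] | None:
    """Entries evaluated before restriction `name`; None if it is absent."""
    names = [e.split()[0] for e in entries]
    if name not in names:
        return None
    return entries[: names.index(name)]


def lint(params: dict[str, str]) -> list[str]:
    """Return human-readable findings for the rules in the module docstring."""
    findings: list[str] = []
    entries = split_list(params.get("smtpd_recipient_restrictions", ""))
    names = [e.split()[0] for e in entries]

    # Rule 1: everything ahead of permit_mynetworks still applies to relay peers.
    ahead = entries_before(entries, "permit_mynetworks") or []
    rejecting = [e for e in ahead if e.startswith(("reject_", "check_"))]
    if rejecting:
        findings.append("mynetworks clients are still subject to: " + ", ".join(rejecting))
    dnsbls = [e.split()[1] for e in ahead if e.startswith("reject_rbl_client ")]
    if dnsbls:
        findings.append("DNSBL lookups ahead of permit_mynetworks: a relay peer listed on "
                        + " or ".join(dnsbls) + " is rejected before it is permitted")

    # Same list: permit_mx_backup trusts the recipient domain's own MX records
    # unless permit_mx_backup_networks narrows which primaries are acceptable.
    if "permit_mx_backup" in names and not params.get("permit_mx_backup_networks"):
        findings.append("permit_mx_backup without permit_mx_backup_networks: any domain "
                        "whose MX records name this host may relay through it")

    # Rule 2: AUTH on unencrypted sessions (main.cf applies to every smtpd instance).
    if params.get("smtpd_sasl_auth_enable", "no") == "yes":
        options = set(params.get("smtpd_sasl_security_options", "noanonymous").replace(",", " ").split())
        encrypted_only = (params.get("smtpd_tls_security_level") == "encrypt"
                          or params.get("smtpd_tls_auth_only", "no") == "yes")
        if not encrypted_only and "noplaintext" not in options:
            findings.append("AUTH is enabled for every smtpd instance (port 25 included) and "
                            "PLAIN/LOGIN are accepted without TLS")
    return findings


def lint_text(text: str) -> list[str]:
    """Parse and lint a postconf -n dump given as a string."""
    return lint(parse_postconf(text))


if __name__ == "__main__":
    # Usage: postconf -n > pc.txt && python3 lint_postconf.py pc.txt
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in lint_text(source):
        print("-", finding)
```

With no argument the script lints the embedded sample. Against the posted order it reports ten restrictions (two of them DNSBL lookups) that a relay peer must pass before permit_mynetworks is reached, so a peer whose IP is listed on sbl.spamhaus.org or ix.dnsbl.manitu.net is rejected even though it is in mynetworks; moving permit_mynetworks ahead of the reject_rbl_client entries changes that. The permit_mx_backup and cleartext-AUTH findings are separate caveats on the same config and go away with permit_mx_backup_networks (or relay_domains) and smtpd_tls_auth_only = yes respectively.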