[Postfixbuch-users] Extreme spam waves despite SMTP auth - getting the situation under control

Timo Heinrichs theinrichs at netzpepper.de
Fri Oct 26 10:08:28 CEST 2012


You guys are great! Thanks already for the answers!

> Greylisting is for inbound, not for outbound (and can often be replaced by postscreen (if you run Postfix >=2.8;
> http://www.postfix.org/POSTSCREEN_README.html)).

But logically, inbound is also every mail that a user submits to us, or am I seeing that wrong?

>> so that we can fall back on a replacement server in an emergency, I would
>> like to enter a different mailer as relayhost on the mail proxy

> But that can only ever be a short-term stopgap. If spam keeps coming from you, the second server will be on blacklists faster than you can blink.

Of course it is only a short-term stopgap! But we already have the spam under control (we shut those off rigorously!); the problem is the blacklists that still keep blocking, and the poor MTA reputation that e.g. Proofpoint attests us.

>> That is not a problem either; I am still struggling a bit
>> with the config on the relaying server. It MUST accept and process
>> the mails from the other server. Is there some way around
>> building relay recipient maps that list all the relay users?
>> After all, on the other server I already have

> That is what mynetworks is for
> (http://www.postfix.org/postconf.5.html#mynetworks).

The MyNetworks route is logical, but I get the error DESPITE MyNetworks :(
It should be enough here to enter the blacklisted server under MyNetworks on the backup server and to set a permit_mynetworks in the recipient_restrictions, right? Because I have already done that.

Here are the postconf -n, master.cf (without comments) and the dovecot.conf

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
bounce_template_file = /etc/postfix/bounce-templates/bounce.de-DE.cf
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
header_checks = regexp:/etc/postfix/header_checks
header_size_limit = 51200
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps_mail2.cf, proxy:mysql:/etc/postfix/mysql-virtual_forwardings_main.cf, proxy:mysql:/etc/postfix/mysql-virtual_forwardings_mail01.cf, proxy:mysql:/etc/postfix/mysql-virtual_forwardings_mail02.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email_main.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email_mail01.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email_mail02.cf
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
maximal_queue_lifetime = 3d
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = mailproxy.netzpepper.de
myhostname = mailproxy.netzpepper.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 78.111.239.43 78.111.239.46 78.111.239.48
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains_mail2.cf, proxy:mysql:/etc/postfix/mysql-virtual_relaydomains_main.cf, proxy:mysql:/etc/postfix/mysql-virtual_relaydomains_mail01.cf, proxy:mysql:/etc/postfix/mysql-virtual_relaydomains_mail02.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps_mail2.cf
smtp_tls_CAfile = /etc/postfix/STAR_netzpepper_de.ca-bundle
smtp_tls_cert_file = /etc/postfix/STAR_netzpepper_de.crt
smtp_tls_key_file = /etc/postfix/netzpepper_wildcard.key
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 20
smtpd_client_new_tls_session_rate_limit = 10
smtpd_client_recipient_rate_limit = 20
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_unknown_sender_domain, reject_invalid_hostname, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix/custom_blacklist, reject_rbl_client sbl.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient_mail2.cf, permit_mynetworks, permit_mx_backup, permit_sasl_authenticated, reject_unauth_destination,  reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noactive, nodictionary
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/STAR_netzpepper_de.ca-bundle
smtpd_tls_cert_file = /etc/postfix/STAR_netzpepper_de.crt
smtpd_tls_key_file = /etc/postfix/netzpepper_wildcard.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings_main.cf, proxy:mysql:/etc/postfix/mysql-virtual_forwardings_mail01.cf, proxy:mysql:/etc/postfix/mysql-virtual_forwardings_mail02.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email_main.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email_mail01.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email_mail02.cf


Master.cf

smtp      inet  n       -       n       -       60       smtpd
submission inet n       -       y       -       60       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       y       -       60       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}



Dovecot

base_dir: /var/run/dovecot/
log_path: /var/log/dovecot.log
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap imaps pop3 pop3s
ssl_ca_file: /etc/postfix/STAR_netzpepper_de.ca-bundle
ssl_cert_file: /etc/postfix/STAR_netzpepper_de.crt
ssl_key_file: /etc/postfix/netzpepper_wildcard.key
disable_plaintext_auth: no
login_dir: /var/run/dovecot//login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
login_greeting: netzpepper mailproxy ready to rumble!
login_process_per_connection: no
login_processes_count: 20
mail_privileged_group: mail
mail_uid: 5000
mail_gid: 5000
mail_location: maildir:/var/vmail/%d/%n/Maildir
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/rawlog /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/rawlog /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/rawlog /usr/lib/dovecot/pop3
mail_plugins(default): quota imap_quota
mail_plugins(imap): quota imap_quota
mail_plugins(pop3): quota
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
lda:
  postmaster_address: postmaster at my-domain.tld
  mail_plugin_dir: /usr/lib/dovecot/modules/lda
  auth_socket_path: /var/run/dovecot/auth-master
  mail_plugins: sieve quota
auth default:
  mechanisms: plain login
  user: nobody
  debug: yes
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql_mail2.conf
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql_main.conf
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql_mail01.conf
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql_mail02.conf
  userdb:
    driver: static
    args: uid=0 gid=0
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: root
plugin:
  quota: dict:user::file:/var/vmail/%d/%n/.quotausage
  sieve: /var/vmail/%d/%n/.sieve
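
Added example (not part of the original post): Postfix evaluates smtpd_recipient_restrictions in the order listed and stops at the first restriction that returns a decision, so any reject_* check placed before permit_mynetworks also applies to clients listed in mynetworks. The Python code below lists those checks for the value from the postconf -n output above; the function names and the argument-prefix list are assumptions of this example.

```python
import re

# Value copied from the postconf -n output in the post.
POSTED = (
    "reject_unauth_pipelining, reject_unknown_sender_domain, "
    "reject_invalid_hostname, reject_non_fqdn_recipient, "
    "reject_non_fqdn_sender, reject_unknown_recipient_domain, "
    "check_recipient_access hash:/etc/postfix/custom_blacklist, "
    "reject_rbl_client sbl.spamhaus.org, "
    "reject_rbl_client ix.dnsbl.manitu.net, "
    "check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient_mail2.cf, "
    "permit_mynetworks, permit_mx_backup, permit_sasl_authenticated, "
    "reject_unauth_destination,  reject_rbl_client cbl.abuseat.org, "
    "reject_rbl_client dul.dnsbl.sorbs.net"
)

# Assumption of this example: restrictions with these prefixes take one argument.
ARG_PREFIXES = ("check_", "reject_rbl_", "reject_rhsbl_")


def parse_restrictions(value):
    """Split a restriction list (comma/whitespace separated) into (name, arg)."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    parsed, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name.startswith(ARG_PREFIXES) and i + 1 < len(tokens):
            arg, i = tokens[i + 1], i + 1
        parsed.append((name, arg))
        i += 1
    return parsed


def rejects_before(value, permit="permit_mynetworks"):
    """Return reject_* entries evaluated before `permit`, or None if absent.

    check_*_access lookups are not listed: their result depends on the table.
    """
    found = []
    for name, arg in parse_restrictions(value):
        if name == permit:
            return found
        if name.startswith("reject_"):
            found.append(name if arg is None else f"{name} {arg}")
    return None


if __name__ == "__main__":
    for entry in rejects_before(POSTED):
        print("evaluated before permit_mynetworks:", entry)
```

For the posted value this reports six sanity checks and the two reject_rbl_client lookups (sbl.spamhaus.org, ix.dnsbl.manitu.net) ahead of permit_mynetworks.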


