
Thread: Antispam Settings User Verification in postfix

  1. #1
    jliu29 is offline Member

    Hey all, I have just set up a brand new mail server for my company here using Zimbra.

    Here is the basic setup I am using:

    OS: Red Hat Enterprise Linux Server release 5.2

    Zimbra: Release 5.0.11_GA_2695.RHEL5_20081117051306 RHEL5 FOSS edition

    I am curious: is there a way to reject unknown users right at the door? For example:


    ###snip####
    l020048:~ jliou$ telnet x.x.x.x 25
    Trying x.x.x.x...
    Connected to xxxxx.xxx.
    Escape character is '^]'.
    220 xxxxx.xxx ESMTP Postfix
    helo foobar.com
    250 xxxxxxx.xxx
    mail from: testuser@foobar.com
    250 2.1.0 Ok
    rcpt to: sdfhisudfhiwdu@mydomain.com
    250 2.1.5 Ok
    ####snip####

    It seems to allow anything for mydomain.com to be sent on through. The reason I am asking about this is that in our setup we have gateway servers that use address_verify_maps to verify users, so I would like to be able to reject non-valid users right at this level. Is there any way to change this in the Zimbra Postfix configs without directly editing main.cf? I am also curious: by default, is the virtual mailbox table not checked?


    jliou
    Last edited by jliu29; 01-29-2009 at 09:39 AM.

  2. #2
    uxbod is offline Moderator

    Welcome to the forums

    Are you using a catchall address at all?
    Code:
    su - zimbra
    zmprov gacf | grep -i catch
    zimbraAdminConsoleCatchAllAddressEnabled: FALSE

  3. #3
    jliu29 is offline Member

    uxbod,

    Thanks for the welcome. It appears that I am not as well.

    ####snip####
    297 jliou@xxxxxx:~$sudo su - zimbra
    Password:
    [zimbra@xxxxxx ~]$ zmprov gacf|grep -i catch
    zimbraAdminConsoleCatchAllAddressEnabled: FALSE

  4. #4
    uxbod is offline Moderator

    By default non-existent users should be rejected
    Code:
    su - zimbra
    zmprov gcf zimbraMtaRestriction

  5. #5
    jliu29 is offline Member

    Here is the output that I have.


    ####snip####
    [zimbra@xxxxx ~]$ zmprov gcf zimbraMtaRestriction
    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaRestriction: reject_non_fqdn_sender
    ####end snip####

    Also, I noticed in the logs these emails are getting rejected.

    ####snip####
    Jan 29 09:22:45 mail0341 amavis[16865]: (16865-17) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20090126T102430-16865: <test@asdfijsofa.com> -> <sdfhisudfhiwdu@mydomain.com> SIZE=356 Received: from mail0341.dti ([127.0.0.1]) by localhost (mail0341.dti [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <sdfhisudfhiwdu@mydomain.com>; Thu, 29 Jan 2009 09:22:45 -0800 (PST)
    Jan 29 09:22:45 mail0341 amavis[16865]: (16865-17) Checking: dn9eeZel7W7x [10.20.6.142] <test@asdfijsofa.com> -> <sdfhisudfhiwdu@mydomain.com>
    Jan 29 09:22:46 mail0341 amavis[16865]: (16865-17) FWD via SMTP: <test@asdfijsofa.com> -> <sdfhisudfhiwdu@mydomain.com>,BODY=7BIT 250 2.6.0 Ok, id=16865-17, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2F6622CC04BB
    Jan 29 09:22:46 mail0341 amavis[16865]: (16865-17) Passed CLEAN, LOCAL [10.20.6.142] [10.20.6.142] <test@asdfijsofa.com> -> <sdfhisudfhiwdu@mydomain.com>, Message-ID: <20090129172242.4B4442CC04BA@mail0341.dti>, mail_id: dn9eeZel7W7x, Hits: 0.718, size: 356, queued_as: 2F6622CC04BB, 636 ms
    Jan 29 09:22:46 mail0341 postfix/smtp[11323]: 4B4442CC04BA: to=<sdfhisudfhiwdu@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=21, delays=20/0.01/0/0.64, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 2F6622CC04BB)
    Jan 29 09:22:46 mail0341 postfix/smtp[11328]: 2F6622CC04BB: to=<sdfhisudfhiwdu@mydomain.com>, relay=mx.mailix.net[216.148.221.135]:25, delay=0.19, delays=0.01/0.01/0.14/0.03, dsn=5.0.0, status=bounced (host mx.mailix.net[216.148.221.135] said: 550 unrouteable address (in reply to RCPT TO command))
    ####snip####

    I am curious how come I cannot reject right at the SMTP handshake level. Once again, I am asking this because my gateway server needs to be able to verify_user_maps against my Zimbra mail server. For example, these are the verify logs from my gateway server:

    Working on my old non-Zimbra server:
    ###snip###
    2:0:1233186812:host x.x.x.x[x.x.x.x] said: 550 <xxx@xxxxxxx.com>: User unknown in virtual mailbox table (in reply to RCPT TO command)
    xxx@xxxxx.xxx
    #####end snip####

    On the new Zimbra server it doesn't seem to check and just gives me 250 and lets it through.
    ####snip#####
    0:0:1233217377:250 2.1.5 Ok
    xxxxx@xxxxxxxxx
    ####end snip######

    Does that make more sense now?


    Jliu



    Jason
    Last edited by jliu29; 01-29-2009 at 10:35 AM.

  6. #6
    phoenix is offline Zimbra Consultant & Moderator

    To reject addresses that don't exist on your system use this: Improving Anti-spam system - Zimbra :: Wiki
    Regards


    Bill



  7. #7
    jliu29 is offline Member

    Bill,

    Thanks for your reply,

    I followed the instructions on that wiki and changed my zimbraMtaRestriction
    to the following:

    ###snip###
    [zimbra@xxxxx ~]$ zmprov gcf zimbraMtaRestriction
    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaRestriction: reject_non_fqdn_sender
    zimbraMtaRestriction: reject_unverified_recipient
    ###end snip###

    Also, here is the snip of the postfix_recipient_restrictions.cf

    ####snip####
    [zimbra@mail0341 ~]$ cat /opt/zimbra/conf/postfix_recipient_restrictions.cf
    reject_non_fqdn_recipient
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    reject_unlisted_recipient
    reject_unverified_recipient
    %%contains VAR:zimbraMtaRestriction reject_unverified_recipient%%
    %%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_client%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
    %%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
    permit
    ####end snip###

    But it looks like it's still the same when I check via telnet:

    ###snip###
    l020048:~ jliou$ telnet xxxx.xxx 25
    Trying x.x.x.x...
    Connected to xxxxx.xxx.
    Escape character is '^]'.
    220 mail0341.dti ESMTP Postfix
    helo xxxxx.com
    250 mail0341.dti
    mail from: test@xxxxx.com
    250 2.1.0 Ok
    rcpt to: aisjfosidjfijf@xxxxxxx.com
    250 2.1.5 Ok
    ####end snip####

    Also, I noticed that when I do postconf -d I don't see these changes. I have tried restarting and even rebooting the machine; am I still doing something wrong? Also, I have the Network Edition available but I only have 10 tickets to use. I was hoping I can solve the issue here, or do you think I should just open up a case?



    jliu

  8. #8
    phoenix is offline Zimbra Consultant & Moderator

    The important part of that article is the first two paragraphs:

    To reduce email to accounts that you don't even have: Change the entry in zmmta.cf for smtpd_reject_unlisted_recipients to 'yes', save the file and restart postfix. (postfix reload)

    -This rejects the request when the RCPT TO address is not listed in the list of valid recipients for its domain class. (ie: there's no such user account on the server)
    Regards


    Bill



  9. #9
    jliu29 is offline Member

    Quote (originally posted by phoenix):
    To reduce email to accounts that you don't even have: Change the entry in zmmta.cf for smtpd_reject_unlisted_recipients to 'yes', save the file and restart postfix. (postfix reload)

    Thanks for the tip, not sure how I missed it the first time around. Worked like a charm. All three of the restrictions are working now.


    jliou29

  10. #10
    jliu29 is offline Member
    Join Date
    Jan 2009
    Posts
    10
    Rep Power
    6

    Default

    Although:
    Now I have this problem – since we start “validating” all these incoming emails at the front on gateways – how to prevent spammers from building databases of valid users?
    I guess this is more like a Postfix problem. Ideally I would like to accept all incoming emails without revealing “invalid user names”. By the way, the VRFY is disabled!
    Thanks again folks!
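
On the harvesting concern raised in the last post: once unknown recipients are refused at RCPT TO, each refusal is logged by smtpd, so a client walking through guessed addresses can be spotted from the log. The following is an added example, not code from the thread or from Zimbra; the sample log lines are constructed, and the function name and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix smtpd log lines (not taken from the thread).
SAMPLE_LOG = """\
Jan 30 10:00:01 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<x@spam.test> to=<aaron@example.com> proto=SMTP helo=<spam.test>
Jan 30 10:00:02 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<x@spam.test> to=<abby@example.com> proto=SMTP helo=<spam.test>
Jan 30 10:00:03 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <Aaron@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<x@spam.test> to=<Aaron@example.com> proto=SMTP helo=<spam.test>
Jan 30 10:00:04 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.1 <adam@example.com>: Recipient address rejected: undeliverable address: unknown user; from=<x@spam.test> to=<adam@example.com> proto=SMTP helo=<spam.test>
Jan 30 10:05:00 mail postfix/smtpd[2150]: NOQUEUE: reject: RCPT from mx.partner.test[198.51.100.7]: 550 5.1.1 <jsmtih@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<bob@partner.test> to=<jsmtih@example.com> proto=ESMTP helo=<mx.partner.test>
Jan 30 10:05:09 mail postfix/smtpd[2150]: 4B4442CC04BA: client=mx.partner.test[198.51.100.7]
"""

# RCPT-stage rejections for unknown (reject_unlisted_recipient) or
# unverifiable (reject_unverified_recipient) recipient addresses.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: "
    r"[45]\d\d (?:[\d.]+ )?<(?P<rcpt>[^>]*)>: Recipient address rejected: "
    r"(?:User unknown|undeliverable address)"
)


def harvest_suspects(log_text, min_distinct=3):
    """Map client IP -> sorted distinct nonexistent recipients it tried,
    keeping only clients that tried at least min_distinct of them."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            # Case-fold so Aaron@ and aaron@ count as one guess.
            probes[m.group("ip")].add(m.group("rcpt").lower())
    return {ip: sorted(r) for ip, r in probes.items() if len(r) >= min_distinct}


if __name__ == "__main__":
    for ip, rcpts in harvest_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} distinct unknown recipients: {', '.join(rcpts)}")
```

Counting distinct addresses rather than raw rejections keeps a legitimate sender that retries one mistyped address below the threshold.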
