  #1 (permalink)  
Old 01-29-2009, 08:35 AM
Member
 
Posts: 10
Antispam Settings User Verification in postfix

Hey all, I have just set up a brand new mail server for my company here using Zimbra.

Here is the basic setup I am using:

OS: Red Hat Enterprise Linux Server release 5.2

Zimbra: Release 5.0.11_GA_2695.RHEL5_20081117051306 RHEL5 FOSS edition

I am curious: is there a way to reject unknown users right at the door? Like, for example:


###snip####
l020048:~ jliou$ telnet x.x.x.x 25
Trying x.x.x.x...
Connected to xxxxx.xxx.
Escape character is '^]'.
220 xxxxx.xxx ESMTP Postfix
helo foobar.com
250 xxxxxxx.xxx
mail from: testuser@foobar.com
250 2.1.0 Ok
rcpt to: sdfhisudfhiwdu@mydomain.com
250 2.1.5 Ok
####snip####

It seems to allow anything for mydomain.com to be sent on, though. The reason why I am asking about this is because in our setup we have gateway servers that use address_verify_maps to verify users. So I would like to be able to reject non-valid users right at this level. Is there any way to change this in the Zimbra Postfix configs without directly editing main.cf? I am also curious: by default, is the virtual mailbox table not checked?


jliou

Last edited by jliu29; 01-29-2009 at 08:39 AM..
  #2 (permalink)  
Old 01-29-2009, 08:40 AM
Moderator
 
Posts: 7,928
Default

Welcome to the forums

Are you using a catchall address at all?
Code:
su - zimbra
zmprov gacf | grep -i catch
zimbraAdminConsoleCatchAllAddressEnabled: FALSE
  #3 (permalink)  
Old 01-29-2009, 09:09 AM
Member
 
Posts: 10
Default

uxbod,

Thanks for the welcome. It appears that I am not as well.

####snip####
297 jliou@xxxxxx:~$sudo su - zimbra
Password:
[zimbra@xxxxxx ~]$ zmprov gacf|grep -i catch
zimbraAdminConsoleCatchAllAddressEnabled: FALSE
  #4 (permalink)  
Old 01-29-2009, 09:12 AM
Moderator
 
Posts: 7,928
Default

By default non-existent users should be rejected
Code:
su - zimbra
zmprov gcf zimbraMtaRestriction
  #5 (permalink)  
Old 01-29-2009, 09:25 AM
Member
 
Posts: 10
Default

Here is the output that I have.


####snip####
[zimbra@xxxxx ~]$ zmprov gcf zimbraMtaRestriction
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
####end snip####

Also, I noticed in the logs these emails are getting rejected.

####snip####
Jan 29 09:22:45 mail0341 amavis[16865]: (16865-17) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20090126T102430-16865: <test@asdfijsofa.com> -> <sdfhisudfhiwdu@mydomain.com> SIZE=356 Received: from mail0341.dti ([127.0.0.1]) by localhost (mail0341.dti [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <sdfhisudfhiwdu@mydomain.com>; Thu, 29 Jan 2009 09:22:45 -0800 (PST)
Jan 29 09:22:45 mail0341 amavis[16865]: (16865-17) Checking: dn9eeZel7W7x [10.20.6.142] <test@asdfijsofa.com> -> <sdfhisudfhiwdu@mydomain.com>
Jan 29 09:22:46 mail0341 amavis[16865]: (16865-17) FWD via SMTP: <test@asdfijsofa.com> -> <sdfhisudfhiwdu@mydomain.com>,BODY=7BIT 250 2.6.0 Ok, id=16865-17, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2F6622CC04BB
Jan 29 09:22:46 mail0341 amavis[16865]: (16865-17) Passed CLEAN, LOCAL [10.20.6.142] [10.20.6.142] <test@asdfijsofa.com> -> <sdfhisudfhiwdu@mydomain.com>, Message-ID: <20090129172242.4B4442CC04BA@mail0341.dti>, mail_id: dn9eeZel7W7x, Hits: 0.718, size: 356, queued_as: 2F6622CC04BB, 636 ms
Jan 29 09:22:46 mail0341 postfix/smtp[11323]: 4B4442CC04BA: to=<sdfhisudfhiwdu@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=21, delays=20/0.01/0/0.64, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 2F6622CC04BB)
Jan 29 09:22:46 mail0341 postfix/smtp[11328]: 2F6622CC04BB: to=<sdfhisudfhiwdu@mydomain.com>, relay=mx.mailix.net[216.148.221.135]:25, delay=0.19, delays=0.01/0.01/0.14/0.03, dsn=5.0.0, status=bounced (host mx.mailix.net[216.148.221.135] said: 550 unrouteable address (in reply to RCPT TO command))
####snip####

I am curious how come I cannot reject right at the SMTP handshake level. Once again, I am asking this because my gateway server needs to be able to verify_user_maps against my Zimbra mail server. For example, these are the verify logs from my gateway server:

Working on my old non-Zimbra server:
###snip###
2:0:1233186812:host x.x.x.x[x.x.x.x] said: 550 <xxx@xxxxxxx.com>: User unknown in virtual mailbox table (in reply to RCPT TO command)
xxx@xxxxx.xxx
#####end snip####

On the new Zimbra server it doesn't seem to check and just gives me 250 and lets it through.
####snip#####
0:0:1233217377:250 2.1.5 Ok
xxxxx@xxxxxxxxx
####end snip######

Does that make more sense now?


Jliu



Jason

Last edited by jliu29; 01-29-2009 at 09:35 AM..
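
The accept-then-bounce sequence in the log above (250 at RCPT time, re-queued through amavis, then a 550 from the next hop) can be picked out of a mail log automatically. This is an added example, not code from the thread or from Zimbra; the sample lines, host names and queue IDs are constructed, and `accepted_then_bounced` is a hypothetical helper name.

```python
import re

# Constructed sample, modelled on the Postfix lines quoted in the post above
# (host names, queue IDs and addresses are made up).
SAMPLE_LOG = """\
Jan 29 09:22:46 mx1 postfix/smtp[11323]: AAAA11112222: to=<nosuchuser@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=21, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BBBB33334444)
Jan 29 09:22:46 mx1 postfix/smtp[11328]: BBBB33334444: to=<nosuchuser@example.com>, relay=mx.example.net[192.0.2.25]:25, delay=0.19, dsn=5.0.0, status=bounced (host mx.example.net[192.0.2.25] said: 550 unrouteable address (in reply to RCPT TO command))
Jan 29 09:23:10 mx1 postfix/smtp[11323]: CCCC55556666: to=<alice@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DDDD77778888)
Jan 29 09:23:11 mx1 postfix/lmtp[11400]: DDDD77778888: to=<alice@example.com>, relay=mx1.example.com[192.0.2.10]:7025, delay=0.3, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
"""

# One delivery-attempt line: queue ID, recipient, DSN code, status, remote reply.
DELIVERY = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>,"
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<detail>.*)\)$"
)
REQUEUED = re.compile(r"queued as (?P<next>[0-9A-F]+)")

def accepted_then_bounced(log_text):
    """Return (original_qid, recipient, bounce_detail) for mail that was
    accepted at SMTP time, re-queued by the content filter, then bounced."""
    parent = {}    # re-injected queue ID -> queue ID it came from
    findings = []
    for line in log_text.splitlines():
        m = DELIVERY.search(line)
        if not m:
            continue
        qid, status, detail = m["qid"], m["status"], m["detail"]
        if status == "sent":
            nxt = REQUEUED.search(detail)
            if nxt:
                parent[nxt["next"]] = qid
        elif status == "bounced" and m["dsn"].startswith("5."):
            # Walk back through the filter hop(s) to the queue ID first accepted.
            origin = qid
            while origin in parent:
                origin = parent[origin]
            findings.append((origin, m["rcpt"], detail))
    return findings

if __name__ == "__main__":
    for origin, rcpt, detail in accepted_then_bounced(SAMPLE_LOG):
        print(f"{origin}: accepted for <{rcpt}>, later bounced: {detail}")
```

Every hit is a message the server accepted and then had to bounce, which is the behaviour that rejecting unknown recipients at RCPT time removes.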
  #6 (permalink)  
Old 01-29-2009, 10:31 AM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

To reject addresses that don't exist on your system use this: Improving Anti-spam system - Zimbra :: Wiki
__________________
Regards


Bill
  #7 (permalink)  
Old 01-29-2009, 01:13 PM
Member
 
Posts: 10
Default

Bill,

Thanks for your reply,

I followed the instructions on that wiki and changed my zimbraMtaRestriction
to the following:

###snip###
[zimbra@xxxxx ~]$ zmprov gcf zimbraMtaRestriction
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_unverified_recipient
###end snip###

Also, here is the snip of the postfix_recipient_restrictions.cf

####snip####
[zimbra@mail0341 ~]$ cat /opt/zimbra/conf/postfix_recipient_restrictions.cf
reject_non_fqdn_recipient
permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
reject_unverified_recipient
%%contains VAR:zimbraMtaRestriction reject_unverified_recipient%%
%%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
%%contains VAR:zimbraMtaRestriction reject_unknown_client%%
%%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
%%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
permit
####end snip###

But it looks like it's still the same when I check via telnet:

###snip###
l020048:~ jliou$ telnet xxxx.xxx 25
Trying x.x.x.x...
Connected to xxxxx.xxx.
Escape character is '^]'.
220 mail0341.dti ESMTP Postfix
helo xxxxx.com
250 mail0341.dti
mail from: test@xxxxx.com
250 2.1.0 Ok
rcpt to: aisjfosidjfijf@xxxxxxx.com
250 2.1.5 Ok
####end snip####

Also, I noticed when I do postconf -d I don't see these changes? I have tried restarting, even rebooting the machine; am I still doing something wrong? Also, I have the Network Edition available but I only have 10 tickets to use. I was hoping I can solve the issue here, or do you think I should just open up a case?



jliu
  #8 (permalink)  
Old 01-29-2009, 01:38 PM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

The important part of that article is the first two paragraphs:

Quote:
To reduce email to accounts that you don't even have: Change the entry in zmmta.cf for smtpd_reject_unlisted_recipients to 'yes', save the file and restart postfix. (postfix reload)

-This rejects the request when the RCPT TO address is not listed in the list of valid recipients for its domain class. (ie: there's no such user account on the server)
__________________
Regards


Bill
  #9 (permalink)  
Old 01-29-2009, 03:20 PM
Member
 
Posts: 10
Default

Quote:
Originally Posted by phoenix
To reduce email to accounts that you don't even have: Change the entry in zmmta.cf for smtpd_reject_unlisted_recipients to 'yes', save the file and restart postfix. (postfix reload)
Thanks for the tip, not sure how I missed it the first time around. Worked like a charm. All three of the restrictions are working now.


jliou29
  #10 (permalink)  
Old 01-29-2009, 03:31 PM
Member
 
Posts: 10
Default

Although:
Now I have this problem – since we start “validating” all these incoming emails at the front on gateways – how do we prevent spammers from building databases of valid users?
I guess this is more like a Postfix problem. Ideally I would like to accept all incoming emails without revealing “invalid user names”. By the way, VRFY is disabled!
Thanks again folks!
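
Once unknown recipients are rejected at RCPT time, a client that probes many non-existent addresses becomes visible in the smtpd reject log. This is an added example, not from the thread or from Zimbra, that flags such clients; the log lines are constructed in the usual Postfix reject format, and `harvest_suspects` and its threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the usual Postfix smtpd reject format (assumed here;
# client addresses are documentation ranges, recipients are made up).
SAMPLE_LOG = """\
Jan 29 15:40:01 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@spam.invalid> to=<adam@example.com> proto=SMTP helo=<x>
Jan 29 15:40:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@spam.invalid> to=<admin@example.com> proto=SMTP helo=<x>
Jan 29 15:40:03 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <Admin@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@spam.invalid> to=<Admin@example.com> proto=SMTP helo=<x>
Jan 29 15:40:04 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <alan@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@spam.invalid> to=<alan@example.com> proto=SMTP helo=<x>
Jan 29 15:41:00 mx1 postfix/smtpd[2103]: 3F1A2B4C5D6E: client=mail.example.org[198.51.100.20]
Jan 29 15:41:30 mx1 postfix/smtpd[2103]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.20]: 550 5.1.1 <jsmiht@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<bob@example.org> to=<jsmiht@example.com> proto=ESMTP helo=<mail.example.org>
"""

# Only RCPT-stage rejections for unknown users; other reject reasons are ignored.
REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: "
    r"55\d [\d.]+ <(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)

def harvest_suspects(log_text, threshold=3):
    """Map client IP -> sorted unknown recipients it tried, for clients that
    hit at least `threshold` distinct non-existent addresses."""
    probed = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            # Lower-case so retries with different casing count once.
            probed[m["ip"]].add(m["rcpt"].lower())
    return {ip: sorted(r) for ip, r in probed.items() if len(r) >= threshold}

if __name__ == "__main__":
    for ip, rcpts in harvest_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} unknown recipients tried: {', '.join(rcpts)}")
```

A single mistyped address from a legitimate sender stays below the threshold. Postfix's own `smtpd_soft_error_limit` and `smtpd_hard_error_limit` settings slow down and disconnect clients that accumulate errors within one session.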