  #1 (permalink)  
Old 07-30-2010, 08:44 AM
New Member
 
Posts: 4
Default [SOLVED] Too many "Relay access denied"

Hello Everybody,
For a couple of weeks I've been receiving a lot of "Relay access denied" from many clients.

Like this:
Jul 30 17:42:31 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <harrisondd@larestaurant.com>: Relay access denied; from=<burgled@4felines.freeserve.co.uk> to=<harrisondd@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
Jul 30 17:42:31 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <hatchernn@larestaurant.com>: Relay access denied; from=<burgled@4felines.freeserve.co.uk> to=<hatchernn@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
Jul 30 17:42:32 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <haskinsdd@larestaurant.com>: Relay access denied; from=<enamor056@7dealsaweek.com> to=<haskinsdd@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
Jul 30 17:42:32 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <haskinsi@larestaurant.com>: Relay access denied; from=<enamor056@7dealsaweek.com> to=<haskinsi@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
Jul 30 17:42:32 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <hastings@larestaurant.com>: Relay access denied; from=<enamor056@7dealsaweek.com> to=<hastings@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
Jul 30 17:42:32 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <hatch@larestaurant.com>: Relay access denied; from=<enamor056@7dealsaweek.com> to=<hatch@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
Jul 30 17:42:32 zimbra postfix/smtpd[22231]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <harveynn@larestaurant.com>: Relay access denied; from=<shinning94@91932.com> to=<harveynn@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
Jul 30 17:42:33 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <hatchd@larestaurant.com>: Relay access denied; from=<enamor056@7dealsaweek.com> to=<hatchd@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
Jul 30 17:42:33 zimbra postfix/smtpd[22231]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <haskins@larestaurant.com>: Relay access denied; from=<shinning94@91932.com> to=<haskins@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
Jul 30 17:42:33 zimbra postfix/smtpd[22232]: connect from unknown[196.44.195.138]
Jul 30 17:42:34 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <hatchdd@larestaurant.com>: Relay access denied; from=<enamor056@7dealsaweek.com> to=<hatchdd@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccawleya@vivia.com>: Relay access denied; from=<bootlegkv5@pantrennwand.com> to=<mccawleya@vivia.com> proto=ESMTP helo=<VXIDRLQ>
Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccawleya@vivia.com>: Relay access denied; from=<orderingb040@tukana.com> to=<mccawleya@vivia.com> proto=ESMTP helo=<VXIDRLQ>
Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccord@lbvsd.org>: Relay access denied; from=<orderingb040@tukana.com> to=<mccord@lbvsd.org> proto=ESMTP helo=<VXIDRLQ>
Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mcclychiari@iwado.com>: Relay access denied; from=<orderingb040@tukana.com> to=<mcclychiari@iwado.com> proto=ESMTP helo=<VXIDRLQ>
Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mcclydemage@bbsdocumentary.com>: Relay access denied; from=<orderingb040@tukana.com> to=<mcclydemage@bbsdocumentary.com> proto=ESMTP helo=<VXIDRLQ>
Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccawley@davero.com>: Relay access denied; from=<orderingb040@tukana.com> to=<mccawley@davero.com> proto=ESMTP helo=<VXIDRLQ>
Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccray@amaerospace.com>: Relay access denied; from=<orderingb040@tukana.com> to=<mccray@amaerospace.com> proto=ESMTP helo=<VXIDRLQ>
Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccray@alboran.ual.es>: Relay access denied; from=<orderingb040@tukana.com> to=<mccray@alboran.ual.es> proto=ESMTP helo=<VXIDRLQ>
Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccrayigmccray@alboran.ual.es>: Relay access denied; from=<orderingb040@tukana.com> to=<mccrayigmccray@alboran.ual.es> proto=ESMTP helo=<VXIDRLQ>
Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccray@alldirect.com>: Relay access denied; from=<orderingb040@tukana.com> to=<mccray@alldirect.com> proto=ESMTP helo=<VXIDRLQ>
Jul 30 17:42:35 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccray@altmann.com>: Relay access denied; from=<orderingb040@tukana.com> to=<mccray@altmann.com> proto=ESMTP helo=<VXIDRLQ>
Jul 30 17:42:37 zimbra postfix/smtpd[22231]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <hatcher@larestaurant.com>: Relay access denied; from=<ardorby4@3sixtymedia.com> to=<hatcher@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>


Is it possible to block IPs trying to relay with my server?

Thanks.
Reply With Quote
  #2 (permalink)  
Old 07-30-2010, 07:24 PM
Elite Member
 
Posts: 338
Default

do not need.
Reply With Quote
  #3 (permalink)  
Old 07-31-2010, 02:45 AM
New Member
 
Posts: 4
Default

Quote:
Originally Posted by dalmate View Post
do not need.
I'm receiving 10MB of log each day, it looks like a DOS attack from a lot of different IPs.

Blocking these IPs definitively would be much better.
Reply With Quote
  #4 (permalink)  
Old 07-31-2010, 02:58 AM
Zimbra Consultant & Moderator
 
Posts: 20,313
Default

I'd have to ask why you're seeing that many messages in the logs? Have you modified the Kill/Tag percentages, have you modified the anti-spam settings, do you use any RBLs, do you discard mail sent to invalid addresses? All of those will offer you some respite from spam; you need to post further information about your configuration and search the forums and wiki for some additional techniques.
__________________
Regards


Bill
Reply With Quote
  #5 (permalink)  
Old 07-31-2010, 08:47 AM
New Member
 
Posts: 4
Default

I have the default Anti Spam settings and RBLs activated:

Code:
zimbra@zimbra:/root$ zmprov gacf | grep zimbraMtaRestriction
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_rbl_client dnsbl.njabl.org
zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org
zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
zimbraMtaRestriction: reject_rbl_client sbl.spamhaus.org
zimbraMtaRestriction: reject_rbl_client relays.mail-abuse.org
I receive 30 attempts to relay from one IP, then:

Code:
Jul 31 12:27:12 zimbra postfix/smtpd[16979]: too many errors after RCPT from unknown[174.46.159.50]
Jul 31 12:27:12 zimbra postfix/smtpd[16979]: disconnect from unknown[174.46.159.50]
And then another IP starts to try relaying.


In this situation the mail queue is empty, so I think the server is well configured. I'm worried about the intensive unwanted external activities.
Reply With Quote
  #6 (permalink)  
Old 07-31-2010, 11:18 AM
Zimbra Consultant & Moderator
 
Posts: 20,313
Default

I'd suggest that the first thing you should look at is your RBL list. I believe you'll get better results if you use the zen.spamhaus.org RBL (it includes all the RBL lists) rather than the one you've got and it should be placed first in your list. I find it strange that some of those IPs don't get rejected (and I don't have an answer as to 'why') when they fail a multi-RBL check, for instance there's one here: MSRBL - Multi RBL Checker - try it for the other IPs and see if they're listed. FWIW I only use the following restrictions:

Code:
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client psbl.surriel.com
zimbraMtaRestriction: reject_rbl_client dnsbl.dronebl.org
zimbraMtaRestriction: reject_rbl_client bl.spameatingmonkey.net
I see very little spam on my server and almost no relay attempts (that get through) and spamhaus block the vast majority of the spam. As I mentioned earlier I also reject mail sent to invalid addresses - you can find more details in the wiki in the article on improving the anti-spam system.
__________________
Regards


Bill
Reply With Quote
  #7 (permalink)  
Old 08-06-2010, 02:27 PM
imx
Special Member
 
Posts: 131
Default

The others are missing the point... I use fail2ban; if you're using KiddieOS (Ubuntu) this is fairly easy. Just configure the postfix module as follows and point it at the fail log:


[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
maxretry = 2
bantime = 86400
findtime = 600
action = %(action_mwl)s
logpath = /var/log/mail.log

This works perfectly and lowered the load on my server significantly.
Reply With Quote
  #8 (permalink)  
Old 08-06-2010, 02:34 PM
imx
Special Member
 
Posts: 131
Default

From the postfix filter file in fail2ban, this regex bans via iptables the exact issue you're seeing - excessive 554 errors:

failregex = reject: RCPT from (.*)\[<HOST>\]: 554
Reply With Quote
  #9 (permalink)  
Old 08-07-2010, 04:18 PM
New Member
 
Posts: 4
Default

Thanks a lot IMX, using fail2ban solved my problem, now most of the relay attempts have been blocked.

I think a better solution would be banning addresses using RBLs instead of relay errors, just to prevent attacks.

Anyway my problem now is solved.

Thanks again.
Reply With Quote
  #10 (permalink)  
Old 08-08-2010, 02:25 AM
imx
Special Member
 
Posts: 131
Default

Sure, which is why I took this one step further - and created my own RBL from the ban logs - and then use this on my firewalls (you can use it on iptables quite easily with some scripting) so it blocks before the mail server has to even process the connection. When using this across a decent amount, or even only a couple, of servers you really see the benefits. Even if you didn't want to put this on a firewall, you could put the home-made RBL across your Zimbra servers, so if one sees an attack... they all do and block it.

Maybe I'll write up a how-to when I find a moment
Reply With Quote