How do I deal with unknown addresses in my postfix log?

Discussion:

(too old to reply)

Henrik B A

2016-11-25 09:02:22 UTC

It seems that mail from unknown recipients/senders are being sent through my postfix server. I see a lot of entries like this, with different shady addresses:

Nov 24 15:32:35 XXXXX postfix/smtpd[12363]: 34108BA48C6: client=localhost[127.0.0.1]
Nov 24 15:32:35 XXXXX postsrsd[13736]: srs_forward: <***@fortalezatours.com> rewritten as <SRS0+FZUn=XJ=fortalezatours.com=***@YYYYY.ZZ>
Nov 24 15:32:35 XXXXX postfix/cleanup[13735]: 34108BA48C6: message-id=<***@fortalezatours.com>
Nov 24 15:32:35 XXXXX postfix/qmgr[12188]: 34108BA48C6: from=<SRS0+FZUn=XJ=fortalezatours.com=***@YYYYY.ZZ>, size=1196, nrcpt=1 (queue active)
Nov 24 15:32:35 XXXXX amavis[13918]: (13918-01) Passed CLEAN {RelayedOpenRelay}, [222.92.30.22]:49947 [222.92.30.22] <***@fortalezatours.com> -> <***@ukr.net>, Queue-ID: 8F805BA48C7, Message-ID: <***@fortalezatours.com>, mail_id: qF8LOG1vGb3f, Hits: 2.58, size: 768, queued_as: 34108BA48C6, 2235 ms
Nov 24 15:32:35 XXXXX postfix/smtp[13887]: 8F805BA48C7: to=<***@ukr.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.3, delays=2.4/0/0.84/2.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 34108BA48C6)
Nov 24 15:32:35 XXXXX postfix/smtp[13676]: 34108BA48C6: to=<***@ukr.net>, relay=mxs.ukr.net[212.42.77.251]:25, delay=0.25, delays=0.17/0/0.04/0.04, dsn=2.0.0, status=sent (250 OK id=1c9v4l-000JFT-EP)
Nov 24 15:32:35 XXXXX postfix/qmgr[12188]: 34108BA48C6: removed
(My server name and domain is replaced with XXXXX and YYYYY.ZZ)

I don't have an open relay (relayhost= is set in main.cf), and I have a proper SPF record ("v=spf1 a mx ?all"). What more do I need to do?

Cheers,
Henrik

Rob Brown

2016-11-25 19:37:54 UTC

Permalink

Post by Henrik B A
I don't have an open relay (relayhost= is set in main.cf),

I don't think that that is what the relayhost setting does.

Relayhost specifies where to send mail if there is no matching entry in the
transport map. I suppose if there is no relayhost and no transport map, mail
will be sent directly to the recipient.

See relay_domains and transport_maps.

At our shop, we had to relay mail through our outside facing postfix to our
inside mail servers. We used the relay_recipients file to make sure that
unknown recipients were not relayed. See relay_recipient_maps.

hth

Henrik B A

2016-11-26 13:01:14 UTC

Permalink

Post by Rob Brown
See relay_domains and transport_maps.

Hmm, neither of those are set. Never mind, here's my full main.cf (with some obfuscation):

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/mail.XXXXX.no.crt
smtpd_tls_key_file=/etc/ssl/private/mail.XXXXX.no.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = ZZZZZ.XXXXX.no
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = XXXXX.no, ZZZZZ.XXXXX.no, mail.XXXXX.no, localhost.XXXXX.no, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
virtual_alias_domains =
WWWWW.no,
VVVVV.no
virtual_maps = hash:/etc/postfix/virtual
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_tls_auth_only = yes
content_filter = smtp-amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_pipelining,
reject_rbl_client zen.spamhaus.org,
message_size_limit = 50000000
smtp_generic_maps = hash:/etc/postfix/generic
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
sender_canonical_maps = tcp:127.0.0.1:10001
recipient_canonical_maps = tcp:127.0.0.1:10002
sender_canonical_classes = envelope_sender
recipient_canonical_classes = envelope_recipient

Is there anything more I should do to prevent those obviously dubious email being passed through my server? (Btw, sender/recipient_canonical_maps points to postsrsd so that forwarding works properly.)

Cheers,
Henrik

Rob Brown

2016-11-28 20:50:55 UTC

Permalink

Is there anything more I should do ...

Well we have now exceeded my expertise. When I was tying to figure this stuff
out, many years ago, I found the documentation at http://www.postfix.org useful.
Googling postfix open relay can also be entertaining.

Good luck.