From: Randy on 24 Mar 2010 12:36

A configuration was introduced (from the holy powers) which happens to cause our server to backscatter and I am trying to fix the problem on our end ASAP.

1. We relay to an offsite mail server for a few of our users (contracted mail hosting)
2. This is M$exchange, and they have rules which reject mail that we forward causing us to possibly backscatter. argh!

EX:
<rhys(a)theholycat.com>: Sender address rejected: Domain not found (in reply to RCPT TO command))

So I tried to use HELO checks and sender restrictions which works for some but still lets many go through.

Using:
smtpd_sender_restrictions = hash:/etc/postfix/access,permit_mynetworks,reject_unknown_sender_domain

Since reject_unknown_sender_domain finds a valid MX, this gets through. So I am interested to know which settings I can implement that will block these without forwarding since the MSexchange server seems to have rules to catch them.

Also it appears that some of these connections don't use helo and if this is important information to help with this, I will provide those.

Can anyone offer suggestions?

Thanks,
Randy Ramsdell

From: Sean Reifschneider on 24 Mar 2010 16:06

On 03/24/2010 10:36 AM, Randy wrote:
> EX:
> <rhys(a)theholycat.com>: Sender address rejected: Domain not found (in
> reply to RCPT TO command))

I'd be tempted to set up a milter or policy filter that for each rcpt would connect to the Exchange server (assuming that's where it's destined) and see if that server will accept it. There's probably a better way to do it, but that's what comes to my mind.

Sean
--
Sean Reifschneider, Member of Technical Staff <jafo(a)tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability

From: Wietse Venema on 24 Mar 2010 16:28

Sean Reifschneider:
> On 03/24/2010 10:36 AM, Randy wrote:
> > EX:
> > <rhys(a)theholycat.com>: Sender address rejected: Domain not found (in
> > reply to RCPT TO command))
>
> I'd be tempted to set up a milter or policy filter that for each rcpt
> would connect to the Exchange server (assuming that's where it's destined)
> and see if that server will accept it. There's probably a better way to do
> it, but that's what comes to my mind.

You could also use Postfix's built-in recipient address verification feature.

http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

Wietse

From: Randy on 24 Mar 2010 16:55

Wietse Venema wrote:
> Sean Reifschneider:
>> On 03/24/2010 10:36 AM, Randy wrote:
>>> EX:
>>> <rhys(a)theholycat.com>: Sender address rejected: Domain not found (in
>>> reply to RCPT TO command))
>>
>> I'd be tempted to set up a milter or policy filter that for each rcpt
>> would connect to the Exchange server (assuming that's where it's destined)
>> and see if that server will accept it. There's probably a better way to do
>> it, but that's what comes to my mind.
>
> You could also use Postfix's built-in recipient address verification feature.
>
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
>
> Wietse

The recipient is a real recipient. The m$change server is rejecting on the sender domain part, where the postfix setting "reject_unknown_sender_domain" does not fit here since these domains do have an MX record.

The problem really boils down to determining what criteria m$change is using to reject the sender domain. Keep in mind that these mails are spam.

dig theholycat.com MX
;; ANSWER SECTION:
theholycat.com. 600 IN MX 20 mail13.theholycat.com.

dig mail13.theholycat.com
;; ANSWER SECTION:
mail13.theholycat.com. 589 IN A 208.43.143.111

dig -x 208.43.143.111
;; ANSWER SECTION:
111.143.43.208.in-addr.arpa. 3600 IN PTR 208.43.143.111-static.reverse.softlayer.com.

Forward and reverse do not match for the mail server, and I think I am seeing "unknown" regarding the connection ip because of this. Should I look into rejecting on these grounds? Or is that too intrusive and subject to false positives?

Note: We are rejecting many because of the "reject_unknown_sender_domain" but not all.

Thanks,
Randy Ramsdell

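Added example, not part of the thread: a sketch of the forward-confirmed reverse DNS test (IP to PTR name, PTR name back to the same IP) and of which of Postfix's two client-hostname restrictions, reject_unknown_reverse_client_hostname and reject_unknown_client_hostname, would reject each outcome. The test compares the PTR name's addresses with the client IP, so an MX hostname that differs from the PTR name is not by itself a failure. The resolver data is constructed so the code runs offline; the forward record for the Softlayer PTR name and the two 192.0.2.x clients are assumptions.

```python
import ipaddress

# Constructed resolver data so the check runs offline. The PTR for
# 208.43.143.111 is the one shown in the thread; its forward A record
# and the two 192.0.2.x clients are assumptions for illustration.
PTR = {
    "208.43.143.111": "208.43.143.111-static.reverse.softlayer.com",
    "192.0.2.10": "mail.example.net",
    # 192.0.2.20 deliberately has no PTR record
}
A = {
    "208.43.143.111-static.reverse.softlayer.com": ["208.43.143.111"],
    "mail.example.net": ["192.0.2.99"],  # forward points somewhere else
}

def client_hostname_status(ip):
    """Forward-confirmed reverse DNS: IP -> PTR name -> A -> same IP?"""
    name = PTR.get(ip)
    if name is None:
        return "no_ptr"
    addrs = A.get(name, [])
    if not addrs:
        return "forward_missing"
    want = ipaddress.ip_address(ip)
    if any(ipaddress.ip_address(a) == want for a in addrs):
        return "verified"
    return "forward_mismatch"

def restrictions_that_reject(ip):
    """Which of the two Postfix client restrictions would reject this IP."""
    status = client_hostname_status(ip)
    hits = []
    if status == "no_ptr":
        hits.append("reject_unknown_reverse_client_hostname")
    if status != "verified":
        hits.append("reject_unknown_client_hostname")
    return hits

if __name__ == "__main__":
    for ip in ("208.43.143.111", "192.0.2.10", "192.0.2.20"):
        print(ip, client_hostname_status(ip), restrictions_that_reject(ip))
```
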
From: Stan Hoeppner on 24 Mar 2010 18:47
Randy put forth on 3/24/2010 3:55 PM:

> dig -x 208.43.143.111
> ;; ANSWER SECTION:
> 111.143.43.208.in-addr.arpa. 3600 IN PTR
> 208.43.143.111-static.reverse.softlayer.com.

Your problem isn't the Exchange server per se. Your problem is that you're forwarding spam to it, and its anti-spam software is better than that on your Postfix server, which causes the backscatter.

Almost any mail coming to you from Softlayer IP space is going to be spam, most likely snowshoe. Softlayer is a generic ISP/COLO outfit with tons of resellers and terrible (nonexistent) customer vetting. They have few, if any, legit email sending customers. As you can see I've extensively SMTP blocked Softlayer over the years. I suggest you do the same.

# Softlayer, Dallas 10/10/2008
66.228.112.0/20 REJECT
67.228.0.0/16 REJECT
74.86.0.0/16 REJECT
208.43.0.0/16 REJECT
174.36.0.0/15 REJECT
75.126.0.0/16 REJECT
173.192.0.0/15 REJECT

Beef up the anti-spam capabilities on your Postfix server and this problem will go away. Either that or tell the Exchange admin to silently drop/discard/eat the spam instead of rejecting it back upstream. The former is the preferable route, the latter the lazy route.

--
Stan