From: Ansgar Wiechers on
On 2010-05-04 Terry Gilsenan wrote:
> Then change mynetworks to be 127.0.0.1 and use a firewall to block
> incoming tcp on 25 and 587; it really is that simple. Don't allow
> services to listen to anything you don't want them to act on.

If you don't want services to listen on interfaces they're not supposed
to listen on: configure the services to not listen on those interfaces.
Do NOT let the services listen on all interfaces and then block access
with a packet filter.

inet_interfaces = loopback-only

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

From: Ansgar Wiechers on
On 2010-05-04 Appliantologist wrote:
> I had a situation where some of my users had compromised machines and
> someone in Brazil and India were able to authorize themselves to use
> sendmail using the login-then-send scenario. Recently we changed
> hosting and set up postfix. In addition we decided to eliminate any
> access to our system by email users; instead we asked them all to go
> open gmail accounts and put the corresponding address in the virtual
> file.
>
> Now it seems the spammers are back with a vengeance and still able to
> send spam. I set up the rules suggested but it seems they are simply
> using emails that exist. I was hoping someone could point me to a
> solution.
>
>
> I would like to set up postfix so that:
>
> It only accepts mail generated by the scripts on the server
> and
> It only accepts mail to a predefined list of email addresses
>
> I tried to make a CIDR file with most of the 3rd world in it, some
> 30,000 ips but for some reason it doesn't seem to have the effect I
> was hoping for.
> Any ideas would be helpful, thanks. David

Please post a log excerpt of one full (spam) mail transaction from
submission to delivery to demonstrate the issue. Also post the output of
"postconf -n".

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

From: Appliantologist on
Hi guys,

I still need to accept mail for the email addresses we host on our
machine from the net, so blocking port 25 or setting mynetworks to
localhost would seem to prevent that. We still have users on the domain
that get mail to the address, except now we forward that mail to gmail
using the virtual table.

here is the result of postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_privs = apache
disable_vrfy_command = yes
html_directory = no
in_flow_delay = 1s
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = wans-eu.com
myhostname = wans-eu.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_helo_restrictions = reject_invalid_hostname
strict_rfc821_envelopes = yes
unknown_local_recipient_reject_code = 550
virtual_alias_domains = multiterminal.ua
virtual_alias_maps = hash:/etc/postfix/virtual


On Tue, May 4, 2010 at 2:14 AM, Terry Gilsenan
<terry.gilsenan(a)interoil.com> wrote:
> From: owner-postfix-users(a)postfix.org [owner-postfix-users(a)postfix.org] On Behalf Of Appliantologist [octobit(a)gmail.com]
> Sent: Tuesday, 4 May 2010 9:11 AM
> To: Gary Smith
> Cc: The Doctor; postfix-users(a)postfix.org
> Subject: Re: Stopping spammers extreme
>
> Hi,
>
> We don't have any legitimate users sending mail aside from scripts on
> the server (linux), only mail from localhost, anyone with an email
> address is listed in the virtual file and has their email forwarded to
> a gmail and uses gmail's MTA to send mail.
>
> Since we have all the email addresses we accept mail for in a file
> (/etc/postfix/virtual) I was hoping there was some way to check a) is
> the mail from the localhost OR is the mail for an address in some
> file. My understanding is you can make a list of email addresses
> that you will deliver to like a whitelist, but we also send mail from
> scripts to outside addresses of which we don't always know beforehand.
>
> I don't think I am running an open relay, I've tested it on a couple
> of sites came back clean. I come from 20 years of sendmail, which has
> a completely different system and we were using pop authorization,
> until people had their password compromised and spammers took over.
>
> I am sure some of this is trojans so the amavisd seems like a solid
> tool to have anyway.
>
> Thanks guys,
> David
>
> Do this..:
>
> Then change mynetworks to be 127.0.0.1 and use a firewall to block incoming tcp on 25 and 587; it really is that simple. Don't allow services to listen to anything you don't want them to act on.
>
>
>
>
> On Tue, May 4, 2010 at 1:49 AM, Gary Smith <gary.smith(a)holdstead.com> wrote:
>>> > I tried to make a CIDR file with most of the 3rd world in it, some
>>> > 30,000 ips but for some reason it doesn't seem to have the effect I
>>> > was hoping for.
>>> > Any ideas would be helpful, thanks. David
>>>
>>> Add amavisd to your postfix.
>>
>> If they are relaying messages through their server, how is amavisd going to help?  Some additional configuration details might be useful.  Are the users authenticated?  If so, which user is sending the email?  It actually sounds like an open relay issue.  But I'm just guessing here.
>>
>

From: Charles Marcus on
Please stop top-posting...

On 2010-05-04 5:29 AM, Appliantologist wrote:
> Hi guys,
>
> I still need to accept mail for the email addresses we host on our
> machine from the net, so blocking port 25 or mynetworks as local host
> would seem to prevent that. we still have users on the domain that
> get mail to the address, except now we forward that mail to gmail
> using the virtual table
>
> here is the result of postconf -n

You forgot the logging of a sample spam...

--

Best regards,

Charles

From: Gary Smith on
> Hi guys,
>
> I still need to accept mail for the email addresses we host on our
> machine from the net, so blocking port 25 or mynetworks as local host
> would seem to prevent that. we still have users on the domain that
> get mail to the address, except now we forward that mail to gmail
> using the virtual table

Accepting email for your domain and setting mynetworks to localhost still work. When mynetworks is set to remote addresses, you are giving those remote addresses permission to relay through you. That's bad.

The short course is that you need to set up postfix to accept email for your domain, then set mynetworks to be your local network (or loopback). When you do that, external email will still be allowed to flow to your server, and your server will accept that email, as it knows it is the endpoint. Once this is done any email coming across the internet to your box will be rejected if it's not the proper destination.

Though you say you're not an open relay, it still sounds like you are.
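As an added example (editor's code, not written by anyone in this thread): the script below parses a `postconf -n` dump and reports the two exposure points raised above, Ansgar's (smtpd listening on every interface because of inet_interfaces = all) and Gary's (mynetworks granting relay permission to anything beyond loopback), plus whether reject_unauth_destination is present in smtpd_recipient_restrictions. The sample input is the poster's own postconf -n output, trimmed to the relevant parameters. Two assumptions are built in: that an unset mynetworks_style means 'subnet', which is the Postfix 2.x default (3.0 changed it to 'host'), and that an unset smtpd_recipient_restrictions falls back to the Postfix 2.x default of permit_mynetworks, reject_unauth_destination.

```python
"""Audit a Postfix `postconf -n` dump for the relay-exposure points raised in
this thread.  Added example code, not from the thread's participants."""
import ipaddress

# Constructed sample: the `postconf -n` output posted in this thread,
# trimmed to the parameters the audit looks at.
SAMPLE_POSTCONF = """\
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = wans-eu.com
myhostname = wans-eu.com
smtpd_helo_restrictions = reject_invalid_hostname
virtual_alias_domains = multiterminal.ua
virtual_alias_maps = hash:/etc/postfix/virtual
"""

LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))
# Lookup-table prefixes mynetworks may contain; their contents are not in main.cf.
TABLE_TYPES = {"hash", "btree", "cidr", "texthash", "pcre", "regexp", "static",
               "inline", "ldap", "mysql", "pgsql", "sqlite", "proxy"}


def parse_postconf(text):
    """Parse `key = value` lines into a dict, skipping blanks and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def parse_mynetworks(value):
    """Split a mynetworks value into ip_network objects plus any lookup
    tables (hash:/path etc.), whose contents cannot be resolved offline."""
    nets, tables = [], []
    for entry in value.replace(",", " ").split():
        if entry.split(":", 1)[0] in TABLE_TYPES:
            tables.append(entry)
            continue
        entry = entry.replace("[", "").replace("]", "")  # Postfix writes [::1]/128
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets, tables


def is_loopback(net):
    return any(net.subnet_of(lb) for lb in LOOPBACK if net.version == lb.version)


def audit(conf, default_mynetworks_style="subnet"):
    """Return a list of findings; entries starting with 'info:' are
    informational.  default_mynetworks_style is what Postfix uses when
    mynetworks is unset: 'subnet' on Postfix 2.x (the 2.3.3 in this thread),
    'host' from 3.0 on.  Assumed here, not read from the dump."""
    findings = []

    # Ansgar's point: listening everywhere and filtering afterwards is the
    # wrong layer.  The compiled-in default for inet_interfaces is 'all'.
    if conf.get("inet_interfaces", "all") == "all":
        findings.append("inet_interfaces=all: smtpd listens on every interface; "
                        "use loopback-only unless this host must receive Internet mail")

    # Gary's point: every client inside mynetworks may relay through you.
    if "mynetworks" in conf:
        nets, tables = parse_mynetworks(conf["mynetworks"])
        for net in nets:
            if not is_loopback(net):
                findings.append(f"mynetworks trusts {net}: every client in it may relay")
        for table in tables:
            findings.append(f"mynetworks includes lookup table {table}: review its contents")
    else:
        style = conf.get("mynetworks_style", default_mynetworks_style)
        if style != "host":
            findings.append(f"mynetworks unset, mynetworks_style={style}: hosts on the "
                            "server's own network(s) may relay; set mynetworks = 127.0.0.0/8")

    # Relay control itself: reject_unauth_destination must be in the list.
    restrictions = conf.get("smtpd_recipient_restrictions")
    if restrictions is None:
        findings.append("info: smtpd_recipient_restrictions unset; Postfix 2.x default is "
                        "permit_mynetworks, reject_unauth_destination")
    else:
        tokens = set(restrictions.replace(",", " ").split())
        if not {"reject_unauth_destination", "defer_unauth_destination"} & tokens:
            findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination: "
                            "anything permitted earlier in the list can relay")
    return findings


def problems(conf, **kw):
    """Non-informational findings only."""
    return [f for f in audit(conf, **kw) if not f.startswith("info:")]


if __name__ == "__main__":
    for finding in audit(parse_postconf(SAMPLE_POSTCONF)):
        print(finding)
```

Run it against `postconf -n > dump.txt` on the box in question; on the output posted in this thread it reports inet_interfaces=all and the unset mynetworks (which, on Postfix 2.3, trusts the whole attached subnet, not just the host). Setting mynetworks = 127.0.0.0/8 explicitly removes the second finding without affecting inbound mail for the domains in mydestination and virtual_alias_domains.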