7 Replies Latest reply: Jun 24, 2007 3:00 PM by Austin Sloat
Austin Sloat Level 2 Level 2 (195 points)
We had a user get absolutely hammered last Monday with spam. About a hundredfold increase in one day. Anyway, I implemented Alex's Frontline Spam Defense instructions and all incoming mail ceased. Everything was being blocked by spamhaus. A typical log entry was as follows:

Jun 18 20:50:57 ferrari-moe postfix/smtpd[25338]: NOQUEUE: reject: RCPT from ik-out-1112.google.com[66.249.90.182]: 554 Service unavailable; Client host [66.249.90.182] blocked using zen.spamhaus.org; from=<user@gmail.com> to=<user@ferrari-moe.com> proto=ESMTP helo=<ik-out-1112.google.com>

As soon as I saw that I tried to connect to www.spamhaus.org and got a error page... same with zen.spamhaus.org. At that moment their server was unavailable. I checked from my machine working remotely so no relationship to our server's network. Anyway, I removed the RBL entries and incoming mail service returned.

SpamAssassin is configured and working well but this user still had about 5000 messages in her inbox not tagged.

My questions are (1) if you have an RBL listed and it goes down due to a DDoS attack, a DNS resolution error, or whatever, should Postfix fail the check gracefully or will all mail get rejected while the RBL is unavailable? and (2) is that completely unrelated to what was happening here?

Here is my postconf -n although obviously I have already removed the RBL settings

ferrari-moe:~ fmserver$ postconf -n
alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
html_directory = no
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
luser_relay =
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname,localhost.$mydomain,localhost
mydomain_fallback = localhost
myhostname = ferrari-moe.com
mynetworks = 127.0.0.1/32
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_data_restrictions = permit_mynetworks,reject_unauth_pipelining,permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated,permit_mynetworks,check_helo_access hash:/etc/postfix/helo_access,reject_non_fqdn_hostname,reject_invalid_hostname,permit
smtpd_pw_server_security_options = login,plain,cram-md5,gssapi
smtpd_recipient_restrictions = reject_invalid_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/ferrari-moe.com.chcrt
smtpd_tls_cert_file = /etc/certificates/ferrari-moe.com.crt
smtpd_tls_key_file = /etc/certificates/ferrari-moe.com.key
smtpd_use_pw_server = yes
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550

The lines I had that were not working were:

smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_rbl_client zen.spamhaus.org, permit

and

disable_vrfy_command = yes

with the smtpd_client_restrictions from the article, although I do not have a backup of that as I backed it out first.

It looks like I have permit_mynetworks and permit_sasl_authenticated switched in client_restrictions but all mail is working fine right now.

Thanks.

PowerBook G4 1.67, Mac OS X (10.4.10), tiger server 10.4.9
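Added example (not part of the original post): a small triage script for the situation described above. It parses Postfix smtpd `NOQUEUE: reject:` lines, reports what share of the rejections came from a DNSBL lookup, and flags DNSBL rejects whose client rDNS sits under a domain you would not expect to find on a blocklist, such as a large provider's outbound pool. The sample log is constructed: the first two lines are modelled on the two rejects quoted in this thread, the rest use RFC 5737 documentation addresses and made-up hostnames.

```python
import re
from collections import Counter

# Constructed sample: two lines modelled on the rejects quoted in this thread,
# two invented ones (RFC 5737 addresses) so the aggregation has something to count.
SAMPLE_LOG = """\
Jun 18 20:50:57 ferrari-moe postfix/smtpd[25338]: NOQUEUE: reject: RCPT from ik-out-1112.google.com[66.249.90.182]: 554 Service unavailable; Client host [66.249.90.182] blocked using zen.spamhaus.org; from=<user@gmail.com> to=<user@ferrari-moe.com> proto=ESMTP helo=<ik-out-1112.google.com>
Jun 18 20:02:00 server postfix/smtpd[15281]: NOQUEUE: reject: RCPT from unknown[200.64.84.140]: 554 Service unavailable; Client host [200.64.84.140] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=200.64.84.140; from=<nvtft@bock.com.br> to=<user@example.com> proto=ESMTP helo=<dup-200-64-84-140.prodigy.net.mx>
Jun 18 20:51:10 ferrari-moe postfix/smtpd[25340]: NOQUEUE: reject: RCPT from unknown[192.0.2.7]: 504 5.5.2 <mailhost>: Helo command rejected: need fully-qualified hostname; from=<a@example.org> to=<user@ferrari-moe.com> proto=ESMTP helo=<mailhost>
Jun 18 20:52:03 ferrari-moe postfix/smtpd[25341]: NOQUEUE: reject: RCPT from mail-ex.example.net[198.51.100.9]: 554 Service unavailable; Client host [198.51.100.9] blocked using zen.spamhaus.org; from=<b@example.net> to=<user@ferrari-moe.com> proto=ESMTP helo=<mail-ex.example.net>
"""

# One smtpd reject line: client rDNS[ip], SMTP code, reason text, envelope sender/recipient.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<rdns>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<reason>.*?)"
    r"; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
# The DNSBL zone named in a reject_rbl_client rejection.
RBL_RE = re.compile(r"blocked using (?P<rbl>[^;\s]+)")


def parse_rejects(log_text):
    """Return one dict per smtpd NOQUEUE reject line; unrelated lines are skipped."""
    rejects = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rbl = RBL_RE.search(rec["reason"])
        rec["rbl"] = rbl.group("rbl") if rbl else None
        rejects.append(rec)
    return rejects


def summarize(rejects):
    """Counts by SMTP code and by DNSBL zone, plus the DNSBL share of all rejects."""
    by_rbl = Counter(r["rbl"] for r in rejects if r["rbl"])
    by_code = Counter(r["code"] for r in rejects)
    total = len(rejects)
    return {
        "total": total,
        "by_code": by_code,
        "by_rbl": by_rbl,
        "rbl_share": sum(by_rbl.values()) / total if total else 0.0,
    }


def suspicious_rbl_rejects(rejects, trusted_suffixes=("google.com",)):
    """DNSBL rejects whose client rDNS is under a domain you would not expect to be
    listed. Hits are worth re-checking against the list before trusting the rest
    of that zone's verdicts (a lookup problem rejects good senders exactly like this)."""
    suffixes = tuple(s.lower() for s in trusted_suffixes)
    hits = []
    for r in rejects:
        host = r["rdns"].lower()
        if r["rbl"] and any(host == s or host.endswith("." + s) for s in suffixes):
            hits.append(r)
    return hits


if __name__ == "__main__":
    recs = parse_rejects(SAMPLE_LOG)
    s = summarize(recs)
    print(f"{s['total']} rejects, {s['rbl_share']:.0%} via DNSBL: {dict(s['by_rbl'])}")
    for r in suspicious_rbl_rejects(recs):
        print(f"re-check: {r['rdns']}[{r['ip']}] rejected via {r['rbl']} (sender {r['sender']})")
```

Run it against `/var/log/mail.log` by replacing `SAMPLE_LOG` with the file contents; if nearly every reject is attributed to one zone and the hits list contains hosts like a provider's outbound relays, the problem is more likely on the lookup side than with the senders.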
  • pterobyte Level 6 Level 6 (10,910 points)
    Everything was being blocked by spamhaus. A typical log entry was as follows:
    Jun 18 20:50:57 ferrari-moe postfix/smtpd[25338]: NOQUEUE: reject: RCPT from ik-out-1112.google.com[66.249.90.182]: 554 Service unavailable; Client host [66.249.90.182] blocked using zen.spamhaus.org; from=<user@gmail.com> to=<user@ferrari-moe.com> proto=ESMTP helo=<ik-out-1112.google.com>


    According to this, Postfix connected to Spamhaus just fine. The lookup resulted in 66.249.90.182 being rejected, which is odd. Checked it now and the IP is not blacklisted. Either it was blacklisted by mistake by spamhaus or maybe your server didn't connect to spamhaus but to some "other place".
    You say you weren't able to connect to Spamhaus through a browser either.
    Could your DNS's cache have been poisoned?


    SpamAssassin is configured and working well but this user still had about 5000 messages in her inbox not tagged.

    My questions are (1) if you have an RBL listed and it goes down due to a DDoS attack, a DNS resolution error, or whatever, should Postfix fail the check gracefully or will all mail get rejected while the RBL is unavailable?


    Postfix will slow down because of the unsuccessful look-ups. That's all. It will NOT reject any mail if an RBL cannot be reached.

    As I mentioned above, Postfix did connect and receive a response. If your DNS's cache was poisoned you may have been connecting to a different place.


    Also, I did check my logs for the same date and time (time zone adjusted assuming your server is in Portland as per your profile). My server did connect to spamhaus just fine and did not show any false positives.
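Added example (not the replier's code, and not from Alex's article): an emulation of what `reject_rbl_client` actually does with a DNSBL answer, so the fail-open behaviour described above can be seen rather than taken on faith. It reverses the client address into a `zen.spamhaus.org` query name, then maps the three possible outcomes to Postfix's actions: an A record that matches gives `reject`, NXDOMAIN gives `dunno` (fall through to the next restriction), and SERVFAIL or a timeout also gives `dunno`, because Postfix only logs a warning when the zone cannot be reached. The resolver is a constructed offline stand-in; `system_resolver` is provided for live use. The example also covers a present-day caveat the 2007 thread could not have known about: Spamhaus now answers with `127.255.255.x` error codes (for example when queried through a public resolver), and a bare `reject_rbl_client zen.spamhaus.org` treats any A record as a listing, so such errors reject all mail with the same "blocked using zen.spamhaus.org" text. Nothing on this page establishes that this was the cause here.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"

# Return codes published by Spamhaus for zen: listing codes, and the 127.255.255.x
# codes it returns instead of a listing when it will not answer the query.
ZEN_CODES = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS: snowshoe / compromised sender",
    "127.0.0.4": "XBL: exploited or infected host",
    "127.0.0.9": "SBL DROP: hijacked or leased netblock",
    "127.0.0.10": "PBL: ISP says this address should not send mail directly",
    "127.0.0.11": "PBL: Spamhaus policy listing",
    "127.255.255.252": "ERROR: typing error in the DNSBL name",
    "127.255.255.254": "ERROR: query sent through a public/open resolver",
    "127.255.255.255": "ERROR: query volume limit exceeded",
}
# What a restricted "reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]" matches.
ZEN_LISTING_CODES = {f"127.0.0.{i}" for i in range(2, 12)}


class ResolverFailure(Exception):
    """SERVFAIL, timeout or no reachable resolver: the question was never answered."""


def dnsbl_name(ip, zone=ZONE):
    """Reverse the octets of an IPv4 address and append the zone, as Postfix does."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Live lookup through the OS resolver. NXDOMAIN becomes [] (not listed);
    any other failure to get an answer is raised as ResolverFailure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == getattr(socket, "EAI_NONAME", -2):
            return []
        raise ResolverFailure(exc.strerror or str(exc)) from exc


def rbl_decision(ip, resolve, zone=ZONE, listing_codes=None):
    """Emulate reject_rbl_client. Returns (action, detail): 'reject' only when an
    A record matches; 'dunno' when not listed or when the lookup itself fails.
    listing_codes=None mirrors a bare 'reject_rbl_client zone' (any A record counts)."""
    name = dnsbl_name(ip, zone)
    try:
        answers = resolve(name)
    except ResolverFailure as exc:
        # Postfix logs a warning and moves on; an unreachable DNSBL rejects nothing.
        return "dunno", f"lookup of {name} failed ({exc}); continuing without the DNSBL"
    if not answers:
        return "dunno", f"{ip} is not listed in {zone}"
    matched = [a for a in answers if listing_codes is None or a in listing_codes]
    if not matched:
        return "dunno", f"{zone} answered {answers} but none is a configured listing code"
    return "reject", f"{ip} blocked using {zone}: " + "; ".join(ZEN_CODES.get(a, a) for a in matched)


def make_fake_resolver(table):
    """Constructed stand-in for DNS so the example runs offline. Values are A-record
    lists; an exception instance is raised to simulate SERVFAIL or a timeout."""
    def resolve(name):
        result = table.get(name, [])  # unknown names behave like NXDOMAIN
        if isinstance(result, Exception):
            raise result
        return list(result)
    return resolve


# Constructed scenarios: the two addresses from the thread's log lines, plus
# RFC 5737 documentation addresses for the outcomes the thread asked about.
FAKE_DNS = make_fake_resolver({
    dnsbl_name("66.249.90.182"): [],                           # Google outbound: not listed
    dnsbl_name("200.64.84.140"): ["127.0.0.4", "127.0.0.11"],  # infected host in a PBL range
    dnsbl_name("198.51.100.9"): ResolverFailure("SERVFAIL"),    # DNSBL unreachable
    dnsbl_name("192.0.2.7"): ["127.255.255.254"],              # asked via a public resolver
})

if __name__ == "__main__":
    for ip in ("66.249.90.182", "200.64.84.140", "198.51.100.9", "192.0.2.7"):
        bare = rbl_decision(ip, FAKE_DNS)
        restricted = rbl_decision(ip, FAKE_DNS, listing_codes=ZEN_LISTING_CODES)
        print(f"{ip:15} bare={bare[0]:6} restricted={restricted[0]:6} {restricted[1]}")
```

The last scenario is the one worth remembering: with the bare form the error code is rejected as if it were a listing, with the restricted form it falls through. Running `rbl_decision("66.249.90.182", system_resolver)` does a live query; if that returns `dunno` for an address your server is rejecting, your server's resolver, not the sender, is what to investigate.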
  • davidh Level 4 Level 4 (1,890 points)
    Actually, that's Spamhaus doing its job.

    I had no legitimate mail rejected during that exact period and no problems communicating with the spamhaus rbl.

    Jun 18 20:02:00 server postfix/smtpd[15281]: NOQUEUE: reject: RCPT from unknown[200.64.84.140]: 554 Service unavailable; Client host [200.64.84.140] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=200.64.84.140; from=<nvtft@bock.com.br> to=<user@my-obfuscated-hostname.com> proto=ESMTP helo=<dup-200-64-84-140.prodigy.net.mx>

    You may need to investigate why your clients are being blocked by spamhaus...

    The restrictions you list as not working do work. I use them, albeit not exactly as Alex/pterobyte documents them, but they do work. They may have unintended consequences, however, but that points to a different problem. As Alex documents them, the listed restrictions work, but may be too restrictive for some. If they are, that points to (other) larger problems.

    My point is, they do work, and I have them in place and all desired mail is still being received. However, I've had to create some exceptions for a handful of poorly managed servers with no fix in sight from their Op (vs. "admin").
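Added illustration (not the article's list and not the poster's main.cf): the recipient restriction list the original poster said broke inbound mail, beside a version with the two changes a practitioner would make after this thread. A local exception table is consulted before the DNSBL, which is how the "exceptions for a handful of poorly managed servers" mentioned above are usually done, and the DNSBL match is limited to the listing codes Spamhaus documents, so a non-listing answer from the zone cannot reject mail. The exception file name and its entries are assumptions.

```conf
# Postfix main.cf. Each list is evaluated left to right and stops at the first
# permit or reject, so position matters.

# 1) The list from the original post. With no "=d.d.d.d" after the zone,
#    reject_rbl_client treats ANY A record the zone returns as a listing.
#smtpd_recipient_restrictions =
#    reject_invalid_hostname,
#    reject_non_fqdn_sender,
#    reject_non_fqdn_recipient,
#    permit_sasl_authenticated,
#    permit_mynetworks,
#    reject_unauth_destination,
#    reject_unlisted_recipient,
#    reject_rbl_client zen.spamhaus.org,
#    permit

# 2) Same list with a local exception table ahead of the DNSBL and the DNSBL
#    match restricted to Spamhaus' documented listing codes 127.0.0.2-11.
#    The "[2..11]" range form needs Postfix 2.8 or later (see reject_rbl_client
#    in postconf(5)); older releases take one "reject_rbl_client zone=127.0.0.N"
#    entry per code.
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_client_access hash:/etc/postfix/rbl_exceptions,
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
    permit

# /etc/postfix/rbl_exceptions (assumed name; run "postmap /etc/postfix/rbl_exceptions"
# after editing). Keys are client IP addresses, networks or rDNS names. "OK" permits
# the client for the rest of THIS list, which is safe only because
# reject_unauth_destination has already run above it; "DUNNO" would merely skip
# the DNSBL for that key and keep evaluating.
#   192.0.2.25              OK
#   mail.partner.example    OK
```

After changing main.cf, `postfix reload` applies it; `postconf -n` should then show the new list, and a rejected sender's address can be confirmed against the zone by hand before the exception is added rather than whitelisting on the caller's word.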
  • pterobyte Level 6 Level 6 (10,910 points)
    David,

    I agree 100% with you. What puzzled me was that in the log extract it was a Google server being rejected. I received mail from that IP in the same timeframe.



    Alex
  • Austin Sloat Level 2 Level 2 (195 points)
    Thanks for the info. I guess that it is possible that I was having DNS issues, but my server is in San Francisco and I am in Portland -- different ISPs and connections with different DNS servers. At that time I wasn't able to connect to their website, but of course that is not saying the RBL service itself was unavailable and I thank you for checking your own logs to verify.

    As you note it was rejecting everything, including gmail - but not internal email within my domain. Maybe after the smoke settles I will try again. My coworkers don't like having mail not working and a bunch of our clients were not happy to have our mail server rudely tell them that they were blacklisted.
  • Joel Mcintosh1 Level 3 Level 3 (530 points)
    I will try again. My coworkers don't like having mail not working and a bunch of our clients were not happy to have our mail server rudely tell them that they were blacklisted.


    Your comment struck me as curious. I don't recall any e-mail generated by Postfix that would "rudely tell [a sender that] they were blacklisted."

    As I recall, when Postfix rejects an e-mail because it is listed with zen.spamhaus.org, it reports with "554 Service unavailable."

    If you were just posting that comment because you were blowing off some steam (understandable given the frustration you experienced), that is one thing. However, if there were actually rude messages generated and sent to senders, I would be inclined to dig a bit deeper into this.
  • davidh Level 4 Level 4 (1,890 points)
    I guess that it is possible that I was having DNS issues, but my server is in San Francisco and I am in Portland -- different ISPs and connections with different DNS servers. At that time I wasn't able to connect to their website, but of course that is not saying the RBL service itself was unavailable and I thank you for checking your own logs to verify.


    Actually, it sounds like your server (in San Fran) may have been having DNS issues. Many of the postfix restrictions require fully working DNS. Postfix does cache information (for a time) but if it can't do a new lookup, problems will result.
  • Austin Sloat Level 2 Level 2 (195 points)
    Actually, I'm not blowing off steam or even frustrated. As far as the "rude message" I was being facetious. I did have one client however call me up and say, "Hey man, what's with the blacklist?" So at least someone knew what the mail server was doing to them.

    I will check my DNS logs but all other services are working perfectly, and wouldn't the HELO checking rely on working DNS? Or is that doing something else?

    The DNS servers we use are 207.69.188.185 & 207.69.188.186, by the way.