RE: [SLUG] Postfix SNAFU

From: Stephen Ames (sames@managedwebservices.com)
Date: Fri Jul 09 2004 - 19:41:16 EDT


They're at it again! Grrrr. I hate spam! >:(

I checked the mynetworks line and it had my local subnet and the 127.0.0.1/8
entry. I took out the local subnet and left the 127.0.0.1/8 entry. The
spam is coming from the outside and they are putting
nobody@web1.managedwebservices.com in the To line, and somepoordudes@aol.com
;) in the CC and BCC lines. I have told it not to accept more than 5
recipients, but that only keeps it from getting ridiculous. I really would
like to configure it to not accept or relay mail from anybody and only send
mail from itself (web contact forms, etc).

Here is a section from the main.cf that appears to be talking about just
such an idea, but I'm not too sure on how to proceed:

Thanks,

Steve

# TRUST AND RELAY CONTROL

# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in file sample-smtpd.cf.
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this does works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host

# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
mynetworks = 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table

# The relay_domains parameter restricts what clients this mail system
# will relay mail from, or what destinations this system will relay
# mail to. See the smtpd_recipient_restrictions restriction in the
# file sample-smtpd.cf for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients whose IP address matches $mynetworks,
# - from "trusted" clients matching $relay_domains or subdomains thereof,
# - from untrusted clients to destinations that match $relay_domains
# or subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_maps.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction in the file sample-smtpd.cf.
#
#relay_domains = $mydestination

-----Original Message-----
From: slug@nks.net [mailto:slug@nks.net] On Behalf Of Matt Moen
Sent: Thursday, July 08, 2004 1:18 PM
To: slug@nks.net
Subject: Re: [SLUG] Postfix SNAFU

Based on the logs, is this mail coming from the outside, or is it coming
through your web application?

If it's coming from the outside, then fix your "mynetworks" setting in
main.cf.

It sounds as if it's coming from your web application (which is probably
sending directly through the sendmail executable). If so, at a minimum it
should apply some restrictions to only allow the appropriate recipients and
domains (including CCs and BCCs) and not somepoordude@aol.com. :-) Perl has
some nifty modules to sanitize user-supplied e-mail addresses.

> Folks, I have been banging my head against a problem over the last few
> days. My web server uses postfix to send mail to other machines --
> logs, mail sent from web forms, etc. It shouldn't need to accept or
> relay mail from the outside. Somehow it will accept mail on the
> nobody account and will relay to any cc or bcc addresses. That
> functionally allows spammers to relay through the server. I can't
> figure out how to turn this off. I thought I had shut off relaying in
> the main.cf file, but I must be missing something. Any ideas?
>
> Thanks,
>
> Stephen Ames

-- 
Matthew Moen

It's an old ASR adage that all OS's suck. Based on my recent experiences with three Linux distributions, Debian sucks like a straw in a tongue-cancer patient's mouth, Gentoo sucks like an Electrolux, and Redhat 9 sucks like a jet engine intake.

----------------------------------------------------------------------- This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.
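
Added example, not part of the original messages or of the Postfix distribution: a small Python audit of the settings discussed in this thread (mynetworks, mynetworks_style), checking whether a main.cf matches the send-only goal described above. The sample file, the 192.0.2.0/24 subnet, the function names and the inet_interfaces check are assumptions; $variable expansion and table lookups are not evaluated.

```python
import ipaddress
import re

# Constructed sample modelled on the excerpt above; 192.0.2.0/24 is a
# documentation range standing in for a local subnet, not the poster's.
SAMPLE_MAIN_CF = """\
#mynetworks_style = host
mynetworks = 127.0.0.1/8,
    192.0.2.0/24
#relay_domains = $mydestination
"""

def parse_main_cf(text):
    """Return {name: value}. '#' lines are comments, a line starting with
    whitespace continues the previous one, and the last assignment wins."""
    settings, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            settings[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            settings[name] = value
    return settings

def audit_send_only(settings):
    """List settings that let non-local clients reach or relay through smtpd."""
    findings = []
    # Assumption: inet_interfaces is "all" when unset (the Postfix default).
    for iface in re.split(r"[,\s]+", settings.get("inet_interfaces", "all")):
        if iface not in ("localhost", "loopback-only", "127.0.0.1"):
            findings.append(f"inet_interfaces: smtpd listens on {iface}")
    if "mynetworks" not in settings:
        # mynetworks_style only applies when mynetworks is not set by hand.
        style = settings.get("mynetworks_style", "subnet")
        if style != "host":
            findings.append(f"mynetworks_style = {style} trusts more than this host")
        return findings
    for entry in re.split(r"[,\s]+", settings["mynetworks"]):
        try:
            # strict=False accepts host-bits-set forms such as 127.0.0.1/8
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"mynetworks: cannot evaluate {entry}, review by hand")
            continue
        if not net.is_loopback:
            findings.append(f"mynetworks: {net} is trusted to relay")
    return findings
```

An empty result from audit_send_only(parse_main_cf(...)) means the parsed file trusts only loopback and binds smtpd to loopback; it says nothing about mail injected locally, for example by a web form calling the sendmail executable.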




This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:20:03 EDT