These forums are locked and archived, but all topics have been migrated to the new forum. Topic: Server crashes after enabling AUTOREPLY
Support,
I have a server that has now "nearly crashed" twice due to enabling AUTOREPLY on 1 email box.
I see in post https://www.virtualmin.com/node/15207 that you now feed autoreplies to spamassassin to not reply if it's spam, but...
QUESTION: Is it possible that the autoreply is replying to the "bounce backs"?
I know that we get thousands of spam emails every evening, and SpamAssassin is already overworked.
On Jan. 14 and Jan. 23 my server's load average (as reported by uptime) exceeded 115.00 and I had to reboot to make it usable again.
Please let me know if there is a way to fine-tune the autoreply, and is it possible to ignore any headers that contain "bounce" in them?
Thx!
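The loop the question worries about (an auto-responder answering bounces, which then bounce again) is what RFC 3834 is about. The following is an added example, not part of the original thread and not Virtualmin's autoreply code: a suppression check that refuses to answer bounces (null envelope sender or a delivery-status report), other auto-generated mail (Auto-Submitted), and list/bulk traffic, plus a reply builder that labels its own output so a peer running the same checks will not answer it. The sample messages are constructed.

```python
"""
Decide whether a mailbox auto-responder should answer a message.

Added example, not part of the original thread and not Virtualmin's own
autoreply code.  It applies the loop and backscatter safeguards of RFC 3834:
do not answer bounces (null envelope sender, or a delivery-status report),
do not answer other automatic messages (Auto-Submitted), and do not answer
mailing-list or bulk traffic.  The sample messages below are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

_NO_REPLY_PRECEDENCE = {"bulk", "list", "junk"}          # RFC 3834 sec. 2
_LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Help")


def should_autoreply(raw_message: bytes, envelope_sender: str):
    """Return (reply, reason).  envelope_sender is the SMTP MAIL FROM address;
    bounces and other DSNs must use the null sender, written '' or '<>'."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)

    if envelope_sender.strip() in ("", "<>"):
        return False, "null envelope sender (bounce/DSN)"
    # A DSN relayed with a real sender still identifies itself by content type.
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return False, "delivery-status report"
    # Another auto-responder (vacation, ticket system) marks its mail as such.
    auto = str(msg.get("Auto-Submitted", "no")).split(";")[0].strip().lower()
    if auto != "no":
        return False, "Auto-Submitted: " + auto
    prec = str(msg.get("Precedence", "")).strip().lower()
    if prec in _NO_REPLY_PRECEDENCE:
        return False, "Precedence: " + prec
    if any(h in msg for h in _LIST_HEADERS):
        return False, "mailing-list headers present"
    if not (msg.get("Reply-To") or msg.get("From")):
        return False, "no author address"
    return True, "ok"


def build_autoreply(original: bytes, our_address: str, text: str) -> EmailMessage:
    """Build the reply with the labels RFC 3834 requires, so a peer that runs
    the same checks will not answer it and start a loop."""
    orig = email.message_from_bytes(original, policy=policy.default)
    reply = EmailMessage()
    reply["From"] = our_address
    reply["To"] = str(orig.get("Reply-To") or orig["From"])
    reply["Subject"] = "Auto: " + str(orig.get("Subject", ""))
    reply["Auto-Submitted"] = "auto-replied"        # RFC 3834 sec. 5
    reply["Precedence"] = "bulk"
    if orig.get("Message-ID"):
        reply["In-Reply-To"] = str(orig["Message-ID"])
    reply.set_content(text)
    return reply


# Constructed sample messages (RFC 2606 domains).
SAMPLES = {
    "normal": (b"From: alice@example.org\r\nTo: box@example.com\r\n"
               b"Subject: hello\r\nMessage-ID: <1@example.org>\r\n\r\nhi\r\n"),
    "bounce": (b"From: MAILER-DAEMON@mx.example.net\r\nTo: box@example.com\r\n"
               b"Subject: Undelivered Mail Returned to Sender\r\n"
               b"Content-Type: multipart/report; report-type=delivery-status; "
               b"boundary=\"b1\"\r\n\r\n--b1\r\nContent-Type: text/plain\r\n\r\n"
               b"failed\r\n--b1--\r\n"),
    "vacation": (b"From: bob@example.org\r\nTo: box@example.com\r\n"
                 b"Auto-Submitted: auto-replied\r\nSubject: Out of office\r\n\r\n"),
    "list": (b"From: list@example.org\r\nTo: box@example.com\r\n"
             b"Precedence: list\r\nList-Id: <dev.example.org>\r\n\r\nnews\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, should_autoreply(raw, "someone@example.org"))
    print("normal message with null sender:", should_autoreply(SAMPLES["normal"], "<>"))
```

The envelope sender is the decisive check: a bounce is required to use the null MAIL FROM, so it must be passed in from the delivery agent (procmail gets it as the Return-Path header). Header-only filtering on the word "bounce" would miss most DSNs and catch legitimate mail.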
You need to set up your Postfix to use RBLs and reject malformed emails. This should lower the amount of spam emails.
- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
I do have RBLs in my Postfix configuration, but maybe they're not right...
Do you see anything wrong with the following?
---snip---
##############################################################################
# main.cf #
##############################################################################
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_use_tls=yes
#smtpd_tls_auth_only=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = server.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = example.com, server.example.com, localhost.example.com, localhost, server
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols=ipv4
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
allow_percent_hack = no
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    regexp:/etc/postfix/helo.regexp,
    reject_rhsbl_helo zen.spamhaus.org,
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit
smtpd_client_restrictions =
    permit_mynetworks,
    permit_tls_all_clientcerts,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    permit
# reject_unknown_client_hostname
# reject_unknown_reverse_client_hostname
# reject_unknown_client
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client zen.spamhaus.org,
    permit
# reject_unknown_client (WILL BLOCK TOO MUCH)
# reject_non_fqdn_hostname (WILL CRASH AUTH SMTP)
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    permit
# reject_unknown_sender_domain (WILL BLOCK TOO MUCH)
smtpd_sasl_authenticated_header = yes
message_size_limit = 26214400
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,TLSv1
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_mandatory_ciphers = high
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
recipient_bcc_maps = hash:/etc/postfix/bccin
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
##############################################################################
# master.cf #
##############################################################################
smtp inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes
# -o smtpd_enforce_tls=yes
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
  -o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
smtp-13464253011645 unix - - - - - smtp -o smtp_bind_address=123.45.67.89
... (over 100 entries deleted here) ...
smtp-134630993018661 unix - - - - - smtp -o smtp_bind_address=123.45.67.89
Try with these RBLs:
reject_rbl_client zen.spamhaus.org,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client bl.spamcop.net,
reject_rbl_client b.barracudacentral.org,
Just to warn you, Sorbs is pretty aggressive in blocking offenders' IPs, and that means they will block IPs even from services like Gmail, which most other RBLs will not. I have been testing Sorbs for the last month and I noticed 2 cases in which email sent from Gmail was blocked. But given how Gmail rotates its IPs, the sender could probably try again in 1-2+ hours. Honestly, I agree with Sorbs, and Gmail should dedicate more resources to fighting the spam from their servers. Spammers realized that Gmail and lookalikes are not blacklisted because they are "too big or important", something I do not agree with, and I fully support what Sorbs is doing.
Next try to play with:
smtpd_error_sleep_time = 20
smtpd_soft_error_limit = 2
smtpd_hard_error_limit = 4
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 60
This is another thing to use to slow down incoming spam. It means each incoming IP can make 2 errors before the server puts in a delay of 20 seconds. After 4 errors your server will stop listening to the incoming IP. The last two lines are how many connections (10) in how much time (60) each IP can make. Again, pretty aggressive settings, but I don't care too much, as I think each server owner should properly maintain his service. If you get hit by such requests, this will noticeably lower the stress on your server.
Try this, restart Postfix and see how is the situation with your server.
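Before and after changing the RBL list and the anvil limits it is worth measuring what they actually catch. The following is an added example, not from the thread: it counts Postfix smtpd rejects per RBL and per client, and the anvil limit and hard-error disconnects, from mail log lines. The lines in LOG are constructed in the shape Postfix writes them (RFC 5737 test addresses); the regexes assume the default `reject_rbl_client` wording "blocked using".

```python
"""
Summarise Postfix smtpd log lines to see what the RBL and anvil settings
are actually catching.  Added example, not from the thread; the log lines
in LOG are constructed in the shape Postfix writes them (RFC 5737 addresses).
"""
import re
from collections import Counter

# "NOQUEUE: reject: RCPT from host[ip]: 554 5.7.1 ...; Client host [ip] blocked using <rbl>; ..."
RBL_REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[\d.]+)\]: "
    r"\d{3} .*?blocked using (?P<rbl>[\w.-]+)"
)
# anvil limits (smtpd_client_connection_rate_limit / _count_limit) are logged by smtpd.
RATE_LIMIT = re.compile(
    r"postfix/smtpd\[\d+\]: warning: Connection (?P<kind>rate|concurrency) limit exceeded: "
    r"(?P<count>\d+) from (?P<host>[^\[\s]+)\[(?P<ip>[\d.]+)\] for service (?P<service>\w+)"
)
# smtpd_hard_error_limit reached: Postfix drops the client.
TOO_MANY_ERRORS = re.compile(
    r"postfix/smtpd\[\d+\]: too many errors after (?P<cmd>[A-Z]+) from (?P<host>[^\[\s]+)\[(?P<ip>[\d.]+)\]"
)


def summarise(lines):
    """Count RBL rejects per list and per client, plus anvil limit hits and
    hard-error disconnects per client."""
    s = {"per_rbl": Counter(), "per_ip": Counter(),
         "rate_limited": Counter(), "hard_errors": Counter()}
    for line in lines:
        if m := RBL_REJECT.search(line):
            s["per_rbl"][m["rbl"]] += 1
            s["per_ip"][m["ip"]] += 1
        elif m := RATE_LIMIT.search(line):
            s["rate_limited"][m["ip"]] += 1
        elif m := TOO_MANY_ERRORS.search(line):
            s["hard_errors"][m["ip"]] += 1
    return s


def rbl_order(summary):
    """Lists ordered by how often they fired.  Postfix evaluates the
    reject_rbl_client entries in order and stops at the first hit, so each
    reject is attributed to the first list that matched; the busiest list
    first saves the DNS lookups for the others."""
    return [rbl for rbl, _ in summary["per_rbl"].most_common()]


LOG = [  # constructed sample, not real traffic
    "Jan 26 08:10:01 mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
    "554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; "
    "https://www.spamhaus.org/query/ip/192.0.2.10; from=<bulk@example.net> to=<box@example.com> "
    "proto=ESMTP helo=<mail.example.net>",
    "Jan 26 08:10:05 mx1 postfix/smtpd[1202]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
    "554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; "
    "from=<a@example.net> to=<box@example.com> proto=ESMTP helo=<mail.example.net>",
    "Jan 26 08:11:30 mx1 postfix/smtpd[1203]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: "
    "554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using bl.spamcop.net; "
    "from=<x@example.org> to=<box@example.com> proto=ESMTP helo=<mail.example.org>",
    "Jan 26 08:12:00 mx1 postfix/smtpd[1204]: warning: Connection rate limit exceeded: 61 "
    "from unknown[192.0.2.10] for service smtp",
    "Jan 26 08:12:44 mx1 postfix/smtpd[1205]: too many errors after RCPT from unknown[203.0.113.9]",
    "Jan 26 08:13:00 mx1 postfix/smtpd[1206]: connect from mail.example.org[198.51.100.7]",
    "Jan 26 08:13:01 mx1 postfix/smtpd[1206]: disconnect from mail.example.org[198.51.100.7]",
]

if __name__ == "__main__":
    s = summarise(LOG)
    for key, counter in s.items():
        print(key, dict(counter))
    print("suggested RBL order:", rbl_order(s))
```

Run it over `/var/log/mail.log` and compare the per-client counters with the anvil statistics lines Postfix already logs; a client that appears in `rate_limited` or `hard_errors` many times a day is a candidate for a firewall-level block rather than repeated SMTP-level rejection.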
Cool, I don't mind some aggressive settings... I prefer to over-tighten, and then loosen...
Forgot to mention, you should really use Fail2Ban to get full advantage of your settings. Here is the example from one of my servers:
Postfix:
Jan 26 08:28:07 *hidden* postfix/smtpd[28254]: warning: hostname xxx.xxx.xxx.xxx.hostname.tld does not resolve to address xxx.xxx.xxx.xxx: Name or service not known
Jan 26 08:28:07 *hidden* postfix/smtpd[28254]: connect from unknown[xxx.xxx.xxx.xxx]
Jan 26 08:28:08 *hidden* postfix/smtpd[28254]: lost connection after AUTH from unknown[xxx.xxx.xxx.xxx]
Jan 26 08:28:08 *hidden* postfix/smtpd[28254]: disconnect from unknown[xxx.xxx.xxx.xxx]
Jan 26 08:31:28 *hidden* postfix/anvil[28256]: statistics: max connection rate 1/60s for (smtp:xxx.xxx.xxx.xxx) at Jan 26 08:28:07
Jan 26 08:31:28 *hidden* postfix/anvil[28256]: statistics: max connection count 1 for (smtp:xxx.xxx.xxx.xxx) at Jan 26 08:28:07
Jan 26 08:31:28 *hidden* postfix/anvil[28256]: statistics: max cache size 1 at Jan 26 08:28:07
Fail2Ban:
2017-01-26 08:28:08,891 fail2ban.filter [1066]: INFO [postfix-auth] Found xxx.xxx.xxx.xxx
2017-01-26 08:28:08,959 fail2ban.actions [1066]: NOTICE [postfix-auth] Ban xxx.xxx.xxx.xxx
Logs like this one I get tons of per server, and it's something "normal" to expect when your server is facing the web, but that doesn't mean you can't limit the amount and make your server more secure. For example, this IP would hammer my server hundreds or even thousands of times per day if I didn't block it. Now consider that this is just one IP; add to this many more different IPs and you get the picture of how much stress it can produce on your server.
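The excerpt above shows the jail banning after a "lost connection after AUTH" line. A filter should be dry-run against real log lines before it is enabled. The following is an added example, not from the thread and not the poster's own filter: two constructed failregex patterns for the SASL-abuse lines Postfix logs (a client that drops the connection right after AUTH, and a failed SASL login), checked against constructed log lines (RFC 5737 addresses), with the jail's maxretry/findtime decision emulated. fail2ban replaces `<HOST>` with its own broader host pattern and also honours ignoreip and bantime, which are not modelled here.

```python
"""
Dry-run fail2ban-style failregex patterns against Postfix log lines and
emulate the jail's ban decision.  Added example, not from the thread; the
filter and the log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$")
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"     # IPv4 stand-in for fail2ban's <HOST>

# After the timestamp is stripped, the remainder starts with the syslog hostname.
FAILREGEX = [
    r"^\S+ postfix/smtpd\[\d+\]: lost connection after AUTH from \S+\[<HOST>\]$",
    r"^\S+ postfix/smtpd\[\d+\]: warning: \S+\[<HOST>\]: SASL (?:LOGIN|PLAIN) authentication failed",
]


def compile_failregex(patterns):
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_failures(lines, regexes):
    """Yield (timestamp, ip) for every line that matches a failregex."""
    for line in lines:
        m = SYSLOG_TS.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog has no year
        for rx in regexes:
            hit = rx.search(m["rest"])
            if hit:
                yield ts, hit["host"]
                break


def decide_bans(failures, maxretry=3, findtime=600):
    """Emulate the jail: an IP is banned at its maxretry-th failure inside a
    sliding window of findtime seconds.  Returns {ip: time_of_ban}."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in sorted(failures):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


LOG = [  # constructed sample lines
    "Jan 26 08:28:08 mx1 postfix/smtpd[28254]: lost connection after AUTH from unknown[192.0.2.50]",
    "Jan 26 08:29:10 mx1 postfix/smtpd[28260]: lost connection after AUTH from unknown[192.0.2.50]",
    "Jan 26 08:30:02 mx1 postfix/smtpd[28261]: warning: unknown[192.0.2.50]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 26 08:31:00 mx1 postfix/smtpd[28262]: lost connection after AUTH from unknown[192.0.2.60]",
    "Jan 26 08:35:00 mx1 postfix/smtpd[28270]: lost connection after AUTH from unknown[192.0.2.60]",
    "Jan 26 06:00:00 mx1 postfix/smtpd[28100]: lost connection after AUTH from unknown[192.0.2.70]",
    "Jan 26 07:00:00 mx1 postfix/smtpd[28110]: lost connection after AUTH from unknown[192.0.2.70]",
    "Jan 26 08:00:00 mx1 postfix/smtpd[28120]: lost connection after AUTH from unknown[192.0.2.70]",
    "Jan 26 08:28:08 mx1 postfix/smtpd[28254]: disconnect from unknown[192.0.2.50]",
]


def demo(maxretry=3, findtime=600):
    """Match LOG against FAILREGEX and return (failures, bans)."""
    fails = list(match_failures(LOG, compile_failregex(FAILREGEX)))
    return fails, decide_bans(fails, maxretry, findtime)


if __name__ == "__main__":
    fails, bans = demo()
    print(len(fails), "matching lines")
    for ip, when in bans.items():
        print("ban", ip, "at", when.strftime("%H:%M:%S"))
```

Only 192.0.2.50 is banned: 192.0.2.60 stays under maxretry, and 192.0.2.70's three failures are an hour apart, outside findtime. Against a live log, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/<filter>.conf` does the matching part with fail2ban's own date handling.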
Hmm, I'm using CSF/LFD... but apparently I don't have it configured to help me with these email hackers.
Personally I never liked CSF too much, but I know it can work with F2B if you disable the overlapping features. I somehow prefer F2B because I like how it works, plus it's easy to make new rules.
Ok, turns out I had a client with a WordPress plugin called Wordfence... which was spawning processes left and right (it would force the load average up to 150+ in 10 minutes). I've disabled their site until they return. My load average is 0.2 - 0.6 now. Thx!!!
Wordfence is garbage and garbage only. There is an F2B plugin for WP and it works great, but it can be used only on a VPS or dedicated server, so no shared hosting. You can set after how many failed logins to ban the IP. Combine this with a login captcha and the results are great. Use .htaccess to block access to xmlrpc.php and you have done a good job securing your (or your client's) WP. For normal WP use you don't need xmlrpc.php, and the only "famous" plugin that needs this file is Jetpack, but then again that's another piece of garbage your WP site doesn't need.
Final point: never use WP plugins for security or caching if you can do the same at the server level. Regardless of how good the plugins are, bots and other nasty things will still hit Apache, MySQL, etc. and produce additional load on your server.