Backscatter started again
Hi
I have not been listed on Backscatter for more than 2.5 years as I configured the mail server to stop it, but for some reason which I can't work out I have been listed again.
When I telnet into the mail server and run a test as below I get a reject status
I would be most grateful to anyone for taking a look at my conf files to see if they can see anything.
telnet mail.mydomain.co.uk 25
helo mail.mydomain.co.uk
MAIL FROM: <victim@domain.com>
250 2.1.0 Ok
RCPT TO: <NoSuchUser@mydomain.com>
550 5.1.1 <NoSuchUser@mydomain.com>: Recipient address rejected: User unknown
main.cf
biff = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_name = mail.mydomain.co.uk
smtpd_banner = ESMTP $mail_name
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
myhostname = server.mydomain.co.uk
mydomain = server.mydomain.co.uk
inet_protocols = ipv4
#inet_interfaces = 127.0.0.1, my.ip.addr.ess
inet_interfaces = all
smtp_bind_address = my.ip.addr.ess
mydestination = $myhostname, localhost.$mydomain, localhost, server.mydomain.co.uk
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8, my.ip.addr.range/24, 109.123.101.0/24
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
bounce_size_limit = 2000
message_size_limit = 40960000
header_size_limit = 402400
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_error_sleep_time = 10
smtpd_soft_error_limit = 20
smtpd_hard_error_limit = 20
smtpd_junk_command_limit = 20
# qmgr_message_active_limit = 10000 # default 20000
strict_rfc821_envelopes = yes
show_user_unknown_table_name = no
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
home_mailbox = Maildir/
2bounce_notice_recipient = postmaster@mydomain.co.uk
error_notice_recipient = postmaster@mydomain.co.uk
bounce_notice_recipient = postmaster@mydomain.co.uk
header_checks = regexp:/etc/postfix/header_checks
#body_checks = regexp:/etc/postfix/body_checks
### Reject codes
access_map_reject_code = 554
defer_code = 450
invalid_hostname_reject_code = 501
maps_rbl_reject_code = 554
non_fqdn_reject_code = 504
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 450
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_reject_code = 450
unverified_sender_reject_code = 450
### SMTP Restrictions
smtpd_client_restrictions = permit_mynetworks,
    permit_inet_interfaces,
    permit_sasl_authenticated,
    check_client_access regexp:/etc/postfix/client_restrictions,
    check_policy_service unix:/var/spool/postfix/postgrey/socket,
    warn_if_reject reject_unknown_reverse_client_hostname,
    warn_if_reject reject_unknown_client
smtpd_helo_restrictions = permit_mynetworks,
    permit_inet_interfaces,
    permit_sasl_authenticated,
    check_helo_access regexp:/etc/postfix/helo.regexp,
# reject_non_fqdn_helo_hostname,
    warn_if_reject reject_invalid_helo_hostname,
    warn_if_reject reject_non_fqdn_helo_hostname,
# warn_if_reject reject_unknown_helo_hostname,
    permit
smtpd_etrn_restrictions = permit_mynetworks,
    permit_inet_interfaces,
    permit_sasl_authenticated,
    reject
smtpd_sender_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    check_client_access regexp:/etc/postfix/client_restrictions,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_address,
    warn_if_reject reject_unverified_sender,
    permit
smtpd_recipient_restrictions = permit_mynetworks,
    permit_inet_interfaces,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access regexp:/etc/postfix/client_restrictions,
    check_policy_service unix:/var/spool/postfix/postgrey/socket,
# check_policy_service unix:private/policy-spf,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unverified_recipient,
# Added reject_unverified_recipient 7-5-19 for trying to stop Backscatter
    reject_unlisted_recipient,
    reject_multi_recipient_bounce,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    warn_if_reject reject_unknown_client,
# Added warn_if_reject 1st Feb 2018 for overcoming too many Client host rejected: cannot find your hostname
    warn_if_reject reject_unknown_hostname,
    reject_unauth_pipelining,
# check_sender_access hash:/etc/postfix/blacklisted_domains,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client zen.spamhaus.org,
    permit
smtpd_data_restrictions = reject_unauth_pipelining,
    reject_multi_recipient_bounce,
    permit
smtpd_timeout = 300s
smtp_destination_rate_delay = 1s
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.co.uk/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.co.uk/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
# smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
# smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
# tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
# tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,local:/var/run/milter-greylist/milter-greylist.sock
non_smtpd_milters = inet:localhost:8891,local:/var/run/milter-greylist/milter-greylist.sock
# policy-spf_time_limit = 3600s
master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
my.ip.addr.ess:smtp inet n - n - 200 smtpd -o smtpd_sasl_auth_enable=yes
my.ip.addr.ess:submission inet n - n - - smtpd
# -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_security_level=may
    -o tls_preempt_cipherlist=no
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
# bounce unix - - n - 0 bounce
bounce unix - - n - 0 discard
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
# policy-spf unix - n n - 0 spawn user=nobody argv=/usr/bin/perl /usr/lib/postfix/postfix-policyd-spf-perl
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
    -o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
#submission inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes
127.0.0.1:smtp inet n - n - 200 smtpd -o smtpd_sasl_auth_enable=yes
127.0.0.1:submission inet n - n - - smtpd
header_checks
## Header checks file
#### Checks are done in order, top to bottom.
#### /etc/postfix/header_checks
### How to check regex on command line
### echo 'mail-db5eur01on0084.outbound.protection.outlook.com' | grep -e '^\S*\.outlook\.com$'
#### non-RFC Compliance
/[^[:print:]]{7}/ REJECT RFC2047
# /^.*=20[a-z]*=20[a-z]*=20[a-z]*=20[a-z]*/ REJECT RFC822
# /(.*)?\{6,\}/ REJECT RFC822
/(.*)[X|x]\{3,\}/ REJECT RFC822
#### Unreadable non-ASCII unprintable text
/^Subject:.*=\?(GB2312|big5|euc-kr|ks_c_5601-1987|koi8)\?/ REJECT Unreadable
/^Content-Type:.*charset="?(GB2312|big5|euc-kr|ks_c_5601-1987|koi8|iso-2022-jp)/ REJECT Unreadable
#### Subject checks
/^Subject:.* / REJECT Space
/^Subject:.*r[ _\.\*\-]+o[ _\.\*\-]+l[ _\.\*\-]+e[ _\.\*\-]+x/ REJECT Hidden Words
/^Subject:.*p[ _\.\*\-]+o[ _\.\*\-]+r[ _\.\*\-]+n/ REJECT Hidden Words
#### Character Set Checks
/^(Content-Type:.*|\s+)charset\s*=\s*"?(Windows-1251)\?/ REJECT Bad Content Type
#### Backscatter checks
/^Content-Type: multipart\/report; report-type=delivery-status\;/ REJECT no third-party DSNs
/^Content-Type: message\/delivery-status; / REJECT no third-party DSNs
#### Attachments
/^Content-(Type|Disposition):.*(file)?name=.*\.(ade|adp|asd|asf|asx|bat|bhx|chm|cil|cmd|com|cpl|dll|elm|exe|gif|hlp|hta|jse|lnk|mda|mdb|mde|mdw|mim|msi|msp|nws|ocx|pif|reg|scr|sct|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wmf|wms|wmz|wmd|wsc|wsf|wsh|wsz)/
    REJECT Bad Attachment .${3}
#### Backscatter mail from virus scanners
/^Subject:.*Anti-Virus Notification/ REJECT Virus Notification
/^Subject:.*due to virus/ REJECT Virus Notification
/^Subject:.*email contains VIRUS/ REJECT Virus Notification
/^Subject:.*InterScanMSS/ REJECT Virus Notification
/^Subject:.*ScanMail for Lotus/ REJECT Virus Notification
/^Subject:.*Symantec AntiVirus/ REJECT Virus Notification
/^Subject:.*Virus Detected by Network Associates/ REJECT Virus Notification
/^subject:.*virus found/ REJECT Virus Notification
/^subject:.*Virus Infection Alert/ REJECT Virus Notification
#### Known Spammers or Unsolicited Commercial Email
/^Received:.*bellevuellc.com/ REJECT Blacklisted
/^Received:.*ccsurvey.com/ REJECT Blacklisted
/^Received:.*cmptechdirect.com/ REJECT Blacklisted
/^Received:.*dartmail.net/ REJECT Blacklisted
/^Received:.*ema10.net/ REJECT Blacklisted
/^Received:.*evmailer.com/ REJECT Blacklisted
/^Received:.*netline.com/ REJECT Blacklisted
Hi @applejack
I'm having the exact same problem. Did you manage to come right, and what was the resolution if you did?
If you check your IP on backscatter it should give you a date & time to check in your mail logs. i.e. who you were sending an email to or sending a bounce back to. I suspect it was the latter and that the sender was spoofed.
Thanks @Dibs.... You are correct, it is the latter. What I was looking for was the correct config string/s in main.cf to stop this type of behavior. I tried googling and applied some settings, but there were hiccups....
I was also caught out by backscatterer and followed the advice on https://www.linuxbabe.com/mail-server/block-email-spam-postfix except for the greylisting - it cut down the spam being received massively and got me off backscatterer.
HIH
Dibs
@Dibs, thank you for the link! I hadn't tried that one. I will go through the article, apply what's there and see what happens. As Backscatterer.org keeps the listings in for a month, I'll only see if it's fully effective after the middle of next month. The real acid test will be that. I will make a note to report after the 15th December 2019, to see how effective this has been.
@neural, you should see some indication in the server log files; it is kind of "idiot" to only wait after every change and look after x days at that list. (I think I don't understand your reply here ;)
Mail delivery failures could be an indication for... mostly when using forwards or mail contact forms.
I mean not that you are .... ;) but one could take some precautions upfront with log file info.
Read also, before applying, this as only one example:
Use the following line to reject non fully qualified HELO/EHLO hostname.
reject_non_fqdn_helo_hostname
You could miss important mails for you or clients if too strict, while a lot of mail services are not configured 100%! You need to do it right, in the right order!
Read here, for example:
https://unix.stackexchange.com/questions/91749/helo-command-rejected-nee...
https://en.wikipedia.org/wiki/Backscatter_(email)
Hi @Jfro, for sure, you're right. I was always planning on checking my logs.... I picked up the time when the backscatter occurred, checked the logs at that time, and saw what was causing it. I also do checks like "grep status=bounced mail.log" etc. I will definitely be checking the logs, especially to see if there are false positives, as in legitimate mail trying to get in being blocked etc... Maybe I wasn't so verbose in my previous response, but the last "check" would be when I'd been delisted from backscatterer.org and not put right back on again. I do prefer the command line to the GUI, so checking logs etc. is not a problem to me, and is what I do on a daily basis at some point.
Thanks for the input - much appreciated.
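Dibs' suggestion above (find the time Backscatterer reports and see who the server bounced to) and neural's "grep status=bounced" check, as a small script. This is an added example, not code from the thread, Virtualmin or Postfix: it groups Postfix log lines by queue id, picks out the non-delivery reports this server generated (from=<>) that were actually sent off-site, and links each one to the triggering message through the bounce(8) "sender non-delivery notification" line, which is what tells you whether an alias, forward or web form is the cause. The log excerpt, hostnames, addresses and queue ids are all constructed.

```python
import re
from collections import defaultdict

# Constructed mail.log excerpt (not from the thread): a spoofed-sender message is
# accepted for a local alias that forwards off-site, the remote host rejects it, and
# Postfix mails a non-delivery report to the spoofed sender: that is the backscatter.
SAMPLE_LOG = """\
Dec  1 10:15:01 srv postfix/smtpd[1234]: 3A1B2C3D4E: client=unknown[203.0.113.5]
Dec  1 10:15:01 srv postfix/qmgr[1100]: 3A1B2C3D4E: from=<victim@example.com>, size=2048, nrcpt=1 (queue active)
Dec  1 10:15:02 srv postfix/smtp[1240]: 3A1B2C3D4E: to=<fwd@remote.example.net>, orig_to=<alias@mydomain.co.uk>, relay=mx.remote.example.net[198.51.100.9]:25, dsn=5.1.1, status=bounced (550 5.1.1 User unknown)
Dec  1 10:15:02 srv postfix/bounce[1250]: 3A1B2C3D4E: sender non-delivery notification: 5F6A7B8C9D
Dec  1 10:15:02 srv postfix/qmgr[1100]: 5F6A7B8C9D: from=<>, size=4096, nrcpt=1 (queue active)
Dec  1 10:15:03 srv postfix/smtp[1241]: 5F6A7B8C9D: to=<victim@example.com>, relay=mx.example.com[192.0.2.10]:25, dsn=2.0.0, status=sent (250 OK)
Dec  1 10:16:00 srv postfix/qmgr[1100]: 7C8D9E0F1A: from=<bob@partner.example>, size=900, nrcpt=1 (queue active)
Dec  1 10:16:01 srv postfix/local[1300]: 7C8D9E0F1A: to=<alice@mydomain.co.uk>, relay=local, dsn=2.0.0, status=sent (delivered to Maildir)
"""
LINE_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")

def parse_log(lines):
    """Group log lines by queue id: client, envelope sender, recipient attempts, DSN parent."""
    msgs = defaultdict(lambda: {"client": None, "from": None, "rcpts": [], "dsn_for": None})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        prog, qid, rest = m.group("prog", "qid", "rest")
        if prog == "smtpd" and rest.startswith("client="):
            msgs[qid]["client"] = rest[len("client="):]
        elif prog == "qmgr" and rest.startswith("from=<"):
            msgs[qid]["from"] = rest[len("from=<"):rest.index(">")]   # "" means null sender
        elif prog == "bounce" and "sender non-delivery notification: " in rest:
            msgs[rest.rsplit(" ", 1)[1]]["dsn_for"] = qid   # bounce(8) logs the DSN's new queue id
        elif rest.startswith("to=<"):
            msgs[qid]["rcpts"].append(dict(re.findall(r"(to|orig_to|status)=<?([^,>\s]+)", rest)))
    return msgs

def find_backscatter(lines):
    """Null-sender DSNs this server actually sent, each tied to the message that
    triggered it, so the bounce can be traced to a forward, alias or web form."""
    msgs, hits = parse_log(lines), []
    for qid, info in list(msgs.items()):
        if info["from"] != "" or info["dsn_for"] is None:
            continue  # not a non-delivery report generated here
        orig = msgs[info["dsn_for"]]
        failed = next((r for r in orig["rcpts"] if r.get("status") == "bounced"), {})
        for r in info["rcpts"]:
            if r.get("status") == "sent":
                hits.append({"dsn_qid": qid, "dsn_to": r["to"], "orig_qid": info["dsn_for"],
                             "orig_client": orig["client"], "failed_rcpt": failed.get("to"),
                             "via_alias": failed.get("orig_to")})
    return hits

if __name__ == "__main__":
    for hit in find_backscatter(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run it against the real log with `find_backscatter(open("/var/log/maillog").readlines())`; a hit whose `via_alias` is one of your virtual aliases points at a forward that should be fixed or at a sender that should have been rejected at RCPT TO.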
We had one user / client "abusing" with a wrongly configured contact PHP form and more; almost 2 years of sh..it. Now this customer is gone, no problem anymore.
He was using email addresses in the contact form (from another server / his mail address) and had mail addresses forwarded on Virtualmin and some more; lots of shouting on the phone that his form was 100% OK, safe and secure. Now he is gone I have much more time and peace of mind...
;)
He didn't have budget, and I can't help with PHP from customers being "webadmins".
Yes, sometimes people know just enough to be dangerous... Glad you got rid of your problem client, so much better to rather let them go. :D
Anyone know where user mail forwarding addresses are stored, so I can check easily across multiple accounts rather than having to go into each one in VM?