Postfix Rejecting Unknown Local Recipients pass by

Here and there we get mails delivered to unknown local recipients; in general these mails have been rejected. How can it be that Postfix delivers a mail to an unknown local recipient?

main.cf

smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.

append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings

#delay_warning_time = 4h

readme_directory = no

# TLS parameters

smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination defer_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
    reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = sys.ublun.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname

myorigin = $mydomain

myorigin = /etc/mailname
mydestination = $myhostname, xxxxxxx.com, , localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
allow_percent_hack = no
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
compatibility_level = 2
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
message_size_limit = 52428800

Try to change mydestination = $myhostname, localhost.$mydomain, localhost, server.hostname.tld, restart Postfix and see if the problem is gone. Do not forget to make a local copy of your Postfix configuration before any change.

P.S. Instead of "server.hostname.tld" use the real hostname.

Thank you Diabolico, we adjusted accordingly.

So far all is fine with the Postfix server, but one thing remains:

connect from unknown

How is it that some IP addresses are being rejected and some not? Both are from an unknown source.

connect from unknown[177.54.144.232] NOQUEUE: reject: RCPT from unknown[177.54.144.232]: 450 4.7.1 Client host rejected: cannot find your reverse hostname,

connect from unknown[89.248.171.132] warning: unknown[89.248.171.132]: SASL LOGIN authentication failed: authentication failure

postconf -n

alias_maps = hash:/etc/aliases
allow_percent_hack = no
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
compatibility_level = 2
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
message_size_limit = 52428800
milter_default_action = accept
milter_protocol = 2
mydestination = $myhostname, xxxx.com, localhost.xxxx.com, localhost
myhostname = xxxx.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 144.76.73.84
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:8891
readme_directory = no
recipient_delimiter = +
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces reject_unknown_reverse_client_hostname permit_tls_all_clientcerts reject_rbl_client zen.spamhaus.org reject_rhsbl_client zen.spamhaus.org
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = reject_unknown_reverse_client_hostname
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination defer_unauth_destination permit
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual

Start with "mydestination = $myhostname, localhost.$mydomain, localhost, your.hostname.tld", where you need to change "your.hostname.tld" to your real hostname. Remember the hostname must be an FQDN.

We adjusted accordingly:
"mydestination = $myhostname, localhost.$mydomain, localhost, sys.ublun.com"
but they still roll in…

Feb 15 21:27:13 sys postfix/smtpd[14372]: connect from unknown[89.248.171.132]
Feb 15 21:27:16 sys postfix/smtpd[14372]: warning: unknown[89.248.171.132]: SASL LOGIN authentication failed: authentication failure
Feb 15 21:27:16 sys postfix/smtpd[14372]: disconnect from unknown[89.248.171.132] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

This IP, 89.248.171.132, is that from your server or a personal connection?

No no… nothing to do with my IPs. It comes from the Seychelles and there is one from Ukraine. I can only stop them with iptables; Postfix does not act as it should.

Actually the problem is based on: reject clients with no reverse hostname.
Most clients with no reverse hostname get rejected, but not all, and that makes me wonder.

Yes, I suspected that IP isn't yours. I made a check after my last post and that IP belongs to Novogara.com, formerly known as Ecatel.net. This host has servers located in the Netherlands, but the company is from England and owned by some shady offshore company. This host is also known as the best haven for spammers and hackers, so it's not a surprise to see their IP in server logs. Same as with IPs originating from Colocrossing a.k.a. HudsonValleyHost. Nothing unusual to see their multiple IP ranges on every major spam list.

How to stop it? To begin you will need to install Fail2Ban and activate jails for all the software that you can, like Apache, Postfix, Dovecot… and so on. Next, you will need to edit main.cf and add/modify the lines "smtpd_helo_restrictions", "smtpd_relay_restrictions", "smtpd_sender_restrictions", "smtpd_recipient_restrictions". There is a really huge amount of information and examples on Google, so just pick a few and use them. It would help even more if you add a few RBLs in your main.cf:
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client b.barracudacentral.org,

reject_rbl_client dnsbl.sorbs.net,

SORBS is the most aggressive RBL and they frequently blacklist IPs even from Gmail, so do not use it if you don't know what you are doing or you have anyone important who is using Gmail, Hotmail, etc.

Just by installing Fail2Ban the majority of these attacks will be stopped, but I would suggest playing a little with main.cf. Remember to always have a local/offsite copy of any file you intend to modify.
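Two points from this thread can be checked against the logs themselves: the question of why the client at 177.54.144.232 shows up as a reject while the client at 89.248.171.132 does not, and the suggestion to let Fail2Ban count repeated SASL failures per IP. The script below is an added example, not code from any post in this thread or from Postfix or Fail2Ban. It groups smtpd log lines into sessions by smtpd pid, records whether the client had reverse DNS, whether it was rejected, how many SASL failures it produced and whether it ever sent RCPT TO, and then aggregates SASL failures per IP the way a Fail2Ban postfix-sasl jail would. The log lines are constructed for the demo (the two IPs and the line shapes come from the thread; the trailer of the reject line, the second session and the legitimate delivery are made up), the regexes are written for this example rather than taken from Fail2Ban's filter files, and the `maxretry=3` threshold is an assumed jail setting. One Postfix fact the classification relies on: with the default `smtpd_delay_reject = yes`, `smtpd_client_restrictions` are evaluated at RCPT TO, so a client that only attempts AUTH and then quits (the `auth=0/1 ... commands=3/4` disconnect line, with no `rcpt=` counter) never reaches the point where `reject_unknown_reverse_client_hostname` would fire.

```python
import re
from collections import defaultdict

# Patterns for the smtpd line types quoted in the thread. They are written
# for this example; "unknown" as the client name means Postfix could not
# resolve the client's reverse hostname.
_CONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: connect from ([^\[\s]+)\[([^\]]+)\]")
_REJECT = re.compile(r"postfix/smtpd\[(\d+)\]: NOQUEUE: reject: (\w+) from [^\[\s]+\[([^\]]+)\]: (\d{3} \S+)")
_SASL_FAIL = re.compile(r"postfix/smtpd\[(\d+)\]: warning: [^\[\s]+\[([^\]]+)\]: SASL \S+ authentication failed")
_DISCONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: disconnect from [^\[\s]+\[([^\]]+)\](.*)$")
# Per-command counters on the disconnect line: "name=ok" or "name=ok/attempted".
_COUNTER = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def summarize_sessions(lines):
    """Group smtpd log lines into sessions (one smtpd pid serves one client
    at a time) and return a summary dict for each finished session."""
    open_sessions = {}
    finished = []
    for line in lines:
        m = _CONNECT.search(line)
        if m:
            pid, host, ip = m.groups()
            open_sessions[pid] = {"ip": ip, "reverse_dns": host != "unknown",
                                  "rejects": [], "sasl_failures": 0, "reached_rcpt": False}
            continue
        m = _REJECT.search(line)
        if m:
            pid, stage, _ip, code = m.groups()
            if pid in open_sessions:
                open_sessions[pid]["rejects"].append(f"{stage} {code}")
            continue
        m = _SASL_FAIL.search(line)
        if m:
            pid = m.group(1)
            if pid in open_sessions:
                open_sessions[pid]["sasl_failures"] += 1
            continue
        m = _DISCONNECT.search(line)
        if m:
            pid, _ip, tail = m.groups()
            session = open_sessions.pop(pid, None)
            if session is None:
                continue
            # Any attempted RCPT (accepted or not) means the client reached the
            # stage at which delayed client restrictions are evaluated.
            for name, ok, attempted in _COUNTER.findall(tail):
                if name == "rcpt" and int(attempted or ok) > 0:
                    session["reached_rcpt"] = True
            finished.append(session)
    return finished


def classify(session):
    """Explain why a session did or did not appear as a reject in the log."""
    if session["rejects"]:
        return "rejected"
    if session["sasl_failures"] and not session["reached_rcpt"]:
        # smtpd_delay_reject=yes (the default) defers client restrictions such as
        # reject_unknown_reverse_client_hostname until RCPT TO; an AUTH-only
        # client that quits first is logged as a SASL failure, not as a reject.
        return "auth-probe"
    return "not-rejected"


def repeat_sasl_offenders(sessions, maxretry=3):
    """Fail2Ban-style aggregation: IPs whose SASL failures across all sessions
    reach maxretry (an assumed jail setting, not read from any jail.conf)."""
    failures = defaultdict(int)
    for s in sessions:
        failures[s["ip"]] += s["sasl_failures"]
    return sorted(ip for ip, n in failures.items() if n >= maxretry)


# Constructed sample log: the first two sessions mirror the lines quoted in the
# thread, the third is a repeat of the same AUTH probe, the fourth is a normal
# delivery from a host with working reverse DNS.
SAMPLE_LOG = """\
Feb 15 21:20:01 sys postfix/smtpd[14001]: connect from unknown[177.54.144.232]
Feb 15 21:20:02 sys postfix/smtpd[14001]: NOQUEUE: reject: RCPT from unknown[177.54.144.232]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [177.54.144.232]; from=<x@example.com> to=<user@example.com> proto=ESMTP helo=<mx.example.com>
Feb 15 21:20:02 sys postfix/smtpd[14001]: disconnect from unknown[177.54.144.232] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Feb 15 21:27:13 sys postfix/smtpd[14372]: connect from unknown[89.248.171.132]
Feb 15 21:27:16 sys postfix/smtpd[14372]: warning: unknown[89.248.171.132]: SASL LOGIN authentication failed: authentication failure
Feb 15 21:27:16 sys postfix/smtpd[14372]: disconnect from unknown[89.248.171.132] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 15 21:29:40 sys postfix/smtpd[14372]: connect from unknown[89.248.171.132]
Feb 15 21:29:41 sys postfix/smtpd[14372]: warning: unknown[89.248.171.132]: SASL LOGIN authentication failed: authentication failure
Feb 15 21:29:42 sys postfix/smtpd[14372]: warning: unknown[89.248.171.132]: SASL LOGIN authentication failed: authentication failure
Feb 15 21:29:42 sys postfix/smtpd[14372]: disconnect from unknown[89.248.171.132] ehlo=1 auth=0/2 quit=1 commands=2/4
Feb 15 21:31:05 sys postfix/smtpd[14380]: connect from mail.example.net[198.51.100.7]
Feb 15 21:31:06 sys postfix/smtpd[14380]: disconnect from mail.example.net[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

if __name__ == "__main__":
    sessions = summarize_sessions(SAMPLE_LOG.splitlines())
    for s in sessions:
        print(f"{s['ip']:16} rDNS={s['reverse_dns']!s:5} sasl_failures={s['sasl_failures']} "
              f"reached_rcpt={s['reached_rcpt']!s:5} -> {classify(s)}")
    print("ban candidates:", repeat_sasl_offenders(sessions, maxretry=3))
```

Run against a real mail log (`summarize_sessions(open("/var/log/mail.log"))`) the `auth-probe` rows are the sessions that a client restriction will never see; they are exactly the traffic that a Fail2Ban jail on SASL failures, or a rate limit in front of AUTH, has to handle.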