From: "Jason Bailey, Sun Advocate Webmaster" on 22 Jun 2010 23:32

Hello all,

This question has probably been asked before in some form or another, but I can't seem to find a post that is exactly like the issue I'm struggling with (maybe I'm just blind). In any event, I hope that at least one of you might be able to help me.

I've got two SLES 11 mail servers I manage. Both run Postfix 2.5.6. Both relay outbound mail through their respective ISP's mail system, as required by those same ISPs (inbound is unrestricted, outbound is only allowed through a designated relay host).

The problem is, both have problems delivering mail to some hosts. Hotmail is a particular one (although there are a few others that belong to businesses we frequently work with). That has me wondering if something I have done (or have not done, perhaps) is to blame. Unfortunately, I'm only getting generic delivery failures from a few of the hosts and none at all with Hotmail and Yahoo (one drops the mail entirely and the other marks it as junk but delivers it).

(Note: I do have to disclose one piece of information. Recently our server was automatically blacklisted by our ISP for spam that was being relayed through our system from a series of external sources. I've tested both servers against online open relay tests and performed my own internal tests at times to prevent relay of spam, so I can't say why they were able to relay. I ended up basically rewriting the smtpd_client_restrictions, smtpd_recipient_restrictions and smtpd_sender_restrictions lists. The relayed spam stopped and our ISP finally removed us from their blacklist)

I've checked log entries, but they all show outbound mail was successfully relayed through the ISP's SMTP server.

My setup, for the most part, is pretty typical. I have a Postfix + Amavis (SpamAssassin + ClamAV) + Cyrus IMAP configuration. Amavis works on the basis of TCP ports, and delivery to Cyrus is via an LMTP socket.
All mailboxes (in both Cyrus and Postfix) are virtual and are in no way tied to the system users/accounts.

DNS is such that the MX for mydomain.com is mail.mydomain.com. The IP address resolves correctly on every DNS server I can bounce queries off of.

I have *not* set up TXT records for SPF on any of my domains. Since I have to relay outbound mail through my ISP, and since things have worked fine until recently, I suppose it has been out of sight and out of mind. It's something I realize I need to do to satisfy those that use it.

Here's postconf -n from one of the servers:

alias_maps = hash:/etc/aliases
always_bcc = archives(a)mydomain.com
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_filter.pcre
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_exceptions = root
message_size_limit = 26214400
mime_header_checks = pcre:/etc/postfix/mime_filter.pcre
mydestination = $myorigin
myhostname = mydomain.com
mynetworks = 127.0.0.0/8 [::1]/128 10.0.0.0/24
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relay_domains =
relayhost = send.isp.net
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = no
smtp_helo_name = mydomain.com
smtp_sasl_security_options = noanonymous
smtp_tls_enforce_peername = yes
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client_access.hash, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_filter.hash, check_helo_access pcre:/etc/postfix/helo_filter.pcre, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, check_recipient_access hash:/etc/postfix/recip_filter.hash, check_recipient_access pcre:/etc/postfix/recip_filter.pcre, reject_unauth_destination, check_recipient_maps, check_recipient_access hash:/etc/postfix/overquota, permit
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sender_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, permit_mynetworks, check_sender_access hash:/etc/postfix/sender_filter.hash, check_sender_access pcre:/etc/postfix/sender_filter.pcre, permit
smtpd_soft_error_limit = 60
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/servercerts/servercert.pem
smtpd_tls_key_file = /etc/ssl/servercerts/serverkey.pem
smtpd_use_tls = no
soft_bounce = no
strict_rfc821_envelopes = no
unknown_local_recipient_reject_code = 550
virtual_alias_domains = mydomain2.com
virtual_alias_maps = hash:/etc/postfix/forwards
virtual_mailbox_domains = mydomain.com anotherdomain.com mail.mydomain.com
virtual_mailbox_maps = hash:/etc/postfix/users
virtual_transport = lmtp:unix:/data/mail/lib/imap/socket/lmtp

If any other information would be helpful in diagnosing this problem, I'm happy to provide it.

Thank you very much in advance.

--
Jason Bailey, Web/IT Admin
Sun Advocate, Emery County Progress
webmaster(a)sunad.com, webmaster(a)ecprogress.com
(435) 637-0732 (x31)
http://www.sunad.com/
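
[Added example, not part of the original thread or written by any poster: one check that can be run over the postconf -n output above is whether any rule in smtpd_recipient_restrictions can accept a recipient before reject_unauth_destination is evaluated, because an OK result from an access map placed earlier bypasses the relay check. The function names are illustrative, and the contents of the referenced map files are not on the page, so the map findings mean "inspect this map", not "this is a relay hole".]

```python
import re

# One setting copied verbatim from the postconf -n output in the post above.
POSTED = """\
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, check_recipient_access hash:/etc/postfix/recip_filter.hash, check_recipient_access pcre:/etc/postfix/recip_filter.pcre, reject_unauth_destination, check_recipient_maps, check_recipient_access hash:/etc/postfix/overquota, permit
"""

# postconf -n omits settings left at their default; this is the Postfix 2.5 default.
DEFAULT_RCPT = "permit_mynetworks, reject_unauth_destination"

def parse_postconf(text):
    """Turn 'name = value' lines (postconf -n format) into a dict."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf

def split_restrictions(value):
    """Split a restriction list on commas/whitespace, keeping arguments
    (map names, RBL domains) attached to the restriction they follow.
    Heuristic: a restriction name is only lowercase letters, digits and '_'."""
    items = []
    for tok in re.split(r"[,\s]+", value.strip()):
        if not tok:
            continue
        if re.fullmatch(r"[a-z][a-z0-9_]*", tok) or not items:
            items.append(tok)
        else:
            items[-1] += " " + tok
    return items

def audit_relay_order(conf):
    """Return (severity, rule) pairs for rules that can accept a recipient
    before reject_unauth_destination is reached."""
    findings = []
    value = conf.get("smtpd_recipient_restrictions", DEFAULT_RCPT)
    for rule in split_restrictions(value):
        name = rule.split()[0]
        if name == "reject_unauth_destination":
            return findings                       # relay check reached
        if name == "permit":
            return findings + [("open", rule)]    # accepts everything that got this far
        if re.fullmatch(r"check_\w+_access", name):
            findings.append(("review-map", rule))  # safe only if the map never returns OK for outside domains
    return findings + [("missing", "reject_unauth_destination")]

if __name__ == "__main__":
    for severity, rule in audit_relay_order(parse_postconf(POSTED)):
        print(f"{severity}: {rule}")
```

For the posted configuration this reports the two check_recipient_access lookups (recip_filter.hash and recip_filter.pcre) that sit ahead of reject_unauth_destination; permit_mynetworks and permit_sasl_authenticated are deliberately not reported, since accepting those clients before the relay check is their purpose.
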

From: Stan Hoeppner on 23 Jun 2010 00:56

Jason Bailey, Sun Advocate Webmaster put forth on 6/22/2010 10:32 PM:

> (Note: I do have to disclose one piece of information. Recently our
> server was automatically blacklisted by our ISP for spam that was being
> relayed through our system from a series of external sources. I've
> tested both servers against online open relay tests and performed my own
> internal tests at times to prevent relay of spam, so I can't say why
> they were able to relay. I ended up basically rewriting the
> smtpd_client_restrictions, smtpd_recipient_restrictions and
> smtpd_sender_restrictions lists. The relayed spam stopped and our ISP
> finally removed us from their blacklist)

If the problem you describe started after this blacklisting, and you had none of these delivery problems before said blacklisting occurred, doesn't it seem pretty obvious that what you are seeing are residual effects of said blacklisting?

Apparently the recipient domains in question have added you to their own internal black lists or other filter database categories (i.e. manual spam scoring of your domain in SA). You need to contact them--all of them--directly.

--
Stan

From: "Jason Bailey, Sun Advocate Webmaster" on 23 Jun 2010 12:12

On 06/22/2010 10:56 PM, Stan Hoeppner wrote:
> Jason Bailey, Sun Advocate Webmaster put forth on 6/22/2010 10:32 PM:
>
>> (Note: I do have to disclose one piece of information. Recently our
>> server was automatically blacklisted by our ISP for spam that was being
>> relayed through our system from a series of external sources. I've
>> tested both servers against online open relay tests and performed my own
>> internal tests at times to prevent relay of spam, so I can't say why
>> they were able to relay. I ended up basically rewriting the
>> smtpd_client_restrictions, smtpd_recipient_restrictions and
>> smtpd_sender_restrictions lists. The relayed spam stopped and our ISP
>> finally removed us from their blacklist)
>
> If the problem you describe started after this blacklisting, and you had none
> of these delivery problems before said blacklisting occurred, doesn't it seem
> pretty obvious that what you are seeing are residual effects of said blacklisting?
>
> Apparently the recipient domains in question have added you to their own
> internal black lists or other filter database categories (i.e. manual spam
> scoring of your domain in SA). You need to contact them--all of them--directly.
>

But that's just it. When the spam problem occurred, mail never went beyond our ISP. Our ISP were the ones that blacklisted us, and they have since removed that block.

That aside, SLES box #2 I mentioned in my earlier email also hosts mail... but at a different location, using a different ISP. It was not infiltrated by spam as SLES box #1 was, but outbound mail it sends is also being rejected by Hotmail (some cases it's let through, but when so, it is being marked as junk).

So while the blacklisting may be a part of the problem with SLES box #1, it has absolutely nothing to do with SLES box #2. Both, however, are having delivery problems to the same sort of hosts.

So that is why I am scrutinizing my mail configuration.