1 (edited by aniyan.rajan6 2013-04-23 20:03:40)

Topic: Stop Unwanted Connections

==== Required information ====
- iRedMail version: 0.8.4
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MYSQL
- Linux/BSD distribution name and version: Debian/squeeze
- Related log if you're reporting an issue: please see below.
====

Hello,

I am getting a lot of connections daily as shown in the quotes below. I had the Email ID: "job at mydomain dot org", which I was using for job searching. I deleted this Email ID one month ago, as it is no longer needed and it was targeted by spam. (I did this before I installed iRedMail, and I don't want to recreate it in the future.) But the connections are still coming in /var/log/mail.log. Is there anything more that I can do in the mail server or at the DNS to reject these connection requests efficiently or stop them coming in, permanently?

Apr 21 09:06:05 mydomain postfix/smtpd[23369]: connect from adsl-99-34-93-226.dsl.chcgil.sbcglobal.net[99.34.93.226]
Apr 21 09:06:05 mydomain postfix/trivial-rewrite[23373]: warning: do not list domain mydomain.org in BOTH mydestination and virtual_mailbox_domains
Apr 21 09:06:05 mydomain postfix/smtpd[23369]: NOQUEUE: reject: RCPT from adsl-99-34-93-226.dsl.chcgil.sbcglobal.net[99.34.93.226]: 550 5.1.1 <job@mydomain.org>: Recipient address rejected: User unknown in local recipient table; from=<India-Jobs.067L@s2d9.com> to=<job@mydomain.org> proto=SMTP helo=<s2d9.com>
Apr 21 09:06:05 mydomain postfix/smtpd[23369]: disconnect from adsl-99-34-93-226.dsl.chcgil.sbcglobal.net[99.34.93.226]

Apr 21 10:30:07 mydomain postfix/smtpd[23770]: connect from 216-80-120-209.prs-bsr1.chi-prs.il.static.cable.rcn.com[216.80.120.209]
Apr 21 10:30:10 mydomain postfix/trivial-rewrite[23772]: warning: do not list domain mydomain.org in BOTH mydestination and virtual_mailbox_domains
Apr 21 10:30:10 mydomain postfix/smtpd[23770]: NOQUEUE: reject: RCPT from 216-80-120-209.prs-bsr1.chi-prs.il.static.cable.rcn.com[216.80.120.209]: 450 4.1.8 <Kuwait-Employment.226B@RLMBUSINESS.COM>: Sender address rejected: Domain not found; from=<Kuwait-Employment.226B@RLMBUSINESS.COM> to=<job@mydomain.org> proto=SMTP helo=<RLMBUSINESS.COM>

Apr 21 12:17:46 mydomain postfix/smtpd[24100]: connect from unknown[178.125.178.74]
Apr 21 12:17:46 mydomain postfix/trivial-rewrite[24103]: warning: do not list domain mydomain.org in BOTH mydestination and virtual_mailbox_domains
Apr 21 12:17:46 mydomain postfix/smtpd[24100]: NOQUEUE: reject: RCPT from unknown[178.125.178.74]: 504 5.5.2 <178.125.178.74>: Helo command rejected: need fully-qualified hostname; from=<richandbarb@marketing4technology.com> to=<job@mydomain.org> proto=SMTP helo=<178.125.178.74>

Apr 23 10:02:01 mydomain postfix/smtpd[3766]: connect from adsl-99-34-93-225.dsl.chcgil.sbcglobal.net[99.34.93.225]
Apr 23 10:02:01 mydomain postfix/trivial-rewrite[3769]: warning: do not list domain mydomain.org in BOTH mydestination and virtual_mailbox_domains
Apr 23 10:02:01 mydomain postfix/smtpd[3766]: NOQUEUE: reject: RCPT from adsl-99-34-93-225.dsl.chcgil.sbcglobal.net[99.34.93.225]: 550 5.1.1 <job@mydomain.org>: Recipient address rejected: User unknown in local recipient table; from=<Gulf-Jobs.069R@s2d9.com> to=<job@mydomain.org> proto=SMTP helo=<s2d9.com>
Apr 23 10:02:01 mydomain postfix/smtpd[3766]: disconnect from adsl-99-34-93-225.dsl.chcgil.sbcglobal.net[99.34.93.225]
Apr 23 10:05:21 mydomain postfix/anvil[3768]: statistics: max connection rate 1/60s for (smtp:99.34.93.225) at Apr 23 10:02:01
Apr 23 10:05:21 mydomain postfix/anvil[3768]: statistics: max connection count 1 for (smtp:99.34.93.225) at Apr 23 10:02:01
Apr 23 10:05:21 mydomain postfix/anvil[3768]: statistics: max cache size 1 at Apr 23 10:02:01


2

Re: Stop Unwanted Connections

aniyan.rajan6 wrote:

Apr 21 10:30:10 mydomain postfix/trivial-rewrite[23772]: warning: do not list domain mydomain.org in BOTH mydestination and virtual_mailbox_domains

You should fix this issue first. For example, use a different server hostname, then update Postfix "mydestination" setting in /etc/postfix/main.cf also.

To stop unwanted connections, you can create a Postfix header_checks rule, if it's sent to job@ in "To:" header, reject this smtp connection. Reference: http://www.postfix.org/header_checks.5.html

3 (edited by aniyan.rajan6 2013-04-24 16:42:25)

Re: Stop Unwanted Connections

ZhangHuangbin wrote:

You should fix this issue first. For example, use a different server hostname, then update Postfix "mydestination" setting in /etc/postfix/main.cf also.

I will work on this and update.

To stop unwanted connections, you can create a Postfix header_checks rule, if it's sent to job@ in "To:" header, reject this smtp connection. Reference: http://www.postfix.org/header_checks.5.html

I added a "header_checks = regexp:/etc/postfix/header_checks" in /etc/postfix/main.cf

and

/^To: job@mydomain.com/ REJECT
in /etc/postfix/header_checks

then did
# postfix reload

I believe this is what you asked me to do.

After watching for a few hours, it seems this is not working. I get the following connections in /var/log/mail.log

Apr 23 22:36:27 mydomain postfix/smtpd[2690]: connect from 216-80-120-215.prs-bsr1.chi-prs.il.static.cable.rcn.com[216.80.120.215]
Apr 23 22:36:27 mydomain postfix/trivial-rewrite[2694]: warning: do not list domain mydomain.org in BOTH mydestination and virtual_mailbox_domains
Apr 23 22:36:27 mydomain postfix/smtpd[2690]: NOQUEUE: reject: RCPT from 216-80-120-215.prs-bsr1.chi-prs.il.static.cable.rcn.com[216.80.120.215]: 550 5.1.1 <job@mydomain.org>: Recipient address rejected: User unknown in local recipient table; from=<Jobs-In-Belgium.077Y@NEWJOBSABROAD.COM> to=<job@mydomain.org> proto=SMTP helo=<NEWJOBSABROAD.COM>

Please help.

Thanks.

4 (edited by aniyan.rajan6 2013-04-24 19:20:50)

Re: Stop Unwanted Connections

aniyan.rajan6 wrote:

After watching for a few hours, it seems this is not working. I get the following connections in /var/log/mail.log

An update is:

The header_checks will work only if a Valid Email ID exists. In this case postfix can reject the incoming emails using header_checks with the error "550 5.7.1 message content rejected".

In my case, I have already deleted the Email ID "job at mydomain dot com", which was targeted by spam. As I don't have a Valid Email ID "job at mydomain dot com" at present, it doesn't reach the header_checks and the email will be rejected with the error "550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table". This rejection happens before it goes to the header_checks.

So could you please suggest if there is any other method to avoid the unwanted connections coming (appearing) in /var/log/mail.log?
Or is there anything more I can do in the mail server or at the DNS to reject these connection requests efficiently, rather than just deleting the Email ID?

Thanks.

5

Re: Stop Unwanted Connections

aniyan.rajan6 wrote:

As I don't have a Valid Email ID "job at mydomain dot com" at present, it doesn't reach the header_checks

Oops, my mistake. Sorry about this trouble.

You can try to add "check_recipient_access" in Postfix parameter "smtpd_recipient_restrictions". For example:

smtpd_recipient_restrictions =
    ...,
    # Add the next line, before "reject_unlisted_recipient"
    check_recipient_access hash:/etc/postfix/recipient_access,
    reject_unlisted_recipient,
    ...

File /etc/postfix/recipient_access:

job@mydomain.com REJECT account not exist anymore

6

Re: Stop Unwanted Connections

ZhangHuangbin wrote:
job@mydomain.com REJECT account not exist anymore

That's great. I think I will set the message as "detected as spam", as all of those incoming connections are spams. I will update you, if any issues.

Thanks a lot.

7 (edited by aniyan.rajan6 2013-04-25 01:08:12)

Re: Stop Unwanted Connections

I did that and restarted postfix. I think it is looking for a database, not a text file. Am I missing something?

Apr 24 17:02:19 mydomain postfix/master[8542]: daemon started -- version 2.7.1, configuration /etc/postfix
Apr 24 17:03:27 mydomain postfix/smtpd[8553]: fatal: open database /etc/postfix/recipient_access.db: No such file or directory
Apr 24 17:03:28 mydomain postfix/master[8542]: warning: process /usr/lib/postfix/smtpd pid 8553 exit status 1
Apr 24 17:03:28 mydomain postfix/master[8542]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling

8

Re: Stop Unwanted Connections

Oops, my mistake. Please execute below command to create the db file:

# postmap hash:/etc/postfix/recipient_access

9

Re: Stop Unwanted Connections

Zhang,

I have removed the previous entries from the header_checks file and configured the smtpd_recipient_restrictions, as you said. The connections are still coming in the /var/log/mail.log. Please see below. But I think now we are at least rejecting these connection requests efficiently at the mailserver in addition to the EmailID deletion.

Thanks.

Apr 25 16:09:37 mydomain postfix/smtpd[15165]: connect from 216-80-120-215.prs-bsr1.chi-prs.il.static.cable.rcn.com[216.80.120.215]
Apr 25 16:09:38 mydomain postfix/smtpd[15165]: NOQUEUE: reject: RCPT from 216-80-120-215.prs-bsr1.chi-prs.il.static.cable.rcn.com[216.80.120.215]: 554 5.7.1 <job@mydomain.org>: Recipient address rejected: Detected as Spam; from=<New-Zealand-Jobs.032M@NEWJOBSABROAD.COM> to=<job@mydomain.org> proto=SMTP helo=<NEWJOBSABROAD.COM>
Apr 25 16:09:38 mydomain postfix/smtpd[15165]: disconnect from 216-80-120-215.prs-bsr1.chi-prs.il.static.cable.rcn.com[216.80.120.215]
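
Added example, not part of the thread and not iRedMail or Postfix code: a Python script that parses smtpd "NOQUEUE: reject" lines like those quoted above and tallies them per reply code and client. This shows whether the check_recipient_access entry (554 5.7.1) has taken over from the default 550 5.1.1 rejection. The log lines are constructed and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample modelled on the reject lines quoted in this thread
# (documentation IP ranges and example.* domains, not real traffic).
SAMPLE_LOG = """\
Apr 21 09:06:05 mx postfix/smtpd[23369]: connect from unknown[192.0.2.10]
Apr 21 09:06:05 mx postfix/smtpd[23369]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <job@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.com> to=<job@example.org> proto=SMTP helo=<example.com>
Apr 21 12:17:46 mx postfix/smtpd[24100]: NOQUEUE: reject: RCPT from unknown[192.0.2.74]: 504 5.5.2 <192.0.2.74>: Helo command rejected: need fully-qualified hostname; from=<b@example.net> to=<job@example.org> proto=SMTP helo=<192.0.2.74>
Apr 25 16:09:38 mx postfix/smtpd[15165]: NOQUEUE: reject: RCPT from host.example.net[198.51.100.215]: 554 5.7.1 <job@example.org>: Recipient address rejected: Detected as Spam; from=<c@example.com> to=<job@example.org> proto=SMTP helo=<example.com>
Apr 25 16:20:00 mx postfix/smtpd[15170]: NOQUEUE: reject: RCPT from host.example.net[198.51.100.215]: 554 5.7.1 <job@example.org>: Recipient address rejected: Detected as Spam; from=<d@example.com> to=<job@example.org> proto=SMTP helo=<example.com>
"""

REJECT_RE = re.compile(
    r"NOQUEUE: reject: (?P<stage>\w+) from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) <[^>]*>: (?P<reason>[^;]+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def parse_rejects(log_text):
    """Return one dict per smtpd reject line; all other lines are skipped."""
    return [m.groupdict() for m in map(REJECT_RE.search, log_text.splitlines()) if m]

def summarize(rejects, rcpt):
    """Count rejects for one recipient by (code, dsn, reason) and by client IP."""
    hits = [r for r in rejects if r["rcpt"].lower() == rcpt.lower()]
    by_reason = Counter((r["code"], r["dsn"], r["reason"].strip()) for r in hits)
    by_client = Counter(r["ip"] for r in hits)
    return by_reason, by_client

def access_map_active(rejects, rcpt, text):
    """True if the newest reject for rcpt carries the access-map reply text."""
    hits = [r for r in rejects if r["rcpt"].lower() == rcpt.lower()]
    return bool(hits) and text.lower() in hits[-1]["reason"].lower()

if __name__ == "__main__":
    rejects = parse_rejects(SAMPLE_LOG)
    by_reason, by_client = summarize(rejects, "job@example.org")
    for (code, dsn, reason), n in by_reason.most_common():
        print(f"{n:3d}  {code} {dsn}  {reason}")
    print("clients:", dict(by_client))
    print("access map active:",
          access_map_active(rejects, "job@example.org", "Detected as Spam"))
```

Every reject in the sample is logged at the RCPT stage, before any message headers are sent, which is why the header_checks rule tried earlier in the thread never matched.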