postfix problem ?

hamei
Posts: 10211
Joined: Tue Feb 24, 2004 4:10 pm
Location: over the rainbow

postfix problem ?

Post by hamei » Fri May 04, 2007 11:11 am

So Postfix and Cyrus have been running a while and I'm watching the logs ... and I'm relaying some mail ! Rotten bastards. Not a lot but still, this is intolerable. I'm also getting mail to a local host that hasn't been turned on in months and never had a publicly-visible host name. Originally I set Postfix up to allow relaying from addresses in the local network (had another machine that was doing its own smtp at one time) but this appears to maybe be a mistake ? From looking at the log it appears that there are some unexplained "max connection rate" hits and also some strange addresses (mailto:xy.com@ab.com , for example) trying to get through.

anyway, if you are running Postfix I would suggest not allowing relaying from your local network addresses. So far that seems to have stopped the problem. Any other suggestions willingly accepted. The logs from Postfix are not as good as Weasel logs. Sure is faster tho.

Bastard spammers :evil:
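One way to check a mail log for the kind of relaying described in the post above, added here as an example and not part of the original post: it matches Postfix queue IDs between the smtpd `client=` line and the outbound `postfix/smtp` delivery line. The log lines, addresses and the function name `find_external_relays` are constructed for illustration, and the sketch assumes local deliveries are logged by a different agent (such as `postfix/lmtp`) than outbound ones.

```python
import ipaddress
import re

# Constructed sample in Postfix's syslog format (not taken from the thread).
SAMPLE_LOG = """\
May  4 10:01:02 mail postfix/smtpd[811]: 3F2A01C0A1: client=ws1.example.lan[192.168.1.20]
May  4 10:01:03 mail postfix/smtp[815]: 3F2A01C0A1: to=<bob@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.2, status=sent (250 ok)
May  4 10:05:40 mail postfix/smtpd[811]: 7B9C02D0B2: client=unknown[203.0.113.45]
May  4 10:05:42 mail postfix/smtp[816]: 7B9C02D0B2: to=<victim@example.net>, relay=mx.example.net[198.51.100.9]:25, delay=2.0, status=sent (250 ok)
May  4 10:07:10 mail postfix/smtpd[811]: 9D1E03E0C3: client=unknown[203.0.113.77]
May  4 10:07:11 mail postfix/lmtp[820]: 9D1E03E0C3: to=<hamei@example.com>, relay=localhost[127.0.0.1]:2003, delay=0.4, status=sent (250 2.1.5 Ok)
May  4 10:09:30 mail postfix/smtpd[811]: A4F504F0D4: client=laptop.example.net[198.51.100.23], sasl_method=PLAIN, sasl_username=alice
May  4 10:09:31 mail postfix/smtp[817]: A4F504F0D4: to=<carol@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.9, status=sent (250 ok)
"""

# smtpd records which client submitted each queue ID (plus SASL details, if any).
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=[^\[\s]*\[([0-9a-fA-F.:]+)\](.*)")
# The smtp client (not smtpd, not lmtp) records deliveries to other mail servers.
SENT_RE = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-Za-z]+): to=<([^>]*)>.*\bstatus=sent\b")

def find_external_relays(log_text, trusted_nets):
    """Return (queue_id, client_ip, recipient) for mail that an unauthenticated
    client outside trusted_nets handed to smtpd and that postfix/smtp then
    delivered to another server."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    origin = {}  # queue ID -> client IP, untrusted and unauthenticated only
    hits = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid, ip, rest = m.groups()
            addr = ipaddress.ip_address(ip)
            if not any(addr in n for n in nets) and "sasl_username=" not in rest:
                origin[qid] = ip
            continue
        m = SENT_RE.search(line)
        if m and m.group(1) in origin:
            hits.append((m.group(1), origin[m.group(1)], m.group(2)))
    return hits

if __name__ == "__main__":
    for hit in find_external_relays(SAMPLE_LOG, ["127.0.0.0/8", "192.168.1.0/24"]):
        print("relayed for untrusted client:", hit)
```

Pass the same networks that `mynetworks` lists; any hit is mail the server forwarded for a client it had no reason to trust.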

shel
Posts: 304
Joined: Fri Jan 13, 2006 11:25 am
Location: Uzes, France or Seattle, WA, USA

Re: postfix problem ?

Post by shel » Sat May 05, 2007 10:45 am

hamei wrote: anyway, if you are running Postfix I would suggest not allowing relaying from your local network addresses.

You can control Postfix's idea of what your local network is, and, unless you specify addresses that aren't really on your network, it's bulletproof in my experience. Postfix (since pretty early versions) rejects relaying by default. It's possible to override this with configuration, of course.

If you continue to have trouble, join the Postfix mailing list at http://www.postfix.org. Read the membership welcome notice carefully before posting.

-Shel

hamei
Posts: 10211
Joined: Tue Feb 24, 2004 4:10 pm
Location: over the rainbow

Re: postfix problem ?

Post by hamei » Sat May 05, 2007 11:00 am

shel wrote: You can control Postfix's idea of what your local network is, and, unless you specify addresses that aren't really on your network, it's bulletproof in my experience. Postfix (since pretty early versions) rejects relaying by default. It's possible to override this with configuration, of course.

The problem was trying to accommodate users who are not on the local network and who do not have static IPs .... pop-before-smtp is really what I needed and now that I've kinda given up on the hokey workarounds I was using, it seems like that is actually an option via Perl. Why it isn't part of the Postfix base package is kind of a mystery to me, tho. Seems like almost everyone is travelling all over with a laptop these days. Postfix is definitely fast. Mikey likes that part !

Barkas
Posts: 121
Joined: Thu Sep 08, 2005 3:16 pm

Post by Barkas » Sun May 06, 2007 12:41 pm

Why not simply smtp with authentication?

shel
Posts: 304
Joined: Fri Jan 13, 2006 11:25 am
Location: Uzes, France or Seattle, WA, USA

Re: postfix problem ?

Post by shel » Mon May 07, 2007 8:48 am

hamei wrote: The problem was trying to accommodate users who are not on the local network and who do not have static IPs .... pop-before-smtp is really what I needed and now that I've kinda given up on the hokey workarounds I was using, it seems like that is actually an option via Perl. Why it isn't part of the Postfix base package is kind of a mystery to me, tho. Seems like almost everyone is travelling all over with a laptop these days. Postfix is definitely fast. Mikey likes that part !

Since Postfix doesn't do POP at all, Postfix's including a hack like pop-before-smtp would be pretty tough.

The real thing is to use a supported authentication method. However, they seem to be moderately difficult to implement, since they are a compile-time option with Postfix, etc. Once implemented, both on the client and the server, however, they are user-transparent.

Because I have a relatively small number of traveling users, and they are tech-savvy, I use a home-brew combination of split-horizon DNS and SSH tunnelling to provide remote access. The advantage to this method is that I can allow out-of-LAN access to a number of otherwise local services. The disadvantage is that the user has to affirmatively put his machine into "traveling" mode when he leaves the LAN, and put it back into "local" mode when he returns.

-Shel

