* [gentoo-server] SMTP Woes
From: Randy Barlow @ 2007-11-30 7:00 UTC
To: gentoo-server

I am getting a huge number of connections to my mail server (postfix) compared to usual. I've seen as many as 50 connections open at one time. The logs show that the connections are from several computers of varying IPs, and they are all trying to send mail to random mailboxes on my domain. It's very annoying, and I have noticed that inbound mail seems to be lagging by several hours. Is there something similar to denyhosts for spammers? Any other suggestions?

--
Randy Barlow
http://electronsweatshop.com

--
gentoo-server@gentoo.org mailing list

* Re: [gentoo-server] SMTP Woes
From: Arturo 'Buanzo' Busleiman @ 2007-11-30 10:22 UTC
To: gentoo-server

Randy Barlow wrote:
> I am getting a huge number of connections to my mail server (postfix)
> compared to usual. I've seen as many as 50 connections open at one
> time. The logs show that the connections are from several computers of
> varying IPs, and they are all trying to send mail to random mailboxes on
> my domain. It's very annoying, and I have noticed that inbound mail
> seems to be lagging by several hours. Is there something similar to
> denyhosts for spammers? Any other suggestions?

Check those IPs against: www.robtex.com/rbl

Choose your favorite blacklists (test them, some of them provide too many false positives) and implement DNSBL/RBL with them in your postfix. Also, SPF and greylisting do a good job.

Additionally, I recall a Netfilter/iptables module that does dnsbl, too, but... I'd not recommend it.

--
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
Support Free Music - Vote for Futurabanda at: (see next line)
http://www.frecuenciazero.com.ar/realityrock/votar.htm

* Re: [gentoo-server] SMTP Woes
From: Kerin Millar @ 2007-11-30 11:34 UTC
To: gentoo-server

On 30/11/2007, Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> wrote:
> Randy Barlow wrote:
> > I am getting a huge number of connections to my mail server (postfix)
> > compared to usual. I've seen as many as 50 connections open at one
> > time. The logs show that the connections are from several computers of
> > varying IPs, and they are all trying to send mail to random mailboxes on
> > my domain. It's very annoying, and I have noticed that inbound mail
> > seems to be lagging by several hours. Is there something similar to
> > denyhosts for spammers? Any other suggestions?
>
> Check those IPs against: www.robtex.com/rbl
> Choose your favorite blacklists (test them, some of them provide too many false positives) and
> implement DNSBL/RBL with them in your postfix. Also, SPF and greylisting do a good job.

Regarding SPF, I'd just like to add that the SPF policy daemons (which can be integrated into postfix very easily) are available at http://www.openspf.org/Software. There are implementations in perl and python and, as luck would have it, the python version is available in portage as mail-filter/pypolicyd-spf. If you choose to endorse SPF then don't forget to define records for one's own domains! A helpful document describing SPF syntax can be found here: http://www.openspf.org/SPF_Record_Syntax.

Regards,

--Kerin

* Re: [gentoo-server] SMTP Woes
From: Lindsay Haisley @ 2007-11-30 19:41 UTC
To: gentoo-server

In my experience SPF isn't deployed widely enough to be a reliable technology on its own for identifying spam. There are just too many ISPs out there running mail servers, and sending legitimate email, that don't identify in SPF. You'll get many false positives.

Although I'm not using courier-mta instead of postfix, I'm using blacklists with very good results on FMP's small commercial mail server. The lion's share of blocking is done based on the Composite Blocking List. See <http://cbl.abuseat.org/>, although I have several others in the mix. Courier doesn't mess with an inbound SMTP connection attempt if it identifies in a BL, but simply rejects the connection out front with an error, which should cause the sending system to issue a DSN in the case of falsely identified spam - of which I see extremely little. I expect postfix works in a similar way. This delays the connection somewhat, but you don't end up with dozens of spam-bots tying up your SMTP server because they fail to properly disconnect when they are told they're trying to send to a nonexistent mailbox.

On Fri, 2007-11-30 at 11:34 +0000, Kerin Millar wrote:
> On 30/11/2007, Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> wrote:
> > Randy Barlow wrote:
> > > I am getting a huge number of connections to my mail server (postfix)
> > > compared to usual. I've seen as many as 50 connections open at one
> > > time. The logs show that the connections are from several computers of
> > > varying IPs, and they are all trying to send mail to random mailboxes on
> > > my domain. It's very annoying, and I have noticed that inbound mail
> > > seems to be lagging by several hours. Is there something similar to
> > > denyhosts for spammers? Any other suggestions?
> >
> > Check those IPs against: www.robtex.com/rbl
> > Choose your favorite blacklists (test them, some of them provide too many false positives) and
> > implement DNSBL/RBL with them in your postfix. Also, SPF and greylisting do a good job.
>
> Regarding SPF, I'd just like to add that the SPF policy daemons (which
> can be integrated into postfix very easily) are available at
> http://www.openspf.org/Software. There are implementations in perl and
> python and, as luck would have it, the python version is available in
> portage as mail-filter/pypolicyd-spf. If you choose to endorse SPF
> then don't forget to define records for one's own domains! A helpful
> document describing SPF syntax can be found here:
> http://www.openspf.org/SPF_Record_Syntax.
>
> Regards,
>
> --Kerin

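To make Kerin's advice to publish SPF records and Lindsay's false-positive warning concrete, here is an added example that is not code from the thread or from openspf.org: it evaluates a sender IP against an SPF record using a constructed DNS table. It supports only the ip4, ip6, a, mx, include and all mechanisms, and every domain, record and address in it is made up.

```python
import ipaddress

# Constructed DNS answers standing in for real lookups; none of these
# domains, records or addresses come from the thread.
FAKE_DNS = {
    ("example.org", "TXT"): ["v=spf1 ip4:198.51.100.0/24 mx include:_spf.example.net -all"],
    ("example.org", "MX"): ["mx1.example.org"],
    ("mx1.example.org", "A"): ["203.0.113.25"],
    ("_spf.example.net", "TXT"): ["v=spf1 ip4:192.0.2.0/28 ~all"],
}

# SPF qualifiers: a matching mechanism yields the result named by its qualifier.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns=FAKE_DNS):
    return dns.get((name, rtype), [])


def spf_record(domain, dns=FAKE_DNS):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT", dns):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def check_spf(domain, ip, dns=FAKE_DNS, depth=0):
    """Evaluate a subset of SPF (ip4, ip6, a, mx, include, all) for a sender IP."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # the default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # an IPv4 address is never inside an IPv6 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in lookup(arg or domain, "A", dns)
        elif name == "mx":
            for mx in lookup(arg or domain, "MX", dns):
                if str(addr) in lookup(mx, "A", dns):
                    matched = True
        elif name == "include":
            # include matches only when the included policy returns "pass"
            matched = check_spf(arg, ip, dns, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism outside the supported subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no "all" term


if __name__ == "__main__":
    # A legitimate relay that the domain owner forgot to list gets a hard fail:
    # this is the false-positive risk of enforcing "-all" on a sparsely deployed SPF.
    for sender in ("198.51.100.7", "203.0.113.25", "192.0.2.5", "203.0.113.99"):
        print(sender, check_spf("example.org", sender))
```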
* Re: [gentoo-server] SMTP Woes
From: Wendall Cada @ 2007-11-30 18:27 UTC
To: gentoo-server

On Fri, 30 Nov 2007 02:00:20 -0500 Randy Barlow <randy@electronsweatshop.com> wrote:
> I am getting a huge number of connections to my mail server (postfix)
> compared to usual. I've seen as many as 50 connections open at one
> time. The logs show that the connections are from several computers
> of varying IPs, and they are all trying to send mail to random
> mailboxes on my domain. It's very annoying, and I have noticed that
> inbound mail seems to be lagging by several hours. Is there
> something similar to denyhosts for spammers? Any other suggestions?

There are a variety of reasons this many incoming connections can be generated. No amount of blacklist/greylist filtering will do anything to prevent them from happening. If you block them at the firewall, they will just keep retrying and you'll end up making the problem worse. You need to give a 550 to every incoming connection, regardless.

It sounds like you are using a DB on the backend for user lookups. If so, there are important optimizations that need to be made to make this issue a moot point.

First, it would be nice to know what MTA you are using, and secondly if you are using a database backend for lookups. With that information, I could give some specific answers on how to better optimize your setup for dealing with the garbage.

Wendall

* Re: [gentoo-server] SMTP Woes
From: Wendall Cada @ 2007-11-30 19:07 UTC
To: gentoo-server

On Fri, 30 Nov 2007 02:00:20 -0500 Randy Barlow <randy@electronsweatshop.com> wrote:
> I am getting a huge number of connections to my mail server (postfix)
> compared to usual. I've seen as many as 50 connections open at one
> time. The logs show that the connections are from several computers
> of varying IPs, and they are all trying to send mail to random
> mailboxes on my domain. It's very annoying, and I have noticed that
> inbound mail seems to be lagging by several hours. Is there
> something similar to denyhosts for spammers? Any other suggestions?

Sorry, I missed that you are using postfix. Are you using a sql database for your lookups?

Wendall

* Re: [gentoo-server] SMTP Woes
From: Randy Barlow @ 2007-11-30 22:57 UTC
To: gentoo-server

Wendall Cada wrote:
> Sorry, I missed that you are using postfix. Are you using a sql
> database for your lookups?

No SQL database, I'm actually the only user on this system. I don't fully understand how it is doing the lookups honestly, but I figure it has something to do with /etc/passwd and /etc/mail/aliases. I used this guide to set up my system:

http://gentoo-wiki.com/HOWTO_Email_System_for_the_Home_Network

I had the reject code set to 450 (try again later) so I just changed it to 550 (reject). Hopefully that will help. I have considered greylisting since valid mail should try again, so perhaps that is the way to go. Also, the lists of known spammers would be useful.

Thanks for all the replies!

--
Randy Barlow
http://electronsweatshop.com

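Randy's wish for something like denyhosts for spammers, and Wendall's point that a 450 only makes bots retry, can both be checked against the mail log itself. The following added example (not code from the thread) parses a few constructed Postfix smtpd log lines, counts connections and 4xx/5xx recipient rejects per client, and lists the clients that reconnected after temporary rejects; the log lines, addresses and the reject threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix smtpd log lines (not taken from the thread):
# 192.0.2.10 is a bot that receives 450 tempfails and comes back, 203.0.113.7 a
# bot that receives a 550, and 198.51.100.5 a legitimate relay delivering mail.
SAMPLE_LOG = """\
Nov 30 01:02:03 mail postfix/smtpd[4711]: connect from unknown[192.0.2.10]
Nov 30 01:02:04 mail postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 <abc123@example.org>: User unknown in local recipient table; from=<x@example.net> to=<abc123@example.org> proto=SMTP helo=<bot>
Nov 30 01:02:05 mail postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 <qwerty@example.org>: User unknown in local recipient table; from=<x@example.net> to=<qwerty@example.org> proto=SMTP helo=<bot>
Nov 30 01:02:09 mail postfix/smtpd[4712]: connect from unknown[192.0.2.10]
Nov 30 01:02:10 mail postfix/smtpd[4712]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 <abc123@example.org>: User unknown in local recipient table; from=<x@example.net> to=<abc123@example.org> proto=SMTP helo=<bot>
Nov 30 01:03:00 mail postfix/smtpd[4713]: connect from mx.example.com[198.51.100.5]
Nov 30 01:03:01 mail postfix/smtpd[4713]: 1A2B3C4D5E: client=mx.example.com[198.51.100.5]
Nov 30 01:03:02 mail postfix/smtpd[4713]: disconnect from mx.example.com[198.51.100.5]
Nov 30 01:04:00 mail postfix/smtpd[4714]: connect from unknown[203.0.113.7]
Nov 30 01:04:01 mail postfix/smtpd[4714]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 <zzz@example.org>: User unknown in local recipient table; from=<y@example.net> to=<zzz@example.org> proto=SMTP helo=<bot2>
Nov 30 01:04:02 mail postfix/smtpd[4714]: disconnect from unknown[203.0.113.7]
"""

# The client address always follows the (possibly "unknown") hostname in brackets.
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[([0-9a-fA-F.:]+)\]")
DISCONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: disconnect from \S+\[([0-9a-fA-F.:]+)\]")
REJECT_RE = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[([0-9a-fA-F.:]+)\]: (\d{3}) ")


def summarize(log_text):
    """Return {client_ip: {"connects", "disconnects", "rejects_4xx", "rejects_5xx"}}."""
    stats = defaultdict(lambda: {"connects": 0, "disconnects": 0, "rejects_4xx": 0, "rejects_5xx": 0})
    for line in log_text.splitlines():
        if m := CONNECT_RE.search(line):
            stats[m.group(1)]["connects"] += 1
        elif m := DISCONNECT_RE.search(line):
            stats[m.group(1)]["disconnects"] += 1
        elif m := REJECT_RE.search(line):
            key = "rejects_4xx" if m.group(2).startswith("4") else "rejects_5xx"
            stats[m.group(1)][key] += 1
    return dict(stats)


def suspicious_clients(stats, min_rejects=2):
    """Clients whose recipient rejects reach min_rejects (an assumed threshold), worst first."""
    rejects = {ip: s["rejects_4xx"] + s["rejects_5xx"] for ip, s in stats.items()}
    return sorted((ip for ip, n in rejects.items() if n >= min_rejects), key=lambda ip: -rejects[ip])


def tempfail_retriers(stats):
    """Clients that got a 4xx (try again later) and connected again: the retries a 450 invites."""
    return sorted(ip for ip, s in stats.items() if s["rejects_4xx"] and s["connects"] > 1)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in stats.items():
        print(ip, s)
    print("suspicious:", suspicious_clients(stats))
    print("retrying after 450:", tempfail_retriers(stats))
```

On a real server the same functions can be fed /var/log/mail.log (or wherever the maillog lives), and the resulting list is what a blacklist or firewall rule would be built from.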
* [gentoo-server] Interesting IP Aliasing Problem
From: M Summers @ 2007-12-03 18:46 UTC
To: gentoo-server

Hello,

I have a rather pressing issue with IP aliasing. So, my ISP assigns IPs via dhcp using the MAC address to bind it statically. What I need to do is get multiple static public IPs via their dhcp server. My ISP's reliance on dhcp presents an interesting problem. How am I to acquire multiple static public IPs from one NIC, say eth0, if their dhcp server requires a unique MAC address per IP? I have tried using macchanger, but it doesn't work for aliases alone. It changes the MAC for the main interface, eth0, not eth0:{0,N}.

Many thanks in advance for the assistance.

Cheers,
Summers

* Re: [gentoo-server] Interesting IP Aliasing Problem
From: Konstantin Astafjev @ 2007-12-03 20:03 UTC
To: M Summers

Hello M,

Monday, December 3, 2007, 8:46:58 PM, you wrote:
> I have a rather pressing issue with IP aliasing. So, my ISP assigns IPs
> via dhcp using the MAC address to bind it statically. What I need to
> do is get multiple static public IPs via their dhcp server. My ISP's
> reliance on dhcp presents an interesting problem. How am I to acquire
> multiple static public IPs from one NIC, say eth0, if their dhcp server
> requires a unique MAC address per IP? I have tried using macchanger,
> but it doesn't work for aliases alone. It changes the MAC for the main
> interface, eth0, not eth0:{0,N}.

If I'm not mistaken you have 3 options:

- force your ISP to make some static rules mac=some_IPs in their switches/routers. I guess they're forcing clients to use DHCP because the "dhcp snooping" and "arp inspection" features help them filter alien IPs & MACs.

- take a simple switch and some NICs with different MACs. Quantity depends on how many IPs you need. ;)

- the craziest one: take a vlan switch, on your NIC create some VLANs, change the MAC address on each VLAN.

AFAIK, DHCP assigning different IPs simultaneously on one MAC is impossible.

--
Konstantin

* Re: [gentoo-server] Interesting IP Aliasing Problem
From: RijilV @ 2007-12-03 20:34 UTC
To: gentoo-server

On 03/12/2007, Konstantin Astafjev <konstantin@astafjev.com> wrote:
>
> - the craziest one: take a vlan switch, on your NIC create some VLANs,
> change the MAC address on each VLAN.
>
> AFAIK, DHCP assigning different IPs simultaneously on one MAC
> is impossible.
>
> --
> Konstantin

Hey Konstantin,

Another crazy one:

- Bring up a bunch of dummy interfaces and bridge them over to the main interface.

I also don't think you can assign multiple IPs via DHCP (I'd like to be shown wrong!)

.r'

* Re[2]: [gentoo-server] Interesting IP Aliasing Problem
From: Konstantin Astafjev @ 2007-12-03 21:20 UTC
To: RijilV

Hello RijilV,

Monday, December 3, 2007, 10:34:54 PM, you wrote:
>> On 03/12/2007, Konstantin Astafjev <konstantin@astafjev.com> wrote:
>> - the craziest one: take a vlan switch, on your NIC create some VLANs,
>> change the MAC address on each VLAN.
>>
>> AFAIK, DHCP assigning different IPs simultaneously on one MAC is impossible.

> Hey Konstantin,
> Another crazy one:
> - Bring up a bunch of dummy interfaces and bridge them over to the main interface.
> I also don't think you can assign multiple IPs via DHCP (I'd like to be shown wrong!)
> .r'

Yeah. If it's possible to change the MAC address on dummy interfaces, that will be the best solution, IMHO.

--
Konstantin

* Re: [gentoo-server] Interesting IP Aliasing Problem
From: M Summers @ 2007-12-03 21:06 UTC
To: gentoo-server

Thanks for the advice Konstantin. To be honest the "crazy" option looks very interesting, but perhaps for another day.

I think I may have found my solution. It occurred to me that I just needed to have a unique MAC for my ISP's dhcp server, but not necessarily for the network proper. In that case, I can simply pass a "unique" CLIENTID to dhcpcd when I call it, as in the following test (-T) example:

    # dhcpcd -T -I 00:GE:NT:00:RO:CK eth0:0
    IPADDR='192.168.1.105'
    NETMASK='255.255.255.0'
    BROADCAST='192.168.1.255'
    ROUTES=''
    GATEWAYS='192.168.1.1'
    DNSSERVERS='DNS server IPs are here'
    DHCPSID='192.168.1.1'
    LEASETIME='86400'
    RENEWALTIME='0'
    REBINDTIME='0'
    INTERFACE='eth0:0'
    CLASSID='dhcpcd 3.1.5'
    CLIENTID='00:GE:NT:00:RO:CK'
    DHCPCHADDR='my:re:al:ma:ca:dd'

Now, of course, I didn't actually use 00:GE:NT:00:RO:CK as the CLIENTID, but you get the point.

At this point the question becomes: Will I be able to use this with my IP, not just my internal router? I hope so, I will test very soon. Another question is: How do I add this to /etc/conf.d/net so that this all occurs nice & clean when I start net.eth0?

Regardless, thanks for the assistance. I will post with further news as I learn. Anyone with any experience with this subject, please know that your past and future assistance is appreciated.

Cheers,
Summers

Konstantin Astafjev wrote:
> Hello M,
>
> Monday, December 3, 2007, 8:46:58 PM, you wrote:
>
>> I have a rather pressing issue with IP aliasing. So, my ISP assigns IPs
>> via dhcp using the MAC address to bind it statically. What I need to
>> do is get multiple static public IPs via their dhcp server. My ISP's
>> reliance on dhcp presents an interesting problem. How am I to acquire
>> multiple static public IPs from one NIC, say eth0, if their dhcp server
>> requires a unique MAC address per IP? I have tried using macchanger,
>> but it doesn't work for aliases alone. It changes the MAC for the main
>> interface, eth0, not eth0:{0,N}.
>>
>
> If I'm not mistaken you have 3 options:
>
> - force your ISP to make some static rules mac=some_IPs in their
> switches/routers. I guess they're forcing clients to use DHCP because
> the "dhcp snooping" and "arp inspection" features help them filter
> alien IPs & MACs.
>
> - take a simple switch and some NICs with different MACs.
> Quantity depends on how many IPs you need. ;)
>
> - the craziest one: take a vlan switch, on your NIC create some VLANs,
> change the MAC address on each VLAN.
>
> AFAIK, DHCP assigning different IPs simultaneously on one MAC is impossible.
>

* RE: [gentoo-server] SMTP Woes
From: Olaf Niermann @ 2007-12-06 21:09 UTC
To: gentoo-server

Hi Randy,

I would give the package 'mail-filter/policyd-weight' a try to stop these unwanted mails. But keep in mind to have some 'check_sender_access' and 'check_recipient_access' files on hand to bypass the false-positive senders and recipients.

Example:

    # postconf | grep 'smtpd_recipient_restrictions'
    smtpd_recipient_restrictions = permit_mynetworks,
        check_sender_access hash:/etc/postfix/sender_checks,
        check_recipient_access hash:/etc/postfix/recipient_checks,
        check_policy_service inet:127.0.0.1:12525,
        warn_if_reject reject_unknown_sender_domain,
        warn_if_reject reject_non_fqdn_sender,
        warn_if_reject reject_unknown_recipient_domain,
        warn_if_reject reject_non_fqdn_recipient,
        warn_if_reject reject_unauth_pipelining,
        warn_if_reject reject_unauth_destination,
        permit_auth_destination,
        reject

Regards,
Olaf Niermann

-----Original Message-----
From: Randy Barlow [mailto:randy@electronsweatshop.com]
Sent: Friday, November 30, 2007 8:00 AM
To: gentoo-server@lists.gentoo.org
Subject: [gentoo-server] SMTP Woes

I am getting a huge number of connections to my mail server (postfix) compared to usual. I've seen as many as 50 connections open at one time. The logs show that the connections are from several computers of varying IPs, and they are all trying to send mail to random mailboxes on my domain. It's very annoying, and I have noticed that inbound mail seems to be lagging by several hours. Is there something similar to denyhosts for spammers? Any other suggestions?

--
Randy Barlow
http://electronsweatshop.com
