Score:1

POSTFIX / Grey List not working


I had a spam attack on my website. Someone was using my email to send spam email to everyone.

So now I plan to find a way to stop it.

I see people rejecting mails by regex. But I have tons and tons of different emails (50,000 users).

I want to check if the email is in the database; if it is, I allow it to go through. Otherwise quarantine. I do not want them stuck in the mail queue.

I have this greylist.pl:

#main.cf 
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:/private/greylist

#master.cf
greylist unix - n n - - spawn user=nobody argv=/usr/bin/perl  /tmp/mailrejct.

But when I use it I get these errors in maillog:

Dec 25 09:24:58 intelligent-mahavira postfix/spawn[107258]: warning: command /usr/bin/perl exit status 2
Dec 25 09:24:58 intelligent-mahavira postfix/smtpd[107253]: warning: premature end-of-input on /private/greylist while reading input attribute name
Dec 25 09:24:59 intelligent-mahavira postfix/spawn[107258]: warning: command /usr/bin/perl exit status 2
Dec 25 09:24:59 intelligent-mahavira postfix/smtpd[107253]: warning: premature end-of-input on /private/greylist while reading input attribute name
Dec 25 09:24:59 intelligent-mahavira postfix/smtpd[107253]: warning: problem talking to server /private/greylist: Connection reset by peer

I replaced smtpd_access_policy with mine. That is one difference. Is anyone an expert in this?

Who is sending the attribute values? Postfix? How do they get passed?

NOT SOLVED. This is only for receiving email. Only for incoming spam.

For outgoing email there are only pattern checks.

#!/bin/sh

# Simple shell-based filter. It is meant to be invoked as follows:
#       /path/to/script -f sender recipients...

# Localize these. The -G option does nothing before Postfix 2.3.
INSPECT_DIR=/var/spool/filter
SENDMAIL="/usr/sbin/sendmail -G -i" # NEVER NEVER NEVER use "-t" here.

# Exit codes from <sysexits.h>
EX_TEMPFAIL=75
EX_UNAVAILABLE=69

# Clean up when done or when aborting.
trap "rm -f in.$$" 0 1 2 3 15

# Start processing.
cd "$INSPECT_DIR" || {
    echo "$INSPECT_DIR does not exist"; exit $EX_TEMPFAIL; }

# The complete message (headers and body) arrives on stdin; keep it intact.
cat >in.$$ || {
    echo Cannot save mail to file; exit $EX_TEMPFAIL; }

# Specify your content filter here.
# filter <in.$$ || {
#   echo Message content rejected; exit $EX_UNAVAILABLE; }

# Re-inject with the original envelope ("$@" is "-f sender recipients...").
$SENDMAIL "$@" <in.$$

exit $?



Can the above be converted to PHP code? I am wondering, if I sendmail from PHP, is it going to come back to the same place?

// escapeshellarg() keeps a crafted address from being parsed as extra shell arguments
exec("/usr/sbin/sendmail " . escapeshellarg($email) . " < /etc/postfix/myfilter/email.txt");

I need to put the email stuff into email.txt. When I put the whole text, it messes up the emails with details and stuff, which shows all content and headers.

I need to clean up

From [email protected]  Sun Dec 26 12:31:47 2021
Received: from webmail.test.com (localhost.localdomain [IPv6:::1])
        by intelligent-mahavira.51-163-215-224.plesk.page (Postfix) with ESMTPSA id B9CFD82DA1
        for <[email protected]>; Sun, 26 Dec 2021 12:31:47 +0000 (UTC)
Authentication-Results: intelligent-mahavira.51-163-215-224.plesk.page;
        spf=pass (sender IP is ::1) [email protected] smtp.helo=webmail.test.com
Received-SPF: pass (intelligent-mahavira.51-163-215-224.plesk.page: connection is authenticated)
MIME-Version: 1.0
Date: Sun, 26 Dec 2021 04:31:47 -0800
From: [email protected]
To: alex3 <[email protected]>
Subject: testing filter2
User-Agent: Roundcube Webmail/1.4.11
Message-ID: <[email protected]>
X-Sender: [email protected]
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
X-PPP-Message-ID: <164052190789.24073.12166249882816501264@intelligent-mahavira.51-163-215-224.plesk.page>
X-PPP-Vhost: test.com

sss


I saw this somewhere on Google; will try tomorrow, using a regex to filter out the subject from the content-type and body.

    To: [email protected]
    Subject: This is an HTML message
    From: [email protected]
    Content-Type: text/html; charset="utf8"

    <html>
    <body>
    <div style="
        background-color: 
        #abcdef; width: 300px; 
        height: 300px;
        ">
    </div>
    You can add any valid email HTML here.
    </body>
    </html>
  1. Greylisting - we can give access feedback in the form of "dunno", "reject optional text".
  2. Simple filter, no feedback. The filter has to handle sending the email. Not clear how it is done. I basically capture all the STDIN and send it as email, but it has all the headers. Do not know how attachments are handled. Need to see what it shows when I send an attachment.
  3. Advanced filtering looks confusing. I see Plesk email security implements that. When I added it, it added this to main.cf and master.cf:

smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024


localhost:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_delay_reject=no
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
  -o smtpd_authorized_xclient_hosts=127.0.0.0/8,[::1]/128
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=127.0.0.0/8,[::1]/128
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o local_header_rewrite_clients=
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
pickup    unix  n       -       n       60      1       pickup
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

This is the email saved in data.txt, which I send manually if it matches a recipient email in the system:

Received: from webmail.test.com (localhost.localdomain [IPv6:::1])
        by intelligent-mahavira.serverip.plesk.page (Postfix) with ESMTPSA id C7E7282E1B;
        Tue, 28 Dec 2021 00:36:31 +0000 (UTC)
Authentication-Results: intelligent-mahavira.serverip.plesk.page;
        spf=pass (sender IP is ::1) [email protected] smtp.helo=webmail.test.com
Received-SPF: pass (intelligent-mahavira.serverip.plesk.page: connection is authenticated)
MIME-Version: 1.0
Date: Mon, 27 Dec 2021 16:36:31 -0800
From: [email protected]
To: alex2 <[email protected]>, alex3 <[email protected]>,
 [email protected]
Subject: Attachment test
User-Agent: Roundcube Webmail/1.4.11
Message-ID: <[email protected]>
X-Sender: [email protected]
Content-Type: multipart/mixed;
 boundary="=_5745fc7d762d12dda4165a3e0be576fc"
X-PPP-Message-ID: <164065179196.8458.1248882909976426707@intelligent-mahavira.serverip.plesk.page>
X-PPP-Vhost: test.com

--=_5745fc7d762d12dda4165a3e0be576fc
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII;
 format=flowed

Attachment succes?
--=_5745fc7d762d12dda4165a3e0be576fc
Content-Transfer-Encoding: base64
Content-Type: image/jpeg;
 name=536_PIA23645_PaleBlueDotRevisited_1600.jpg
Content-Disposition: attachment;
 filename=536_PIA23645_PaleBlueDotRevisited_1600.jpg;
 size=74009

/9j/4QAYRXhpZgAASUkqAAgAAAAAAAAAAAAAAP/sABFEdWNreQABAAQAAAA8AAD/4QMcaHR0cDov

The issue is there is no subject in the email; it's hidden inside the headers. Ugly.

Result

  1. Incoming from email, say Gmail: I have a clean bounce test. The response from the remote server was: 554 5.7.1 [email protected]: Recipient address rejected: Email is only allowed between USERS. Email Recipient= [email protected] (uses the policy method)

  2. Outgoing email: I am sending email for valid users and rejecting/quarantining the others. I don't get the bounce image. I need to have the same text for outgoing email (uses the simple content filter)
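The simple content filter in a form that answers the questions above about headers and attachments: an added example, written here in Python rather than the shell or PHP of the post, and not code from the question, FILTER_README or Plesk. pipe(8) hands the filter the complete message on stdin and the envelope on the command line (`-f sender -- recipient...`, the argv= form FILTER_README uses in master.cf), so the "ugly" headers are the message itself: the subject and the attachment file names are read out of it with the email package, and the same bytes go back to sendmail unchanged, which is why attachments survive. Recipients not in the user table are quarantined to disk instead of bounced, so nothing goes back to a possibly forged sender. KNOWN_USERS and SAMPLE_MESSAGE are constructed stand-ins for the 50,000-user database and the "Attachment test" mail, and QUARANTINE_DIR is a hypothetical path.

```python
#!/usr/bin/env python3
import os
import subprocess
import sys
import time
from email import message_from_bytes, policy

EX_TEMPFAIL = 75        # sysexits.h: Postfix retries later
SENDMAIL = ["/usr/sbin/sendmail", "-G", "-i"]   # never "-t": recipients come from argv
QUARANTINE_DIR = "/var/spool/filter/quarantine" # hypothetical path
KNOWN_USERS = {"alex1@test.com", "alex2@test.com", "alex3@test.com"}   # constructed table

# Constructed message modelled on the "Attachment test" mail above.
SAMPLE_MESSAGE = b"""\
MIME-Version: 1.0
From: alex1@test.com
To: alex2 <alex2@test.com>, alex3 <alex3@test.com>,
 spam@evil.example
Subject: Attachment test
Content-Type: multipart/mixed; boundary="=_5745fc7d762d12dda4165a3e0be576fc"

--=_5745fc7d762d12dda4165a3e0be576fc
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit

Attachment succes?
--=_5745fc7d762d12dda4165a3e0be576fc
Content-Type: image/jpeg; name=536_PIA23645_PaleBlueDotRevisited_1600.jpg
Content-Disposition: attachment; filename=536_PIA23645_PaleBlueDotRevisited_1600.jpg
Content-Transfer-Encoding: base64

/9j/4QAYRXhpZgAASUkqAAgAAAAAAAAAAAAAAP/sABFEdWNreQABAAQAAAA8AAD/4QMcaHR0cDov
--=_5745fc7d762d12dda4165a3e0be576fc--
"""


def parse_args(argv):
    """pipe(8) calls us as: script -f sender -- recipient... (FILTER_README's argv=)."""
    if len(argv) < 3 or argv[0] != "-f":
        raise ValueError("expected: -f sender [--] recipient...")
    sender, rcpts = argv[1], argv[2:]
    if rcpts[0] == "--":
        rcpts = rcpts[1:]
    if not rcpts:
        raise ValueError("no recipients")
    return sender, rcpts


def split_recipients(recipients, known):
    """Recipients present in the user table versus the rest."""
    allowed = [r for r in recipients if r.lower() in known]
    return allowed, [r for r in recipients if r.lower() not in known]


def summarize(raw):
    """Subject, From and attachment file names, parsed from the message itself:
    the headers are not stripped, sendmail needs them on re-injection."""
    msg = message_from_bytes(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.iter_attachments()]
    return str(msg["subject"]), str(msg["from"]), names


def quarantine(raw):
    """Keep a copy on disk instead of bouncing: no backscatter to a forged sender."""
    os.makedirs(QUARANTINE_DIR, exist_ok=True)
    path = os.path.join(QUARANTINE_DIR, f"{int(time.time())}.{os.getpid()}.eml")
    with open(path, "wb") as fh:
        fh.write(raw)
    return path


def reinject(raw, sender, recipients):
    """Hand the unmodified bytes back to Postfix with the original envelope."""
    return subprocess.run(SENDMAIL + ["-f", sender, "--"] + recipients, input=raw).returncode


def main(argv):
    import syslog                                   # mail facility -> maillog, where fail2ban reads
    syslog.openlog("myfilter", facility=syslog.LOG_MAIL)
    try:
        sender, recipients = parse_args(argv)
    except ValueError as exc:
        print(exc, file=sys.stderr)
        return EX_TEMPFAIL
    raw = sys.stdin.buffer.read()
    allowed, blocked = split_recipients(recipients, KNOWN_USERS)
    subject, _, attachments = summarize(raw)
    if blocked:
        path = quarantine(raw)
        syslog.syslog(syslog.LOG_WARNING, f"quarantined from=<{sender}> to={blocked} "
                      f"subject={subject!r} attachments={attachments} file={path}")
    if not allowed:
        return 0        # accepted by Postfix and dropped here: nothing goes back to the sender
    return reinject(raw, sender, allowed)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Hook it up the way FILTER_README does: a `pipe` transport in master.cf whose `argv=` ends in `-f ${sender} -- ${recipient}`, and `content_filter=` pointing at that transport on the smtpd service that receives the web application's mail. Exit code 0 means "delivered" to Postfix, so a message whose recipients were all quarantined is silently absorbed rather than bounced; return EX_UNAVAILABLE instead if a bounce to authenticated local senders is wanted.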

It is unclear what you are trying to achieve. Is it outgoing emails from your domain and you want to check senders? Or do you want to check incoming emails and you want to check recipients? Or do you have an open relay and someone used your server to send spam to others? Or someone just spoofed your email and used it to send spam and you just need proper SPF/DKIM/DMARC?
Jupiter rules:
If someone hacked one of our users' email accounts and started sending spam using our servers, or some code on our website was hacked and someone is using our login to send spam, no greylisting stuff can prevent it. So I implemented a system which checks that outgoing recipients are in the database; if not, reject. I don't like reject because it will kill our mailbox, because it's someone using our mailbox. I want to quarantine. I got reject working at last, after 2 weeks of thinking about how to implement it. Initially I was using a hook to print email info, but it did not do anything else.
Nikita Kipriyanov:
Don't send email to the sender. If that's spam, you will generate backscatter, which is almost as bad as spam itself. How exactly does your application send mail? Do you use PHPMailer or something like this? If not, this is the first thing you should do.
Jupiter rules:
Yes, PHPMailer sends email to system users. My idea is to block any emails not in the system. I have used the simple filter in Postfix so far. But the advanced filter is a bit confusing to implement. The documentation for Postfix is really bad. It's written in the context of the developer, not the implementer. Always missing some explanation. Lack of examples is a problem. The simple filter sends email, but what email? What about attachments in that email?
Nikita Kipriyanov:
So, does PHPMailer use SMTP (and preferably authentication) when it connects to your mail server? How exactly is it configured? Which Postfix SMTP service receives PHPMailer's submission? (I suspect it falls into `mynetworks` and is allowed with `permit_mynetworks` or something like this, and Amavis is also configured to skip most checks for "whitelisted" addresses. You have to rework this; either put policy service checks in front of `permit_mynetworks` or reconfigure the content filter to make no exceptions.)
Jupiter rules:
I use PHPMailer to send emails to customers using SMTP on port 25. All smtpd in main.cf is for incoming emails. I need something for outgoing emails, so I just return a Reject email message using policy, but I don't find one I can use. Transport maps trigger sending email but expect maps as the result: more of a static lookup table, not dynamic like a spawn process.
Jupiter rules:
The simple filter catches it, but I need to resend the email myself. But the content shows all the headers and stuff when received. So I have to see what I should send, and how attachments are going to be. I will update the attachment test result after I test that. If it fails I need to figure out how the advanced filter works, as it seems to listen on port 10026.
bjoster:
This is simply too much for one answer. Split your question (for example) into four parts (I think I can see questions about Greylisting, RegEx Matching, Postfix configuration and Perl) and get answers one by one.
Score:1

Postfix supports policy services. It is possible to implement what you are asking for by designing a policy service. Also there might be other ways; this way is just the first thing that came to my mind. The example at the end of that page has almost all you need.

However, this is a dead end. Instead of properly designing and securing a web application and a server, you allow a malicious party in and then try to avoid the inevitable consequences. Did you figure out how they did that through your web application? Have you fixed that hole? This should be your first priority.

Aside from that, general suggestions:

  1. Your web application shouldn't send mail at a third party's will. It must only send it when you are certain the email should be sent.
  2. The web application should always authenticate to the mail server. It is very wrong if you rely on the mail() function or something like this. There are several PHP libraries which know how to do ESMTP authentication; use one of them.
  3. Your mail server should restrict which sender address your site can use. And it may also restrict the mail flow by setting some limits (per hour, per day, etc.); there are ways to do this.
  4. The mail server could check the mail for spam before delivering. This way you'll let less spam out.
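A policy service that does what the question's greylist.pl was meant to do and, because it sees the SASL login, also implements suggestions 2 and 3 of this answer for authenticated submissions: an added example in Python, not the answer's, the question's or Postfix's code (the SMTPD_POLICY_README example it follows is in Perl). The protocol is the one behind the errors in the question's maillog: smtpd writes one request as `name=value` lines ended by an empty line and waits for `action=...` followed by an empty line; a spawned script that exits before answering (perl exits with status 2 when it cannot open the script it was given) produces exactly "premature end-of-input ... while reading input attribute name". KNOWN_USERS, SENDER_LOGINS and the rate-limit numbers are constructed stand-ins; the rate counter lives in process memory, so it resets whenever spawn(8) starts a fresh process, and a production version would keep it in the same database as the users.

```python
#!/usr/bin/env python3
import io
import sys
import time
from collections import defaultdict, deque

# Constructed stand-ins: look these up in the real user database instead.
KNOWN_USERS = {"alex1@test.com", "alex2@test.com", "alex3@test.com"}
SENDER_LOGINS = {"alex1@test.com": {"alex1@test.com"},      # SASL login -> allowed MAIL FROM
                 "webapp": {"noreply@test.com"}}
RATE_LIMIT, RATE_WINDOW = 100, 3600                         # recipients per login per hour
_recent = defaultdict(deque)                                 # login -> accept timestamps


def parse_request(block):
    """One policy request: 'name=value' lines (the empty terminator already removed)."""
    attrs = {}
    for line in block.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute line: {line!r}")
        attrs[name] = value
    return attrs


def over_rate_limit(login, now):
    """Sliding-window counter; counts the call unless the limit is already reached."""
    q = _recent[login]
    while q and now - q[0] > RATE_WINDOW:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False


def decide(attrs, now=None):
    """Return the action text for one request (REJECT / DEFER_IF_PERMIT / DUNNO)."""
    now = time.time() if now is None else now
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    sender = attrs.get("sender", "").lower()
    rcpt = attrs.get("recipient", "").lower()
    login = attrs.get("sasl_username", "")
    if login:
        # Authenticated submission (web app, webmail): bind the login to its sender,
        # allow only recipients that exist, and meter the flow.
        if sender not in SENDER_LOGINS.get(login, set()):
            return f"REJECT Sender address {sender} not owned by login {login}"
        if rcpt not in KNOWN_USERS:
            return "REJECT Email is only allowed between USERS"
        if over_rate_limit(login, now):
            return "DEFER_IF_PERMIT Rate limit reached for this login, try again later"
        return "DUNNO"
    # Unauthenticated (inbound) mail: deliver only to addresses that exist.
    if rcpt not in KNOWN_USERS:
        return "REJECT Email is only allowed between USERS"
    return "DUNNO"


def serve(stream_in, stream_out):
    """Answer every empty-line-terminated request until EOF; return how many."""
    handled, block = 0, []
    for line in stream_in:
        if line.strip():
            block.append(line)
        elif block:
            stream_out.write(f"action={decide(parse_request(''.join(block)))}\n\n")
            stream_out.flush()
            handled, block = handled + 1, []
    return handled


def answer(requests):
    """Feed a string of requests, return the replies (handy for testing)."""
    out = io.StringIO()
    serve(io.StringIO(requests), out)
    return out.getvalue()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Restriction order decides who reaches it: in the main.cf posted in the question, `permit_sasl_authenticated` comes before `check_policy_service`, so the web application's and webmail's authenticated mail is permitted before the policy ever runs; list the policy first (or add it with `-o smtpd_recipient_restrictions=...` on the submission service) if the authenticated path is to be checked. SMTPD_POLICY_README spells the endpoint `check_policy_service unix:private/policy`, relative to queue_directory, with a matching `spawn` entry in master.cf.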
Paul:
@Jupiterrules If this answers your question, please mark it as the answer.
Jupiter rules:
Actually no. It is only used for incoming email from outside. For outgoing email there are only header_checks and body_checks; they only do pattern checks. Can't use them, as my database has 50,000 user emails from various domains. STUCK
Nikita Kipriyanov:
There is no "incoming" or "outgoing" mail from the MTA perspective. That's your mind's construct. All the mail is "going through". For example, after you make your PHP script always send mail using ESMTP with authentication, you can attach any checks to the SMTP server which receives this submission, including those you considered useful only for "incoming spam filtering".
Jupiter rules:
Sorry, I already checked. Only emails coming from outside of my domain come to smtpd_recipient_restrictions. So the greylist policy or my policy can catch them. For outgoing, the content filter catches it, but you have to do the email yourself, as there is no feedback to the system. I will update once I am successful in sending the correct email back to the sender and sending status messages to syslog and maillog for Fail2ban to pick up the IP address of the sender for an IP ban.
Jupiter rules:
So the solution is this. Outgoing email from users in the system: I use the content filter to check the signature. Incoming email: I use greylisting-style code but check the user in the system; if not found, log it into maillog as a failed email. It will be picked up by fail2ban and blocked permanently after 3 wrong emails.
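The log side of that solution, as an added example in Python (not the poster's code): the reject line smtpd writes when a policy service answers REJECT, carrying the 554 text quoted in the question, parsed the way a fail2ban filter parses it, with the same maxretry/findtime logic so the numbers can be checked offline. The log lines are constructed; the failregex in the comment is the same pattern in fail2ban's syntax, and the filter file name is hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# One smtpd reject line per refused RCPT; the 554 text is the policy reply from the question.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 554 5\.7\.1 <(?P<rcpt>[^>]*)>: "
    r"Recipient address rejected: Email is only allowed between USERS")

# Same pattern in fail2ban's dialect, for a filter.d/postfix-users.conf (hypothetical name):
# failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 <[^>]*>:
#             Recipient address rejected: Email is only allowed between USERS
LOG_YEAR = 2021   # syslog timestamps carry no year; the constructed sample is from Dec 2021

# Constructed maillog excerpt: one host hammering three addresses within seconds, one
# legitimate peer with a single typo, one IPv6 host spread over an hour.
SAMPLE_LOG = """\
Dec 28 10:00:01 mail postfix/smtpd[2931]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <nobody@test.com>: Recipient address rejected: Email is only allowed between USERS; from=<spammer@evil.example> to=<nobody@test.com> proto=ESMTP helo=<evil.example>
Dec 28 10:00:02 mail postfix/smtpd[2931]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <sales@test.com>: Recipient address rejected: Email is only allowed between USERS; from=<spammer@evil.example> to=<sales@test.com> proto=ESMTP helo=<evil.example>
Dec 28 10:00:03 mail postfix/smtpd[2931]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <info@test.com>: Recipient address rejected: Email is only allowed between USERS; from=<spammer@evil.example> to=<info@test.com> proto=ESMTP helo=<evil.example>
Dec 28 10:05:00 mail postfix/smtpd[2940]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 554 5.7.1 <old@test.com>: Recipient address rejected: Email is only allowed between USERS; from=<friend@example.net> to=<old@test.com> proto=ESMTP helo=<mail.example.net>
Dec 28 10:05:01 mail postfix/smtpd[2940]: 4A1B2C3D4E: client=mail.example.net[198.51.100.7]
Dec 28 10:30:00 mail postfix/smtpd[3001]: NOQUEUE: reject: RCPT from unknown[2001:db8::9]: 554 5.7.1 <a@test.com>: Recipient address rejected: Email is only allowed between USERS; from=<x@evil.example> to=<a@test.com> proto=ESMTP helo=<evil.example>
Dec 28 11:30:00 mail postfix/smtpd[3002]: NOQUEUE: reject: RCPT from unknown[2001:db8::9]: 554 5.7.1 <b@test.com>: Recipient address rejected: Email is only allowed between USERS; from=<x@evil.example> to=<b@test.com> proto=ESMTP helo=<evil.example>
Dec 28 11:30:05 mail postfix/smtpd[3002]: NOQUEUE: reject: RCPT from unknown[2001:db8::9]: 554 5.7.1 <c@test.com>: Recipient address rejected: Email is only allowed between USERS; from=<x@evil.example> to=<c@test.com> proto=ESMTP helo=<evil.example>
""".splitlines()


def parse_rejects(lines, year=LOG_YEAR):
    """(timestamp, client IP, recipient) for every matching reject line."""
    hits = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            hits.append((ts, m.group("ip"), m.group("rcpt")))
    return hits


def offenders(lines, maxretry=3, findtime=600):
    """IPs with at least maxretry rejects inside some findtime-second window:
    what a fail2ban jail with the same maxretry/findtime would ban."""
    stamps = defaultdict(list)
    for ts, ip, _ in parse_rejects(lines):
        stamps[ip].append(ts)
    banned = []
    for ip, times in stamps.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(ip)
                break
    return sorted(banned)


if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

The reject text is what makes the match specific: anchoring on "Email is only allowed between USERS" keeps ordinary `reject_unauth_destination` or greylisting rejects from counting toward the ban, and the findtime window keeps a slow-moving but legitimate peer (one typo an hour) out of the jail.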