[Postfix-es] Serious spam problems, large queues in smtpd and possible Denial of Service. [Long]

x-ip xip.linux en gmail.com
Mon Aug 27 22:45:19 CEST 2007


Hello, I am writing because I really no longer know how to control the
amount of spam I am receiving. Here is a log fragment so you can see
for yourselves:

Aug 27 17:34:55 dizzy postfix/lmtp[27039]: 45AC5FA9599:
to=<ygxwyazwqt en rosario.com>, relay=127.0.0.1[127.0.0.1]:10024,
conn_use=4, delay=2372, delays=5.2/2302/0/64, dsn=2.7.0, status=sent
(250 2.7.0 Ok, discarded, id=27377-06-4 - SPAM)
Aug 27 17:35:00 dizzy postfix/lmtp[27047]: 061CFFA958F:
to=<yoder en rosario.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2,
delay=2384, delays=3.5/2242/0.79/138, dsn=2.7.0, status=sent (250
2.7.0 Ok, discarded, id=27335-04-2 - SPAM)
Aug 27 17:35:06 dizzy postfix/lmtp[27384]: D48C3FA958C:
to=<ypf en rosario.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2,
delay=2395, delays=3.6/2166/0/225, dsn=2.7.0, status=sent (250 2.7.0
Ok, discarded, id=27383-04-2 - SPAM)
Aug 27 17:35:21 dizzy postfix/lmtp[27079]: 631BDFA959A:
to=<albatros en rosario.com>, relay=127.0.0.1[127.0.0.1]:10024,
delay=2402, delays=13/2357/1.1/31, dsn=2.7.0, status=sent (250 2.7.0
Ok, discarded, id=27565-02 - SPAM)
Aug 27 17:35:22 dizzy postfix/lmtp[27056]: D89C9FA9595:
to=<yo en rosario.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2,
delay=2399, delays=3.7/2294/0.21/101, dsn=2.7.0, status=sent (250
2.7.0 Ok, discarded, id=27328-05-2 - SPAM)
Aug 27 17:35:28 dizzy postfix/lmtp[27601]: 7C833FA959B:
to=<andrade en rosario.com>, relay=127.0.0.1[127.0.0.1]:10024,
delay=2408, delays=9.7/2293/2.1/104, dsn=2.7.0, status=sent (250 2.7.0
Ok, discarded, id=27378-06 - SPAM)
Aug 27 17:35:48 dizzy postfix/lmtp[27045]: 139A3FA9593:
to=<yoda en rosario.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2426,
delays=9.1/2321/6/90, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded,
id=27418-06 - SPAM)
Aug 27 17:36:04 dizzy postfix/lmtp[27624]: 71A19FA94E6:
to=<yeyo en rosario.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2435,
delays=8.1/2395/0.27/31, dsn=2.7.0, status=sent (250 2.7.0 Ok,
discarded, id=27565-03 - SPAM)
Aug 27 17:36:09 dizzy postfix/lmtp[27137]: D899DFA9594:
to=<yjcekg en rosario.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2446,
delays=8/2319/3.6/115, dsn=2.7.0, status=sent (250 2.7.0 Ok,
discarded, id=27416-05 - SPAM)
Aug 27 17:36:47 dizzy postfix/lmtp[27039]: 604B8FA959D:
to=<ohara en rosario.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2481,
delays=6.7/2365/3.3/107, dsn=2.7.0, status=sent (250 2.7.0 Ok,
discarded, id=27377-07 - SPAM)
Aug 27 17:36:55 dizzy postfix/lmtp[27384]: AE3BFFA9577:
to=<ybfkzjdem en rosario.com>, relay=127.0.0.1[127.0.0.1]:10024,
conn_use=3, delay=2480, delays=1.1/2373/0/106, dsn=2.7.0, status=sent
(250 2.7.0 Ok, discarded, id=27383-04-3 - SPAM)
Aug 27 17:36:58 dizzy postfix/lmtp[27601]: 758FCFA95A1:
to=<any en rosario.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2,
delay=2492, delays=10/2393/0/88, dsn=2.7.0, status=sent (250 2.7.0 Ok,
discarded, id=27378-06-2 - SPAM)

This is just one domain. I notice that they are some kind of bots that keep
making up users at rosario.com, and also for the other domains the
smtpd serves. I use amavisd, spamassassin and clamav; my configuration
follows:

########## SMTP configuration

#--------- Amavis
content_filter = smtp-amavis:[127.0.0.1]:10024

#--------- UCE rules
smtpd_recipient_restrictions =
        reject_unauth_pipelining,
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unauth_destination

smtpd_sender_restrictions =
hash:/etc/postfix/access,permit_mynetworks,permit_sasl_authenticated

smtpd_data_restrictions =
        permit_mynetworks,
        reject_unauth_pipelining

#--------- Set
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
strict_7bit_headers = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unverified_sender_reject_code = 554
unverified_recipient_reject_code = 554

header_checks = pcre:/etc/postfix/header_checks.regexp

#---------- General Conf
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myhostname = dizzy.rcom.com.ar
mydomain = rcom.com.ar
myorigin = $mydomain
mydestination = $myhostname
mynetworks = 127.0.0.0/8 10.0.10.10/24
biff = no
inet_interfaces = all
bounce_queue_lifetime = 7000s
maximal_queue_lifetime = 7200s
delay_warning_time = 1
home_mailbox = Maildir/
mailbox_command =
transport_maps = hash:/etc/postfix/transport.map ldap:ldap_transport
relayhost = rosario.com,$mydestination,hash:/etc/postfix/access

#---------- Ldap
ldap_virtual_server_host = jay.dmz.rcom.com.ar
ldap_virtual_server_port = 389
ldap_virtual_bind = no
ldap_virtual_search_base = o=Rcom, c=AR
ldap_virtual_query_filter = (&(objectClass=CourierMailAlias)(mail=%s))
ldap_virtual_result_attribute = maildrop

ldap_transport_server_host = jay.dmz.rcom.com.ar
ldap_transport_server_port = 389
ldap_transport_bind = no
ldap_transport_search_base = o=Rcom, c=AR
ldap_transport_query_filter =
(&(objectClass=CourierDomainAlias)(virtualdomain=%s))
ldap_transport_result_attribute = mailsource
ldap_transport_bind_dn = cn=Manager, o=Rcom, c=AR

#---------- Sasl and Tls
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

The load on the system does not drop below 15%. I would appreciate
pointers on what to read and what I should use in order to cope with
such an 'insane' volume of traffic.
Thank you in advance for your time,
x-ip.
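To see where the time in those log lines is actually going, the following added script (not part of the original post) parses Postfix `lmtp` delivery lines of the shape shown above, splits the `delays=a/b/c/d` field into its four stages (before the queue manager, waiting in the queue manager, connection setup, transmission), and counts the messages amavisd discarded as SPAM per recipient domain. The sample lines are constructed from the post's excerpt, unwrapped and with "@" restored where the list archive shows " en ".

```python
import re
from collections import Counter
from statistics import mean

# Constructed sample: three lines from the post, joined back onto single lines.
SAMPLE_LOG = """\
Aug 27 17:34:55 dizzy postfix/lmtp[27039]: 45AC5FA9599: to=<ygxwyazwqt@rosario.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=4, delay=2372, delays=5.2/2302/0/64, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27377-06-4 - SPAM)
Aug 27 17:35:00 dizzy postfix/lmtp[27047]: 061CFFA958F: to=<yoder@rosario.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2, delay=2384, delays=3.5/2242/0.79/138, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27335-04-2 - SPAM)
Aug 27 17:35:21 dizzy postfix/lmtp[27079]: 631BDFA959A: to=<albatros@rosario.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2402, delays=13/2357/1.1/31, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27565-02 - SPAM)
"""

# Matches the delivery-agent line format Postfix logs for smtp/lmtp deliveries.
LINE_RE = re.compile(
    r"postfix/(?P<daemon>\S+)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r".*?delay=(?P<delay>[\d.]+), "
    r"delays=(?P<d1>[\d.]+)/(?P<d2>[\d.]+)/(?P<d3>[\d.]+)/(?P<d4>[\d.]+), "
    r".*?status=(?P<status>\w+) \((?P<reply>.*)\)$"
)

# Meaning of the four delays= components, in order.
STAGES = ("before queue manager", "in queue manager", "connection setup", "transmission")

def parse_line(line):
    """Return a dict for one delivery line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "qid": d["qid"],
        "rcpt": d["rcpt"],
        "domain": d["rcpt"].rpartition("@")[2].lower(),
        "delay": float(d["delay"]),
        "delays": tuple(float(d[k]) for k in ("d1", "d2", "d3", "d4")),
        # amavisd's reply "Ok, discarded, ... - SPAM" means the filter ate it.
        "spam_discarded": "discarded" in d["reply"] and "SPAM" in d["reply"],
    }

def summarize(text):
    """Per-domain spam counts plus the delay stage that dominates on average."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    if not recs:
        return {"total": 0, "spam_discarded_by_domain": {}, "mean_stage_delays": [], "bottleneck": None}
    per_domain = Counter(r["domain"] for r in recs if r["spam_discarded"])
    stage_means = [mean(r["delays"][i] for r in recs) for i in range(4)]
    worst = max(range(4), key=stage_means.__getitem__)
    return {"total": len(recs), "spam_discarded_by_domain": dict(per_domain),
            "mean_stage_delays": stage_means, "bottleneck": STAGES[worst]}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the post's lines the second component (time waiting in the queue manager before the content filter) is around 2300 s, so the backlog sits in front of amavisd rather than in the delivery itself.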

