Thread: postfix accepting invalid email, queues very large, amavis can't keep up

  1. #1
    Join Date
    Jan 2008
    Location
    Atlanta, GA
    Posts
    8
    Rep Power
    7

    We've been having some strange problems lately. We have a pretty decent server running Zimbra CE for just three people. It has 2GB memory and a dual-core Xeon 2.13GHz processor. Yet, it's been getting bogged down and very slow, to the point that valid incoming and outgoing email was delayed by hours.

    I found that there were tens of thousands of messages in the queues. Somehow all six of the checkboxes under Admin->Global Settings->MTA for Protocol Checks and DNS checks had gotten turned off. I re-checked them and saved, but a few days later they were unchecked again. They got unchecked again once more. It could have been at reboot times, but I'm not positive.

    Another problem is that most of the messages in the Active Queue have a Receiver Address that isn't a valid address. They're spammers guessing at email addresses in our domain. It seems like Postfix should be rejecting these emails before they're even fully read. Instead they're all going through spam and virus checking, which would explain why our server is so hammered.

    Early today I executed this command, which I got from the admin manual:

    Code:
    zmprov mcf zimbraMtaRestriction reject_invalid_hostname \
            zimbraMtaRestriction reject_non_fqdn_hostname \
            zimbraMtaRestriction reject_non_fqdn_sender \
            zimbraMtaRestriction "reject_rbl_client dnsbl.njabl.org" \
            zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org" \
            zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" \
            zimbraMtaRestriction "reject_rbl_client dnsbl.sorbs.net" \
            zimbraMtaRestriction "reject_rbl_client sbl.spamhaus.org" \
            zimbraMtaRestriction "reject_rbl_client relays.mail-abuse.org"
    That has reduced the amount of mail getting through, but there are still messages getting into the Active Queue that don't have email addresses that are valid on our system. Worse, it seems like Zimbra is trying to send bounce emails to the from addresses in those spam emails. The Deferred Queue has messages in it from mailer-daemon to addresses we definitely haven't been sending to. When I look at the files in /opt/zimbra/postfix/spool/deferred/*, I see emails that are replying to the spam saying that it's the mailer daemon, and it's sorry that it couldn't deliver to some bogus address at our domain. The poor guy whose address the spammer used as a from address shouldn't get spam from our system saying an email (he never sent) couldn't get delivered to some non-existent address.

    I read this: Rejecting Unknown Local Recipients with Postfix and I gather from it that "postconf local_recipient_maps" should make some reference to ldap or some file containing all the valid accounts, aliases, and lists. But mine just returns "proxy:unix: passwd.byname $alias_maps" and alias_maps returns "hash:/etc/aliases". Anyway, it seems like this is getting ignored because we're getting mail to names not in /etc/passwd or /etc/aliases. So clearly I'm missing a link somewhere. (Ignore space after unix:, I couldn't stop the smiley).

    I'm not sure where to look from here. I want to immediately reject email going to nonexistent addresses, and I want to stop sending notices to innocent victims when spam is detected. Suggestions?

  2. #2
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21

    To reduce email to accounts that you don't even have:
    Change the entry in /opt/zimbra/conf/zmmta.cf for smtpd_reject_unlisted_recipients to 'yes', save the file and restart postfix. (postfix reload)
    This rejects the request when the RCPT TO address is not listed in the list of valid recipients for its domain class. (i.e., there's no such user account on the server)
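
Added example (not part of the original posts, and not Zimbra's or Postfix's own tooling): a shell audit of `postconf` output for the two things discussed above, the smtpd_reject_unlisted_recipient switch from post #2 and the recipient maps inspected in post #1. The function names, the sample configuration and example.com are constructed; the check also covers the virtual-mailbox and relay domain classes, which goes beyond the local case in the thread.

```shell
#!/bin/sh
# Audit postconf-style output ("name = value" lines on stdin) for settings
# that let mail to nonexistent recipients into the queue.

# Print the value of parameter $1 from the postconf text in $2.
pc_get() {
    printf '%s\n' "$2" | sed -n "s/^$1 = *//p" | head -n 1
}

audit_recipient_validation() {
    conf=$(cat)
    bad=0
    # domain-class parameter : recipient map that lists its valid addresses
    for pair in mydestination:local_recipient_maps \
                virtual_mailbox_domains:virtual_mailbox_maps \
                relay_domains:relay_recipient_maps; do
        domains=${pair%%:*}
        maps=${pair#*:}
        val=$(pc_get "$domains" "$conf")
        # Skip unused classes; local delivery wins over a relay_domains
        # value that merely repeats $mydestination.
        if [ -z "$val" ] || [ "$val" = '$mydestination' ]; then continue; fi
        if [ -z "$(pc_get "$maps" "$conf")" ]; then
            echo "WARN: $maps is empty, so any address in $domains is accepted"
            bad=1
        fi
    done
    # The maps are enforced at RCPT TO only if this switch is on or
    # reject_unlisted_recipient appears in the recipient restrictions.
    unl=$(pc_get smtpd_reject_unlisted_recipient "$conf")
    case $(pc_get smtpd_recipient_restrictions "$conf") in
        *reject_unlisted_recipient*) unl=yes ;;
    esac
    if [ "$unl" != yes ]; then
        echo "WARN: smtpd_reject_unlisted_recipient is not yes"
        bad=1
    fi
    if [ "$bad" -eq 0 ]; then echo "OK: no gaps found in the checked parameters"; fi
    return "$bad"
}

# Constructed sample, not the poster's actual configuration.
sample_postconf() {
    cat <<'EOF'
mydestination = localhost
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
virtual_mailbox_domains = example.com
virtual_mailbox_maps =
smtpd_recipient_restrictions = reject_unauth_destination
smtpd_reject_unlisted_recipient = no
EOF
}
```

On a live host, feed it real settings with `postconf | audit_recipient_validation`; a non-zero exit status means at least one warning was printed.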

  3. #3
    Join Date
    Jan 2008
    Location
    Atlanta, GA
    Posts
    8
    Rep Power
    7

    Thanks for the reply. I have a few more questions, if you'll bear with me.

    You mentioned "smtpd_reject_unlisted_recipients" but the file has "smtpd_reject_unlisted_recipient". I tried it with and without the trailing "s" but I'm still getting messages in my Active queue with a receiver address that's not valid on our system. (I didn't forget the postfix reload, either.)

    I noticed the command I posted above from the manual included three of the six checkboxes from the Global Settings->MTA page. Specifically, it had the Protocol checks, but not the DNS checks. Is it valid to add the three DNS checks to the command so it looks like this? Or do they belong to something other than zimbraMtaRestriction?
    Code:
            zmprov mcf zimbraMtaRestriction reject_invalid_hostname \
                zimbraMtaRestriction reject_non_fqdn_hostname \
                zimbraMtaRestriction reject_non_fqdn_sender \
                zimbraMtaRestriction reject_unknown_client \
                zimbraMtaRestriction reject_unknown_hostname \
                zimbraMtaRestriction reject_unknown_sender_domain \
                zimbraMtaRestriction "reject_rbl_client dnsbl.njabl.org" \
                zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org" \
                zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" \
                zimbraMtaRestriction "reject_rbl_client dnsbl.sorbs.net" \
                zimbraMtaRestriction "reject_rbl_client sbl.spamhaus.org" \
                zimbraMtaRestriction "reject_rbl_client relays.mail-abuse.org"
    The command listed in the Admin Guide is under the statement, "To add all the possible restrictions," so if the other three can be included, should I file this as a documentation issue? Note that there is already a minor documentation issue that could be added because the command in the doc uses publishers' left and right quotes instead of regular (shell) quotes, so when you paste the command it doesn't work right.

    I'm not seeing any difference in the output of "zmprov gacf" or "postconf" when I check or uncheck the Global->MTA Protocol & DNS checks. I was concerned because they keep becoming unchecked. Are they just not valid anymore once you've done a "zmprov mcf zimbraMtaRestriction" command?

    Scott

  4. #4
    Join Date
    May 2007
    Location
    Oklahoma
    Posts
    703
    Rep Power
    9

    I just noticed the specific DNS checks in the Global MTA are unchecked on my installation after checking them twice.

    Is this a bug?
