Postfix, how can I reject spam from unknown IP (no DNS)

Alienizer asked:

Despite all efforts to filter spam, I’m still getting spam from unknown even after I’ve set main.cf to not allow it and to check the DNS etc. Even after adding a pcre: to REJECT /.unknown./ some of them still get through and I don’t understand why! Here is my log file. The first block is ok, it gets rejected, it’s from unknown. The second block is the same, from unknown but it gets through and is not rejected. I wish to reject all “connect from unknown”, not just some of them. postfix v2.8.4 on CentOS. Any ideas what I’m doing wrong? Thanks.

this block gets rejected

Nov 24 12:00:30 sof postfix/smtpd[4632]: connect from unknown[91.99.51.137]
Nov 24 12:00:30 sof postfix/smtpd[4632]: connect from unknown[91.99.51.137]
Nov 24 12:00:31 sof postfix/smtpd[4632]: NOQUEUE: reject: RCPT from unknown[91.99.51.137]: 450 4.7.1 <91.99.51.137.parsonline.net>: Helo command rejected: Host not found; from= to= proto=ESMTP helo=<91.99.51.137.parsonline.net>
Nov 24 12:00:31 sof postfix/smtpd[4632]: NOQUEUE: reject: RCPT from unknown[91.99.51.137]: 450 4.7.1 <91.99.51.137.parsonline.net>: Helo command rejected: Host not found; from= to= proto=ESMTP helo=<91.99.51.137.parsonline.net>
Nov 24 12:00:31 sof /usr/lib64/plesk-9.0/psa-pc-remote[678]: Message aborted.
Nov 24 12:00:31 sof /usr/lib64/plesk-9.0/psa-pc-remote[678]: Message aborted.
Nov 24 12:00:31 sof /usr/lib64/plesk-9.0/psa-pc-remote[678]: Message aborted.
Nov 24 12:00:31 sof postfix/smtpd[4632]: disconnect from unknown[91.99.51.137]
Nov 24 12:00:31 sof /usr/lib64/plesk-9.0/psa-pc-remote[678]: Message aborted.
Nov 24 12:00:31 sof postfix/smtpd[4632]: disconnect from unknown[91.99.51.137]

this block doesn’t get rejected

Nov 24 14:16:09 sof postfix/smtpd[8221]: connect from unknown[190.237.252.197]
Nov 24 14:16:09 sof postfix/smtpd[8221]: connect from unknown[190.237.252.197]
Nov 24 14:16:18 sof postfix/smtpd[8221]: 9467B848368A: client=unknown[190.237.252.197]
Nov 24 14:16:18 sof postfix/smtpd[8221]: 9467B848368A: client=unknown[190.237.252.197]
Nov 24 14:16:23 sof postfix/cleanup[8428]: 9467B848368A: message-id=<9186950014.574880.74670.SendMail@domain.com>
Nov 24 14:16:23 sof postfix/cleanup[8428]: 9467B848368A: message-id=<9186950014.574880.74670.SendMail@domain.com>
Nov 24 14:16:25 sof /usr/lib64/plesk-9.0/psa-pc-remote[678]: handlers_stderr: SKIP
Nov 24 14:16:25 sof /usr/lib64/plesk-9.0/psa-pc-remote[678]: handlers_stderr: SKIP
Nov 24 14:16:25 sof /usr/lib64/plesk-9.0/psa-pc-remote[678]: SKIP during call ‘check-quota’ handler
Nov 24 14:16:25 sof /usr/lib64/plesk-9.0/psa-pc-remote[678]: SKIP during call ‘check-quota’ handler
Nov 24 14:16:25 sof postfix/qmgr[19747]: 9467B848368A: from=, size=5285, nrcpt=1 (queue active)
Nov 24 14:16:25 sof postfix/qmgr[19747]: 9467B848368A: from=, size=5285, nrcpt=1 (queue active)
Nov 24 14:16:25 sof postfix-local[8481]: postfix-local: from=Garcia.Ryan@iter.ru, to=name@domain.com, dirname=/var/qmail/mailnames
Nov 24 14:16:25 sof postfix-local[8481]: postfix-local: from=Garcia.Ryan@iter.ru, to=name@domain.com, dirname=/var/qmail/mailnames
Nov 24 14:16:25 sof spamc[8483]: connect(AF_UNIX) to spamd /tmp/spamd_full.sock failed: No such file or directory
Nov 24 14:16:25 sof spamc[8483]: connect(AF_UNIX) to spamd /tmp/spamd_full.sock failed: No such file or directory
Nov 24 14:16:25 sof postfix-local[8481]: handlers_stderr: PASS
Nov 24 14:16:25 sof postfix-local[8481]: handlers_stderr: PASS
Nov 24 14:16:25 sof postfix-local[8481]: PASS during call ‘spam’ handler
Nov 24 14:16:25 sof postfix-local[8481]: PASS during call ‘spam’ handler
Nov 24 14:16:25 sof postfix/pipe[8435]: 9467B848368A: to=, orig_to=, relay=plesk_virtual, delay=7.9, delays=7.9/0/0/0.02, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Nov 24 14:16:25 sof postfix/pipe[8435]: 9467B848368A: to=, orig_to=, relay=plesk_virtual, delay=7.9, delays=7.9/0/0/0.02, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Nov 24 14:16:25 sof postfix/qmgr[19747]: 9467B848368A: removed
Nov 24 14:16:25 sof postfix/qmgr[19747]: 9467B848368A: removed
Nov 24 14:16:27 sof postfix/smtpd[8221]: disconnect from unknown[190.237.252.197]
Nov 24 14:16:27 sof postfix/smtpd[8221]: disconnect from unknown[190.237.252.197]

here is part of my main.cf file

smtpd_tls_cert_file = /etc/postfix/domain.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
smtpd_helo_required = yes

smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_sender_access pcre:/etc/postfix/rejected_domains,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unlisted_sender,
permit

smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
reject_unknown_helo_hostname,
permit

smtpd_recipient_restrictions =
permit_sasl_authenticated,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_rbl_client regexp:/etc/postfix/postfix_client_blacklist,
reject_unauth_destination,
reject_unknown_sender_domain,
check_client_access hash:/etc/postfix/rbl_whitelist,
check_client_access pcre:/var/spool/postfix/plesk/no_relay.re,
reject_rbl_client bl.spamcop.net,
permit

here is the postfix_client_blacklist file

/^.unknown.$/ REJECT FCrDNS # I tried all kinds of ways found on the Internet.

My answer:


You’re looking for reject_unknown_client_hostname.

From the documentation:

reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
Reject the request when 1) the client IP address->name mapping fails, 2) the name->address mapping fails, or 3) the name->address mapping does not match the client IP address. This is a stronger restriction than the reject_unknown_reverse_client_hostname feature, which triggers only under condition 1) above. The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name or name->address lookup failed due to a temporary problem.

Sample usage: (as seen on my live mail server)

smtpd_client_restrictions =
        permit_mynetworks,
        reject_unauth_pipelining,
        reject_unknown_client_hostname,
        permit

View the full question and answer on Server Fault.
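As an added check that is not part of the question or the answer: a small Python script that reads a Postfix maillog and lists clients logged as "unknown" (no usable reverse DNS) whose mail was accepted rather than rejected, so you can run it before and after adding reject_unknown_client_hostname and confirm the restriction is actually taking effect. The sample log is constructed from the lines quoted in the question (angle-bracket addresses filled with placeholders), and the regex and function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample maillog excerpt, modelled on the lines quoted in the question.
SAMPLE_LOG = """\
Nov 24 12:00:30 sof postfix/smtpd[4632]: connect from unknown[91.99.51.137]
Nov 24 12:00:31 sof postfix/smtpd[4632]: NOQUEUE: reject: RCPT from unknown[91.99.51.137]: 450 4.7.1 <91.99.51.137.parsonline.net>: Helo command rejected: Host not found; from=<a@example.invalid> to=<b@example.invalid> proto=ESMTP helo=<91.99.51.137.parsonline.net>
Nov 24 12:00:31 sof postfix/smtpd[4632]: disconnect from unknown[91.99.51.137]
Nov 24 14:16:09 sof postfix/smtpd[8221]: connect from unknown[190.237.252.197]
Nov 24 14:16:18 sof postfix/smtpd[8221]: 9467B848368A: client=unknown[190.237.252.197]
Nov 24 14:16:25 sof postfix/pipe[8435]: 9467B848368A: to=<name@domain.com>, relay=plesk_virtual, delay=7.9, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Nov 24 14:16:27 sof postfix/smtpd[8221]: disconnect from unknown[190.237.252.197]
"""

# smtpd events for clients whose IP has no valid reverse DNS ("unknown[ip]")
CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from unknown\[([\d.]+)\]")
REJECT = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from unknown\[([\d.]+)\]")
QUEUED = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=unknown\[([\d.]+)\]")
# a delivery agent reporting the queued message as delivered
SENT = re.compile(r"postfix/(?:pipe|local|virtual|smtp|lmtp)\[\d+\]: ([0-9A-F]+): .*status=sent")


def audit_unknown_clients(log_text):
    """Return {client_ip: set(outcomes)} for every client smtpd logged as 'unknown'."""
    outcomes = defaultdict(set)
    queue_owner = {}  # queue id -> client IP, so delivery lines can be tied back to the client
    for line in log_text.splitlines():
        if m := CONNECT.search(line):
            outcomes[m.group(1)].add("connected")
        elif m := REJECT.search(line):
            outcomes[m.group(1)].add("rejected")
        elif m := QUEUED.search(line):
            qid, ip = m.groups()
            queue_owner[qid] = ip
            outcomes[ip].add("accepted")  # a queue id means the restrictions let it through
        elif m := SENT.search(line):
            ip = queue_owner.get(m.group(1))
            if ip:
                outcomes[ip].add("delivered")
    return dict(outcomes)


def leaked_clients(log_text):
    """IPs without reverse DNS whose mail was accepted: what reject_unknown_client_hostname should stop."""
    return sorted(ip for ip, o in audit_unknown_clients(log_text).items() if "accepted" in o)


if __name__ == "__main__":
    for ip, o in audit_unknown_clients(SAMPLE_LOG).items():
        print(ip, sorted(o))
    print("accepted despite no rDNS:", leaked_clients(SAMPLE_LOG))
```

On a live server feed it /var/log/maillog instead of SAMPLE_LOG; an empty list from leaked_clients after the change means every unknown client was rejected.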

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.