Spam is often sent to a variety of addresses at your domain. Some of those addresses are educated guesses, such as sales or info. Others form the basis of a 'directory attack' (a directory harvest): the sender bombards your server with many different names in the hope that some of them exist. It is these attacks in particular that can slow the server down, or even bring it down through resource exhaustion, because every message that is accepted has to be scanned and, when the recipient turns out not to exist, bounced.
The best defence against these is to reject unknown users at the SMTP stage (at RCPT TO), so that MailScanner only has to analyse mail for real users and your outgoing queues don't fill up with MAILER-DAEMON bounce messages. Because you never accept the message, you never take responsibility for it (as per the RFCs). It remains the sending MTA's responsibility to generate any bounce, and a genuine MTA will do so; spam-sending tools tend not to be real MTAs and simply move on. This also avoids backscatter, the bounces for forged sender addresses that would otherwise go out to innocent third parties.
For the purposes of this section, a local user is one who has mail delivered to a mailbox on the MailScanner machine.
To reject mail for unknown local users, ensure that main.cf contains the line
local_recipient_maps = $alias_maps, unix:passwd.byname
(the Postfix default is equivalent). Ensure that the alias_maps parameter is defined elsewhere in main.cf with the type and location of your aliases file. If local_recipient_maps is set to an empty value the check is switched off and Postfix will accept mail for any name in your domain, which is exactly what this section is trying to avoid.
If you run Postfix in a chroot jail, use proxy:unix:passwd.byname instead of unix:passwd.byname. This lets Postfix read the real passwd file through the proxymap service rather than the copy inside the jail.
To reject unknown users for virtual domains a variety of user databases can be used. These include 'hash' files, MySQL and PostgreSQL. A full list and explanation can be found in the Postfix VIRTUAL_README documentation.
This section deals with the simplest type, the 'hashed' flat file.
1. Specify the virtual domains that you receive mail for by adding to main.cf
virtual_mailbox_domains = <domain names>
These domains must not also be listed in mydestination or virtual_alias_domains; a domain belongs to exactly one address class.
2. Now tell Postfix which mailboxes exist by adding to main.cf
virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox-maps
3. If there are any virtual aliases, add
virtual_alias_maps = hash:/etc/postfix/virtual-alias-maps
4. You will also need to set the following in main.cf
virtual_uid_maps = static:<uid of the virtual mail user>
virtual_minimum_uid = <lowest uid Postfix may deliver as; it must not be higher than the uid above>
virtual_gid_maps = static:<gid of the virtual mail user>
virtual_mailbox_base = <directory under which all virtual mailboxes live>
virtual_mailbox_limit = <quota per mailbox in bytes, if any>
5. Fill the virtual-mailbox-maps file with one line per mailbox, like so
user@virtual.domain virtual.domain/user/Maildir/
The path is appended to virtual_mailbox_base, so with virtual_mailbox_base = /vmail this mailbox is /vmail/virtual.domain/user/Maildir/. A trailing '/' tells Postfix to deliver in maildir format; without it the path is treated as an mbox file.
and the virtual-alias-maps file with
alias@virtual.domain user@virtual.domain
Every alias target that lies in one of your virtual domains must itself be listed in virtual-mailbox-maps. Otherwise Postfix accepts mail for the alias at SMTP time and bounces it at delivery time, which is the accept-then-bounce behaviour this whole section is meant to prevent.
6. Once you have saved the changes, convert the text files into the database files Postfix actually reads
postmap /etc/postfix/virtual-mailbox-maps
postmap /etc/postfix/virtual-alias-maps
7. Don't forget to reload Postfix after you have made the changes
postfix reload
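The following Python script is an added example; it is not code from the original page or from Postfix. It generates the two flat files above from a small constructed user list and applies the checks that keep this setup from sliding back into accept-then-bounce: every address must be in virtual_mailbox_domains, every mailbox path must be relative to virtual_mailbox_base (the trailing slash marking maildir), and an alias in a virtual domain must point at a mailbox that really exists. It also mirrors the decision smtpd makes at RCPT TO for a virtual mailbox domain, so you can see which addresses will get the 550. The domain names, addresses and base directory are assumptions.

```python
"""Generate and sanity-check Postfix virtual_mailbox_maps / virtual_alias_maps.

Added example for this page; not code from the original text or from Postfix.
The domains, addresses and paths below are constructed.
"""

# Assumed main.cf values.
VIRTUAL_MAILBOX_DOMAINS = {"virtual.domain", "example.org"}
VIRTUAL_MAILBOX_BASE = "/vmail"

# Constructed input. Mailboxes are (address, path relative to the base);
# a trailing '/' selects maildir delivery. Aliases are (alias, target).
MAILBOXES = [
    ("user@virtual.domain", "virtual.domain/user/Maildir/"),  # maildir
    ("Pete@example.org", "example.org/pete"),                 # mbox file
]
ALIASES = [
    ("alias@virtual.domain", "user@virtual.domain"),
    ("sales@example.org", "pete@example.org"),
    ("offsite@example.org", "someone@elsewhere.example"),     # forwards off-site
]


def split_address(addr):
    """Lower-case an address and return (localpart, domain), or None if malformed."""
    local, sep, domain = addr.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain


def build_maps(mailboxes, aliases, domains=VIRTUAL_MAILBOX_DOMAINS):
    """Return (mailbox_map, alias_map, errors). Entries failing a check are left
    out and described in errors, so a bad line never reaches postmap."""
    mailbox_map, alias_map, errors = {}, {}, []
    for addr, path in mailboxes:
        parts = split_address(addr)
        if not parts:
            errors.append(f"{addr!r}: not a user@domain address")
            continue
        local, domain = parts
        if domain not in domains:
            errors.append(f"{addr}: domain is not in virtual_mailbox_domains")
            continue
        # Postfix prepends virtual_mailbox_base to whatever is in the map, so an
        # absolute path here ends up as /vmail//vmail/..., not where you think.
        if path.startswith("/") or ".." in path.split("/"):
            errors.append(f"{addr}: mailbox path must be relative to "
                          f"virtual_mailbox_base (got {path!r})")
            continue
        mailbox_map[f"{local}@{domain}"] = path

    for alias, target in aliases:
        a_parts, t_parts = split_address(alias), split_address(target)
        if not a_parts or not t_parts:
            errors.append(f"{alias} -> {target}: malformed address")
            continue
        alias_key = "@".join(a_parts)
        target_addr = "@".join(t_parts)
        if a_parts[1] not in domains:
            errors.append(f"{alias}: alias domain is not a virtual mailbox domain")
            continue
        if alias_key in mailbox_map:
            errors.append(f"{alias}: alias would shadow a real mailbox")
            continue
        if t_parts[1] in domains and target_addr not in mailbox_map:
            # smtpd accepts the alias, then the virtual agent bounces it:
            # exactly the accept-then-bounce this page is trying to avoid.
            errors.append(f"{alias} -> {target}: target has no mailbox")
            continue
        alias_map[alias_key] = target_addr
    return mailbox_map, alias_map, errors


def render(mapping):
    """Flat-file text for postmap: one 'key value' line per entry."""
    return "".join(f"{key} {value}\n" for key, value in sorted(mapping.items()))


def smtpd_would_accept(rcpt, mailbox_map, alias_map, domains=VIRTUAL_MAILBOX_DOMAINS):
    """Mirror the unlisted-recipient check smtpd applies for a virtual mailbox
    domain: the address must appear in virtual_alias_maps or virtual_mailbox_maps."""
    parts = split_address(rcpt)
    if not parts or parts[1] not in domains:
        return False  # malformed, or not our domain (reject_unauth_destination)
    key = "@".join(parts)
    return key in mailbox_map or key in alias_map


if __name__ == "__main__":
    mailbox_map, alias_map, errors = build_maps(MAILBOXES, ALIASES)
    print("# /etc/postfix/virtual-mailbox-maps\n" + render(mailbox_map))
    print("# /etc/postfix/virtual-alias-maps\n" + render(alias_map))
    for problem in errors:
        print("ERROR:", problem)
    for rcpt in ("alias@virtual.domain", "nobody@virtual.domain"):
        verdict = "accept" if smtpd_would_accept(rcpt, mailbox_map, alias_map) else "550 User unknown"
        print(f"RCPT TO:<{rcpt}> -> {verdict}")
```

Write the two rendered texts to /etc/postfix/virtual-mailbox-maps and /etc/postfix/virtual-alias-maps, run postmap on each, and reload Postfix as in steps 6 and 7 above; the error list is what you want to see before postmap ever runs.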
This method is suitable when the Postfix gateway relays to a destination mail hub that can itself reject unknown recipients at the SMTP stage (e.g. Exchange >= 2003, Domino, Sendmail, Postfix, Exim etc.). It is the equivalent of using 'milter-ahead' with Sendmail, but the functionality is built into Postfix: for each new recipient the gateway opens a probe SMTP session to the hub, issues RCPT TO and, depending on the hub's answer, accepts or rejects the recipient itself. It requires Postfix 2.1 or later.
1) Confirm that master.cf contains the following line and add it if not:
verify unix - - n - 1 verify
2) Add the following to main.cf
In smtpd_recipient_restrictions, after permit_mynetworks and reject_unauth_destination, add the following options:
reject_unknown_recipient_domain, reject_unverified_recipient
Placing them after reject_unauth_destination means Postfix only probes the hub for addresses in domains it is actually willing to accept mail for, rather than for every address a spammer tries to relay through you.
Then add the following options:
unverified_recipient_reject_code = 550
address_verify_map = btree:/etc/postfix/verify
The default reject code is 450, which merely makes the sender retry; 550 tells it the address is permanently unknown, which is what you want once the hub's answers are trusted. When the probe itself cannot be completed (for example the hub is unreachable) Postfix still returns a temporary 450 regardless of this setting, so a hub outage does not turn into permanent rejections. The address_verify_map stores probe results on disk so they survive a restart and the hub is not re-asked about the same address on every message. Since the probes arrive at the hub as ordinary SMTP connections from your gateway, make sure the hub does not greylist or rate-limit them.
3) Reload Postfix (postfix reload) and test the functionality
You should start seeing log entries like the following:
Nov 20 09:00:00 foo postfix/smtpd[9628]: NOQUEUE: reject: RCPT from example.net [1.2.3.4]: 550 example@example.org: Recipient address rejected: undeliverable address: host mailhub.example.org [4.3.2.1] said: 550 Invalid recipient address (no such address at this site) (in reply to RCPT TO command); from=sender@badexample.com to=example@example.org proto=SMTP helo=<localhost.localdomain>
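Once unknown recipients are rejected at RCPT TO, the mail log records every probe of your namespace as a NOQUEUE reject like the one above, which makes directory attacks easy to spot. The Python below is an added example, not code from the original page or from Postfix: it parses such lines and counts distinct rejected recipients per client IP, which separates a legitimate sender with one stale address from a client walking through your user list. The sample log lines are constructed; the first copies the format shown above, the rest use the newer Postfix format with enhanced status codes and angle brackets, and the last shows the temporary 450 you see while the mail hub is unreachable.

```python
"""Spot directory-harvest attempts in Postfix smtpd reject lines.

Added example for this page (not part of the original MailScanner text or of
Postfix). The log lines in SAMPLE_LOG are constructed for the demonstration.
"""
import re
from collections import defaultdict

# Matches the smtpd reject line. Tolerates the older format shown on this
# page (no angle brackets, a space before the client IP) and the newer one
# (enhanced status code such as 5.1.1, <address> in angle brackets).
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<client>\S+?)\s?\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?:\d\.\d\.\d )?<?(?P<rcpt>[^>\s]+?)>?: "
    r"Recipient address rejected: (?P<reason>.+?); "
    r"from=<?(?P<sender>[^>\s]*)>? to=<?(?P<to>[^>\s]+)>?"
)

SAMPLE_LOG = """\
Nov 20 09:00:00 foo postfix/smtpd[9628]: NOQUEUE: reject: RCPT from example.net [1.2.3.4]: 550 example@example.org: Recipient address rejected: undeliverable address: host mailhub.example.org [4.3.2.1] said: 550 Invalid recipient address (no such address at this site) (in reply to RCPT TO command); from=sender@badexample.com to=example@example.org proto=SMTP helo=<localhost.localdomain>
Nov 20 09:00:02 foo postfix/smtpd[9630]: connect from mx.example.net[192.0.2.9]
Nov 20 09:00:03 foo postfix/smtpd[9631]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown in virtual mailbox table; from=<promo@badexample.com> to=<aaron@example.org> proto=ESMTP helo=<bulk>
Nov 20 09:00:03 foo postfix/smtpd[9631]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown in virtual mailbox table; from=<promo@badexample.com> to=<bob@example.org> proto=ESMTP helo=<bulk>
Nov 20 09:00:04 foo postfix/smtpd[9631]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <carol@example.org>: Recipient address rejected: User unknown in virtual mailbox table; from=<promo@badexample.com> to=<carol@example.org> proto=ESMTP helo=<bulk>
Nov 20 09:00:04 foo postfix/smtpd[9631]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <Aaron@example.org>: Recipient address rejected: User unknown in virtual mailbox table; from=<promo@badexample.com> to=<Aaron@example.org> proto=ESMTP helo=<bulk>
Nov 20 09:00:05 foo postfix/smtpd[9631]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <dave@example.org>: Recipient address rejected: User unknown in virtual mailbox table; from=<promo@badexample.com> to=<dave@example.org> proto=ESMTP helo=<bulk>
Nov 20 09:00:09 foo postfix/smtpd[9633]: NOQUEUE: reject: RCPT from relay.partner.example[203.0.113.5]: 450 4.1.1 <erin@example.org>: Recipient address rejected: unverified address: connect to mailhub.example.org[4.3.2.1]:25: Connection refused; from=<erin@partner.example> to=<erin@example.org> proto=ESMTP helo=<relay.partner.example>
"""


def parse_reject(line):
    """Return the fields of one NOQUEUE reject line, or None for any other line."""
    match = REJECT_RE.search(line)
    return match.groupdict() if match else None


def rejects_by_client(lines, permanent_only=True):
    """Map client IP -> set of rejected recipients (lower-cased).

    With permanent_only the temporary 4xx answers are skipped: a 450 during
    a hub outage says nothing about whether the address exists."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_reject(line)
        if rec is None:
            continue
        if permanent_only and not rec["code"].startswith("5"):
            continue
        seen[rec["ip"]].add(rec["rcpt"].lower())
    return dict(seen)


def harvesters(lines, min_distinct=3):
    """Client IPs that probed at least min_distinct different unknown recipients."""
    return sorted(ip for ip, rcpts in rejects_by_client(lines).items()
                  if len(rcpts) >= min_distinct)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, rcpts in sorted(rejects_by_client(lines).items()):
        print(f"{ip:16} {len(rcpts)} distinct unknown recipients")
    print("likely directory harvest from:", harvesters(lines))
```

Feed it your real log (for example the output of grep 'NOQUEUE: reject' on /var/log/mail.log) and tune min_distinct to your volume; the IPs it returns are candidates for a client access map or a firewall rule, and the per-IP counts are a cheap health check that the rejection is working at all.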
There are a variety of scripts around to pull user data from MS Exchange. Further details can be found here.
Thanks to Pete Russell for this section. (Latest info and scripts always available at http://www.eatathome.com.au/maps)
Simply, this is a couple of Perl scripts that can be used to query a Lotus Domino directory and Microsoft Active Directory (without Exchange), and build the results into access, recipient and relay user maps for Postfix; you could EASILY adapt these to work with any other MTA that maps text files into hashed DBs. We use Lotus Domino and Microsoft AD internally and use a MailScanner/Postfix combination as an anti-spam, anti-virus email gateway to protect our internal mail systems against spam and viruses. This all works great, except when you don't use some form of access map with Postfix. Postfix will accept mail addressed to ANY@atyourdomain.com, and this causes a lot of extra work maintaining mail queues and processing mail that is almost always not intended for your users. So we use Perl to query the LDAP and build a list of acceptable users. It's all very easy, if you have some code to pinch and someone clever to help you modify it. Do the following to implement this.
1. On your Postfix machine install Net::LDAP, just use CPAN:
# perl -MCPAN -e shell
cpan> install Net::LDAP
2. Download the script you need. Inside are comments and config options.
2.1 getsmtp.tar - Domino users, shortnames, fi.lastname, firstname.lastname
2.2 getgroup.tar - Domino groups - gets all multi purpose and mail only groups (you can turn off one group type if you want.)
2.3 getad.tar - Microsoft Active Directory users - grabs all the sAMAccountName values.
3. After you have downloaded and configured your script/s, chmod +x them and test them (make sure LDAP is configured and running in Domino - see the Domino admin help DB).
# ./getsmtp.pl > recipient_names
# cat recipient_names
4. Once it has been tested successfully (do I need to tell you to make sure your boss's email address appears in the list?) start thinking about using it with Postfix. You could schedule it to run from a cron job. Thanks to Chris Covington for this example.
#!/bin/sh
# Regenerate the recipient list from the directory, then rebuild the hash DB.
/pathto/getsmtp.pl > /etc/postfix/recipients
postmap /etc/postfix/recipients
5. Now build whatever map types you like, such as relay_recipients. I found that the same people who wrote the original script have a guide on using "makefile" to automate the building of your maps and the refreshing of Postfix: http://www.unixwiz.net/techtips/postfix-makefiles.html. Remember to add the required lines to your main.cf (e.g. relay_recipient_maps = hash:/etc/postfix/relay_recipients), and don't forget to reload Postfix after these changes, for example:
postfix -c /etc/postfix/ reload
Finally, I modified the scripts to die and email the postmaster on errors, so we receive emails when a script fails. And, not least, the script will NOT write a blank file: if no LDAP data is found the script exits and preserves your existing map files. I need to update the scripts available for download; I will do so by the end of Feb 05.
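The last point above is the one that bites in practice: a recipient map generated from a directory query is only as safe as the query, and an empty relay_recipient_maps makes Postfix reject every recipient for the domain. The Python below is an added example, not one of the scripts described in this section; it talks to no LDAP server and does not run postmap. It takes the address list a directory query returned (constructed here), compares it with the flat map already on disk, and only then replaces the file atomically, so a failed or partial query leaves the existing map in place. The map path, the shrink threshold and the sample addresses are assumptions.

```python
"""Refresh a Postfix recipient map from a directory query without ever
installing an empty or badly shrunken map.

Added example for this page; not one of the page's scripts and not Postfix
code. Paths, the threshold and the sample addresses are constructed.
"""
import os
import tempfile

MAX_SHRINK = 0.20  # refuse to drop more than 20% of the entries in one run


def read_map(path):
    """Keys currently in the flat text map; a missing file means no map yet."""
    try:
        with open(path, encoding="utf-8") as fh:
            return {line.split()[0].lower() for line in fh
                    if line.strip() and not line.lstrip().startswith("#")}
    except FileNotFoundError:
        return set()


def plan_refresh(current, fetched, max_shrink=MAX_SHRINK):
    """Decide whether `fetched` may replace `current`. Returns (ok, reason).

    An empty result almost always means the directory query failed, and a
    result much smaller than the last one usually means a partial page or a
    search base that no longer matches; neither should reach Postfix."""
    if not fetched:
        return False, "directory query returned no addresses; keeping existing map"
    if current and len(fetched) < len(current) * (1 - max_shrink):
        return False, (f"new map has {len(fetched)} entries against {len(current)}; "
                       "refusing to shrink this far in one run")
    return True, (f"{len(fetched)} entries ({len(fetched - current)} added, "
                  f"{len(current - fetched)} removed)")


def write_map_atomically(path, addresses):
    """Write 'address OK' lines to a temp file in the same directory, then rename
    it over the old map, so a reader sees either the whole old or whole new file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".recipients.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            for addr in sorted(addresses):
                fh.write(f"{addr} OK\n")
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise


def refresh(path, fetched):
    """Install `fetched` as the new map if plan_refresh allows it.

    After a successful write the caller still has to run postmap on the file
    and reload Postfix (not done here)."""
    fetched = {addr.strip().lower() for addr in fetched if addr.strip()}
    ok, reason = plan_refresh(read_map(path), fetched)
    if ok:
        write_map_atomically(path, fetched)
    return ok, reason


def demo(directory=None):
    """Run four refreshes against a scratch map (first build, empty result,
    partial result, normal churn) and return the outcomes plus what is left on disk."""
    directory = directory or tempfile.mkdtemp(prefix="recipient-map-demo.")
    path = os.path.join(directory, "relay_recipients")
    staff = {"alice@example.org", "bob@example.org", "carol@example.org",
             "dave@example.org", "erin@example.org"}          # constructed
    runs = [
        refresh(path, staff),                                    # first build
        refresh(path, set()),                                    # LDAP query failed
        refresh(path, {"alice@example.org", "bob@example.org"}),  # partial result
        refresh(path, (staff - {"erin@example.org"}) | {"frank@example.org"}),  # churn
    ]
    return [ok for ok, _ in runs], read_map(path)


if __name__ == "__main__":
    outcomes, entries = demo()
    print(outcomes)
    print(sorted(entries))
```

Wire it in where the cron job above calls the Perl script: pass the script's output to refresh(), run postmap and reload Postfix only when it returns True, and mail the reason to postmaster when it returns False.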