facelordgists
6/11/2013 - 9:58 PM

email: postfix SPAM and security tricks & tips

email: postfix SPAM and security tricks & tips

Postfix tricks and tips

http://www.shaunfreeman.co.uk/install-fail2ban-on-centos-6-with-plesk/

http://forum.parallels.com/showthread.php?72464-Shell-script-for-checking-mail-queue

http://www.devcu.com/forums/topic/274-locking-down-postfix-against-spam/

Useful commands

Log Location

/usr/local/psa/var/log/maillog

View the log in realtime

tail -f /usr/local/psa/var/log/maillog

Display number of emails being sent to each domain and how long they have been in the active queue.

See more into about Qshape here

qshape active

Display differed queue

qshape deferred

Display hold queue

qshape deferred

Display Custom Queue script (see below for how to create)

/root/mailq.pl

Check Postfix Queue

postqueue -p

Perform actions on the Queue

Remove all unsent mailer daemon notifications

mailq|awk ' /^[0-9A-F][0-9A-F]*[^*].*MAILER-DAEMON$/ {print $1}'|sudo xargs -rn1 postsuper -d

#delete based on the from address:

mailq|awk ' /^[0-9A-F][0-9A-F]*.*mail.ru$/ {print $1}'|tr -d '*'| xargs -rn1 postsuper -d

Read a message in the Postfix Queue

postcat -q MESSAGE_ID

Resend messages in the queue

postqueue -f

Delete all messages in Queue

postsuper -d ALL

Test Email sending from postfix

echo "Test mail from postfix" | mail -s "Test Postfix" person@example.com

Check for serious errors in the log

egrep '(reject|warning|error|fatal|panic):' /usr/local/psa/var/log/maillog | more

Postfix Guides

Create a little script for managing Queue

Create file /root/mailq.pl

Set permissions to allow root execution

Dump this into it:

#!/usr/bin/env perl

use strict;
use warnings;
use Symbol;
sub count {
      my ($dir) = @_;
      my $dh = gensym();
      my $c = 0;
      opendir($dh, $dir) or die "$0: opendir: $dir: $!\n";
      while (my $f = readdir($dh)) {
              if ($f =~ m{^[A-F0-9]{5,}$}) {
                      ++$c;
              } elsif ($f =~ m{^[A-F0-9]$}) {
                      $c += count("$dir/$f");
              }
      }
      closedir($dh) or die "closedir: $dir: $!\n";
      return $c;
}
my $qdir = `postconf -h queue_directory`;
chomp($qdir);
chdir($qdir) or die "$0: chdir: $qdir: $!\n";
printf "Incoming: %d\n", count("incoming");
printf "Active: %d\n", count("active");
printf "Deferred: %d\n", count("deferred");
printf "Bounced: %d\n", count("bounce");
printf "Hold: %d\n", count("hold");
printf "Corrupt: %d\n", count("corrupt");

Execute by typing /root/mailq.pl

Secure postfix by customizing the configuration

http://www.freesoftwaremagazine.com/articles/focus_spam_postfix

Secure postfix using fail2ban

http://www.dp.cx/blog/postfix---fail2ban---win.html#.UYFohCs4XOU


Switch Mail Transfer Agents in Plesk from Qmail to Postfix and back

Determine which MTA is currently in use

/usr/local/psa/admin/sbin/mailmng --features | grep SMTP_Server

Stop SMTP Service and let queue send out what's in it first, as the queue is destroyed when switching

/usr/local/psa/admin/sbin/mailmng --stop-smtpd

To flush the queue (deliver all mail in it), use the following commands:

  • QMail MTA: ```kill -ALRM `pidof qmail-send````

  • Postfix MTA: postqueue -f

Switch MTA

/usr/local/psa/admin/sbin/autoinstaller --select-release-current --install-component postfix
/usr/local/psa/admin/sbin/autoinstaller --select-release-current --install-component qmail

Add Gmail to certificate

http://stevejenkins.com/blog/2011/06/fixing-postfix-certificate-verification-failed-for-gmail-untrusted-issuer-error-message/

Fix Google SSL support

edit /etc/postfix/main.cf

Find/edit this section:

smtpd_tls_security_level = none
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no

Further steps to secure sever

http://www.howtoforge.com/virtual_postfix_antispam

etc/postfix/mail.cf

Remove announcement details

By default Postfix appends a little announcement to outgoing messages saying that this email is powered by Postfix. It's best to give hackers as little information as possible about your server, so you should remove the banner by finding the line for smtpd_banner in the configuration file and setting it to:

smtpd_banner = $myhostname ESMTP

Set to only accept local emails for delivery

change inet_interfaces = all to ```inet_interfaces = localhost``

Add this stuff to block bad SMTP requests

### Checks to remove badly formed email
smtpd_helo_required     = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes

unknown_address_reject_code  = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code   = 554

smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:  /etc/postfix/helo.regexp, permit

smtpd_recipient_restrictions =
  reject_invalid_hostname,
### Can cause issues with Auth SMTP, so be weary!
### reject_non_fqdn_hostname,
##################################
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  permit_mynetworks,
  reject_unauth_destination,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client bl.spamcop.net

/etc/postfix/helo.regexp

Create /etc/postfix/helo.regexp and set contents to:

/^subdomain\.host\.com$/           550 Don't use my own hostname
/^xxx\.yyy\.zzz\.xxx$/             550 Don't use my own IP address
/^\[xxx\.yyy\.zzz\.xxx\]$/         550 Don't use my own IP address
/^[0-9.]+$/                        550 Your software is not RFC 2821 compliant
/^[0-9]+(\.[0-9]+){3}$/            550 Your software is not RFC 2821 compliant