
Resolved problem with fake email address

rout3rx

Hello,
There is a problem with the mail service in Plesk.
When you add a user in Outlook, you can change your account settings, change the user information field and save; your emails are then sent with your changes. For example, your valid email is: [email protected]
but you can send emails with: [email protected]

How can I restrict this?
 
Hi rout3rx,

Did you also check the header of the mail and the mail log to confirm your statement that it is possible to send an email with fake settings?
 
Hi rout3rx,

There is nothing wrong here, rout3rx. Even if you don't like the idea that an email client user can define user information of his choice, this is nothing you can prevent or control.

It is a bit misleading when you write:
now you can send email with [email protected]
The user can't send emails with "[email protected]"... these are just user-defined information fields. Please investigate the email headers and log files if you want proof of the "correct" email address.
 
Thanks.
Assume that you can send emails with any name you want!!
It's so critical, and Gmail or Yahoo block this!
I think there is a policy in Postfix against this.
 
this is :
Code:
readme_directory = /usr/share/doc/postfix-2.11.5/README_FILES
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
mynetworks = , hash:/var/spool/postfix/plesk-pop/poplock
smtpd_sender_restrictions = hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access, pcre:/var/spool/postfix/plesk/non_auth.re, check_sender_access hash:/var/spool/postfix/plesk/blacklists
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain,reject_non_fqdn_sender,permit_mynetworks,permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768
non_smtpd_milters =
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
mailbox_size_limit = 0
virtual_mailbox_limit = 0
myhostname = host..ir
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = HIGH:!aNULL:!MD5
message_size_limit = 102400000

I tried check_sender_access but it does not work well.
 
Hi rout3rx,

Your settings are a bit misconfigured:

Code:
smtpd_sender_restrictions = hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access, pcre:/var/spool/postfix/plesk/non_auth.re, check_sender_access hash:/var/spool/postfix/plesk/blacklists
should be:
Code:
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re

Second, your master.cf is missing, and it would really help if you would also add your mail log, because I tested your statement again and mails won't be delivered - they stay in the queue and won't be delivered:

Code:
May 25 16:39:47 MYSERVERNAME postfix/qmgr[6318]: BBD781802A47: from=<[email protected]>, size=161042, nrcpt=1 (queue active)
May 25 16:39:47 MYSERVERNAME postfix/qmgr[6318]: warning: connect to transport private/smtp: Connection refused
May 25 16:39:48 MYSERVERNAME postfix/error[11324]: BBD781802A47: to=<[email protected]>, relay=none, delay=435, delays=435/0.01/0/0.09, dsn=4.3.0, status=deferred (mail transport unavailable)
 
Thanks a lot.
I made your first change, nothing changed:
Code:
May 26 07:36:45 host courier-pop3s: Connection, ip=[::ffff:2.184.51.164]
May 26 07:36:45 host courier-pop3s: LOGIN, [email protected], ip=[::ffff:5.184.51.100], port=[40728]
May 26 07:36:45 host courier-pop3s: LOGOUT, [email protected], ip=[::ffff:5.184.51.100], port=[40728], top=0, retr=0, rcvd=12, sent=45, time=0, stls=1
May 26 07:36:47 host postfix/smtpd[11867]: table hash:/var/spool/postfix/plesk-pop/poplock(0,lock|fold_fix) has changed -- restarting
May 26 07:36:47 host postfix/smtpd[11902]: connect from unknown[5.184.51.100]]
May 26 07:36:51 host postfix/smtpd[11902]: B01AA4400CF: client=unknown[5.184.51.100]]
May 26 07:36:51 host greylisting filter[11909]: Starting greylisting filter...
May 26 07:36:51 host /usr/lib64/plesk-9.0/psa-pc-remote[22534]: handlers_stderr: SKIP
May 26 07:36:51 host /usr/lib64/plesk-9.0/psa-pc-remote[22534]: SKIP during call 'grey' handler
May 26 07:36:51 host postfix/cleanup[11871]: B01AA4400CF: message-id=<>
May 26 07:36:52 host /usr/lib64/plesk-9.0/psa-pc-remote[22534]: handlers_stderr: PASS
May 26 07:36:52 host /usr/lib64/plesk-9.0/psa-pc-remote[22534]: PASS during call 'limit-out' handler
May 26 07:36:52 host /usr/lib64/plesk-9.0/psa-pc-remote[22534]: handlers_stderr: SKIP
May 26 07:36:52 host /usr/lib64/plesk-9.0/psa-pc-remote[22534]: SKIP during call 'check-quota' handler
May 26 07:36:52 host postfix/qmgr[11727]: B01AA4400CF: from=<[email protected]>, size=582, nrcpt=1 (queue active)
May 26 07:36:52 host postfix/smtpd[11902]: disconnect from unknown[5.184.51.100]
May 26 07:36:59 host postfix/smtp[11876]: B01AA4400CF: to=<[email protected]>, relay=mail.nickstel.com[54.225.71.66]:25, delay=12, delays=4.7/0/6.3/0.79, dsn=2.0.0, status=sent (250 OK (DCDB49FF-F72D-40D7-9420-08E8FF1B12BE.1) (DCDB49FF-F72D-40D7-9420-08E8FF1B12BE.1))
May 26 07:36:59 host postfix/qmgr[11727]: B01AA4400CF: removed
And my master.cf:

#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
#submission inet n - n - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 1 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
mailman unix - n n - - pipe flags=R user=mailman:mailman argv=/usr/lib64/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
plesk_saslauthd unix y y n - 1 plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes

submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

plesk-85.9.66.34- unix - n n - - smtp -o smtp_bind_address=85.66.9.30 -o smtp_bind_address6= -o smtp_address_preference=ipv4
 
Hi rout3rx,

Please note:

  1. Your global Postfix settings for port 25 are set as:
    Code:
    smtp inet n - n - - smtpd
    Which are basically the standard Postfix settings - no specifications are set.

  2. Your global Postfix settings for port 465 are set as:
    Code:
    smtps inet n - n - - smtpd
        -o smtpd_tls_wrappermode=yes

    Which are basically the standard Postfix settings - only one setting is set.

  3. Your global Postfix settings for port 587 are set as:
    Code:
    submission inet n - n - - smtpd
        -o smtpd_enforce_tls=yes
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
    Which is the basic Plesk configuration.

  4. Your Plesk IP configuration is set as:
    Code:
    plesk-85.XXX.XXX.XXX- unix - n n - - smtp
        -o smtp_bind_address=85.XXX.XXX.XXX
        -o smtp_bind_address6=
        -o smtp_address_preference=ipv4
    Which is the basic Plesk configuration.


Your REVERSE DNS for your IP is not a valid hostname. The reverse check for your SMTP "host.YOUR-HOST-DOMAIN.ir" points to your IP, but your IP points to "www.YOUR-DOMAIN.net", "mail.YOUR-DOMAIN.net" and "YOUR-DOMAIN.net" as PTR.
Because of your insufficient configuration, your SMTP banner doesn't match your REVERSE DNS (see root cause in the previous statement).



Suggestions:
  1. You could change the hostname (file = "/etc/hostname") to your desired domain.
  2. If you don't want to do this, you could also change:
  • Your global Postfix settings for port 25 could be set as:
    Code:
    localhost:smtp inet n - - - - smtpd 
        -o smtpd_tls_key_file=/path/to/your/certificate/private-key/for/host.YOUR-HOST-DOMAIN.ir
        -o smtpd_tls_cert_file=/path/to/your/certificate/cert-file/for/host.YOUR-HOST-DOMAIN.ir
        -o smtp_helo_name=YOUR-HOST-DOMAIN.ir
        -o myhostname=host.YOUR-HOST-DOMAIN.ir
       
    85.XXX.XXX.XXX:smtp inet n - - - - smtpd 
        -o smtpd_tls_key_file=/path/to/your/certificate/private-key/for/mail.YOUR-DOMAIN.net
        -o smtpd_tls_cert_file=/path/to/your/certificate/cert-file/for/mail.YOUR-DOMAIN.net
        -o smtp_helo_name=YOUR-DOMAIN.net
        -o myhostname=mail.YOUR-DOMAIN.net
  • Your global Postfix settings for port 465 could be set as:
    Code:
    localhost:smtps   inet n - - - - smtpd
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_sender_restrictions=check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
        -o smtpd_tls_key_file=/path/to/your/certificate/private-key/for/host.YOUR-HOST-DOMAIN.ir
        -o smtpd_tls_cert_file=/path/to/your/certificate/cert-file/for/host.YOUR-HOST-DOMAIN.ir
        -o smtp_helo_name=YOUR-HOST-DOMAIN.ir
        -o myhostname=host.YOUR-HOST-DOMAIN.ir
       
    85.XXX.XXX.XXX:smtps   inet n - - - - smtpd 
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_sender_restrictions=check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
        -o smtpd_tls_key_file=/path/to/your/certificate/private-key/for/mail.YOUR-DOMAIN.net
        -o smtpd_tls_cert_file=/path/to/your/certificate/cert-file/for/mail.YOUR-DOMAIN.net
        -o smtp_helo_name=YOUR-DOMAIN.net
        -o myhostname=mail.YOUR-DOMAIN.net
  • Your global Postfix settings for port 587 could be set as:
    Code:
    localhost:submission inet n - - - - smtpd
        -o smtpd_tls_key_file=/path/to/your/certificate/private-key/for/host.YOUR-HOST-DOMAIN.ir
        -o smtpd_tls_cert_file=/path/to/your/certificate/cert-file/for/host.YOUR-HOST-DOMAIN.ir
        -o smtpd_enforce_tls=yes
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_sender_restrictions=check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
        -o smtp_helo_name=YOUR-HOST-DOMAIN.ir
        -o myhostname=host.YOUR-HOST-DOMAIN.ir
    
    85.XXX.XXX.XXX:submission inet n - - - - smtpd
        -o smtpd_tls_key_file=/path/to/your/certificate/private-key/for/mail.YOUR-DOMAIN.net
        -o smtpd_tls_cert_file=/path/to/your/certificate/cert-file/for/mail.YOUR-DOMAIN.net
        -o smtpd_enforce_tls=yes
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_sender_restrictions=check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
        -o smtp_helo_name=YOUR-DOMAIN.net
        -o myhostname=mail.YOUR-DOMAIN.net
  • Your Plesk IP configuration could be set as:
    Code:
    plesk-YOUR-DOMAIN.net-85.XXX.XXX.XXX- unix - n n - - smtp 
        -o smtp_bind_address=85.XXX.XXX.XXX 
        -o smtp_bind_address6= 
        -o smtp_address_preference=ipv4 
        -o smtp_helo_name=YOUR-DOMAIN.net
        -o myhostname=mail.YOUR-DOMAIN.net

I also recommend these settings in your "main.cf":
Code:
...
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_unlisted_sender
...


Wellllllll... I hope I didn't leave anything out... If you have problems with the configuration, please post your current configuration files again, as well as the mail log, for investigation.
 
If you add the line below to /etc/postfix/main.cf, it will reject mail from non-local users, and the sender ID must exist on your local server:

smtpd_reject_unlisted_sender = yes
 
Dear UFHH01, thank you very much for your clear explanation,
but unfortunately nothing has changed.
Please see this email sending log:
May 27 15:42:47 host postfix/smtpd[1217]: connect from unknown[77.237.167.205]
May 27 15:42:47 host postfix/smtpd[1217]: 8CEAC4400D7: client=unknown[77.237.167.205]
May 27 15:42:47 host greylisting filter[1219]: Starting greylisting filter...
May 27 15:42:47 host /usr/lib64/plesk-9.0/psa-pc-remote[27020]: handlers_stderr: SKIP
May 27 15:42:47 host /usr/lib64/plesk-9.0/psa-pc-remote[27020]: SKIP during call 'grey' handler
May 27 15:42:47 host postfix/cleanup[1181]: 8CEAC4400D7: message-id=<[email protected]>
May 27 15:42:47 host /usr/lib64/plesk-9.0/psa-pc-remote[27020]: handlers_stderr: PASS
May 27 15:42:47 host /usr/lib64/plesk-9.0/psa-pc-remote[27020]: PASS during call 'limit-out' handler
May 27 15:42:47 host /usr/lib64/plesk-9.0/psa-pc-remote[27020]: handlers_stderr: SKIP
May 27 15:42:47 host /usr/lib64/plesk-9.0/psa-pc-remote[27020]: SKIP during call 'check-quota' handler
May 27 15:42:47 host postfix/qmgr[1164]: 8CEAC4400D7: from=<[email protected]>, size=2695, nrcpt=1 (queue active)
May 27 15:42:50 host postfix/smtpd[1217]: disconnect from unknown[77.237.167.205]
May 27 15:43:00 host postfix/smtp[1168]: connect to gmail-smtp-in.l.google.com[2a00:1450:400c:c01::1a]:25: Network is unreachable
May 27 15:43:05 host postfix/smtp[1168]: 8CEAC4400D7: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[74.125.195.26]:25, delay=18, delays=0.43/0/17/0.69, dsn=2.0.0, status=sent (250 2.0.0 OK 1464348306 up6si25312069wjc.157 - gsmtp)
May 27 15:43:05 host postfix/qmgr[1164]: 8CEAC4400D7: removed
May 27 15:43:57 host courier-pop3s: Connection, ip=[::ffff:77.237.167.205]
May 27 15:43:57 host courier-pop3s: LOGIN, [email protected], ip=[::ffff:77.237.167.205], port=[35197]
May 27 15:43:58 host courier-pop3s: LOGOUT, [email protected], ip=[::ffff:77.237.167.205], port=[35197], top=0, retr=0, rcvd=24, sent=1711, time=1, stls=1
May 27 15:44:27 host postfix/anvil[1202]: statistics: max connection rate 1/60s for (smtp:180.193.104.7) at May 27 15:42:18
May 27 15:44:27 host postfix/anvil[1202]: statistics: max connection count 1 for (smtp:180.193.104.7) at May 27 15:42:18
May 27 15:44:27 host postfix/anvil[1202]: statistics: max cache size 3 at May 27 15:42:30
May 27 15:44:29 host postfix/smtpd[1217]: table hash:/var/spool/postfix/plesk-pop/poplock(0,lock|fold_fix) has changed -- restarting
May 27 15:44:29 host postfix/smtpd[1267]: connect from unknown[77.237.167.205]
May 27 15:44:29 host postfix/smtpd[1267]: 94DDF4400D7: client=unknown[77.237.167.205]
May 27 15:44:29 host greylisting filter[1270]: Starting greylisting filter...
May 27 15:44:29 host /usr/lib64/plesk-9.0/psa-pc-remote[27020]: handlers_stderr: SKIP
May 27 15:44:29 host /usr/lib64/plesk-9.0/psa-pc-remote[27020]: SKIP during call 'grey' handler
May 27 15:44:29 host postfix/cleanup[1269]: 94DDF4400D7: message-id=<[email protected]>
May 27 15:44:29 host /usr/lib64/plesk-9.0/psa-pc-remote[27020]: handlers_stderr: PASS
May 27 15:44:29 host /usr/lib64/plesk-9.0/psa-pc-remote[27020]: PASS during call 'limit-out' handler
May 27 15:44:29 host /usr/lib64/plesk-9.0/psa-pc-remote[27020]: handlers_stderr: SKIP
May 27 15:44:29 host /usr/lib64/plesk-9.0/psa-pc-remote[27020]: SKIP during call 'check-quota' handler
May 27 15:44:30 host postfix/qmgr[1164]: 94DDF4400D7: from=<[email protected]>, size=2697, nrcpt=1 (queue active)
May 27 15:44:30 host postfix/smtp[1168]: 94DDF4400D7: to=<[email protected]>, relay=mail.......[xx.xx.xx.xx]:25, delay=0.92, delays=0.48/0/0.31/0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as AEB97BD089)
May 27 15:44:30 host postfix/qmgr[1164]: 94DDF4400D7: removed
May 27 15:44:32 host postfix/smtpd[1267]: disconnect from unknown[77.237.167.205]


Only when I add check_sender_access to smtpd_recipient_restrictions do all users, fake or real, get a 4.2.2 error and cannot authenticate; that is the only effect the Postfix change had...
What checks these users? DKIM? SPF?
Please guide me... some people use this option for malicious purposes...

Mr. Deepak, I tested it before, but it did not work.
 
Plesk has an option named "relay option"; it can be set to authorization on POP3.
Why does this option not work???
 
Hi, I have a similar problem. When I enable sendmail from scripts, a lot of spam is going out. My Postfix main.cf is:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name WW
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = MYSERVER.stratoserver.net
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.stratoserver.net, localhost, localhost.localdomain
relayhost =
mynetworks =
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, reject_unknown_sender_domain, reject_non_fqdn_sender
smtpd_helo_restrictions = reject_invalid_hostname, reject_unknown_hostname, reject_non_fqdn_hostname
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = inet:127.0.0.1:12768 inet:127.0.0.1:12345
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
virtual_mailbox_limit = 0
message_size_limit = 10240000
non_smtpd_milters =
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = HIGH:!aNULL:!MD5
milter_connect_macros = j {daemon_name} {client_connections} {client_addr} {client_ptr} v
milter_default_action = accept
 
Hello,
I tried your config, but when I add "smtpd_helo_restrictions = reject_invalid_hostname, reject_unknown_hostname, reject_non_fqdn_hostname", every valid user is rejected!
How do you use it?
Has your problem now been solved when you change the user information in, for example, Outlook?
 
Hello all,
In Plesk, is there any way to solve this problem? If I should buy any add-ons, please tell me.
 
@rout3rx

I have read the entire topic thread globally, but it is recommended that you post a screenshot of your Mail Server Settings (go to "Tools & Settings").

If I am not mistaken, you can disable the nasty Outlook behaviour by making some changes in the mail server settings, amongst others disabling the submission port 587.

This should leave Outlook to be obliged to actually connect as an existing user (a fake mail address will not have a chance).

Also, set the "Outgoing mail mode" to "Send from domain IP addresses", otherwise some known issues can arise, with these issues related to your current problem.

There are a lot of other things that you can or should do, but I will leave them as is for the moment.

I hope that you will be able to post the before mentioned screenshot.

Regards....
 
Thanks.
Please find the attachment.
If I should change any setting, please tell me.
Thanks a lot.
 

Attachments: 11.JPG, 22.JPG
@rout3rx

You have a quite odd mail server configuration, so I will give you a very plain and basic one, that allows you to have a more flexible and secure mail server.

Note that not all individual values are set at an optimum, but the combination of values is quite flexible and, in terms of security, safe enough.

I will provide some explanation, where necessary or meaningful.

1) decrease the max message size from 100.000 to 10.000 (kilobytes)

Note: it is not "good practice" to allow huge attachments, which are the largest part of "huge" messages.

In fact, you are allowing messages of the staggering size of 97,65 MB.

Mail servers are able to process tens of thousands of mail messages per second, implying that a spammer could (try to) send a huge amount of mails with huge attachments.

In your case, this would get you Terabytes of traffic per second and your system is not able to process that kind of traffic volume, implying that your system shuts down or gets blocked.

2) increase the "Maximum number of connections (IMAP, POP3, IMAP over SSL, or POP3 over SSL)" to the default value of 1024

3) set the "Maximum number of connections for a user per IP address" to a value of 10

4) uncheck the "Enable SMTP service on port 587 on all IP addresses" for the time being, unless some of your clients are using that port

Note: you should allow SMTP connections, but not with the 587 port. This sounds odd, but let me explain.

Plesk uses the ports 25 (smtp), 110 (pop3), 143 (imap) AND 465 (smtps), 993 (imaps) and 995 (pop3s) with the added "s" standing for the secure counterpart of the normal ports.

One should enforce that all customers use (mail) clients that are configured to use the before mentioned counterparts, implying that the 587 port should be barely relevant.

5) set the "Outgoing mail mode" to "Send from domain IP addresses" and you are always safe.

Note: a whole explanation can be given for this, but take for granted that this is the proper choice.

6) Relaying: set "authorization is required", but ONLY check the "SMTP" checkbox, UNCHECK the "POP3 before SMTP lock time ... minutes".

Note: this is very likely to be the reason why you are subject to the current problem, you can check that by simply disabling the "POP3 before..." checkbox.

7) Disable "DomainKeys spam protection" completely.

Note: this sounds odd, but if your server and DNS records are not properly configured (which is the case, I assume), activating these settings can have a negative impact.

8) Activate "Switch on SPF spam protection" (check the checkbox) and do

- Leave "SPF checking continues when there are DNS lookup problems" unchecked
- Set "SPF checking mode" to "Reject mail when SPF resolves to "fails" (soft deny)"
- Set "SPF local rules" and "SPF guess rules" to: v=spf1 +a/24 +mx/24 +ptr ?all include:spf.trusted-forwarder.org

and note that these settings actually have very little effect, unless your Plesk instance serves as a primary nameserver.

In case your Plesk instance is not a primary nameserver (for instance, you use DNS management at the registrar), just do (in addition to the above)

- create a TXT record, with text: v=spf1 a mx ip:<server ip> include:spf.trusted-forwarder.org ~all

and do not forget to replace <server ip> with the IP assigned to your server.

9) Activate "Switch on spam protection based on DNS blackhole lists" (check the checkbox) and add to the textbox: zen.spamhaus.org

Note: normally one wants to add to the textbox: zen.spamhaus.org;bl.spamcop.net

However, the spamcop blocking list (bl.spamcop.net) can cause a lot of problems, since SendGrid servers are apparently on the list, without any justified cause.

So, keep the (more reliable) zen.spamhaus.org.


Finally, note that all of the above is in very rough outlines, a whole lot more can or should be done to "get your mail safe".

Anyway, you can always send me a PM.

Regards.....
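
The log check requested earlier in the thread and the "POP3 before SMTP" relay setting from point 6 can be tied together by correlating each Postfix queue ID with the login that preceded it. This is an added example, not part of the thread or of Plesk: the log lines, addresses, IPs and the `lock_minutes` value are constructed, and it relies on Postfix appending `sasl_username=` to the smtpd `client=` line for SASL-authenticated sessions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the same syslog layout as the logs posted in the thread.
# Addresses, IPs (documentation ranges) and queue IDs are made up.
SAMPLE_LOG = """\
May 27 15:43:57 host courier-pop3s: LOGIN, user=alice@example.com, ip=[::ffff:198.51.100.7], port=[35197]
May 27 15:44:29 host postfix/smtpd[1267]: connect from unknown[198.51.100.7]
May 27 15:44:29 host postfix/smtpd[1267]: 3F1A24400D7: client=unknown[198.51.100.7]
May 27 15:44:30 host postfix/qmgr[1164]: 3F1A24400D7: from=<ceo@example.com>, size=2697, nrcpt=1 (queue active)
May 27 15:50:01 host postfix/smtpd[1301]: 5B2C94400E1: client=unknown[198.51.100.8], sasl_method=PLAIN, sasl_username=carol@example.com
May 27 15:50:02 host postfix/qmgr[1164]: 5B2C94400E1: from=<carol@example.com>, size=1200, nrcpt=1 (queue active)
May 27 16:05:10 host postfix/smtpd[1333]: 7C3DA4400F2: client=unknown[203.0.113.50]
May 27 16:05:11 host postfix/qmgr[1164]: 7C3DA4400F2: from=<stranger@example.org>, size=900, nrcpt=1 (queue active)
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
POP_LOGIN = re.compile(r"^LOGIN, user=(?P<user>[^,]+), ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]")
CLIENT = re.compile(r"^(?P<qid>[0-9A-F]+): client=[^\[]*\[(?P<ip>[^\]]+)\]")
SASL_USER = re.compile(r"sasl_username=(?P<user>[^\s,]+)")
ENV_FROM = re.compile(r"^(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")


def classify(log_text, lock_minutes):
    """Return {queue_id: {...}} describing on what basis each message was accepted."""
    pop_logins = {}  # client IP -> [(time, mailbox login)]
    messages = {}    # queue ID  -> facts from the smtpd and qmgr lines
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed leap year keeps parsing unambiguous.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        prog, msg = m["prog"], m["msg"]
        if prog.startswith(("courier-pop3", "courier-imap")):
            login = POP_LOGIN.match(msg)
            if login:
                pop_logins.setdefault(login["ip"], []).append((ts, login["user"]))
        elif prog == "postfix/smtpd":
            client = CLIENT.match(msg)
            if client:
                sasl = SASL_USER.search(msg)
                messages[client["qid"]] = {"ip": client["ip"], "time": ts, "sender": None,
                                           "sasl_user": sasl["user"] if sasl else None}
        elif prog == "postfix/qmgr":
            env = ENV_FROM.match(msg)
            if env and env["qid"] in messages and messages[env["qid"]]["sender"] is None:
                messages[env["qid"]]["sender"] = env["sender"]

    window = timedelta(minutes=lock_minutes)
    report = {}
    for qid, info in messages.items():
        # Mailbox logins from the same IP that fall inside the relay lock window.
        recent = sorted({user for when, user in pop_logins.get(info["ip"], [])
                         if timedelta(0) <= info["time"] - when <= window})
        if info["sasl_user"]:
            basis, logins = "sasl", [info["sasl_user"]]
        elif recent:
            basis, logins = "pop-before-smtp", recent
        else:
            # No login seen for this client, e.g. inbound mail for a local domain.
            basis, logins = "no-login-seen", []
        report[qid] = {"basis": basis, "client_ip": info["ip"], "sender": info["sender"],
                       "logins": logins, "sender_matches_login": info["sender"] in logins}
    return report


if __name__ == "__main__":
    for qid, row in classify(SAMPLE_LOG, lock_minutes=20).items():  # 20 is a constructed value
        print(qid, row)
```

A message whose basis is `pop-before-smtp` was authorized by client IP only, so its envelope sender cannot be tied to a mailbox account from the log alone.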
 