I'm having an issue with a newly configured mail server where spam emails that are spoofed to come from the local domain are actually accepted by the mail server. The mail isn't delivered as is, though: SpamAssassin tags it as spam and then sends an email "Undelivered Mail Returned to Sender" to the spoofed local user.

I know there is a way of fixing this in the configuration but I have no idea where; I'm hoping someone can point me in the right direction.

To be clear, the mail server is not relaying; this is only a local user issue. I want Postfix to reject any emails supposedly from local users that aren't sent internally. It would stop this problem.

Here is an email to show you what's happening. I've changed the domain to example.com.au.

###############################################


This is the mail system at host example.com.au.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

[email protected]: host 127.0.0.1[127.0.0.1] said: 554 5.7.0 Reject, id=11887-07 - SPAM (in reply to end of DATA command)

Reporting-MTA: dns; example.com.au
X-Postfix-Queue-ID: 661DC5D1DE
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Tue, 5 May 2009 06:21:38 +1000 (EST)

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822; [email protected]
Action: failed
Status: 5.7.0
Remote-MTA: dns; 127.0.0.1
Diagnostic-Code: smtp; 554 5.7.0 Reject, id=11887-07 - SPAM

From: Berenice Penez [email protected]
Date: Mon, 4 May 2009 22:21:41 +0200
To: [email protected]
Subject: Were it you, on forum?

Reliable quality and no delays with
delivery! Super online store for
disease treating
http://www.xopfekec.cn/

###############################################

Postfix main.cf (the important parts, not complete)

readme_directory = /usr/share/doc/postfix
mydomain_fallback = localhost
message_size_limit = 0
mailbox_size_limit = 0
myhostname = example.com.au
mailbox_transport = cyrus
mydomain = example.com.au
inet_interfaces = all
enable_server_options = yes
mydestination = $myhostname,localhost.$mydomain,localhost,example.com.au
smtpd_sasl_auth_enable = yes
smtpd_use_pw_server = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_unknown_recipient_domain,reject_unknown_sender_domain,reject_invalid_hostname
smtpd_pw_server_security_options = plain,login
content_filter = smtp-amavis:[127.0.0.1]:10024
mynetworks = 127.0.0.0/8, 10.0.1.0/24
smtpd_client_restrictions = permit_sasl_authenticated,reject_rbl_client dnsbl.sorbs.net

A: 

A few different points:

  • This should be on serverfault.com, but since I'm not on the beta there I'll answer it here.

  • The output of postconf -n is better than including what you think are the relevant lines in main.cf. Also include relevant lines from master.cf if you have parameter overrides or other customisations in there.

  • Don't accept then bounce mail like that. If you are using SpamAssassin as an after-queue filter in Postfix (the usual way of running it), you need to either tag-and-deliver (and filter with client-side rules) or quarantine the mail without notifying the sender. From the look of your question, you are probably a backscatter source. Stop it. See for example http://www.postfix.org/BACKSCATTER_README.html. Do consider amavisd-new for integrating SpamAssassin into Postfix with all kinds of useful features.

  • Consider collapsing all of your restrictions into smtpd_recipient_restrictions. It's generally easier to manage the linear flow of restrictions like that than to deal with the interactions between smtpd_{client,helo,sender,recipient}_restrictions.

  • To prevent Postfix from accepting mail from outside, add a sender_access map that rejects mail claiming to be from your domains:

smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  check_sender_access hash:$config_directory/reject_mydomains,
  reject_unknown_recipient_domain,
  reject_unknown_sender_domain,
  reject_invalid_hostname

And in reject_mydomains:

example.com.au REJECT you are not me

This will probably be prone to false positives with mail that comes from senders with a legitimate(?) reason to use your domain as the envelope sender (E-cards, invitations, maybe some outsourced service like surveys or whatnot). You can whitelist around your you-are-not-me rules with a client_access map before your sender_access map that returns OK or an appropriate restriction class (see http://www.postfix.org/RESTRICTION_CLASS_README.html).

You can use similar HELO checks to weed out clients HELO-ing with your own hostname/IP or known bad HELO strings:

smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  check_helo_access hash:$config_directory/helo_checks,
  check_sender_access hash:$config_directory/reject_mydomains,
  reject_unknown_recipient_domain,
  reject_unknown_sender_domain,
  reject_invalid_hostname

and in helo_checks:

example.com.au             REJECT BAD-HELO you are not example.com.au
mailserver.example.com.au  REJECT BAD-HELO you are not me
localhost                  REJECT BAD-HELO you are not me
localhost.localdomain      REJECT BAD-HELO you are not me
# where 1.2.3.4 is the IP of your server
1.2.3.4                    REJECT BAD-HELO you are not me
127.0.0.1                  REJECT BAD-HELO you are not me

Lastly, it's a very good idea to subscribe to a good reputation service such as an RBL. The best RBL for most purposes is zen.spamhaus.org. It's free to use for light to moderate loads, and if your usage is high enough to cross over their free/paid threshold, the cost is well worth it. To configure in Postfix, add

reject_rbl_client zen.spamhaus.org

to your smtpd_recipient_restrictions. Do that after your cheap local checks to save on DNS query load and latency, but before expensive local checks like reject_unverified_recipient (you aren't using that one and probably don't need it from your problem description).
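The restriction chain from the answer above, walked through offline. This is an added example written for this page, not code from the answer or from Postfix: it evaluates the list in order the way smtpd(8) does, looks up the two hash: maps with the access(5) key order (full address, domain and its parents, then localpart@), treats the DNS-based reject_unknown_* and reject_invalid_hostname checks as DUNNO, stands in a constructed listing for the DNSBL query, and uses 192.0.2.25 as an assumed server IP in place of the answer's 1.2.3.4 placeholder. The client addresses and sender names in demo() are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Values from the question's main.cf.
MYDESTINATION = {"example.com.au", "localhost", "localhost.example.com.au"}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.1.0/24")]
# The answer's two hash: maps; 192.0.2.25 is an assumed server IP for the 1.2.3.4 placeholder.
MAPS = {
    "hash:$config_directory/reject_mydomains": {"example.com.au": "REJECT you are not me"},
    "hash:$config_directory/helo_checks": {
        "example.com.au": "REJECT BAD-HELO you are not example.com.au",
        "mailserver.example.com.au": "REJECT BAD-HELO you are not me",
        "localhost": "REJECT BAD-HELO you are not me",
        "localhost.localdomain": "REJECT BAD-HELO you are not me",
        "192.0.2.25": "REJECT BAD-HELO you are not me",
        "127.0.0.1": "REJECT BAD-HELO you are not me",
    },
}
# Constructed stand-in for the DNSBL: a listed client has an A record at <reversed octets>.<zone>.
DNSBL_LISTED = {"66.113.0.203.zen.spamhaus.org"}

RESTRICTIONS = [
    "permit_sasl_authenticated",
    "permit_mynetworks",
    "reject_unauth_destination",
    "check_helo_access hash:$config_directory/helo_checks",
    "check_sender_access hash:$config_directory/reject_mydomains",
    "reject_rbl_client zen.spamhaus.org",
    "reject_unknown_recipient_domain",  # the DNS/syntax checks below are DUNNO here
    "reject_unknown_sender_domain",
    "reject_invalid_hostname",
]

@dataclass
class Session:
    client_ip: str
    helo: str
    sender: str
    recipient: str
    sasl_authenticated: bool = False

def domain_keys(name):
    """Name then its parent domains: parent_domain_matches_subdomains covers
    smtpd_access_maps by default, so 'example.com.au' also hits sub.example.com.au."""
    labels = name.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def address_keys(addr):
    """access(5) order for an address: user@domain, domain and parents, then 'user@'."""
    local, _, domain = addr.lower().rpartition("@")
    return [addr.lower(), *domain_keys(domain), local + "@"]

def lookup(table, keys):
    """First key found wins, as in a Postfix access map lookup."""
    return next((table[k] for k in keys if k in table), None)

def rbl_query_name(ip, zone):
    return ".".join(reversed(ip.split("."))) + "." + zone

def evaluate(restrictions, s):
    """Walk the list in order: OK/REJECT stop it, DUNNO moves on, end of list is an implicit permit."""
    for entry in restrictions:
        name, *args = entry.split()
        if name == "permit_sasl_authenticated" and s.sasl_authenticated:
            return "OK", entry
        if name == "permit_mynetworks" and any(ipaddress.ip_address(s.client_ip) in n for n in MYNETWORKS):
            return "OK", entry
        if name == "reject_unauth_destination" and s.recipient.rpartition("@")[2].lower() not in MYDESTINATION:
            return "REJECT", "554 5.7.1 Relay access denied"
        if name == "check_helo_access":
            hit = lookup(MAPS[args[0]], domain_keys(s.helo))
            if hit and hit.startswith("REJECT"):
                return "REJECT", f"554 5.7.1 <{s.helo}>: Helo command rejected: {hit[7:]}"
        if name == "check_sender_access":
            hit = lookup(MAPS[args[0]], address_keys(s.sender))
            if hit and hit.startswith("REJECT"):
                return "REJECT", f"554 5.7.1 <{s.sender}>: Sender address rejected: {hit[7:]}"
        if name == "reject_rbl_client" and rbl_query_name(s.client_ip, args[0]) in DNSBL_LISTED:
            return "REJECT", f"554 5.7.1 Service unavailable; Client host [{s.client_ip}] blocked using {args[0]}"
    return "OK", "end of list (default permit)"

def demo():
    """Constructed sessions: the question's spoof and the cases around it."""
    me, outside = "user@example.com.au", "203.0.113.5"
    cases = {
        "spoof from outside": Session(outside, "mx.spammer.example", me, me),
        "spoof with our HELO": Session(outside, "example.com.au", me, me),
        "same sender from LAN": Session("10.0.1.7", "pc7.lan", me, me),
        "roaming user, SASL": Session(outside, "laptop", me, me, sasl_authenticated=True),
        "outside sender to us": Session(outside, "mail.partner.example", "bob@partner.example", me),
        "listed client": Session("203.0.113.66", "mx.partner.example", "bob@partner.example", me),
        "relay attempt": Session(outside, "mail.partner.example", "bob@partner.example", "x@elsewhere.example"),
    }
    return {label: evaluate(RESTRICTIONS, s) for label, s in cases.items()}

if __name__ == "__main__":
    for label, (action, detail) in demo().items():
        print(f"{label:22} {action:6} {detail}")
```

Running it prints one line per session. Two things it makes visible that matter when testing the fix: a client inside mynetworks (10.0.1.0/24 here) is permitted by permit_mynetworks before check_sender_access is ever reached, so a test script run from the LAN will never see the rejection, and a hash: map only takes effect after `postmap` has built its .db file and Postfix has been reloaded. Against a live server an outside test is easiest with swaks, e.g. `swaks --server mail.example.com.au --from user@example.com.au --to user@example.com.au` (assumed hostname), which should be refused at RCPT TO since smtpd_delay_reject is on by default.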

robc
Wow, so much helpful information. I haven't had a chance to test anything but the helo_checks sound like exactly what I need. Also, this is OS X Server 10.5.6, which barely works out of the box. I've configured it to forward all spam to [email protected], there shouldn't be any backscatter, and if there is then I'm blaming it on Apple's terrible configuration. I'll check and make sure it's not sending backscatter. Thanks again, and also I had no idea serverfault.com existed...
Glad to help (please upvote or accept the answer if it helps). Note that the check_sender_access is the important part for your specific question. The HELO checks are nice to have and an easy way to weed out particular kinds of bad clients. One thing I missed in my original answer was to subscribe to a good RBL. Zen.spamhaus.org is the best default choice. I'll edit the answer to include that.
robc
I've tried some of these to no avail. I wrote a quick PHP script to test it and the mail server still happily receives externally sent mail from: [email protected] rcpt to: [email protected]. I'm also fairly sure it's not sending backscatter but I have no idea how to test it thoroughly.
Ok, after screwing with the server a whole lot more I've learned a few things. The first thing I learned is that I hate Postfix. The second thing is that the server I'm using is actually sending backscatter. So I'd love to know how to get SpamAssassin to discard emails it identifies as spam rather than bouncing them. It would probably fix all my problems.
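A way to answer the "is my server sending backscatter" question from the mail log, added here as an example and not code from the thread. It reads Postfix's syslog lines and flags every message that the content filter (assumed to be the content_filter = smtp-amavis:[127.0.0.1]:10024 from the question's main.cf) rejected at end of DATA and for which bounce(8) then logged a "sender non-delivery notification", i.e. a DSN that went to an envelope sender nobody verified. The log lines below are constructed for the example; queue ID 661DC5D1DE is the one from the bounce in the question, the rest are made up.

```python
import re
import sys
from collections import defaultdict

# Relay string Postfix logs for the content filter in the question's main.cf (assumed).
FILTER_RELAY = "127.0.0.1[127.0.0.1]:10024"

# Constructed log lines in Postfix's syslog format: one message the filter rejected
# and Postfix bounced, and one the filter accepted.
SAMPLE_LOG = """\
May  5 06:21:38 mail postfix/smtpd[3301]: 661DC5D1DE: client=unknown[203.0.113.5]
May  5 06:21:38 mail postfix/qmgr[1102]: 661DC5D1DE: from=<user@example.com.au>, size=1840, nrcpt=1 (queue active)
May  5 06:21:40 mail postfix/smtp[3305]: 661DC5D1DE: to=<user@example.com.au>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=0.3/0/0/1.8, dsn=5.7.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 554 5.7.0 Reject, id=11887-07 - SPAM (in reply to end of DATA command))
May  5 06:21:40 mail postfix/bounce[3306]: 661DC5D1DE: sender non-delivery notification: 7C0A19F2AB
May  5 06:21:40 mail postfix/qmgr[1102]: 661DC5D1DE: removed
May  5 06:25:02 mail postfix/smtpd[3310]: 81F3C4D9E0: client=mail.partner.example[198.51.100.9]
May  5 06:25:02 mail postfix/qmgr[1102]: 81F3C4D9E0: from=<bob@partner.example>, size=2210, nrcpt=1 (queue active)
May  5 06:25:03 mail postfix/smtp[3305]: 81F3C4D9E0: to=<user@example.com.au>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.9, delays=0.2/0/0/0.7, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=11887-08, from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9A2B3C4D5E)
May  5 06:25:03 mail postfix/qmgr[1102]: 81F3C4D9E0: removed
"""

# Short-form (hex) queue IDs are assumed, as in the question's bounce.
LINE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
FROM = re.compile(r"from=<(?P<sender>[^>]*)>")
BOUNCED = re.compile(r"relay=(?P<relay>\S+), .*status=bounced \((?P<why>.*)\)$")
NDN = re.compile(r"sender non-delivery notification: (?P<dsn_qid>[0-9A-F]+)")


def find_backscatter(log_text, filter_relay=FILTER_RELAY):
    """Return {queue_id: {"sender", "reason", "dsn_queue_id"}} for every message the
    content filter rejected after DATA and Postfix then bounced back to the sender."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec, rest = msgs[m["qid"]], m["rest"]
        if m["prog"] == "qmgr" and (f := FROM.search(rest)):
            rec["sender"] = f["sender"]            # envelope sender the DSN will go to
        elif m["prog"] == "smtp" and (b := BOUNCED.search(rest)):
            if b["relay"] == filter_relay:         # only bounces caused by the filter
                rec["reason"] = b["why"]
        elif m["prog"] == "bounce" and (n := NDN.search(rest)):
            rec["dsn_queue_id"] = n["dsn_qid"]     # the DSN Postfix queued for delivery
    return {qid: r for qid, r in msgs.items() if "reason" in r and "dsn_queue_id" in r}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for qid, r in find_backscatter(text).items():
        print(f"{qid}: DSN {r['dsn_queue_id']} sent to <{r['sender']}> for: {r['reason']}")
```

Run it with the path to the Postfix log as its argument (/var/log/mail.log on most Linux hosts; the OS X Server path is not assumed here). Every line it prints is a non-delivery notification that went to the envelope sender of a message your own filter classified as spam, which is the backscatter the answer warns about; it says nothing about bounces for other reasons, and an empty result only means the filter-reject path produced none in that log.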