Thursday, June 24, 2010

Stopping spammers using old MX records with Postfix.

So, we had this problem with our new cloud-based anti-spam service. Well, not with the service as much as with the spammers (and who doesn't, right?).

With cloud based spam-scanning you make the anti-spam service MX for your domain, and they do the scanning and forward mail on to your server(s). Sounds simple enough, but spammers don't play by the rules, and they're quite happy to ignore your MX record (particularly if it changes to one of a large well-known anti-spam service) or use old cached ones if it suits them.

So, when we changed our MX a lot of spam just kept coming to our server - the old MX for the domain - even days after the change (even as I write this, spammers are still trying to send mail to that host).

We had a machine (the old MX) sitting in our DMZ handling email for the whole organisation, which consisted of three separate mail domains (Domain A, Domain B and Domain C); only Domain A was using cloud-based scanning. This machine ran Postfix, and we needed Postfix to have a rule along the lines of "If mail is delivered to Domain A from any host other than our anti-spam service, or hosts on our network, reject it".

That sounded complicated, but it really wasn't; with the help of the postfix-users mailing list we got it done easily. See the examples below:

We added the last two lines shown below (the check_client_access and check_recipient_access entries) to smtpd_recipient_restrictions in the Postfix main.cf file:

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/cloudspamsubnets,
    check_recipient_access hash:/etc/postfix/restrictourdomain

The file /etc/postfix/cloudspamsubnets contained a list of subnets our spam scanning service uses to forward mail to us, in the format:

100.1.2 OK
100.3.4 OK
100.5.6 OK

You'll notice the subnet notation is a little odd. Apparently, 100.1.2.0/24 or 100.1.2.0/255.255.255.0 don't work. That is because a hash: access table matches a client address by trying the full address and then the parent networks obtained by stripping trailing octets, so "100.1.2" covers 100.1.2.0-100.1.2.255; CIDR notation is only understood by the cidr: table type.
Next, the file /etc/postfix/restrictourdomain was a simple list of our domain and any subdomains:

subdomain.domaina.com OK
anothersubdomain.domaina.com OK
domaina.com REJECT

Because a recipient lookup also matches the parent domain, the REJECT on domaina.com would apply to any subdomains of Domain A that this server is responsible for as well, so you need to list them with an OK to have them let through.

And apart from running postmap /etc/postfix/restrictourdomain and postmap /etc/postfix/cloudspamsubnets and restarting Postfix, that pretty much did the trick!
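To see how the two tables and the restriction order interact, here is a small simulation of the lookup rules Postfix applies to the configuration above. This is an added example, not code from the original post; the subnet and domain values are constructed, and the internal network and Domains B and C are assumed.

```python
import ipaddress

# Constructed copies of the two access tables from the post (sample values only).
CLOUDSPAM_SUBNETS = {"100.1.2": "OK", "100.3.4": "OK", "100.5.6": "OK"}
RESTRICT_OUR_DOMAIN = {
    "subdomain.domaina.com": "OK",
    "anothersubdomain.domaina.com": "OK",
    "domaina.com": "REJECT",
}
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]          # assumed internal LAN
OUR_DOMAINS = ["domaina.com", "domainb.com", "domainc.com"]  # assumed hosted domains


def client_lookup(table, ip):
    """hash: access lookup for an IPv4 client: the full address first, then each
    parent network formed by stripping trailing octets (100.1.2.55 -> 100.1.2 -> ...).
    This is why '100.1.2' works where '100.1.2.0/24' does not."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        verdict = table.get(".".join(octets[:n]))
        if verdict:
            return verdict
    return None


def recipient_lookup(table, rcpt):
    """Access lookup for a recipient: full address, then the domain and each parent
    domain (smtpd_access_maps is in parent_domain_matches_subdomains by default).
    Simplified: the localpart@ lookup that Postfix also tries is omitted."""
    verdict = table.get(rcpt)
    if verdict:
        return verdict
    labels = rcpt.rpartition("@")[2].split(".")
    for i in range(len(labels) - 1):
        verdict = table.get(".".join(labels[i:]))
        if verdict:
            return verdict
    return None


def smtpd_recipient_restrictions(client_ip, rcpt):
    """Walk the post's restriction list in order; the first OK or REJECT decides."""
    if any(ipaddress.ip_address(client_ip) in net for net in MYNETWORKS):
        return "OK"                                   # permit_mynetworks
    domain = rcpt.rpartition("@")[2]
    if not any(domain == d or domain.endswith("." + d) for d in OUR_DOMAINS):
        return "REJECT"                               # reject_unauth_destination
    verdict = client_lookup(CLOUDSPAM_SUBNETS, client_ip)   # check_client_access
    if verdict:
        return verdict
    verdict = recipient_lookup(RESTRICT_OUR_DOMAIN, rcpt)   # check_recipient_access
    return verdict or "OK"                            # end of list: Domains B and C pass
```

Mail for Domain A is accepted only from the scanning service or the LAN, while a direct delivery from anywhere else is rejected at the old MX, and Domains B and C are unaffected.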

Seeya!

P.S. Thanks to Sahil Tandon for suggesting this bit of config.

2 comments:

neugi said...

Which service are you using? I'm interested in also using such a service.

thx

System Administrivia said...

We're using these fine folks:

http://www.messagelabs.com.au/

It's early days yet, but they seem quite good.