On 1/30/06 5:40 PM, Charles Yeomans <email@hidden> wrote:
> I'm seeing some regular entries in my mail server log like the
> following; perhaps someone better understands what's being attempted
> here.
>
> Jan 30 12:58:50 FileServer postfix/smtpd[4488]: connect from
> 15.red-213-96-45.staticip.rima-tde.net[213.96.45.15]
> Jan 30 12:58:50 FileServer postfix/smtpd[4488]: DF5955F64D5:
> client=15.red-213-96-45.staticip.rima-tde.net[213.96.45.15]
> Jan 30 12:58:51 FileServer postfix/cleanup[4489]: DF5955F64D5:
> message-id=<email@hidden>
> Jan 30 12:58:52 FileServer postfix/qmgr[19245]: DF5955F64D5:
> from=<email@hidden>, size=24247, nrcpt=1 (queue active)
> Jan 30 12:58:52 FileServer postfix/smtpd[4541]: connect from
> xserve.desuetude.com[192.168.0.253]
> Jan 30 12:58:52 FileServer postfix/smtp[4540]: warning: host
> xserve.desuetude.com[192.168.0.253] greeted me with my own hostname
> desuetude.com
> Jan 30 12:58:52 FileServer postfix/smtp[4540]: warning: host
> xserve.desuetude.com[192.168.0.253] replied to HELO/EHLO with my own
> hostname desuetude.com
> Jan 30 12:58:52 FileServer postfix/smtp[4540]: DF5955F64D5:
> to=<email@hidden>,
> relay=xserve.desuetude.com[192.168.0.253], delay=2, status=bounced
> (mail for mail.desuetude.com loops back to myself)
> Jan 30 12:58:52 FileServer postfix/smtpd[4541]: lost connection after
> EHLO from xserve.desuetude.com[192.168.0.253]
> Jan 30 12:58:52 FileServer postfix/smtpd[4541]: disconnect from
> xserve.desuetude.com[192.168.0.253]
> Jan 30 12:58:52 FileServer postfix/cleanup[4489]: DD4895F64D7:
> message-id=<email@hidden>
> Jan 30 12:58:52 FileServer postfix/qmgr[19245]: DD4895F64D7: from=<>,
> size=25905, nrcpt=1 (queue active)
> Jan 30 12:58:53 FileServer postfix/smtpd[4488]: disconnect from
> 15.red-213-96-45.staticip.rima-tde.net[213.96.45.15]
> Jan 30 12:58:54 FileServer postfix/smtp[4543]: DD4895F64D7:
> to=<email@hidden>, relay=mail.jumpy.it[213.215.144.26], delay=2,
> status=sent (250 <43DB1B5D00211060> Mail accepted)
>
> Presumably the evil initiator of the connection is trying to pass
> himself off as my server. And I'm hoping that the last line is my
> server bouncing the mail back to the stated return address.
>
> I'm running OS X Server 10.3.9, using Kerberos for SMTP authorization
> and SMTP relay limited to localhost; is there something else to be
> doing?
Dan Shoop <email@hidden> said (and thank you for the info, I will
reference it when I have a chance to try working with Exim, hopefully soon):
> Run exim, either as a replacement for postfix (which is far too
> convoluted) or as a front end. Exim's concept of strong ACLs drops
> more spam and nasty tricks like these than any other MTA.
<snip> (details about Exim settings)
> Who is 192.168.0.253???
Perhaps you have a misconfigured server:
xserve.desuetude.com[192.168.0.253], delay=2, status=bounced
(mail for mail.desuetude.com loops back to myself)
What is the IP of your server?
What do you have listed in Server Admin under Mail / Settings / Advanced,
Localhost aliases?
As for blocking spoofing attempts, you do have an option for Postfix, which
came with your OS X Server (vs. dropping it and using Exim instead).
Read the UCE tips/texts for Postfix at
http://www.postfix.org/docs.html
in the section titled UCE/Virus.
Bear in mind that some of the other articles there are not applicable for OS
X Server.
I'd suggest http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt,
the section "For 2.x versions of Postfix", but do read it thoroughly.
AND for the OS X Server (Apple-supplied) version of Postfix: where the author
says "dbm" you'll need to use "hash".
Before editing anything by hand, back up your /etc/postfix/main.cf and
/etc/postfix/master.cf files, and consider it a one-way trip: don't use the
GUI after you've made hand-edits. Of course, please don't touch these files
with a GUI app... That way leads to pain & suffering.
Note where to add
check_helo_access hash:/etc/postfix/helo_checks
(order is important).
And then start helo_checks with:
xserve.desuetude.com   REJECT Spoofing attempt
ip.ofyour.server       REJECT Spoofing, don't use my own IP address
127.0.0.1              REJECT Must not use loopback address
localhost              REJECT Spoofing - You are not this machine
Where "ip.ofyour.server" is of course its actual IP address.
Once you've created that file, you'll need to run:
postmap /etc/postfix/helo_checks
And if you've also just updated your settings in /etc/postfix/main.cf,
you'll need to issue:
postfix reload
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden
This email sent to email@hidden
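The reply above asks what 192.168.0.253 is and points at the "loops back to myself" bounce. The following script is an added example, not code from either poster or from the Postfix project: it groups Postfix log lines by queue ID and flags (a) deliveries that Postfix bounced because the relay was itself and (b) the null-sender bounce that was then delivered off-box, which is backscatter if the original envelope sender was forged. The sample log is a constructed copy of the quoted lines; the addresses redacted as email@hidden are replaced with placeholder mailboxes (sender@example.net, user@mail.desuetude.com), which are assumptions, while the hostnames, IPs, queue IDs and status text are as quoted.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log quoted in the thread.  The redacted
# mailboxes are placeholders (assumed); the rest is as quoted.
SAMPLE_LOG = """\
Jan 30 12:58:50 FileServer postfix/smtpd[4488]: connect from 15.red-213-96-45.staticip.rima-tde.net[213.96.45.15]
Jan 30 12:58:50 FileServer postfix/smtpd[4488]: DF5955F64D5: client=15.red-213-96-45.staticip.rima-tde.net[213.96.45.15]
Jan 30 12:58:51 FileServer postfix/cleanup[4489]: DF5955F64D5: message-id=<placeholder-1@example.invalid>
Jan 30 12:58:52 FileServer postfix/qmgr[19245]: DF5955F64D5: from=<sender@example.net>, size=24247, nrcpt=1 (queue active)
Jan 30 12:58:52 FileServer postfix/smtpd[4541]: connect from xserve.desuetude.com[192.168.0.253]
Jan 30 12:58:52 FileServer postfix/smtp[4540]: warning: host xserve.desuetude.com[192.168.0.253] greeted me with my own hostname desuetude.com
Jan 30 12:58:52 FileServer postfix/smtp[4540]: warning: host xserve.desuetude.com[192.168.0.253] replied to HELO/EHLO with my own hostname desuetude.com
Jan 30 12:58:52 FileServer postfix/smtp[4540]: DF5955F64D5: to=<user@mail.desuetude.com>, relay=xserve.desuetude.com[192.168.0.253], delay=2, status=bounced (mail for mail.desuetude.com loops back to myself)
Jan 30 12:58:52 FileServer postfix/cleanup[4489]: DD4895F64D7: message-id=<placeholder-2@example.invalid>
Jan 30 12:58:52 FileServer postfix/qmgr[19245]: DD4895F64D7: from=<>, size=25905, nrcpt=1 (queue active)
Jan 30 12:58:54 FileServer postfix/smtp[4543]: DD4895F64D7: to=<sender@example.net>, relay=mail.jumpy.it[213.215.144.26], delay=2, status=sent (250 <43DB1B5D00211060> Mail accepted)
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ postfix/(?P<prog>\w+)\[\d+\]: (?P<rest>.*)$")
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")      # key=<addr> or key=value
DETAIL_RE = re.compile(r"\(([^)]*)\)\s*$")           # trailing "(reason)"


def parse_fields(body):
    """Turn 'to=<a@b>, relay=x[1.2.3.4], status=bounced (why)' into a dict."""
    fields = {k: v.strip("<>") for k, v in KV_RE.findall(body)}
    m = DETAIL_RE.search(body)
    if m:
        fields["detail"] = m.group(1)
    return fields


def triage(log_text):
    """Group Postfix log lines by queue ID and classify each message.

    Returns (messages, findings, helo_warnings): messages maps queue ID to the
    merged fields seen for it; findings lists (queue_id, kind) with kind "loop"
    for a delivery Postfix bounced as looping back to itself and "backscatter"
    for a null-sender bounce that was delivered to another host; helo_warnings
    collects the smtp client's "my own hostname" warnings.
    """
    messages = defaultdict(dict)
    helo_warnings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if "with my own hostname" in rest:
            helo_warnings.append(rest)
            continue
        q = QID_RE.match(rest)
        if not q:                      # "connect from" / "disconnect from" lines
            continue
        messages[q.group("qid")].update(parse_fields(q.group("body")))

    findings = []
    for qid, f in messages.items():
        if f.get("status") == "bounced" and "loops back to myself" in f.get("detail", ""):
            findings.append((qid, "loop"))
        elif f.get("from") == "" and f.get("status") == "sent":
            findings.append((qid, "backscatter"))
    return messages, findings, helo_warnings


if __name__ == "__main__":
    messages, findings, warnings = triage(SAMPLE_LOG)
    for qid, kind in findings:
        f = messages[qid]
        print(f"{qid}: {kind:11} client={f.get('client', '-')} from=<{f.get('from', '-')}> "
              f"to=<{f.get('to', '-')}> relay={f.get('relay', '-')}")
    print(f"{len(warnings)} own-hostname HELO warning(s)")
```

Run against the sample, the "loop" finding shows the external client 213.96.45.15 handing in mail for mail.desuetude.com, which the server then tried to relay to 192.168.0.253 and recognised as itself; the "backscatter" finding is the resulting null-sender bounce accepted by mail.jumpy.it. That is the picture the reply's questions about the server's own IP and its localhost aliases are meant to resolve: the loop is a local routing issue, and until it is fixed every such message turns into a bounce to whatever return address the sender supplied.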
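The helo_checks procedure in the reply relies on how Postfix looks up a HELO argument in an access(5) table. This added example, not code from the list posters or from Postfix, emulates that lookup in Python so the effect of each table entry can be checked before running postmap: an IPv4 address is tried in full and then with trailing octets dropped; a hostname is tried in full and then by parent domain, in the bare "domain.tld" form when parent_domain_matches_subdomains covers smtpd_access_maps (the Postfix default) and in the dotted ".domain.tld" form otherwise. The table is a constructed copy of the one in the reply with "ip.ofyour.server" filled in as 192.168.0.253, the LAN address of xserve.desuetude.com in the quoted log, which is an assumption for this example; bracketed address literals and IPv6 are not modelled.

```python
import ipaddress

# Constructed copy of the helo_checks table from the reply.  The server's own
# address is assumed to be 192.168.0.253 (from the quoted log) for this example.
HELO_CHECKS = """\
xserve.desuetude.com   REJECT Spoofing attempt
192.168.0.253          REJECT Spoofing, don't use my own IP address
127.0.0.1              REJECT Must not use loopback address
localhost              REJECT Spoofing - You are not this machine
"""


def parse_access_table(text):
    """Parse an access(5)-style text table into {key: action}, keys lowercased."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table


def lookup_keys(helo, match_subdomains=True):
    """Yield the keys Postfix tries for a HELO argument, most specific first.

    IPv4 address: the full address, then 192.168.0, 192.168, 192.
    Hostname: the full name, then each parent domain down to the top-level
    label, as "domain.tld" when match_subdomains is true (the default for
    smtpd_access_maps) and as ".domain.tld" otherwise.
    """
    helo = helo.strip().lower()
    try:
        ipaddress.IPv4Address(helo)
    except ValueError:
        labels = helo.split(".")
        yield helo
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            yield parent if match_subdomains else "." + parent
    else:
        octets = helo.split(".")
        for n in range(4, 0, -1):
            yield ".".join(octets[:n])


def helo_action(helo, table, match_subdomains=True):
    """Return the action of the first matching key, or DUNNO (no decision)."""
    for key in lookup_keys(helo, match_subdomains):
        if key in table:
            return table[key]
    return "DUNNO"


if __name__ == "__main__":
    table = parse_access_table(HELO_CHECKS)
    for helo in ("xserve.desuetude.com", "mail.desuetude.com", "localhost",
                 "127.0.0.1", "192.168.0.254", "mx.example.org"):
        print(f"{helo:22} -> {helo_action(helo, table)}")
    # A bare-domain entry catches every host under it (default matching),
    # which the single per-host entry in the original table does not.
    wider = {**table, "desuetude.com": "REJECT Spoofing attempt"}
    print("mail.desuetude.com with a desuetude.com entry ->",
          helo_action("mail.desuetude.com", wider))
```

A DUNNO result means the restriction list continues with the next item, so where check_helo_access sits in smtpd_helo_restrictions matters, as the reply notes: placed after permit_mynetworks, hosts on the LAN are never tested against it, which is usually what you want for a server that also talks to itself.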