I have a server with Postfix, running in Docker. The server is supposed to only receive emails, not send them.
I added the following iptables rules to try to block anything getting out from port 25:
sudo iptables -A OUTPUT -p tcp --dport 25 -j REJECT
sudo iptables -I DOCKER-USER -o eth0 -p tcp --dport 25 -j REJECT
sudo iptables -I DOCKER-USER -o docker0 -p tcp --dport 25 -j REJECT
This gives the following iptables -L output:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.19.0.2 tcp dpt:mysql
ACCEPT tcp -- anywhere 172.19.0.4 tcp dpt:http-alt
ACCEPT tcp -- anywhere 172.19.0.5 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.5 tcp dpt:http
ACCEPT tcp -- anywhere 172.19.0.6 tcp dpt:smtp
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
This is my Postfix main.cf file:
compatibility_level = 3.6
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix/readme
inet_protocols = ipv4
meta_directory = /etc/postfix
shlib_directory = /usr/lib/postfix
maillog_file = /dev/stdout
myhostname = mydomainmane.com
mydomain = mydomainmane.com
mydestination = mydomainmane.com, localhost.localdomain, localhost
myorigin = $mydomain
relayhost = [mail.xxxxx.xxx]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
always_add_missing_headers = yes
smtp_host_lookup = native,dns
transport_maps = lmdb:/dkvolume/transport
virtual_alias_maps = proxy:mysql:/dkvolume/mysql-virtual_email2email.cf
virtual_mailbox_maps = proxy:mysql:/dkvolume/mysql-virtual_mailboxes.cf
local_recipient_maps = $virtual_mailbox_maps
local_transport = virtual
smtpd_relay_restrictions = defer_unauth_destination
default_transport = error:No outside emails
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomainmane.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomainmane.com/privkey.pem
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_received_header = yes
relay_domains = $mydomain
smtpd_banner = $mydomain
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 10
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 2097152
smtpd_recipient_limit = 5
disable_vrfy_command = yes
smtpd_helo_required = yes
mynetworks = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_client_message_rate_limit = 5
anvil_rate_time_unit = 120s
smtpd_client_recipient_rate_limit = 10
smtpd_tls_auth_only = yes
smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname
smtpd_error_sleep_time = 3s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
default_destination_rate_delay = 2s
smtpd_reject_unlisted_recipient = no
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, permit
smtpd_data_restrictions = reject_multi_recipient_bounce, reject_unauth_pipelining
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, permit
strict_rfc821_envelopes = yes
After all of this I'm still getting emails to random email addresses in my domain, such as [email protected], with subjects like "邮件投递超时错误" (Mail delivery timeout error), "Undelivered Mail Returned to Sender" or "系统退信" (System bounce)...
This means that someone (mainly from China) is using my server to send spam and, among the receivers, some of these spam emails are answered with errors.
How can I block ANY email from leaving my server? What am I doing wrong?
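As an added check, not part of the question above: the posted rules reject TCP port 25 only, while the posted relayhost line points at port 587, and a --dport 25 rule does not match a connection to 587. The POSIX shell snippet below makes that comparison mechanical. It extracts the port the relayhost setting names (25 when none is given, which is also the port used for direct delivery to a destination MX) and the destination ports any REJECT or DROP rule matches on, then reports whether the relay port is covered. The inputs are constructed copies of the lines shown in the question so it runs offline; the function names are mine. On a real host, feed it the output of postconf -h relayhost and iptables -S instead. Note also that iptables -L without -v hides the in/out interface column, so iptables -L -v -n is the form to compare against rules entered with -o.

```shell
#!/bin/sh
# Added example, not from the question: cross-check the outbound SMTP port
# Postfix will use against the destination ports the firewall rules reject.
# Inputs are constructed copies of the poster's relayhost line and rules,
# so the script runs offline; swap in `postconf -h relayhost` and
# `iptables -S` output on a real host.

MAIN_CF='relayhost = [mail.xxxxx.xxx]:587
default_transport = error:No outside emails'

RULES='iptables -A OUTPUT -p tcp --dport 25 -j REJECT
iptables -I DOCKER-USER -o eth0 -p tcp --dport 25 -j REJECT
iptables -I DOCKER-USER -o docker0 -p tcp --dport 25 -j REJECT'

# TCP port the smtp/relay transport will connect to: the explicit ":port"
# suffix of relayhost, or 25 when relayhost has no port or is unset
# (direct delivery to the destination MX also goes to 25).
relayhost_port() {
  line=$(printf '%s\n' "$1" | grep '^relayhost' | head -n 1)
  port=$(printf '%s\n' "$line" | sed -n 's/.*:\([0-9][0-9]*\)[[:space:]]*$/\1/p')
  echo "${port:-25}"
}

# Destination ports that any REJECT/DROP rule matches on, one per line.
blocked_ports() {
  printf '%s\n' "$1" | grep -E -- '-j (REJECT|DROP)' \
    | sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p' | sort -u
}

# Succeeds when port $1 appears in the blocked ports derived from rules $2.
port_is_blocked() {
  blocked_ports "$2" | grep -qx "$1"
}

# Prints "covered" when the relay port is blocked, else "uncovered:<port>".
outbound_check() {
  port=$(relayhost_port "$1")
  if port_is_blocked "$port" "$2"; then
    echo "covered"
  else
    echo "uncovered:$port"
  fi
}

echo "relayhost port: $(relayhost_port "$MAIN_CF")"
echo "rejected dports: $(blocked_ports "$RULES" | tr '\n' ' ')"
echo "result: $(outbound_check "$MAIN_CF" "$RULES")"
```

With the posted values the result line is "uncovered:587"; adding a rule for --dport 587 (and 465 if any transport uses SMTPS) to the same chains makes it report "covered", which is the condition the port-25 rules alone were assumed to guarantee.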