
I have a server with Postfix, running in Docker. The server is supposed to only receive emails, not send them.

I added the following iptables rules to try to block anything getting out from port 25:

sudo iptables -A OUTPUT -p tcp --dport 25 -j REJECT 
sudo iptables -I DOCKER-USER -o eth0 -p tcp --dport 25 -j REJECT
sudo iptables -I DOCKER-USER -o docker0 -p tcp --dport 25 -j REJECT

This results in the following iptables -L output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             tcp dpt:smtp reject-with icmp-port-unreachable

Chain DOCKER (3 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:mysql
ACCEPT     tcp  --  anywhere             172.19.0.4           tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.19.0.6           tcp dpt:smtp

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             tcp dpt:smtp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:smtp reject-with icmp-port-unreachable

This is my Postfix main.cf file:

compatibility_level = 3.6
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /etc/postfix

readme_directory = /usr/share/doc/postfix/readme
inet_protocols = ipv4
meta_directory = /etc/postfix
shlib_directory = /usr/lib/postfix
maillog_file = /dev/stdout
myhostname = mydomainmane.com
mydomain = mydomainmane.com
mydestination = mydomainmane.com, localhost.localdomain, localhost
myorigin = $mydomain
relayhost = [mail.xxxxx.xxx]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
always_add_missing_headers = yes
smtp_host_lookup = native,dns
transport_maps = lmdb:/dkvolume/transport
virtual_alias_maps = proxy:mysql:/dkvolume/mysql-virtual_email2email.cf
virtual_mailbox_maps = proxy:mysql:/dkvolume/mysql-virtual_mailboxes.cf
local_recipient_maps = $virtual_mailbox_maps
local_transport = virtual
smtpd_relay_restrictions = defer_unauth_destination
default_transport = error:No outside emails
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomainmane.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomainmane.com/privkey.pem
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_received_header = yes
relay_domains = $mydomain
smtpd_banner = $mydomain
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 10
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 2097152
smtpd_recipient_limit = 5
disable_vrfy_command = yes
smtpd_helo_required = yes
mynetworks = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_client_message_rate_limit = 5
anvil_rate_time_unit = 120s
smtpd_client_recipient_rate_limit = 10
smtpd_tls_auth_only = yes
smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname
smtpd_error_sleep_time = 3s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
default_destination_rate_delay = 2s
smtpd_reject_unlisted_recipient = no
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, permit
smtpd_data_restrictions = reject_multi_recipient_bounce, reject_unauth_pipelining
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, permit
strict_rfc821_envelopes = yes

After all of this I'm still getting emails to random email addresses in my domain, such as [email protected], with subjects like "邮件投递超时错误" (Mail delivery timeout error), "Undelivered Mail Returned to Sender" or "系统退信" (System bounce)...

This means that someone (mainly from China) is using my server to send spam, and some of the recipients of this spam respond with errors.

How can I block ANY email from leaving my server? What am I doing wrong?

  • Some people will send you bounces or messages crafted to look similar to such without you ever sending messages; we call this "backscatter". Before you jump to conclusions, read the headers of the supposedly "returned" messages and compare them with your logs to see whether they plausibly originated from your machine.
    – anx
    Commented Sep 10, 2022 at 9:08
  • Thanks @anx. But why would they do that?
    – Nifhel
    Commented Sep 10, 2022 at 10:35
  • Because that is just what happens if you run stuff like everyone did before sender authentication or bounce validation schemes were a thing. If you run older software, or improperly set up different software to work in conjunction, you can easily and unintentionally become a source of backscatter.
    – anx
    Commented Sep 10, 2022 at 13:03
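As an added example (not code from the question, the answer or Postfix), the following audit parses a main.cf, including its whitespace-continuation lines, and reports what this question's settings mean for outbound mail: the relayhost port, the error default_transport, a restriction list that ends in permit, and which of the container addresses shown in the DOCKER chain fall inside mynetworks. The main.cf excerpt and the container list are taken from this question.

```python
# Added example (not from the question, the answer or Postfix): parse a main.cf with its
# continuation-line syntax and report what this question's settings mean for outbound mail.
# SAMPLE_MAIN_CF is an excerpt of the question's main.cf; CONTAINER_IPS are from its DOCKER chain.
from ipaddress import ip_address, ip_network

SAMPLE_MAIN_CF = """\
relayhost = [mail.xxxxx.xxx]:587
default_transport = error:No outside emails
mynetworks = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, permit
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
"""
CONTAINER_IPS = ["172.19.0.2", "172.19.0.4", "172.19.0.5", "172.19.0.6"]

def parse_main_cf(text):
    """main.cf is 'name = value'; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for line in filter(lambda l: l.strip() and not l.lstrip().startswith("#"), text.splitlines()):
        if line[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + line.strip()).strip()
        else:
            name, _, value = line.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params

def relayhost_port(params):
    """TCP port the smtp client uses for relayhost ('[host]:port'); 25 if none given, None if unset."""
    relay = params.get("relayhost", "")
    _, sep, port = relay.rpartition(":")
    return None if not relay else int(port) if sep and port.isdigit() else 25

def audit(params, container_ips):
    findings = []
    port = relayhost_port(params)
    if port is not None:
        findings.append(f"relayhost delivers over TCP {port}; rules matching only --dport 25 do not cover it")
    if params.get("default_transport", "").startswith("error:"):
        findings.append("default_transport=error: queued remote mail without a transport_maps entry is bounced")
    for name in ("smtpd_sender_restrictions", "smtpd_recipient_restrictions"):
        rules = [r.strip() for r in params.get(name, "").split(",") if r.strip()]
        if rules and rules[-1] == "permit":
            findings.append(f"{name} ends with 'permit'")
    nets = [ip_network(n.strip()) for n in params.get("mynetworks", "").split(",") if n.strip()]
    trusted = [ip for ip in container_ips if any(ip_address(ip) in n for n in nets)]
    if trusted:
        findings.append("containers inside mynetworks (permit_mynetworks applies): " + ", ".join(trusted))
    return findings
```

Run `audit(parse_main_cf(open("/etc/postfix/main.cf").read()), [...])` against a real file; the parser only handles the `name = value` and continuation forms, not `postconf -n` output.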

1 Answer

Postfix's smtpd access control applies to the receiving mail session only.

If you want to receive mail, it has to go somewhere, to its destination. So if you receive mail that is not destined for your domain, Postfix tries to send it on to its destination.

You can't explicitly deny Postfix from sending mail, but you can use

 smtpd_recipient_restrictions = permit_auth_destination, reject

to receive mail destined for your domain only, so Postfix has nothing it should send anywhere.

But it also stops receiving mail from your users to other domains if you use the same smtpd server for receiving from your users and from others.

> This means that someone (mainly from China) is using my server to send spam, and some of the recipients of this spam respond with errors.

You have permit in

 smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, permit

So anyone outside can send to your domain. Replace with

 smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject

Also, it may be that:

  • some (infected) computers from your networks (mynetworks = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) send spam and you get bounces for it

  • someone on the internet sends spam to someone using your address as the forged sender address. All errors and reply emails bounce to your server, of course. So you can't get rid of this spoofed mail by blocking outgoing mail.

Stopping Postfix from sending mail with a firewall is generally a wrong idea: you may block legitimate emails in the Postfix queue.

But with relayhost it is OK.

But with rule like

iptables -A OUTPUT -p tcp --dport 25 -j REJECT 

you effectively break all Postfix conversations, not only sending as you think, because normal client-server traffic is bidirectional.

You should use stateful checks to allow incoming connections but drop outgoing connections for Postfix, like:

iptables -A OUTPUT -p tcp --dport 25 -m state --state ESTABLISHED,RELATED -j DROP
  • Thanks @gapsf. I added the iptables rules because all emails are read from a webapp on the same server, reading them from a MySQL database. So I don't need any other client than that. I'll try to use reject in smtpd_sender_restrictions and see if the issue persists.
    – Nifhel
    Commented Sep 10, 2022 at 10:42
  • > "someone in the internet sends spam mail to someone using your address as forged sender address." - I'm using that domain for private purposes, it is a very unknown domain, I don't know why someone would use my domain for that.
    – Nifhel
    Commented Sep 10, 2022 at 10:44
  • Does your server have a public IP? Is your domain published in global DNS? Does it have an MX record? A public IP is enough to send email to your server. Anyone can connect to your public IP on TCP port 25 and talk with your server via the SMTP protocol.
    – gapsf
    Commented Sep 10, 2022 at 10:50
  • Yes to all 3. I'm already correctly receiving emails to my server.
    – Nifhel
    Commented Sep 10, 2022 at 10:54
  • > "it is a very unknown domain" - So it doesn't matter. Network scanners scan IP ranges, detect a working SMTP server on your IP and voilà, anyone who knows this may send to you. It's not so hard at all for spammers and malware.
    – gapsf
    Commented Sep 10, 2022 at 11:03
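An added model, not from the answer and not netfilter code, that applies the OUTPUT rules quoted in this thread (plus a conntrack NEW variant, also added here) to constructed packets from one inbound and one outbound SMTP session, so the direction each --dport match actually covers can be read off the verdicts.

```python
# Added example (not from the answer, and not netfilter code): a minimal model of how
# iptables OUTPUT rules match packets, applied to the rules quoted in this thread.
# Packets are constructed; 'state' is the conntrack state netfilter would assign.
from collections import namedtuple

Packet = namedtuple("Packet", "desc sport dport state")  # state: NEW / ESTABLISHED / RELATED
Rule = namedtuple("Rule", "dport states target")         # None means the match is not specified

def matches(rule, pkt):
    """A rule matches only when every match it specifies (--dport, --state) holds."""
    return ((rule.dport is None or pkt.dport == rule.dport)
            and (rule.states is None or pkt.state in rule.states))

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides, as in a real chain; otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

# Host-side OUTPUT packets for the sessions discussed in the thread (constructed).
PACKETS = [
    Packet("reply to inbound client (smtpd :25 -> client:51234)", 25, 51234, "ESTABLISHED"),
    Packet("outbound SYN (smtp client -> remote:25)", 40001, 25, "NEW"),
    Packet("outbound data after handshake (-> remote:25)", 40001, 25, "ESTABLISHED"),
    Packet("outbound to relayhost (-> relay:587)", 40002, 587, "NEW"),
]

# iptables -A OUTPUT -p tcp --dport 25 -j REJECT                                   (question)
QUESTION_CHAIN = [Rule(25, None, "REJECT")]
# iptables -A OUTPUT -p tcp --dport 25 -m state --state ESTABLISHED,RELATED -j DROP  (answer)
ANSWER_CHAIN = [Rule(25, frozenset({"ESTABLISHED", "RELATED"}), "DROP")]
# iptables -A OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j REJECT   (refuse only new outbound)
NEW_ONLY_CHAIN = [Rule(25, frozenset({"NEW"}), "REJECT")]

def verdicts(chain):
    """Map each constructed packet to the verdict the chain gives it."""
    return {pkt.desc: verdict(chain, pkt) for pkt in PACKETS}

if __name__ == "__main__":
    for name, chain in (("question", QUESTION_CHAIN), ("answer", ANSWER_CHAIN), ("new-only", NEW_ONLY_CHAIN)):
        for desc, v in verdicts(chain).items():
            print(f"{name:9} {v:7} {desc}")
```

A Postfix running in a bridge-networked container never traverses the host's OUTPUT chain at all: its traffic is forwarded, so it passes FORWARD and DOCKER-USER, where the question's -o eth0 rule sits, and only a host-networked Postfix would be affected by these OUTPUT rules.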
