Fixing an open relay on Postfix

Sunday, May 11, 2008, 3:05 PM
Other Stuff by John

On some levels GoDaddy really sucks. One of those levels happens to be their almost craven willingness to leave the base install of their virtual dedicated servers in a deliberately sorry state in order to pressure customers into paying for their assisted support plan.

GoDaddy leave their virtual dedicated servers open to being exploited as open relays. Of course, the default limit for relayed emails per day is 1,000. So, you can see where a spam attack could become a source of real angst very fast.

Yeah, I get that if you purchase a server without a support plan that you are expected to be able to admin it yourself. But, it is lame to willfully deploy crippled servers that act as open relays for spam email, and are thereby a nuisance to many more than just the customer refusing to buy an assisted support plan. It is at best lazy and at worst a disgusting brand of cynical capitalism.

In the past I have asked GoDaddy tech support to address the issue and they have accommodated. Apparently this policy of accommodating making the internet less spammy is now over. I emailed them twice asking them to fix the problem and got no joy at all. GoDaddy apparently just didn't give a damn that they are aiding the spread of even more spam across the internet.

Classy, huh?

So, time to suck it up and learn what I needed to do to fix Postfix so that it wasn't acting as an open relay.

Here's what you need to do:

Make a copy of the main.cf file found in the /etc/postfix/ folder on your server. Small hint: if you don't know how to access this folder, you probably shouldn't be screwing around with main.cf for Postfix.

Then add to it the following lines:

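# Require clients to send HELO/EHLO before any MAIL command
smtpd_helo_required = yes
# Apply the restrictions below as soon as HELO arrives instead of waiting for RCPT TO
smtpd_delay_reject = no
# Disable the SMTP VRFY command
disable_vrfy_command = yes

# Continuation lines must start with whitespace
smtpd_helo_restrictions = permit_mynetworks,
    reject_invalid_hostname,
    reject_unknown_hostname,
    reject_non_fqdn_hostname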

This forces any incoming connection to identify itself (with HELO) before it can do anything else. It also prevents the connecting client from using VRFY to check which user names exist on the server.

Upload the new main.cf file to the server and then restart Postfix. Once you have done that, go to Abuse.net's website and plug in the name of your mail server to test for any relays that might still be open.
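A check you can run on the edited copy before uploading it, as an added example (not code from the original post): it parses main.cf with Postfix's continuation-line rule and reports any of the settings above that are missing, including the case where the continuation lines of smtpd_helo_restrictions have lost their leading whitespace. The function names and the BROKEN sample are constructed for illustration.

```python
import re

# Settings the post adds to main.cf (names and values taken from the post).
EXPECTED = {
    "smtpd_helo_required": ["yes"],
    "smtpd_delay_reject": ["no"],
    "disable_vrfy_command": ["yes"],
    "smtpd_helo_restrictions": ["permit_mynetworks", "reject_invalid_hostname",
                                "reject_unknown_hostname", "reject_non_fqdn_hostname"],
}

def split_values(s):
    # Postfix separates list items with commas and/or whitespace.
    return [v for v in re.split(r"[,\s]+", s.strip()) if v]

def parse_main_cf(text):
    """Return ({name: [values]}, [orphan lines]). Blank and '#' lines are ignored;
    a line that starts with whitespace continues the previous logical line."""
    params, orphans, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += split_values(raw)
        elif "=" in raw:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = split_values(value)  # a later definition replaces an earlier one
        else:
            orphans.append(raw.strip())  # no '=' and no indent: a continuation that lost its whitespace
            current = None
    return params, orphans

def audit(text):
    """List every way `text` falls short of the settings in the post."""
    params, orphans = parse_main_cf(text)
    findings = []
    for name, want in EXPECTED.items():
        missing = [w for w in want if w not in params.get(name, [])]
        if name not in params:
            findings.append(f"{name}: not set")
        elif missing:
            findings.append(f"{name}: missing {', '.join(missing)}")
    return findings + [f"unindented line without '=': {o}" for o in orphans]

# Constructed sample: continuation lines flush left, smtpd_delay_reject absent.
BROKEN = ("smtpd_helo_required = yes\ndisable_vrfy_command = yes\n"
          "smtpd_helo_restrictions = permit_mynetworks,\n"
          "reject_invalid_hostname,\nreject_unknown_hostname,\nreject_non_fqdn_hostname\n")

if __name__ == "__main__":
    print("\n".join(audit(BROKEN)))
```

On the server itself, `postconf -n` prints the parameters explicitly set in main.cf as Postfix parsed them, which gives the same comparison from the other side.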

All of this is based on info I found here. I trimmed this down to the first two suggestions because you really should limit how crazy you get attacking Postfix. But, if you need more robust ideas to handle a much larger scale attack, there are some good suggestions there.

For point of reference, my relay was passing 238 from midnight until 5 pm yesterday. Now, a fair number of those are legit, but this is the weekend and every website on the server in question is a small website. So, there is no justification for that much traffic.

Today (a Sunday) I checked the relay and it has passed five emails.

Tada! Problem fixed.

And with a big no thanks to GoDaddy. Yay.



© 2008 Pro Content and Design. All rights reserved.

