I have seen that some well-configured mail servers terminate the connection right after the error
454 4.7.1 <[email protected]>: Relay access denied
which is probably saving a lot of resources and traffic. And my Postfix still keeps the SMTP session open for future commands, which, probably, are going to be only spam.
How can I tell Postfix to terminate the session (like those smart servers) right after this error is given to the spammer?
Info
Postfix version 2.10.1
Output of
postconf -n
[root@mail ~]# postconf -n
config_directory = /etc/postfix
header_checks = pcre:/etc/postfix/header_check
inet_protocols = ipv4
local_recipient_maps =
mydestination = example.com, $myhostname, localhost.$myhostname, $mydomain, localhost.$mydomain
mydomain = example.com
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 10.0.0.0/16
myorigin = example.com
relay_domains = example.com
smtpd_banner = $myhostname ESMTP
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_recipient_domain, reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/access
smtpd_sender_restrictions = check_recipient_access hash:/etc/postfix/recipients, reject_non_fqdn_sender, reject_rhsbl_sender blackhole.securitysage.com, reject_unknown_sender_domain
transport_maps = hash:/etc/postfix/transport
I have good and bad news for you regarding this question.
The good news is Postfix indeed has a mechanism to disconnect when a client is misbehaving. It is documented on this page. Three parameters control the behavior: smtpd_soft_error_limit, smtpd_hard_error_limit, smtpd_error_sleep_time. This pseudocode will illustrate how it works.
Note: In Postfix terms, ERROR* is triggered when a client request is unrecognized or unimplemented, when a client request violates access restrictions, or when some other error happens.
See, if we set smtpd_hard_error_limit to 1, Postfix will happily disconnect the client when an error happens.
The bad news is we can't filter which error triggers smtpd_hard_error_limit. Your intention to limit this disconnect behavior to the Relay Access Denied error can't be implemented. After you set smtpd_hard_error_limit to 1, every error like or will result in a disconnected client. The Postfix documentation states some effects when smtpd_hard_error_limit = 1.
Alternative solution
As an alternative solution for zombie-like clients, you can enable postscreen in Postfix. Postscreen will add one layer to the smtpd process so the server should deal with legitimate clients. See the documentation here and here.
Why does my server show error 4XX instead of 5XX?
Postfix 2.10 introduces one parameter called smtpd_relay_restrictions. You can read the documentation in postconf(5). By default this parameter has values
Parameter defer_unauth_destination will throw error 4xx instead of 5xx.
The best advice is to split the restrictions into two parameters, smtpd_relay_restrictions and smtpd_recipient_restrictions. However, if you insist on keeping the old config (e.g. in smtpd_recipient_restrictions only), you can set smtpd_relay_restrictions empty in main.cf.
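
The main.cf changes discussed in this answer, written out against the settings from the question's postconf -n output. This is an added example, not part of the original answer; keeping permit_mynetworks in both lists is an assumption made here so that internal clients keep bypassing the recipient checks as they do today.

```ini
# /etc/postfix/main.cf  (Postfix 2.10 or later)

# Before: the question's config has no smtpd_relay_restrictions line, so the
# built-in default applies. It ends in defer_unauth_destination, which is why
# relay attempts get "454 4.7.1 ... Relay access denied" (a temporary error).

# After, option 1: split relay control from the other recipient checks.
# smtpd_relay_restrictions is evaluated before smtpd_recipient_restrictions,
# and reject_unauth_destination answers relay attempts with a permanent 5xx.
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Remaining checks from the question, unchanged apart from dropping
# reject_unauth_destination, which now lives in the relay list above.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/access

# After, option 2 (instead of option 1): keep the old single list exactly as
# it is in the question and switch the new parameter off by leaving it empty.
# The old list must still contain reject_unauth_destination.
#smtpd_relay_restrictions =

# Disconnect after the first error in a session. As the answer notes, this
# counts every error (unknown command, syntax error, any rejected recipient),
# not only "Relay access denied". The normal default is 20.
smtpd_hard_error_limit = 1
```

Run `postfix check` after editing and then `postfix reload` to apply the change.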