Postfix limit incoming or receiving email rate

Over the years of having a Postfix server up and running, we’ve noticed a common tactic the spammers love to implement. They continually try to make a connection to the mail server; it’s known as an E-mail flooding attack. Silly spammers…. Mail servers are for legitimate users.

So how can you limit this attack? Easy…..  Implement incoming E-mail rates!

The Postfix smtpd daemon can enforce a number of limits on incoming E-mail.

Okay….  A Spammer or a bot has you in their sights…. Well they will connect to your server and send garbage commands or SPAM, attempting to crash your server. To weather the storm you can limit:

  • The length of lines in a message and so on
  • The size of messages
  • The number of recipients for a single delivery

Here’s what we suggest:

  • smtpd_error_sleep_time
    The SMTP server response delay after a client has made more than $smtpd_soft_error_limit errors, and fewer than $smtpd_hard_error_limit errors, without delivering mail.
  • smtpd_soft_error_limit
    The number of errors a remote SMTP client is allowed to make without delivering mail before the Postfix SMTP server slows down all its responses.
  • smtpd_hard_error_limit
    The maximal number of errors a remote SMTP client is allowed to make without delivering mail. The Postfix SMTP server disconnects when the limit is exceeded.

Here is how to implement this:

Open the postfix configuration file:

[codesyntax lang="text" lines="no"]

# vi /etc/postfix/main.cf

[/codesyntax]

Add the following lines to the file:

[codesyntax lang="text" lines="no"]

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

[/codesyntax]

 

Save the file and restart the Postfix server:

[codesyntax lang="text" lines="no"]

# /etc/init.d/postfix restart

[/codesyntax]

 

Now Postfix waits one second before reporting each error, such as a HELO command that was not provided or an FQDN hostname that does not exist. After 10 such errors Postfix will start to increase the delay. If the error count reaches 20, Postfix will disconnect the client. Feel free to modify the limits to suit your needs. Check your mail log to see it in action; you should see lines similar to the ones listed below:

[codesyntax lang="text" lines="no"]
Feb 12 14:15:38 tesla postfix/anvil[993]: statistics: max connection rate 1/60s for (smtp:64.50.172.232) at Feb 12 14:07:10
Feb 12 14:15:38 tesla postfix/anvil[993]: statistics: max connection count 1 for (smtp:64.50.172.232) at Feb 12 14:07:10
Feb 12 14:15:38 tesla postfix/anvil[993]: statistics: max cache size 2 at Feb 12 14:07:21

[/codesyntax]
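To see which clients are actually hitting these limits, the mail log can be summarized per client. The script below is an added example, not part of the original post: it counts the "too many errors after ..." lines that smtpd logs when a client exceeds smtpd_hard_error_limit and pairs them with the peak connection rate from the anvil statistics lines. The log lines, the host name mx1 and the addresses are constructed sample data.

```sh
#!/bin/sh
# Constructed sample log (documentation address ranges, hypothetical host "mx1").
sample_log() {
cat <<'EOF'
Feb 12 14:07:02 mx1 postfix/smtpd[2101]: connect from unknown[203.0.113.7]
Feb 12 14:07:09 mx1 postfix/smtpd[2101]: too many errors after RCPT from unknown[203.0.113.7]
Feb 12 14:07:09 mx1 postfix/smtpd[2101]: disconnect from unknown[203.0.113.7]
Feb 12 14:09:41 mx1 postfix/smtpd[2177]: too many errors after HELO from unknown[203.0.113.7]
Feb 12 14:11:30 mx1 postfix/smtpd[2190]: too many errors after RCPT from host.example.net[198.51.100.23]
Feb 12 14:15:38 mx1 postfix/anvil[993]: statistics: max connection rate 14/60s for (smtp:203.0.113.7) at Feb 12 14:07:10
Feb 12 14:15:38 mx1 postfix/anvil[993]: statistics: max connection rate 1/60s for (smtp:198.51.100.23) at Feb 12 14:11:29
Feb 12 14:15:38 mx1 postfix/anvil[993]: statistics: max cache size 2 at Feb 12 14:07:21
EOF
}

# Read a mail log on stdin and print "client hard_limit_disconnects peak_rate",
# one line per client, worst offenders first.
summarize_limits() {
  awk '
    /postfix\/smtpd\[[0-9]+\]: too many errors after / {
      ip = $NF                                   # e.g. unknown[203.0.113.7]
      sub(/^.*\[/, "", ip); sub(/\].*$/, "", ip)
      drops[ip]++; seen[ip] = 1
    }
    /postfix\/anvil\[[0-9]+\]: statistics: max connection rate / {
      # ... max connection rate N/60s for (service:IP) at ...
      for (i = 1; i <= NF; i++)
        if ($i == "rate") { rate = $(i + 1); ip = $(i + 3) }
      sub(/\/.*/, "", rate)                      # keep N from N/60s
      sub(/^\([^:]*:/, "", ip); sub(/\)$/, "", ip)
      if (rate + 0 > peak[ip] + 0) peak[ip] = rate + 0
      seen[ip] = 1
    }
    END { for (ip in seen) printf "%s %d %d\n", ip, drops[ip], peak[ip] }
  ' | sort -k2,2nr -k3,3nr
}

sample_log | summarize_limits
```

On a live server, feed it the real log instead of the sample, for example `summarize_limits < /var/log/mail.log` (the log path varies by distribution).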

 


Postfix configure anti-spam with blacklist checking

Postfix is a free and powerful MTA. You can easily configure Postfix to block spam by adding a few lines. You need to add the following directives to the /etc/postfix/main.cf file:

  • disable_vrfy_command = yes : Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.
  • smtpd_delay_reject = yes : It allows Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected.
  • smtpd_helo_required = yes : Require that a remote SMTP client introduces itself at the beginning of an SMTP session with the HELO or EHLO command. Many spam bots ignore the HELO/EHLO command, so this saves you from their spam. The following lines add further restrictions on the HELO command:
  • smtpd_helo_restrictions = permit_mynetworks,
  • reject_non_fqdn_hostname, – Reject email if the remote hostname is not in fully-qualified domain form. Usually bots sending email don’t have FQDN names.
  • reject_invalid_hostname, – Reject email if the remote hostname is not valid. Bots sending email from DSL/ADSL-connected computers usually don’t have a valid internet hostname.

You can put the following access restrictions that the Postfix SMTP server applies in the context of the RCPT TO command.

  • smtpd_recipient_restrictions =
  • reject_invalid_hostname, – Reject email if the hostname is not valid
  • reject_non_fqdn_hostname, – Reject email if the hostname is not a valid FQDN
  • reject_non_fqdn_sender, – Reject the request when the MAIL FROM address is not in fully-qualified domain form. For example, email sent from xyz or abc is rejected.
  • reject_non_fqdn_recipient, – Reject the request when the RCPT TO address is not in fully-qualified domain form
  • reject_unknown_sender_domain, – Reject email if the sender domain does not exist
  • reject_unknown_recipient_domain, – Reject email if the recipient domain does not exist

 

If you would like to check the message against some popular SPAM blocklists you can add the following:

  • reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,

Open the /etc/postfix/main.cf file:
# vi /etc/postfix/main.cf

Here is what the lines may look like in your main.cf:

[codesyntax lang="text" lines="no"]

disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
     reject_non_fqdn_hostname,
     reject_invalid_hostname,
     permit

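# reject_unauth_destination stops the server from relaying mail for strangers.
# Postfix releases before 2.10 refuse mail unless this list contains such a relay check.
smtpd_recipient_restrictions =
     permit_sasl_authenticated,
     reject_invalid_hostname,
     reject_non_fqdn_hostname,
     reject_non_fqdn_sender,
     reject_non_fqdn_recipient,
     reject_unknown_sender_domain,
     reject_unknown_recipient_domain,
     permit_mynetworks,
     reject_unauth_destination,
     reject_rbl_client sbl.spamhaus.org,
     reject_rbl_client cbl.abuseat.org,
     reject_rbl_client dul.dnsbl.sorbs.net,
     permit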
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

[/codesyntax]

The last three lines limit the incoming or receiving E-mail rate. This also aids in avoiding SPAM.

Save and close main.cf and then restart postfix:
# /etc/init.d/postfix restart
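A misspelled restriction name in these comma-separated, multi-line lists is not caught when the file is saved, so it is worth checking the list before restarting. The script below is an added example, not part of the original post or of Postfix: it joins the indented continuation lines of one main.cf parameter and flags names outside an allow-list and reject_rbl_client entries with no zone. The allow-list (the restrictions used on this page plus reject_unauth_destination), the function names and the sample fragment are assumptions made for the example.

```sh
#!/bin/sh
# Constructed main.cf fragment: one misspelled name, one DNSBL entry without a zone.
sample_main_cf() {
cat <<'EOF'
smtpd_helo_required = yes
# comment lines and blank lines are skipped
smtpd_recipient_restrictions =
     permit_sasl_authenticated,
     reject_non_fqdn_sender,
     permit_mynetworks,
     reject_rbl_client sbl.spamhaus.org,
     rejject_rbl_client cbl.abuseat.org,
     reject_rbl_client,
     permit
smtpd_hard_error_limit = 20
EOF
}

# Allow-list assumed for this check; extend it with the restrictions you use.
KNOWN="permit permit_mynetworks permit_sasl_authenticated reject_unauth_destination"
KNOWN="$KNOWN reject_invalid_hostname reject_non_fqdn_hostname reject_rbl_client"
KNOWN="$KNOWN reject_non_fqdn_sender reject_non_fqdn_recipient"
KNOWN="$KNOWN reject_unknown_sender_domain reject_unknown_recipient_domain"

# Usage: lint_restrictions PARAMETER < main.cf   (prints one line per problem)
lint_restrictions() {
  awk -v param="$1" -v known="$KNOWN" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[^ \t]/ {                                   # start of a logical line
      name = $0; sub(/[ \t]*=.*/, "", name)
      active = (name == param)
      if (active) { value = $0; sub(/^[^=]*=/, "", value) }
      next
    }
    active { value = value " " $0 }               # indented continuation line
    END {
      m = split(value, item, ",")
      for (i = 1; i <= m; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", item[i])
        if (item[i] == "") continue
        c = split(item[i], w, /[ \t]+/)
        if (!(w[1] in ok)) print "unknown restriction: " w[1]
        else if (w[1] == "reject_rbl_client" && c < 2)
          print "reject_rbl_client without a DNSBL zone"
      }
    }'
}

sample_main_cf | lint_restrictions smtpd_recipient_restrictions
```

The check assumes the comma-separated layout shown above; run it as `lint_restrictions smtpd_recipient_restrictions < /etc/postfix/main.cf`.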


Compress a Whole Linux Directory

There are times when you want to compress an entire directory in Linux. This may be to move it to another location or to just create a backup. One way is to use TAR.

In the Windows realm WinZip and WinRAR are two very popular utilities that perform similar functions.

The tar command line is listed below:

tar -zcvf archive-name.tar.gz directory-name

Where,

  • -z: Compress archive using gzip program
  • -c: Create archive
  • -v: Verbose, i.e. display progress while creating archive
  • -f: Archive File name

For example, if you have a directory called /home/myfiles and you would like to compress it, you can type the tar command as follows:

$ tar -zcvf myfiles.tar.gz /home/myfiles

The above command will create an archive file called myfiles.tar.gz in the current directory. If you wish to restore your archive, use the following command (it will extract all files into the current directory):

$ tar -zxvf myfiles.tar.gz

Where,

  • -x: Extract files
  • -v: Print verbose
  • -z: Compress / Uncompress automatically
  • -f: The archive file name is given on the command line (required whenever the tar output is going to a file)

If you wish to extract files into a particular directory, for example /other, use the following command:

$ tar -zxvf myfiles.tar.gz -C /other
$ cd /other
$ ls
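When an archive comes from somewhere else, it is worth listing it with -t before extracting with -C. The script below is an added example, not part of the original post: it creates the archive with member names relative to the parent directory, then refuses to extract if any listed member name is absolute or contains a ".." component. The function names and the temporary directory layout are assumptions made for the example.

```sh
#!/bin/sh
# Read member names on stdin; print those that are absolute or contain "..".
unsafe_members() {
  grep -E '^/|(^|/)\.\.(/|$)' || true
}

# Create archive $1 from directory $2, storing names relative to its parent.
make_backup() {
  tar -zcf "$1" -C "$(dirname "$2")" "$(basename "$2")"
}

# Extract archive $1 into directory $2 only if every member name is contained.
safe_extract() {
  bad=$(tar -ztf "$1" | unsafe_members)
  if [ -n "$bad" ]; then
    printf 'refusing to extract, unsafe member names:\n%s\n' "$bad" >&2
    return 1
  fi
  mkdir -p "$2" && tar -zxf "$1" -C "$2"
}

# Round trip on a throwaway tree (constructed paths under a temporary directory).
demo() {
  work=$(mktemp -d) || return 1
  mkdir -p "$work/home/myfiles/docs"
  echo "hello" > "$work/home/myfiles/docs/note.txt"
  make_backup "$work/myfiles.tar.gz" "$work/home/myfiles" &&
    safe_extract "$work/myfiles.tar.gz" "$work/other" &&
    cat "$work/other/myfiles/docs/note.txt"
  status=$?
  rm -rf "$work"
  return $status
}

demo
```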

 


Robocopy Commands

Robocopy, or “Robust File Copy”, is a command-line directory replication command. It has been available as part of the Windows Resource Kit starting with Windows NT 4.0, and was introduced as a standard feature of Windows Vista, Windows 7 and Windows Server 2008. The command is robocopy.

Syntax: ROBOCOPY Source_folder Destination_folder [files_to_copy] [options]

Key: file(s)_to_copy : A list of files or a wildcard. (defaults to copying *.*)

Source options
/S : Copy Subfolders.
/E : Copy Subfolders, including Empty Subfolders.
/COPY:copyflag[s] : What to COPY (default is /COPY:DAT)
(copyflags : D=Data, A=Attributes, T=Timestamps
S=Security=NTFS ACLs, O=Owner info, U=aUditing info).
/SEC : Copy files with SECurity (equivalent to /COPY:DATS).
/DCOPY:T : Copy Directory Timestamps. ##
/COPYALL : Copy ALL file info (equivalent to /COPY:DATSOU).
/NOCOPY : Copy NO file info (useful with /PURGE).

/A : Copy only files with the Archive attribute set.
/M : like /A, but remove Archive attribute from source files.
/LEV:n : Only copy the top n LEVels of the source tree.

/MAXAGE:n : MAXimum file AGE – exclude files older than n days/date.
/MINAGE:n : MINimum file AGE – exclude files newer than n days/date.
(If n < 1900 then n = no of days, else n = YYYYMMDD date).

/FFT : Assume FAT File Times (2-second date/time granularity).
/256 : Turn off very long path (> 256 characters) support.

Copy options
/L : List only – don’t copy, timestamp or delete any files.
/MOV : MOVe files (delete from source after copying).
/MOVE : Move files and dirs (delete from source after copying).

/Z : Copy files in restartable mode (survive network glitch).
/B : Copy files in Backup mode.
/ZB : Use restartable mode; if access denied use Backup mode.
/IPG:n : Inter-Packet Gap (ms), to free bandwidth on slow lines.

/R:n : Number of Retries on failed copies – default is 1 million.
/W:n : Wait time between retries – default is 30 seconds.
/REG : Save /R:n and /W:n in the Registry as default settings.
/TBD : Wait for sharenames To Be Defined (retry error 67).

Destination options
/A+:[RASHCNET] : Set file Attribute(s) on destination files + add.
/A-:[RASHCNET] : UnSet file Attribute(s) on destination files – remove.
/FAT : Create destination files using 8.3 FAT file names only.
/CREATE : CREATE directory tree structure + zero-length files only.
/DST : Compensate for one-hour DST time differences ##
/PURGE : Delete dest files/folders that no longer exist in source.
/MIR : MIRror a directory tree – equivalent to /PURGE plus all subfolders (/E)

Logging options
/L : List only – don’t copy, timestamp or delete any files.
/NP : No Progress – don’t display % copied.
/LOG:file : Output status to LOG file (overwrite existing log).
/UNILOG:file : Output status to Unicode Log file (overwrite) ##
/LOG+:file : Output status to LOG file (append to existing log).
/UNILOG+:file : Output status to Unicode Log file (append) ##
/TS : Include Source file Time Stamps in the output.
/FP : Include Full Pathname of files in the output.
/NS : No Size – don’t log file sizes.
/NC : No Class – don’t log file classes.
/NFL : No File List – don’t log file names.
/NDL : No Directory List – don’t log directory names.
/TEE : Output to console window, as well as the log file.
/NJH : No Job Header.
/NJS : No Job Summary.

Repeated Copy Options
/MON:n : MONitor source; run again when more than n changes seen.
/MOT:m : MOnitor source; run again in m minutes Time, if changed.
/RH:hhmm-hhmm : Run Hours – times when new copies may be started.
/PF : Check run hours on a Per File (not per pass) basis.

Job Options
/JOB:jobname : Take parameters from the named JOB file.
/SAVE:jobname : SAVE parameters to the named job file
/QUIT : QUIT after processing command line (to view parameters).
/NOSD : NO Source Directory is specified.
/NODD : NO Destination Directory is specified.
/IF : Include the following Files.

Advanced options you’ll probably never use
/EFSRAW : Copy any encrypted files using EFS RAW mode. ##
/MT[:n] : Multithreaded copying, n = no. of threads to use (1-128) ###
default = 8 threads, not compatible with /IPG and /EFSRAW.
The use of /LOG is recommended for better performance.
/SECFIX : FIX file SECurity on all files, even skipped files.
/TIMFIX : FIX file TIMes on all files, even skipped files.
/XO : eXclude Older – if destination file exists and is the same date or newer than the source – don’t bother to overwrite it.
/XC | /XN : eXclude Changed | Newer files
/XL : eXclude “Lonely” files and dirs (present in source but not destination) This will prevent any new files being added to the destination.
/XX : eXclude “eXtra” files and dirs (present in destination but not source) This will prevent any deletions from the destination. (this is the default)
/XF file [file]… : eXclude Files matching given names/paths/wildcards.
/XD dirs [dirs]… : eXclude Directories matching given names/paths.
XF and XD can be used in combination e.g. ROBOCOPY c:\source d:\dest /XF *.doc *.xls /XD c:\unwanted /S
/IA:[RASHCNETO] : Include files with any of the given Attributes
/XA:[RASHCNETO] : eXclude files with any of the given Attributes
/IS : Include Same, overwrite files even if they are already the same.
/IT : Include Tweaked files.
/XJ : eXclude Junction points. (normally included by default).

/MAX:n : MAXimum file size – exclude files bigger than n bytes.
/MIN:n : MINimum file size – exclude files smaller than n bytes.
/MAXLAD:n : MAXimum Last Access Date – exclude files unused since n.
/MINLAD:n : MINimum Last Access Date – exclude files used since n.
(If n < 1900 then n = n days, else n = YYYYMMDD date).
/BYTES : Print sizes as bytes.
/X : Report all eXtra files, not just those selected & copied.
/V : Produce Verbose output log, showing skipped files.
/ETA : Show Estimated Time of Arrival of copied files.

## = New Option in Vista (XP027) all other options on this page are for the XP version of Robocopy (XP010)
### = New Option in Windows 7 and Windows 2008 R2

File Attributes [RASHCNETO]
R – Read only
A – Archive
S – System
H – Hidden
C – Compressed
N – Not content indexed
E – Encrypted
T – Temporary
O – Offline

If either the source or destination is a “quoted long foldername”, do not include a trailing backslash as this will be treated as an escape character, i.e. “C:\some path\” will fail but “C:\some path\\” or “C:\some path\.” or “C:\some path” will work.

Robocopy will fail to copy files that are ‘locked’ by other users or applications; limiting the number of retries with /R:0 will speed up large jobs.

By copying only the files that have changed, robocopy can be used to backup very large volumes.
To limit the network bandwidth used by robocopy, specify the Inter-Packet Gap parameter /IPG:n
This will send packets of 64 KB each followed by a delay of n Milliseconds.

ROBOCOPY will accept UNC pathnames including UNC pathnames over 256 characters long.

/REG Writes to the registry at HKCU\Software\Microsoft\ResKit\Robocopy

/B (backup mode) will allow Robocopy to override file and folder permission settings (ACLs).

/XX If used in conjunction with /Purge or /Mir, this switch will take precedence and prevent any files being deleted from the destination.

All versions of Robocopy will copy security information (ACLs) for directories. Version XP010 will not copy file security changes unless the file itself has also changed; this greatly improves performance.
