How do I protect postfix from filling up my server with log files and discarded emails

ubuntu postfix

I was having trouble with my server being used as a smtp relay. I think I fixed that, but now what happens is my mail.log fills up and queued incoming emails fills up. Apparently, postfix is blocking the mail, but it is writing to the log file when it does that. I am using postfix to just forward emails for domains I have control of. How do I either further block emails from getting to my server, or prevent the log from filling up. I'm sure this is taxing on my server as well as it is constantly filling up. How do I set my logging up out of mail services? I already have it rotating, but the mail log gets huge. How do I have the rejected emails go directly to the trash?

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 550
default_process_limit = 100
disable_vrfy_command = yes
header_size_limit = 51200
inet_interfaces = all
inet_protocols = all
invalid_hostname_reject_code = 550
mailbox_size_limit = 0
maximal_backoff_time = 3h
message_size_limit = 10485760
minimal_backoff_time = 180s
mydestination = localhost.$mydomain, localhost, $mydomain
mydomain = <mydomain>
myhostname = <mydomain>
mynetworks = 127.0.0.1
myorigin = $mydomain
non_fqdn_reject_code = 550
queue_minfree = 20971520
readme_directory = no
recipient_delimiter = +
relayhost = smtp.<mydomain>
smtp_always_send_ehlo = yes
smtp_generic_maps = hash:/etc/postfix/generic
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = AUTH LOGIN
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname,   reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_recipient_limit = 40
smtpd_recipient_restrictions = permit_sasl_authenticated,    permit_mynetworks, reject_unauth_destination,   reject_unknown_sender_domain, reject_non_fqdn_recipient,  reject_unknown_recipient_domain, reject_unlisted_recipient,  reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks,   permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname
smtpd_timeout = 30s
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/oh-joy.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/oh-joy.org/privkey.pem
smtpd_tls_security_level = may
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,   mysql:/etc/postfix/mysql-virtual-email2email.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd -o   syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o   smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o  smtpd_sasl_path=private/auth -o smtpd_reject_unlisted_recipient=no -o  smtpd_client_restrictions=permit_sasl_authenticated,reject -o  milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       -       -       -       smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING -o content_filter=spamassassin
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-    rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp -o syslog_name=postfix/$service_name
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
maildrop   unix  -       n       n       -       -       pipe  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F   user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R  user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe flags=FR   user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
spamassassin unix -      n       n       -       -       pipe user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender}  ${recipient}

Solution 1:

Beyond compatibility_level=550 (that has to be a typo) and the fact you are using defer_unauth_destination instead of reject_unauth_destination after configuring your destinations and relay, I do not see anything obviously wrong with your config. Sure, deferring instead of rejecting bad mail does increase your load because senders will more likely retry, but it does not explain unexpected mail in your queue.

If a local or authenticated user is continuing submission of unauthorized mail to your server, you should determine who that is, e.g. by calling postcat -qe QUEUEID on any suspicious queue id seen in postcat -p. If indeed local or sasl credentials are misused, reset them and carefully investigate whether additional compromise has happened.

If what you show is just the configuration after you changed your smtpd_*_restrictions and its just mail queued from when you wrongly accepted spam, cleanup your queue: The recommendation by Michael Hampton, postsuper -d ALL will remove ALL outstanding deliveries, and this is likely what you want expecting all or almost all mail in your queue to be junk.

Addendum: What would be a good value for compatibility_level?

Its a safety net - setting an arbitrary high value effectively disables it. Your distribution likely setup compatibility_level=2 for you, and the only reason you would want to change that is because after an upgrade you reviewed your configuration, found/made it ready for the new behaviour in the new postfix version. You would normally only increase it to the value suggested in the warning emitted by postfix. Read /usr/share/doc/postfix/COMPATIBILITY_README (you can install postfix documentation using sudo apt install postfix-doc) for a more detailed explanation of that feature.

Related

Asymptotics of number of ways of putting balls into bins with constraints
Physical intuition for the solution to $y' = y$.
Mathematical book on "Maxwell" equation
Cards game and probabilities
Determine all integers $x,\ y,\ z$ that satisfy $x+y+z=(x-y)^{2}+(y-z)^{2}+(z-x)^{2}$
Evaluating $\int_{0}^{2\pi}x^2\ln^2(1-\cos x)dx$
$\operatorname{rank}(A^2)+\operatorname{rank}(B^2)\geq2\operatorname{rank}(AB)$ whenever $AB=BA$?
Understanding iterated covariant derivatives to define Sobolev spaces on manifolds
Maclaurin expansion of $\arctan(x)/(1 − x).$
Solve differential equation $-f'(x)= a_1 f(a_2 x+a_3)$ with $f(0)=1$.
Category Theory & Artificial Intelligence (AI)
Approximating $\displaystyle \int_{-\infty}^{\infty}\frac{e^{R+i\,u}}{\ln(R+i\,u)}du$