From: Michael Tokarev (no email)
Date: Sat Jun 01 2002 - 04:45:42 EDT
Robert Dalton wrote:
>
> Hi !
>
> monkeys.com has an old postfix patch for stopping frequently forged domains. It
> compares the MAIL FROM: domain with the smtp client PTR record. If these 2 don't
> match up with parent or subdomains, it rejects the email. Their selective test
> is only applied when the sender domain claims to be from a list of frequently
> forged domains like hotmail.com, and yahoo.com. They claim that only a small
> amount of valid email was rejected using this on production servers.
>
> http://www.monkeys.com/anti-spam/filtering/additions.html
>
> I've previously asked about a feature like this, but there were concerns about
> rejecting legitimately forwarded email.
>
> I'm wondering if a rewrite of this patch has any potential of becoming part of a
> current snapshot. It looks like a nice feature to have in postfix.
>
> As I was writing this I thought of a method that may help with this problem,
> using what's available in recent postfix releases. This will selectively
> reject email claiming to be from hotmail, yahoo, etc... if the smtp client
> ip address has no PTR record.
>
> /etc/postfix/main.cf:
>     smtpd_recipient_restrictions =
>         ...other stuff...
>         check_sender_access hash:/etc/postfix/forged_domains
>         ...other stuff...
>
> /etc/postfix/forged_domains
>
>     hotmail.com    reject_unknown_client
>     yahoo.com      reject_unknown_client
>     msn.com        reject_unknown_client
>     ....more listings....
>
> I'm testing this now, and it works.

For quite a long time, my main.cf has contained:

    smtpd_restriction_classes = freeemail
    smtpd_recipient_restrictions =
        ...
        reject_unauth_destination,
        ...
        check_sender_access fnmatch:yahoo.com|hotmail.com|mail.ru|mail.com|...:freeemail,
        ...
    freeemail =
        check_client_access fnmatch:*.yahoo.com|*.hotmail.com|*.mail.ru|*.mail.com|...:OK,
        reject

This works *almost* like the patch found @monkeys.com. But this is somewhat funny:
I myself block SMTP access from our local users to outside, so they are forced to
use our smtp server. So if anyone here has e.g. a mail.ru account, email with that
address will be sent by our server, not by mail.ru servers. Note that many ISPs
now block the outgoing SMTP port as well.

The `fnmatch' map (it is not in standard postfix) may be changed to hash or whatever,
I use it here as it is easy to read.

BTW, reject_unknown_client is the default here, but I don't recommend using
it.

/mjt
-
To unsubscribe, send mail to with content
(not subject): unsubscribe postfix-users
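
Added example, not part of either message: a Python model of the three checks discussed in this thread (Robert's reject_unknown_client table, Michael's freeemail class, and the monkeys.com patch as Robert describes it), run over constructed samples to show where they disagree. Function names, hostnames, exact-match sender lookup, and treating a missing PTR as the hostname "unknown" are assumptions.

```python
from fnmatch import fnmatchcase

# Domain list taken from the thread's examples; everything else is constructed.
FREEMAIL = ("yahoo.com", "hotmail.com", "mail.ru", "mail.com", "msn.com")

def sender_domain(mail_from):
    return mail_from.rsplit("@", 1)[-1].lower().rstrip(".")

def related(a, b):
    """True when a equals b or one is a parent/subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def ptr_required(mail_from, client):
    """Robert's table: listed sender + client without a hostname -> reject."""
    if sender_domain(mail_from) not in FREEMAIL:
        return "DUNNO"
    return "REJECT" if client is None else "DUNNO"

def freeemail_class(mail_from, client):
    """Michael's class: listed sender must arrive from *any* listed provider."""
    if sender_domain(mail_from) not in FREEMAIL:
        return "DUNNO"
    name = (client or "unknown").lower()  # assumption: no PTR -> "unknown"
    return "OK" if any(fnmatchcase(name, "*." + d) for d in FREEMAIL) else "REJECT"

def ptr_matches_sender(mail_from, client):
    """monkeys.com patch as described: PTR must relate to the sender domain."""
    dom = sender_domain(mail_from)
    if dom not in FREEMAIL:
        return "DUNNO"
    return "DUNNO" if client and related(client.lower().rstrip("."), dom) else "REJECT"

POLICIES = (ptr_required, freeemail_class, ptr_matches_sender)

# Constructed samples: (MAIL FROM, client hostname from PTR, or None)
SAMPLES = [
    ("a@hotmail.com", None),                   # forged, client has no PTR
    ("a@hotmail.com", "dial-12.isp.example"),  # forged, client has a PTR
    ("a@yahoo.com", "mx7.hotmail.com"),        # cross-provider mismatch
    ("a@mail.ru", "smtp.office.example"),      # user relayed via own server
    ("a@mail.ru", "mx3.mail.ru"),              # genuine provider server
    ("a@corp.example", None),                  # sender not on the list
]

def compare():
    return [tuple(p(s, c) for p in POLICIES) for s, c in SAMPLES]

if __name__ == "__main__":
    for (s, c), row in zip(SAMPLES, compare()):
        print(f"{s:16} {str(c):22}", *row)
```

The third and fourth rows show the two gaps raised in the thread: the freeemail class accepts a listed sender from a different listed provider, and both hostname-matching checks reject a legitimate user whose mail is relayed through a local server.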