From: Noel Jones (no email)
Date: Thu Aug 01 2002 - 12:13:00 EDT
At 11:21 AM 8/1/02 -0400, Wietse Venema wrote:
>Noel Jones:
> > At 10:51 AM 8/1/02 -0400, Vivek Khera wrote:
> > >What I do is block hotmail.com senders when the remote server's DNS
> > >name is not within the hotmail.com domain. Only occasionally does
> > >this have a false positive: when someone uses, eg, Evite to send me an
> > >invitation with a hotmail address, and when hotmail's DNS is hosed or
> > >misconfigured for a while.
> > >
> > >I do the same for @yahoo.com, @msn.com, and @aol.com addresses as
> > >well.
> >
> > care to share how you are doing this?
>
>Either one uses a patch from Ron Guilmette, or one uses existing
>Postfix features and some duct tape that does almost the same:
>it stops mail from aol.com, hotmail.com etc. that does not come
>from an aol.com, hotmail.com or legitimate forwarding site.
>
>The result looks like this:
>
> Jul 31 00:31:59 spike postfix/smtpd[56456]: reject: RCPT from
> dyn-0.pat.lac00-nrp7.cha.dsl.cantv.net[200.11.240.121]: 554
> <>: Sender address rejected: Mail must
> be sent from yahoo.com systems; from=<>
> to=<>
>
>Limitation: this will accept mail from that is
>sent from an aol.com machine, but that is not a problem for me.
>
>Configuration example below.
>
> Wietse
>
>/etc/postfix/main.cf:
> smtpd_sender_restrictions =
> check_sender_access hash:/etc/postfix/spoof_sender_map
> smtpd_restriction_classes = match_client_domain
> match_client_domain =
> reject_unknown_client
> check_client_access hash:/etc/postfix/spoof_client_map
> check_sender_access regexp:/etc/postfix/strict_client.regexp
> reject
>
># List of domains that are often forged.
>/etc/postfix/spoof_sender_map:
> aol.com match_client_domain
> hotmail.com match_client_domain
> yahoo.com match_client_domain
>
># The above domains, plus any sites that are legitimate mail forwarders.
>/etc/postfix/spoof_client_map:
> aol.com OK
> hotmail.com OK
> yahoo.com OK
> legitimate.forwarder.com OK
>
># Tell anyone else to bugger off.
>/etc/postfix/strict_client.regexp:
> /@([^@]+)$/ 554 Mail must be sent from $1 systems
>-
>To unsubscribe, send mail to with content
>(not subject): unsubscribe postfix-users
First, thanks to everyone for answering this again.
I should have mentioned that I am already using the method outlined by
Wietse, but we have lately been getting some spam with a sender address
@yahoo.com but received from an aol.com client. (or maybe the other way
around, I don't remember)
The solution outlined by Vivek, of using a separate db for each domain, I'm
sure works but obviously won't scale well.
I looked at Ron Guilmette's patch several months ago, and the concept seems
like a good idea to me, but the patch was for postfix 1.1.7 and would not
work with the current version.
I suppose I was really hoping for functionality similar to Ron's patch that
worked with the current version, so I guess I'll implement a hybrid
solution using separate db's for aol and yahoo and continue to lump the
others together until I find a better solution.
Thanks again for responding!
-- Noel Jones - To unsubscribe, send mail to with content (not subject): unsubscribe postfix-users
|
|
|