From: Robert Felber (no email)
Date: Fri Jul 01 2005 - 03:57:59 EDT
On Tue, 2005-06-28 at 16:07 -0500, /dev/rob0 wrote:
> > I solved it with DynDNS (and verify that all DNS entries are correct
> > with policyd-weight which never returns with "OK" or anything):
>
> Aha! Yes, this could work, but I do think the TLS certificate idea is
> better.
I think so too. :)
> > file main.cf:
> > smtpd_recipient_restrictions =
> >     permit_mynetworks,
> >     check_policy_service unix:private/policy
> >     permit_valid_relayer
> >     reject_unauth_destination
> >
> > smtpd_restriction_classes = permit_valid_relayer
> >     check_helo
> >
> > permit_valid_relayer =
> >     check_sender_access hash:/usr/local/etc/postfix/ek_muc_relayers
> >
> > check_helo =
> >     check_helo_access hash:/usr/local/etc/postfix/allowed_helos
> >     reject
> >
> > file ek_muc_relayers:
> > ek-muc.de check_helo
> >
> > file allowed_helos:
> > robtone.is-a-geek.org Ok
>
> So, if policyd-weight allowed it through, and the sender domain is
> ek-muc.de and the HELO is robtone.is-a-geek.org, relaying is allowed?
> So if I try to do this, I'm clean in the RBL checks, but I'll fail with
> CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 MAIL_SEEMS_FORGED=2.5,
> with a score of 5.5 - 4.5 = 1. Right?
Yes, I had a hard time letting myself through, because njabl had my
ISP on their DUL list and so on.
I'm soon gonna change that anyway because I have an ugly feeling about
that.
> But if I changed the scoring as I suggested offlist earlier, this would
> be a real (albeit minor) opening. (It also changes the very nature of
> policyd-weight, since mail could not fail on DNS/HELO alignment alone!)
Yes. Thus TLS certs are a better solution.
> > You need to set up DynDNS hosts for the dyn IPs and activate the MX
> > feature. (www.dyndns.org).
>
> With an MX you could also check_helo_mx_access, just a thought.
Hm hm. Need to think about that, never used that restriction.
> > NOTE: if someone finds a serious issue, then let me know. TIA.
>
> I think you're safe enough. I made a kludge like this with my own
> dynamic DNS service. Clients who need to relay must update their
> dynamic hostname (this service is running on the Postfix server.) The
> CGI script which updates the DNS also rewrites /etc/hosts, so Postfix
> uses that rather than the actual rDNS. Ugly and elegant all in one. :)
Well, or something like TLS pop-before-smtp (issued by an ifup script.)
But then, if TLS is already set up for popping, it can also be set up
for relaying :)
--
Robert Felber (EDV-Leitung)
Autohaus Erich Kuttendreier
Drosselweg 21
81827 Muenchen
Tel: +49 (0) 89 / 453 12-86
Fax: +49 (0) 89 / 453 12-80
PGP: 896CF30B
PGP-Fingerprint: CF36 AA93 9716 63E8 962F 15CC A80E 1A79 BF77 25EA
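To make the restriction-class chain in the quoted main.cf concrete, here is an added model of how Postfix walks it; this is editorial example code written for this page, not Postfix code and not something either poster wrote. It reproduces the two access tables from the mail and assumes a trusted network of 127.0.0.1, ek-muc.de as the only local domain, and constructed client addresses and HELO names; the policy-service result is supplied per session to stand in for what policyd-weight would return.

```python
"""Simplified model of the smtpd_recipient_restrictions chain from the thread.

Constructed example: emulates Postfix's walk over permit_mynetworks,
check_policy_service, the permit_valid_relayer / check_helo restriction
classes and reject_unauth_destination. Parent-domain matching for the
access tables is simplified; real Postfix lookups are richer.
"""
from dataclasses import dataclass, field

# Access tables as postmap would build them, copied from the quoted config.
EK_MUC_RELAYERS = {"ek-muc.de": "check_helo"}       # sender domain -> next class
ALLOWED_HELOS = {"robtone.is-a-geek.org": "OK"}     # HELO name -> action

RESTRICTION_CLASSES = {
    "permit_valid_relayer": ["check_sender_access"],
    "check_helo": ["check_helo_access", "reject"],
}
SMTPD_RECIPIENT_RESTRICTIONS = [
    "permit_mynetworks",
    "check_policy_service",
    "permit_valid_relayer",
    "reject_unauth_destination",
]
MYNETWORKS = {"127.0.0.1"}      # assumed trusted clients
MYDESTINATION = {"ek-muc.de"}   # assumed local delivery domains


@dataclass
class Session:
    client_ip: str
    helo: str
    sender: str
    recipient: str
    policy_result: str = "DUNNO"   # what check_policy_service hands back
    trace: list = field(default_factory=list)  # (restriction, decision) pairs


def _domain_lookup(table, name):
    """Exact match first, then each parent domain (simplified Postfix behaviour)."""
    parts = name.lower().split(".")
    for i in range(len(parts)):
        hit = table.get(".".join(parts[i:]))
        if hit is not None:
            return hit
    return None


def _apply(action, s):
    """Map a table value or policy reply to PERMIT, REJECT, a class result, or None (DUNNO)."""
    if action is None or action.upper() == "DUNNO":
        return None
    if action.upper() == "OK":
        return "PERMIT"
    if action.upper().startswith("REJECT") or action[:1] == "5":
        return "REJECT"
    if action in RESTRICTION_CLASSES:          # a restriction class name expands in place
        return _run_list(RESTRICTION_CLASSES[action], s)
    raise ValueError(f"unknown access table action: {action}")


def _run_list(restrictions, s):
    """Evaluate restrictions in order; the first definite decision wins."""
    for r in restrictions:
        if r == "permit_mynetworks":
            decision = "PERMIT" if s.client_ip in MYNETWORKS else None
        elif r == "check_policy_service":
            decision = _apply(s.policy_result, s)
        elif r == "check_sender_access":
            decision = _apply(_domain_lookup(EK_MUC_RELAYERS, s.sender.split("@")[-1]), s)
        elif r == "check_helo_access":
            decision = _apply(_domain_lookup(ALLOWED_HELOS, s.helo), s)
        elif r == "reject":
            decision = "REJECT"
        elif r == "reject_unauth_destination":
            decision = None if s.recipient.split("@")[-1] in MYDESTINATION else "REJECT"
        elif r in RESTRICTION_CLASSES:
            decision = _run_list(RESTRICTION_CLASSES[r], s)
        else:
            raise ValueError(f"unknown restriction: {r}")
        s.trace.append((r, decision))
        if decision is not None:
            return decision
    return None


def decide(session):
    """Final verdict; reaching the end of the list without a decision means permit."""
    return _run_list(SMTPD_RECIPIENT_RESTRICTIONS, session) or "PERMIT"


if __name__ == "__main__":
    for label, s in [
        ("dyn client, listed HELO", Session("203.0.113.5", "robtone.is-a-geek.org", "rob@ek-muc.de", "x@example.org")),
        ("listed sender, unlisted HELO", Session("203.0.113.5", "mail.example.net", "x@ek-muc.de", "x@example.org")),
        ("policy service rejects", Session("198.51.100.7", "robtone.is-a-geek.org", "x@ek-muc.de", "x@example.org", "REJECT")),
        ("stranger to local domain", Session("198.51.100.7", "a.example.net", "a@example.net", "x@ek-muc.de")),
    ]:
        print(f"{label}: {decide(s)}  via {s.trace}")
```

Two things the trace makes visible. First, because the check_helo class ends in an unconditional reject, any message with an ek-muc.de sender address and an unlisted HELO is rejected before reject_unauth_destination runs, including mail addressed to the local domain. Second, the access tables alone cannot tell the dyn client from another host presenting the same sender domain and HELO string; in this chain only the check_policy_service step (policyd-weight's DNS/HELO alignment scoring in the thread) separates them, which is exactly why the posters prefer TLS client certificates for relay authorisation.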