From: Warrick FitzGerald (no email)
Date: Sat Oct 01 2005 - 14:52:48 EDT
mouss wrote:
> Patrick Ben Koetter wrote:
>
>> You MUST (as in RFC) allow mails for postmaster@ and abuse@ if the server is
>> publicly referenced or your server will sooner or later be blacklisted on
>> rfc-ignorant.org.
>>
>>
> well, if he requires authentication for his domain, then
> - the domain isn't public
> - should ideally not be an mx
> - should never send mail to "public" domains (because we need to bounce)
> - should be listed as an "invalid" domain in public BLs (so that
> spammers don't forge it)
> - shouldn't care to accept pm/abuse (this is only required for
> "public" domains. other domains just need to make sure they stay private)
>
>
>
Was hoping not to have to explain this, but here goes:
- The server receives mail for more than one domain
- We use a SPAM filter service called MessageLabs
- Mail for DomainA.com goes through MessageLabs and is then forwarded
to InterfaceA on the mail server
- Mail for all other domains goes directly to InterfaceB
- I have 2 instances of Postfix running on the server. One instance
runs on InterfaceA and does not do any more SPAM checking. The other
instance receives mail from the world and gets pushed through amavis.
- So technically mail for DomainA.com should only be received on
InterfaceA, as that's where MessageLabs forwards mail to. The firewall
rules in front of InterfaceA also only allow port 25 connections from
their network.
- The problem is that some smarty pants spammers out there have
figured out that you can connect to InterfaceB and inject mail for
DomainA.com, technically bypassing the SPAM checks provided by
MessageLabs.
- What I would like to do is tell the instance of Postfix on
InterfaceB that if it receives mail for DomainA.com that it should
reject it, as I know it should only be coming in on InterfaceA. Problem
is that my external users connect to InterfaceB with their mail clients
and DO need to be able to send mail to DomainA.com.
So long story short, mail for domainA.com should not come from the
Public internet unless the person sending it was authenticated by SASL.
The problem I'm having is telling Postfix to only allow traffic to
DomainA.com when the sender is authenticated.
Thanks
Warrick
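
One way to express the policy described in the message above in the InterfaceB instance's configuration, as an added example that is not part of the original post or thread. The directory /etc/postfix-b/, the table name and the reject text are assumptions; DomainA.com is the post's own placeholder.

```conf
# --- main.cf of the Postfix instance bound to InterfaceB ---
# (the directory /etc/postfix-b/ is an assumption for this example)

smtpd_sasl_auth_enable = yes

# Restrictions are evaluated left to right; the first PERMIT or REJECT wins.
#  1. SASL-authenticated clients are accepted for any recipient,
#     including DomainA.com.
#  2. Everyone else is checked against the table below, which rejects
#     recipients in DomainA.com.
#  3. Remaining mail is accepted only for domains this instance is
#     responsible for (no open relay).
# Without step 2, an unauthenticated client is accepted at step 3 because
# DomainA.com is a valid destination for this server, which is the bypass
# described in the message.
# If permit_mynetworks is added ahead of step 2, clients in mynetworks
# also skip the DomainA.com check.
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    check_recipient_access hash:/etc/postfix-b/filtered_domains,
    reject_unauth_destination

# --- /etc/postfix-b/filtered_domains (assumed file name) ---
# Write the key in lower case, and rebuild the map after editing with:
#   postmap hash:/etc/postfix-b/filtered_domains
domaina.com    REJECT Mail for this domain is accepted only from the filtering service
```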