Re: Replacing reject_unlisted_sender with an access map

From: mouss (no email)
Date: Wed Apr 25 2007 - 16:32:24 EDT

  • Next message: Wietse Venema: "Re: Incorrect client address when connection is reset"

    Darren Pilgrim wrote:
    > I have a postfix configuration where the MTA and MSA components
    > are separated (separate smtp and submission ports). Everything works,
    > but now I'd like to start clamping down on what the MTA will accept.
    > I already block 89-92% of spam at the door (55-70% of total traffic)
    > thanks to other tricks, like client profiling and selective greylisting.
    >
    > About half of the spam that gets through has a local sender, so
    > the task at hand is rejecting any mail where the sender is in a local
    > domain. I'm using virtual mailboxes, so I want to reject mail if the
    > sender domain in the virtual_mailbox_domains table. I've already done
    > some testing and it looks like I can just copy the domains.mysql file
    > and add a rejection result such as:
    >
    > result_format = REJECT Port 25 does not accept mail from local senders.
    >
    > the effect appears to be if the domain is local, return a REJECT
    > code--exactly what I want. If I put that in sender_acl.mysql and
    > replace reject_unlisted_sender in smtpd_recipient_restrictions with:
    >
    > check_sender_access proxy:mysql:${config_directory}/sender_acl.mysql
    >
    > I think it should work. Is this a sound thing to do or will doing so
    > remove some additional function of reject_unlisted_sender?
    >

    This is ok provided you never want such mail. There are legitimate cases
    where the sender is "local" in inbound mail:
    - some services use the "subscriber" address as the sender
    - forwarded mail (foo at local --send--> bar at remote --forward--> bar2 at local)
    - telecommuters sending via their ISP

    This may or may not be an issue. Only you can judge.

    Otherwise, if you implement this, then you don't need
    reject_unlisted_sender.

    >
    > # postconf -n
    > alias_database =
    > alias_maps =
    > bounce_template_file = ${config_directory}/bounce.cf
    > command_directory = /usr/local/sbin
    > config_directory = /usr/local/etc/postfix
    > daemon_directory = /usr/local/libexec/postfix
    > disable_vrfy_command = yes
    > fast_flush_domains =
    > html_directory = no
    > in_flow_delay = 0
    > inet_interfaces = $myhostname
    > local_recipient_maps =
    > mail_owner = postfix
    > mailq_path = /usr/local/bin/mailq
    > manpage_directory = /usr/local/man
    > message_size_limit = 104857600
    > mydestination =
    > mydomain = $myhostname
    > myhostname = mail.example.com
    > mynetworks = 127.0.0.0/8, $myhostname
    > myorigin = srv.example.com
    > newaliases_path = /usr/local/bin/newaliases
    > parent_domain_matches_subdomains =
    > proxy_read_maps =
    >     $virtual_alias_maps
    >     $virtual_mailbox_domains
    >     $virtual_mailbox_maps
    >     $transport_maps
    >     $smtpd_recipient_restrictions
    > queue_directory = /var/spool/postfix
    > readme_directory = no
    > recipient_delimiter = +
    > relay_domains =
    > sample_directory = /usr/local/etc/postfix
    > sendmail_path = /usr/local/sbin/sendmail
    > setgid_group = maildrop
    > smtpd_banner = $myhostname ESMTP (NO UCE)
    > smtpd_data_restrictions = reject_unauth_pipelining permit
    > smtpd_discard_ehlo_keywords = ETRN
    > smtpd_error_sleep_time = 0
    > smtpd_hard_error_limit = 5
    > smtpd_helo_required = yes
    > smtpd_recipient_restrictions =
    >     reject_non_fqdn_helo_hostname
    >     reject_invalid_helo_hostname
    >     reject_non_fqdn_sender
    >     reject_unlisted_sender
    >     reject_unknown_sender_domain
    >     reject_non_fqdn_recipient
    >     reject_unlisted_recipient
    >     reject_unknown_recipient_domain
    >     reject_unauth_destination
    >     check_client_access cidr:${config_directory}/bogons.cidr
    >     check_helo_access cidr:${config_directory}/bogons.cidr
    >     check_sender_mx_access cidr:${config_directory}/bogons.cidr
    >     check_sender_ns_access cidr:${config_directory}/bogons.cidr
    >     check_recipient_access hash:${config_directory}/rcpt_acl_pre
    >     check_sender_access hash:${config_directory}/sender_acl
    >     check_client_access pcre:${config_directory}/client_acl.pcre
    >     check_helo_access pcre:${config_directory}/helo_acl.pcre
    >     check_recipient_access hash:${config_directory}/rcpt_acl_post
    >     check_policy_service inet:127.0.0.25:10001
    >     reject_rbl_client zen.spamhaus.org
    >     reject_rhsbl_sender rhsbl.ahbl.org
    >     reject_rhsbl_sender dsn.rfc-ignorant.org
    >     permit
    > smtpd_restriction_classes = greylist, suspect_client
    > smtpd_sasl_auth_enable = no
    > smtpd_sasl_security_options = noanonymous,noplaintext
    > smtpd_sasl_tls_security_options = noanonymous
    > smtpd_tls_CAfile = /usr/local/etc/sslcerts/cacert.pem
    > smtpd_tls_cert_file = /usr/local/etc/sslcerts/mail.example.com.pem
    > smtpd_tls_loglevel = 1
    > smtpd_tls_session_cache_database =
    >     btree:${queue_directory}/private/smtpd_tls_session_cache
    > smtpd_use_tls = no
    > strict_rfc821_envelopes = yes
    > transport_maps = proxy:mysql:${config_directory}/transports.mysql
    > unknown_local_recipient_reject_code = 550
    > virtual_alias_maps =
    >     hash:${config_directory}/canonical_aliases
    >     proxy:mysql:${config_directory}/aliases.mysql
    > virtual_mailbox_domains =
    >     hash:${config_directory}/canonical_domains
    >     proxy:mysql:${config_directory}/domains.mysql
    > virtual_mailbox_maps = proxy:mysql:${config_directory}/mailboxes.mysql
    > # End postconf -n output
    >

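The setup the thread discusses, as an added example that is not part of either message: a mysql map whose every hit becomes a REJECT (the `result_format` trick), a hash map that exempts the hosts mouss lists (a forwarder, a service that uses the subscriber address as sender), and the slice of `smtpd_recipient_restrictions` in the order that matters. The script only stages files in a directory you name and looks the hash map up with `postmap -q` when Postfix is installed; it never touches a live config. The database host, table and column names, the sample hostnames/addresses and the staging paths are assumptions, not taken from the poster's `domains.mysql`.

```shell
#!/bin/sh
# Added example, not code from the thread. Stage a "reject local senders on
# port 25" configuration and, if postmap exists, query the hash map the way
# smtpd would. DB layout, hostnames and addresses below are assumptions.
set -eu

write_sender_maps() {
    dir=$1
    mkdir -p "$dir"

    # Same lookup the poster's domains.mysql does (query assumed), but every
    # hit is returned as a REJECT action instead of the domain name.
    # check_sender_access tries user@domain first (no row matches a full
    # address), then the bare domain, which is where this map hits.
    cat >"$dir/sender_acl.mysql" <<'EOF'
hosts = 127.0.0.1
user = postfix
password = CHANGEME
dbname = mail
query = SELECT domain FROM domains WHERE domain = '%s'
result_format = REJECT Port 25 does not accept mail from local senders
EOF

    # Clients that legitimately hand in mail with a local envelope sender:
    # a remote host that forwards foo@local back to bar2@local, and a service
    # host that sends with the subscriber's address. OK ends restriction
    # processing for that client, so this map must come AFTER
    # reject_unauth_destination or those hosts may relay anywhere.
    cat >"$dir/local_sender_clients" <<'EOF'
forwarder.remote.example    OK
203.0.113.7                 OK
EOF

    # Restriction order: unauth-destination first, exemptions next, then the
    # REJECT map. The proxy: map is covered by $smtpd_recipient_restrictions
    # in the poster's proxy_read_maps.
    cat >"$dir/main.cf.fragment" <<'EOF'
smtpd_recipient_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unlisted_recipient
    reject_unauth_destination
    check_client_access hash:${config_directory}/local_sender_clients
    check_sender_access proxy:mysql:${config_directory}/sender_acl.mysql
    permit
EOF
}

# Build the hash map and print the action smtpd would get for one client.
# Prints nothing (and succeeds) when Postfix is not installed.
lookup_client() {
    dir=$1
    key=$2
    command -v postmap >/dev/null 2>&1 || return 0
    postmap "hash:$dir/local_sender_clients"
    postmap -q "$key" "hash:$dir/local_sender_clients" || true
}

# Usage: sh stage_sender_acl.sh /tmp/postfix-staging
if [ $# -ge 1 ]; then
    write_sender_maps "$1"
    lookup_client "$1" forwarder.remote.example   # prints "OK" under Postfix
fi
```

Two things to keep in mind when moving this to a real main.cf: the poster sets `parent_domain_matches_subdomains` to empty, so a sender in a subdomain of a listed domain only matches if the table lists that subdomain too; and the exemptions are keyed on the client, not the sender, because in mouss's cases it is the forwarding or service host that is trustworthy, while the sender address is exactly what a spammer would forge.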
