From: mouss (no email)
Date: Sun Jul 15 2007 - 19:32:00 EDT
ram wrote:
> On Sat, 2007-07-14 at 12:52 +0200, Robert Schetterer wrote:
>
>>
>> ram wrote:
>>
>>> Is there a feature like reject_unlisted_sender_domain
>>>
>>> We are providing smtpd services for our clients using smtp
>>> authentication. Our clients are using multiple sender addresses
>>> When any client desktop gets compromised we end up relaying a lot of
>>> spams
>>>
>>> Can I have a list of domains, only those are allowed in from addresses
>>> after smtp auth
>>>
>>>
>>> Thanks
>>> Ram
>>>
>>>
>> do i.e
>>
>> smtpd_recipient_restrictions = reject_unknown_recipient_domain,
>> reject_non_fqdn_recipient,
>>
>> smtpd_sender_restrictions = reject_unknown_sender_domain,
>> reject_non_fqdn_sender,
>>
>> before
>>
>> permit_sasl_authenticated,
>> permit_mynetworks, ( if you use nets for relay auth )
>>
>>
>>
>
>
>
> Can I use reject_unknown_sender_domain and use only a set of domains
> from a file
>
> I don't want smtp-authed users to use any domain in their from id at
> random. But I can't use a smtp login map. Because senders use far too
> many from ids
>
>
>
>
> Currently I use
>
> smtpd_recipient_restrictions =
> check_recipient_access hash:/etc/postfix/badrecipients
> check_recipient_access regexp:/etc/postfix/blockedrecipients
> check_sender_access hash:/etc/postfix/access
> check_sender_access hash:/etc/postfix/allowlist
> permit_sasl_authenticated,
> permit_mynetworks,
> reject_unauth_destination
>
> smtpd_sender_restrictions =
> check_sender_access regexp:/etc/postfix/badsenders
>
to deny relay if the sender domain is not in a given list, you can use:

smtpd_sender_restrictions =
    ...
    check_sender_access hash:/etc/postfix/sender_might_relay
    reject_unauth_destination

== sender_might_relay:
domain.example      OK
.domain.example     OK

(see parent_domain_matches_.... for the last entry).

Note that:
- the check is done under smtpd_sender_restrictions. putting it under
  smtpd_recipient_restrictions requires some work (restriction classes can
  help).
- sender addresses are easily forged. but you get what you asked for ;-p

you should scan relayed mail for viruses and for spam. you should also
write scripts that watch the logs for abnormal behaviour...
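
An example of the kind of log-watching script suggested above, added here as an illustration and not part of the original thread: it ties each queue ID to its sasl_username and flags authenticated accounts that send from domains outside the list or to an unusual number of recipients. The log layout, the max_rcpts threshold, the function names and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict
# Constructed sample lines in the usual Postfix syslog layout (not real traffic).
SAMPLE_LOG = """\
Jul 15 10:00:01 mx postfix/smtpd[1234]: 4F1A2B3C4D: client=pc1.domain.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jul 15 10:00:01 mx postfix/qmgr[999]: 4F1A2B3C4D: from=<alice@domain.example>, size=2048, nrcpt=1 (queue active)
Jul 15 10:00:05 mx postfix/smtpd[1235]: 5A6B7C8D9E: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob
Jul 15 10:00:05 mx postfix/qmgr[999]: 5A6B7C8D9E: from=<promo@unrelated.test>, size=4096, nrcpt=40 (queue active)
Jul 15 10:00:09 mx postfix/smtpd[1235]: 6B7C8D9E0F: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob
Jul 15 10:00:09 mx postfix/qmgr[999]: 6B7C8D9E0F: from=<news@sub.domain.example>, size=4096, nrcpt=45 (queue active)
"""

# Assumed layout: smtpd logs sasl_username, qmgr logs from=/nrcpt, both keyed by queue id.
AUTH_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=.*sasl_username=([^,\s]+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-Za-z]+): from=<([^>]*)>.*nrcpt=(\d+)")

def domain_allowed(domain, allowed):
    """Exact or subdomain match, mirroring the two table entries above."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def scan(log_text, allowed, max_rcpts=50):
    """Return {sasl_user: [reasons]} for accounts that look abnormal."""
    user_of = {}                      # queue id -> authenticated user
    rcpts = defaultdict(int)          # user -> total recipients queued
    bad_domains = defaultdict(set)    # user -> sender domains outside the list
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            user_of[m.group(1)] = m.group(2)
            continue
        m = FROM_RE.search(line)
        if m and m.group(1) in user_of:
            user = user_of[m.group(1)]
            rcpts[user] += int(m.group(3))
            domain = m.group(2).rpartition("@")[2]
            if not domain_allowed(domain, allowed):
                bad_domains[user].add(domain or "<>")
    alerts = defaultdict(list)
    for user, n in rcpts.items():
        if n > max_rcpts:             # hypothetical threshold, tune per site
            alerts[user].append(f"{n} recipients")
    for user, doms in bad_domains.items():
        alerts[user].append("unlisted sender domains: " + ", ".join(sorted(doms)))
    return dict(alerts)

if __name__ == "__main__":
    for user, reasons in scan(SAMPLE_LOG, {"domain.example"}).items():
        print(user, "->", "; ".join(reasons))
```

Because the sender address is easily forged, the per-account recipient count is the signal that still works when a compromised desktop uses a listed domain.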