Re: Can I use reject_unlisted_sender for domain names

From: mouss (no email)
Date: Sun Jul 15 2007 - 19:32:00 EDT

  • Next message: R.L. Nevot: "Re: Log monitor"

    ram wrote:
    > On Sat, 2007-07-14 at 12:52 +0200, Robert Schetterer wrote:
    >
    >> -----BEGIN PGP SIGNED MESSAGE-----
    >> Hash: SHA1
    >>
    >> ram schrieb:
    >>
    >>> Is there a feature like reject_unlisted_sender_domain
    >>>
    >>> We are providing smtpd services for our clients using smtp
    >>> authentication. Our clients are using multiple sender addresses
    >>> When any client desktop gets compromised we end up relaying a lot of
    >>> spams
    >>>
    >>> Can I have a list of domains, only those are allowed in from addresses
    >>> after smtp auth
    >>>
    >>>
    >>> Thanks
    >>> Ram
    >>>
    >>>
    >> do i.e
    >>
    >> smtpd_recipient_restrictions = reject_unknown_recipient_domain,
    >> reject_non_fqdn_recipient,
    >>
    >> smtpd_sender_restrictions = reject_unknown_sender_domain,
    >> reject_non_fqdn_sender,
    >>
    >> before
    >>
    >> permit_sasl_authenticated,
    >> permit_mynetworks, ( if you use nets for relay auth )
    >>
    >>
    >>
    >
    >
    >
    > Can I use reject_unknown_sender_domain and use only a set of domains
    > from a file
    >
    > I don't want smtp-authed users to use any domain in their from id at
    > random. But I can't use a smtp login map. Because senders use far too
    > many from ids
    >
    >
    >
    >
    > Currently I use
    >
    > smtpd_recipient_restrictions =
    > check_recipient_access hash:/etc/postfix/badrecipients
    > check_recipient_access regexp:/etc/postfix/blockedrecipients
    > check_sender_access hash:/etc/postfix/access
    > check_sender_access hash:/etc/postfix/allowlist
    > permit_sasl_authenticated,
    > permit_mynetworks,
    > reject_unauth_destination
    >
    > smtpd_sender_restrictions =
    > check_sender_access regexp:/etc/postfix/badsenders
    >
    >

    to deny relay if the sender domain is not in a given list, you can use:

    smtpd_sender_restrictions =
        ...
        check_sender_access hash:/etc/postfix/sender_might_relay
        reject_unauth_destination

    == sender_might_relay:
    domain.example OK
    .domain.example OK

    (see parent_domain_matches_.... for the last entry).

    Note that:
    - the check is done under smtpd_sender_restrictions. putting it under
    smtpd_recipient_restrictions requires some work (restriction classes can
    help).
    - sender addresses are easily forged. but you get what you asked for ;-p

    you should scan relayed mail for viruses and for spam. you should also
    write scripts that watch the logs for abnormal behaviour...
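
An added example, not part of the original post: a Python script for the log watching suggested above. It ties each queue ID to its SASL login, then reports logins whose envelope sender domain is outside the allowed list or whose message count exceeds a threshold. The log lines are constructed samples in Postfix's syslog format; the function names, user names, threshold and the simplified table lookup are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample log (Postfix syslog format), not taken from a real server.
SAMPLE_LOG = """\
Jul 15 19:30:01 mx postfix/smtpd[2101]: 4A1B2C3D4E: client=pc1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jul 15 19:30:01 mx postfix/qmgr[900]: 4A1B2C3D4E: from=<alice@domain.example>, size=2048, nrcpt=1 (queue active)
Jul 15 19:30:05 mx postfix/smtpd[2102]: 5B2C3D4E5F: client=pc2.example.net[192.0.2.20], sasl_method=LOGIN, sasl_username=bob
Jul 15 19:30:05 mx postfix/qmgr[900]: 5B2C3D4E5F: from=<winner@lottery.invalid>, size=4096, nrcpt=50 (queue active)
Jul 15 19:30:06 mx postfix/smtpd[2102]: 6C3D4E5F60: client=pc2.example.net[192.0.2.20], sasl_method=LOGIN, sasl_username=bob
Jul 15 19:30:06 mx postfix/qmgr[900]: 6C3D4E5F60: from=<prize@lottery.invalid>, size=4096, nrcpt=50 (queue active)
Jul 15 19:30:07 mx postfix/smtpd[2102]: 7D4E5F6071: client=pc2.example.net[192.0.2.20], sasl_method=LOGIN, sasl_username=bob
Jul 15 19:30:07 mx postfix/qmgr[900]: 7D4E5F6071: from=<bob@mail.domain.example>, size=1024, nrcpt=1 (queue active)
Jul 15 19:31:00 mx postfix/smtpd[2103]: 9F8E7D6C5B: client=mx.other.example[198.51.100.7]
Jul 15 19:31:00 mx postfix/qmgr[900]: 9F8E7D6C5B: from=<x@other.example>, size=900, nrcpt=1 (queue active)
"""
# Same two entries as the sender_might_relay table in the post.
ALLOWED = {"domain.example", ".domain.example"}

SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=.*sasl_username=(\S+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")

def domain_allowed(domain, table):
    """Exact entry, or a '.parent' entry covering subdomains (simplified lookup)."""
    domain = domain.lower()
    if domain in table:
        return True
    parts = domain.split(".")
    return any("." + ".".join(parts[i:]) in table for i in range(1, len(parts)))

def suspicious_sasl_users(log_text, allowed, max_msgs=100):
    """Return {sasl_username: {...}} for logins that look abnormal."""
    user_of = {}                 # queue ID -> SASL login that submitted it
    count = defaultdict(int)     # SASL login -> messages queued
    bad = defaultdict(set)       # SASL login -> sender domains not in the table
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            user_of[m.group(1)] = m.group(2)
            continue
        m = FROM_RE.search(line)
        # pop() so a message re-activated after deferral is counted once
        user = user_of.pop(m.group(1), None) if m else None
        if user is None:
            continue             # not a SASL-authenticated submission
        count[user] += 1
        domain = m.group(2).rpartition("@")[2]
        if not domain_allowed(domain, allowed):
            bad[user].add(domain)
    return {u: {"messages": n, "unlisted_domains": sorted(bad[u])}
            for u, n in count.items() if n > max_msgs or bad[u]}

if __name__ == "__main__":
    print(suspicious_sasl_users(SAMPLE_LOG, ALLOWED, max_msgs=2))
```
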

