Anti spam settings just for incoming emails?

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Anti spam settings just for incoming emails?

Bob001
Hello All,
Couple questions. Appreciate your responses.

1. Is there any way to set anti spam settings just for incoming emails
to server? It is announce-only mailing list.  So, not much worried
about outgoing stuff for now.  We can change it later to check for
both ways if the reason arises so.

2. Here are settings I intent to use. Kindly suggest if you see any
risk to outgoing emails. We really don't want to try checking any
out-going emails.

Settings source :-
http://www.cyberciti.biz/tips/postfix-spam-filtering-with-blacklists-howto.html

==
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes

smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client sbl.spamhaus.org,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client dul.dnsbl.sorbs.net,
   permit

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
====

- Regards,
Bob.
Reply | Threaded
Open this post in threaded view
|

Re: Anti spam settings just for incoming emails?

Noel Jones-2
bob 001 wrote:
> Hello All,
> Couple questions. Appreciate your responses.
>
> 1. Is there any way to set anti spam settings just for incoming emails
> to server? It is announce-only mailing list.  So, not much worried
> about outgoing stuff for now.  We can change it later to check for
> both ways if the reason arises so.

If the list manager server is part of mynetworks, no filtering
will be performed on outgoing list mail.

> 2. Here are settings I intent to use. Kindly suggest if you see any
> risk to outgoing emails. We really don't want to try checking any
> out-going emails.
>
> Settings source :-
> http://www.cyberciti.biz/tips/postfix-spam-filtering-with-blacklists-howto.html

Outdated, but a good starting point.

>
> ==
> disable_vrfy_command = yes

Rather useless since the attacker can get the same info using
RCPT, but OK if it makes you feel better.

> smtpd_delay_reject = yes

"yes" is the default.  Don't change it.

> smtpd_helo_required = yes

OK, but rarely rejects anything.

> smtpd_recipient_restrictions =
>    permit_sasl_authenticated,

You'll want to add here:
     permit_mynetworks
     reject_unauth_destination

>    reject_invalid_hostname,
>    reject_non_fqdn_hostname,
>    reject_non_fqdn_sender,
>    reject_non_fqdn_recipient,
>    reject_unknown_sender_domain,

OK.

>    reject_unknown_recipient_domain,

Remove this.  The only possible effect here is to reject your
own domain if your DNS hiccups.

>    reject_rbl_client list.dsbl.org,

Dead list.  Remove it.

>    reject_rbl_client sbl.spamhaus.org,
>    reject_rbl_client cbl.abuseat.org,

The above two should be replaced by
     reject_rbl_client zen.spamhaus.org
be sure to check spamhaus' web site for usage restrictions,
they are no longer free for everyone.

>    reject_rbl_client dul.dnsbl.sorbs.net,

OK.

>    permit

Default action, but doesn't hurt anything.

> smtpd_error_sleep_time = 1s
> smtpd_soft_error_limit = 10
> smtpd_hard_error_limit = 20

These are default values.

   -- Noel Jones
Reply | Threaded
Open this post in threaded view
|

Re: Anti spam settings just for incoming emails?

Bob001
Thank you for the response.

After some more thoughts being an announce only list, how about
something like this..

1. Only specific email addresses are allowed to send email to announce-list.
    E.g.-> only [hidden email] , [hidden email] and [hidden email] can send
email to mail ids on our server)

2. Only specific email addresses can receive the email(s) from outside server.
    E.g-> (only list-subscribe, list-unsubscribe, list-request can
receive email from *anyone*)

Is there a way to configure above two independent scenarios in single
instance of postfix? Is so, you mind sharing the exact steps? That
would serve the purpose too.

Sorry, above questions are rather spontaneous and haven't done much
research. Hope, this appears to be really interesting question. If
this works out, all announce-only lists people can use it w/o any need
of maintaining very complex (and sometime to be paid for blacklists).


- TIA
Bob.



On Fri, May 8, 2009 at 3:19 PM, Noel Jones <[hidden email]> wrote:

> bob 001 wrote:
>>
>> Hello All,
>> Couple questions. Appreciate your responses.
>>
>> 1. Is there any way to set anti spam settings just for incoming emails
>> to server? It is announce-only mailing list.  So, not much worried
>> about outgoing stuff for now.  We can change it later to check for
>> both ways if the reason arises so.
>
> If the list manager server is part of mynetworks, no filtering will be
> performed on outgoing list mail.
>
>> 2. Here are settings I intent to use. Kindly suggest if you see any
>> risk to outgoing emails. We really don't want to try checking any
>> out-going emails.
>>
>> Settings source :-
>>
>> http://www.cyberciti.biz/tips/postfix-spam-filtering-with-blacklists-howto.html
>
> Outdated, but a good starting point.
>
>>
>> ==
>> disable_vrfy_command = yes
>
> Rather useless since the attacker can get the same info using RCPT, but OK
> if it makes you feel better.
>
>> smtpd_delay_reject = yes
>
> "yes" is the default.  Don't change it.
>
>> smtpd_helo_required = yes
>
> OK, but rarely rejects anything.
>
>> smtpd_recipient_restrictions =
>>   permit_sasl_authenticated,
>
> You'll want to add here:
>    permit_mynetworks
>    reject_unauth_destination
>
>>   reject_invalid_hostname,
>>   reject_non_fqdn_hostname,
>>   reject_non_fqdn_sender,
>>   reject_non_fqdn_recipient,
>>   reject_unknown_sender_domain,
>
> OK.
>
>>   reject_unknown_recipient_domain,
>
> Remove this.  The only possible effect here is to reject your own domain if
> your DNS hiccups.
>
>>   reject_rbl_client list.dsbl.org,
>
> Dead list.  Remove it.
>
>>   reject_rbl_client sbl.spamhaus.org,
>>   reject_rbl_client cbl.abuseat.org,
>
> The above two should be replaced by
>    reject_rbl_client zen.spamhaus.org
> be sure to check spamhaus' web site for usage restrictions, they are no
> longer free for everyone.
>
>>   reject_rbl_client dul.dnsbl.sorbs.net,
>
> OK.
>
>>   permit
>
> Default action, but doesn't hurt anything.
>
>> smtpd_error_sleep_time = 1s
>> smtpd_soft_error_limit = 10
>> smtpd_hard_error_limit = 20
>
> These are default values.
>
>  -- Noel Jones
>
Reply | Threaded
Open this post in threaded view
|

Re: Anti spam settings just for incoming emails?

mouss-4
bob 001 a écrit :

> Thank you for the response.
>
> After some more thoughts being an announce only list, how about
> something like this..
>
> 1. Only specific email addresses are allowed to send email to announce-list.
>     E.g.-> only [hidden email] , [hidden email] and [hidden email] can send
> email to mail ids on our server)
>
> 2. Only specific email addresses can receive the email(s) from outside server.
>     E.g-> (only list-subscribe, list-unsubscribe, list-request can
> receive email from *anyone*)
>
> Is there a way to configure above two independent scenarios in single
> instance of postfix? Is so, you mind sharing the exact steps? That
> would serve the purpose too.
>


http://www.postfix.org/RESTRICTION_CLASS_README.html

something like

smtpd_restriction_classes =
        ...
        announce_class
        allowed_rcpt

smtpd_helo_restrictions =
        check_recipient_access hash:/etc/postfix/announce_rcpt

smtpd_sender_restrictions =
        check_recipient_access hash:/etc/postfix/allowed_rcpt
        reject

announce_class =
        check_sender_access hash:/etc/postfix/announce_sender
        reject

== announce_rcpt:
[hidden email] announce_class

== announce_sender:
[hidden email] OK
...

== allowed_rcpt:
[hidden email] OK
...

note that two different restrictions (helo and sender) are used. this is
because you want independent "controls". and
smtpd_recipient_restrictions isn't used here, because it already
contains many checks and it would be unwise to make it more complex.

for more infos, do read (and reread until you feel confortable):
        http://www.postfix.org/SMTPD_ACCESS_README.html
        http://www.postfix.org/RESTRICTION_CLASS_README.html

as well as the man page:
        http://www.postfix.org/access.5.html

More generally,
        http://www.postfix.org/documentation.html
is an excellent place.

> Sorry, above questions are rather spontaneous and haven't done much
> research. Hope, this appears to be really interesting question. If
> this works out, all announce-only lists people can use it w/o any need
> of maintaining very complex (and sometime to be paid for blacklists).
>
>
> - TIA
> Bob.
>