Block IP rcpt-to or block MX

Block IP rcpt-to or block MX

Emanuel

Hello,

Is it possible to create a list where the IP of certain recipients can be blocked?

Here is an example:

Oct 19 10:15:09 smtp01 postfix/smtpd[11048]: 5C28C20018459: client=myserver[172.17.111.242]
Oct 19 10:15:09 smtp01 postfix/cleanup[6836]: 5C28C20018459: message-id=[hidden email]
Oct 19 10:15:09 smtp01 postfix/qmgr[3054]: 5C28C20018459: from=[hidden email], size=16981, nrcpt=1 (queue active)
Oct 19 10:15:25 smtp01 smht-101-41/smtp[7698]: 5C28C20018459: to=[hidden email], relay=mail.h-email.net[198.133.159.122]:25, delay=16, delays=0.15/0/9.2/6.3, dsn=2.0.0, status=sent (250 Queued!)
Oct 19 10:15:25 smtp01 postfix/qmgr[3054]: 5C28C20018459: removed

Our users incorrectly type the domain name of the recipient.

hotmial.com ==> hotmail.com

My idea is to block the MX or IP ==> mail.h-email.net - 198.133.159.122

Any ideas?

Regards,

Emanuel.

--
envialosimple.com
Emanuel Gonzalez
Deliverability Specialist
[hidden email]
www.envialosimple.com
by donweb
 
Confidentiality Note: This message and any attachments (the message) are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited by DonWeb.com.
DonWeb.com shall not be liable for the message if altered or falsified.
If you are not the intended addressee of this message, please cancel it immediately and inform the sender.

Re: Block IP rcpt-to or block MX

Dominic Raferd
On 20 October 2017 at 14:21, Emanuel <[hidden email]> wrote:

> Hello,
>
> Is it possible to create a list where the IP of certain recipients can be blocked?
>
> Here is an example:
>
> Oct 19 10:15:09 smtp01 postfix/smtpd[11048]: 5C28C20018459: client=myserver[172.17.111.242]
> Oct 19 10:15:09 smtp01 postfix/cleanup[6836]: 5C28C20018459: message-id=[hidden email]
> Oct 19 10:15:09 smtp01 postfix/qmgr[3054]: 5C28C20018459: from=[hidden email], size=16981, nrcpt=1 (queue active)
> Oct 19 10:15:25 smtp01 smht-101-41/smtp[7698]: 5C28C20018459: to=[hidden email], relay=mail.h-email.net[198.133.159.122]:25, delay=16, delays=0.15/0/9.2/6.3, dsn=2.0.0, status=sent (250 Queued!)
> Oct 19 10:15:25 smtp01 postfix/qmgr[3054]: 5C28C20018459: removed
>
> Our users incorrectly type the domain name of the recipient.
>
> hotmial.com ==> hotmail.com
>
> My idea is to block the MX or IP ==> mail.h-email.net - 198.133.159.122

A better idea is to block the sending by recipient domain, with a suitable warning:

<snip>
transport_maps = hash:/etc/postfix/transport
<snip>

/etc/postfix/transport:
hotmial.com error:5.1.2 maybe you mean hotmail.com
hotmal.com error:5.1.2 maybe you mean hotmail.com
hoitmail.com error:5.1.2 maybe you mean hotmail.com
homail.com error:5.1.2 maybe you mean hotmail.com
hotrmail.com error:5.1.2 maybe you mean hotmail.com
hotmil.com error:5.1.2 maybe you mean hotmail.com
hotmaill.com error:5.1.2 maybe you mean hotmail.com


Obvs you need to hash the transport file and then reload postfix. This transport file can easily be extended to cover similar cases.
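Building on Dominic's map: the script below is an added example, not code from the thread or from Postfix. It enumerates the single-keystroke typos of a recipient domain (a letter omitted, two adjacent letters transposed, a letter doubled, or a neighbouring key inserted, assuming a QWERTY layout) and prints them either as transport(5) lines in the form shown above or, with --access, as access(5) lines for the check_recipient_access restriction Matus mentions below. The two differ in where the user learns of the mistake: the transport entry accepts the message and has the error(8) delivery agent bounce it, while the access entry refuses the address at RCPT TO, so a submitting client sees the hint at once. The file names, the hint text and the 550 reply code are the example's own choices.

```python
#!/usr/bin/env python3
"""typo_maps.py: build Postfix maps that reject single-keystroke typos of a
recipient domain with a hint naming the domain the user probably meant.

Added example for this thread, not Dominic's code.  Assumptions: a QWERTY
keyboard for the fat-finger class, and that the operator reviews the output
before installing it, since some generated names may be legitimate domains.
"""
import sys

# Horizontal neighbours on a QWERTY keyboard (assumption: QWERTY layout).
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def adjacent_keys(ch):
    """Letters immediately left/right of `ch` on its QWERTY row ('' if not a letter)."""
    for row in QWERTY_ROWS:
        i = row.find(ch)
        if i >= 0:
            return row[max(0, i - 1):i] + row[i + 1:i + 2]
    return ""


def typo_variants(domain):
    """Sorted single-edit typos of the first label of `domain`; the TLD is left alone.

    Edit classes: one letter omitted, two adjacent letters transposed, one letter
    doubled, one adjacent-key letter inserted before or after the key it neighbours.
    The genuine domain itself is never returned.
    """
    label, _, rest = domain.lower().partition(".")
    if not rest:
        raise ValueError("expected a dotted domain such as example.com")
    found = set()
    for i, ch in enumerate(label):
        found.add(label[:i] + label[i + 1:])              # omission
        found.add(label[:i] + ch + ch + label[i + 1:])    # doubled letter
        if i + 1 < len(label):                            # transposition
            found.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for n in adjacent_keys(ch):                       # fat-finger insert
            found.add(label[:i] + n + label[i:])
            found.add(label[:i + 1] + n + label[i + 1:])
    found.discard(label)
    return sorted(v + "." + rest for v in found if len(v) >= 2)


def transport_map(real_domain, variants):
    """transport(5) lines: the error(8) agent bounces with a 5.1.2 status and the hint."""
    return "".join(f"{v}\terror:5.1.2 maybe you mean {real_domain}\n" for v in variants)


def recipient_access_map(real_domain, variants):
    """access(5) lines for check_recipient_access: reject at RCPT TO with the same
    hint, so the submitting client sees the error instead of a later bounce."""
    return "".join(f"{v}\t550 5.1.2 maybe you mean {real_domain}\n" for v in variants)


def build_maps(domains):
    """Return (transport_text, access_text) covering every domain in `domains`."""
    transport, access = [], []
    for d in domains:
        variants = typo_variants(d)
        transport.append(transport_map(d, variants))
        access.append(recipient_access_map(d, variants))
    return "".join(transport), "".join(access)


if __name__ == "__main__":
    # Usage: python3 typo_maps.py [--access] hotmail.com gmail.com > /etc/postfix/transport
    args = sys.argv[1:]
    want_access = "--access" in args
    domains = [a for a in args if not a.startswith("--")]
    transport_text, access_text = build_maps(domains)
    sys.stdout.write(access_text if want_access else transport_text)
```

Review the output before running postmap on it: the generator cannot tell which variants are real, legitimately owned domains, which is the objection raised later in the thread, so trim the list to typos you have actually seen in your own smtp log lines, like the one in the original post.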
Re: Block IP rcpt-to or block MX

Matus UHLAR - fantomas
In reply to this post by Emanuel
On 20.10.17 10:21, Emanuel wrote:
>Is it possible to create a list where the IP of certain recipients
>can be blocked?

IPs not, domains yes, use check_recipient_access
http://www.postfix.org/SMTPD_ACCESS_README.html

>Our users incorrectly type the domain name of the recipient.
>
>*hotmial.com ==> hotmail.com*
>
>My idea is block the MX or IP ==> mail.h-email.net - 198.133.159.122

unless you know that hotmial.com is a malicious site, don't block it.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton
Re: Block IP rcpt-to or block MX

Emanuel
In reply to this post by Dominic Raferd

It's a good idea.

Quote: Obvs you need to hash the transport file and then reload postfix. This transport file can easily be extended to cover similar cases.

How do I do this?


Re: Block IP rcpt-to or block MX

Dominic Raferd
On 20 October 2017 at 14:50, Emanuel <[hidden email]> wrote:

> Quote: Obvs you need to hash the transport file and then reload postfix. This transport file can easily be extended to cover similar cases.
>
> How do I do this?

postmap /etc/postfix/transport
postfix reload

Re: Block IP rcpt-to or block MX

/dev/rob0
On Fri, Oct 20, 2017 at 03:06:32PM +0100, Dominic Raferd wrote:

> On 20 October 2017 at 14:50, Emanuel
> <[hidden email]> wrote:
>
> > Quota: *Obvs you need to hash the transport file and then reload
> > postfix. This transport file can easily be extended to cover
> > similar cases.*
> >
> > how to make this?
>
> postmap /etc/postfix/transport
> postfix reload

The reload is not necessary after the postmap command.  A reload
speeds things up for configuration changes or for changes in in-
memory map types.  For hash: maps, no.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: Block IP rcpt-to or block MX

Bill Cole
In reply to this post by Matus UHLAR - fantomas
On 20 Oct 2017, at 9:38 (-0400), Matus UHLAR - fantomas wrote:

> unless you know that hotmial.com is an malicious site, don't block it.

Go to http://hotmial.com with a JavaScript-enabled browser and tell me
what you think.

Or, DON'T DO THAT!

At least, don't do it on a weakly-defended system. I give you my word:
it IS a malicious site.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Paying Work: https://linkedin.com/in/billcole
Re: Block IP rcpt-to or block MX

Matus UHLAR - fantomas
>On 20 Oct 2017, at 9:38 (-0400), Matus UHLAR - fantomas wrote:
>>unless you know that hotmial.com is an malicious site, don't block it.

On 20.10.17 10:43, Bill Cole wrote:
>Go to http://hotmial.com with a JavaScript-enabled browser and tell
>me what you think.
>
>Or, DON'T DO THAT!
>
>At least, don't do it on a weakly-defended system. I give you my
>word: it IS a malicious site.

then I really wonder why it's not listed in a domain blacklist (I just searched
through blacklistalert and mxtoolbox)

in those cases reject_rhsbl_recipient should do the job.

However my recommendation was generic:

don't block domains only because your users mistype.
Re: Block IP rcpt-to or block MX

Emanuel
In reply to this post by Dominic Raferd

Thanks for your help.


Re: Block IP rcpt-to or block MX

Bill Cole
In reply to this post by Matus UHLAR - fantomas
On 20 Oct 2017, at 12:25 (-0400), Matus UHLAR - fantomas wrote:

>> On 20 Oct 2017, at 9:38 (-0400), Matus UHLAR - fantomas wrote:
>>> unless you know that hotmial.com is an malicious site, don't block
>>> it.
>
> On 20.10.17 10:43, Bill Cole wrote:
>> Go to http://hotmial.com with a JavaScript-enabled browser and tell
>> me what you think.
>>
>> Or, DON'T DO THAT!
>>
>> At least, don't do it on a weakly-defended system. I give you my
>> word: it IS a malicious site.
>
> then I really wonder why it's not listed in domain blacklist (just
> searched
> through blacklistalert and mxtoolbox)

You'd have to ask the people who maintain those blacklists, but my first
guess would be that it is an entirely passive malicious domain, slurping
up mail and web hits from typos.

The web site redirects hits using JavaScript, with the initial reply
varying based on User-Agent. After the 3rd such redirection it pops up a
bogus warning frame claiming to be alerting the user to a backdoor
trojan infection that can only be removed by calling a phone number, and
asserting that if the user fails to do so, their Internet access will be
blocked.

If you hit the site with curl, wget, or no User-Agent header, it yields
a simple "403 Forbidden" response, which is what provider-nuked sites
often do. It may be that domain blacklists intended for email usage are
blind to the existence of the domain because it does not appear in spam,
they may be fooled by the fact that the website is playing dead to
simple web clients, or it may be that some blacklists intended for email
intentionally avoid listing domains that are known bad but never show up
in spam.

> in those cases reject_rhsbl_recipient should do the job.
>
> However my recommendation was generic:
>
> don't block domains only because your users mistype.

Yes.


Re: Block IP rcpt-to or block MX

Emanuel
In reply to this post by Matus UHLAR - fantomas



On 20/10/17 at 13:25, Matus UHLAR - fantomas wrote:
>> On 20 Oct 2017, at 9:38 (-0400), Matus UHLAR - fantomas wrote:
>>> unless you know that hotmial.com is a malicious site, don't block it.
>
> On 20.10.17 10:43, Bill Cole wrote:
>> Go to http://hotmial.com with a JavaScript-enabled browser and tell me what you think.
>>
>> Or, DON'T DO THAT!
>>
>> At least, don't do it on a weakly-defended system. I give you my word: it IS a malicious site.
>
> then I really wonder why it's not listed in a domain blacklist (I just searched
> through blacklistalert and mxtoolbox)
>
> in those cases reject_rhsbl_recipient should do the job.

I can't find information for "reject_rhsbl_recipient".

Is it the same option as reject_rbl_client?

> However my recommendation was generic:
>
> don't block domains only because your users mistype.

Thanks

Re: Block IP rcpt-to or block MX

Noel Jones
On 10/23/2017 11:13 AM, Emanuel wrote:

>> in those cases reject_rhsbl_recipient should do the job.
> I not find information for "reject_rhsbl_recipient".

http://www.postfix.org/postconf.5.html#reject_rhsbl_recipient


>
> Is it the same option as reject_rbl_client?

No.  http://www.postfix.org/postconf.5.html#reject_rbl_client




  -- Noel Jones
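Noel's two links describe restrictions that consult a DNS-based list by building a query name under the list's zone, but they key it on different data: reject_rbl_client reverses the connecting client's IP address, while reject_rhsbl_recipient uses the domain part of the RCPT TO address, which is what matters for a typo domain like the one in this thread. The following is an added example, not Postfix code, that models both lookups against a constructed in-memory zone so it runs offline, including the optional =d.d.d.d answer filter (fields may be [a..b] or [a;b] patterns) that Postfix accepts after the zone name. The zone dbl.example, the listed names and their answers are made up, and 192.0.2.25 is a documentation address, not a real client.

```python
#!/usr/bin/env python3
"""Model of how reject_rbl_client and reject_rhsbl_recipient key the same kind
of DNS-based list on different data.  Added example; a simplified model of the
Postfix lookups, not Postfix code.  Zone, entries and answers are constructed."""
import ipaddress
import re

ZONE = "dbl.example"  # made-up list zone (assumption)

# Constructed in-memory answers standing in for DNS A records under ZONE.
FAKE_ZONE = {
    "25.2.0.192.dbl.example": "127.0.0.4",         # client 192.0.2.25 listed
    "hotmial.com.dbl.example": "127.0.0.2",        # recipient domain listed
    "dead.beef.example.dbl.example": "127.0.1.9",  # listed, code outside a 127.0.0.x filter
}


def fake_resolve(name):
    """Stand-in for the A lookup Postfix performs; None means NXDOMAIN."""
    return FAKE_ZONE.get(name.lower())


def rbl_client_name(client_ip, zone):
    """reject_rbl_client key: reversed IPv4 octets, or reversed IPv6 nibbles, under the zone."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(str(addr).split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def rhsbl_recipient_name(recipient, zone):
    """reject_rhsbl_recipient key: the RCPT TO domain, unreversed, under the zone."""
    domain = recipient.rpartition("@")[2].rstrip(".").lower()
    return f"{domain}.{zone}"


def _field_values(spec):
    """Accepted values for one filter field: 'd', '[a..b]' or '[a;b..c]'."""
    if not spec.startswith("["):
        return {int(spec)}
    accepted = set()
    for part in spec.strip("[]").split(";"):
        lo, _, hi = part.partition("..")
        accepted.update(range(int(lo), int(hi or lo) + 1))
    return accepted


def answer_matches(answer, filter_spec):
    """Apply the optional 'zone=d.d.d.d' filter; without one, any A record counts as listed."""
    if filter_spec is None:
        return True
    fields = re.findall(r"\[[^\]]*\]|\d+", filter_spec)
    octets = [int(o) for o in answer.split(".")]
    return len(fields) == 4 and all(o in _field_values(f) for o, f in zip(octets, fields))


def parse_restriction_arg(arg):
    """Split 'zone' or 'zone=127.0.0.[2..11]' into (zone, filter or None)."""
    zone, _, flt = arg.partition("=")
    return zone, (flt or None)


def reject_rbl_client(client_ip, arg, resolve=fake_resolve):
    """True when the client IP is listed and the answer passes the filter, if any."""
    zone, flt = parse_restriction_arg(arg)
    answer = resolve(rbl_client_name(client_ip, zone))
    return answer is not None and answer_matches(answer, flt)


def reject_rhsbl_recipient(recipient, arg, resolve=fake_resolve):
    """True when the recipient's domain is listed and the answer passes the filter, if any."""
    zone, flt = parse_restriction_arg(arg)
    answer = resolve(rhsbl_recipient_name(recipient, zone))
    return answer is not None and answer_matches(answer, flt)


if __name__ == "__main__":
    for label, hit in (
        ("client 192.0.2.25", reject_rbl_client("192.0.2.25", f"{ZONE}=127.0.0.[2..11]")),
        ("rcpt user@hotmial.com", reject_rhsbl_recipient("user@hotmial.com", f"{ZONE}=127.0.0.[2..11]")),
        ("rcpt user@hotmail.com", reject_rhsbl_recipient("user@hotmail.com", ZONE)),
    ):
        print(f"{label}: {'reject' if hit else 'permit'}")
```

In a live setup the resolve callback is real DNS, and the filter is worth keeping: Spamhaus, for example, documents 127.255.255.x answers that report query problems (open resolver, over quota) rather than a listing, and a filter confines the reject to the return codes the list documents as meaning "listed".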