Blocking TLDs with check_sender_access


Blocking TLDs with check_sender_access

Alex Regan
Hi,

I have a check_sender_access restriction that blocks many TLDs like
.red and .space. Problem is that we have one legitimate .red customer
(what was he thinking?) that needs to send us mail. How can I allow
this single domain?

smtpd_sender_restrictions =
        permit_mynetworks,
        check_sender_access hash:/etc/postfix/sender_checks,
        check_sender_access pcre:/etc/postfix/sender_checks.pcre,
        check_sender_access hash:/etc/postfix/spamsources,
        check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf,
        reject_unknown_sender_domain

/etc/postfix/spamsources contains lines like:

red     500 This TLD sends spam
pw      500 This TLD sends spam
trade   500 This TLD sends spam
party   500 This TLD sends spam

I see that it's legitimately blocking this domain, but when I use
postmap to test, it fails:

# postmap -q [hidden email] hash:/etc/postfix/spamsources
#

I would have expected "This TLD sends spam". I've tried adding the
following at the top of the file then recreating the hash db, but
testing doesn't seem to work:

[hidden email] OK
sub.red           OK

What am I missing?

Re: Blocking TLDs with check_sender_access

Wietse Venema
Alex:

> HI,
>
> I have a check_sender_access restriction that blocks many TLDs like
> .red and .space. Problem is that we have one legitimate .red customer
> (what was he thinking?) that needs to send us mail. How can I allow
> this single domain?
>
> smtpd_sender_restrictions =
>         permit_mynetworks,
>         check_sender_access hash:/etc/postfix/sender_checks,
>         check_sender_access pcre:/etc/postfix/sender_checks.pcre,
>         check_sender_access hash:/etc/postfix/spamsources,
>         check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf,
>         reject_unknown_sender_domain
>
> /etc/postfix/spamsources contains lines like:
>
> red     500 This TLD sends spam
> pw      500 This TLD sends spam
> trade   500 This TLD sends spam
> party   500 This TLD sends spam
>
> I see that it's legitimately blocking this domain, but when I use
> postmap to test, it fails:
>
> # postmap -q [hidden email] hash:/etc/postfix/spamsources
> #
>
> I would have expected "This TLD sends spam". I've tried adding the
> following at the top of the file then recreating the hash db, but
> testing doesn't seem to work:

The postmap command does not know that this is an access map. Until
it does, you need to manually make the queries described in
"man 5 access": the queries are sub.red then red.

To exclude sub.red:

red     500 This TLD sends spam
sub.red DUNNO
pw      500 This TLD sends spam
trade   500 This TLD sends spam
party   500 This TLD sends spam

The result does not have to be upper case.

        Wietse
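The lookup sequence Wietse refers to, shown as an added example that is not part of the thread: a small Python model of the queries smtpd makes for check_sender_access, run against a constructed copy of the posted spamsources table with the sub.red DUNNO entry added. It assumes the default parent_domain_matches_subdomains (which lists smtpd_access_maps, so parent domains are queried without a leading dot) and postmap's default lowercase key folding; function names are mine.

```python
import re

# Constructed copy of the posted /etc/postfix/spamsources with the DUNNO
# entry from the reply added (sample data, not the real file).
SPAMSOURCES = """\
red     500 This TLD sends spam
sub.red DUNNO
pw      500 This TLD sends spam
trade   500 This TLD sends spam
party   500 This TLD sends spam
"""


def parse_access_map(text):
    """Parse "key value" lines; postmap folds keys to lower case by default."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def sender_queries(sender):
    """Lookup keys in the order smtpd tries them for check_sender_access
    (access(5)): full address, the domain, each parent domain, then user@."""
    sender = sender.lower()
    if sender in ("", "<>"):
        return ["<>"]          # null sender: default smtpd_null_access_lookup_key
    local, at, domain = sender.rpartition("@")
    if not at:
        return [sender]        # no domain part: only the literal key can match
    queries = [sender]
    labels = domain.split(".")
    # Parent domains are queried without a leading dot because smtpd_access_maps
    # is in the default parent_domain_matches_subdomains (assumed here).
    for i in range(len(labels)):
        queries.append(".".join(labels[i:]))
    queries.append(local + "@")
    return queries


def lookup(table, sender):
    """First hit wins; returns (matched_key, value) or (None, None)."""
    for key in sender_queries(sender):
        if key in table:
            return key, table[key]
    return None, None


def decision(table, sender):
    """Map the access(5) result to what smtpd does with this one restriction."""
    key, value = lookup(table, sender)
    if value is None or value.upper() == "DUNNO":
        return "next restriction"   # no verdict here; continue down smtpd_sender_restrictions
    if value.upper() == "OK":
        return "permit"             # OK ends the whole restriction list, not just this table
    if re.match(r"[45]\d\d(\s|$)", value):
        return "reject " + value
    return value                    # other actions (REJECT, FILTER, ...) not modelled


if __name__ == "__main__":
    table = parse_access_map(SPAMSOURCES)
    for s in ("user@sub.red", "user@deep.sub.red", "user@other.red", "user@example.com"):
        print(s, "->", sender_queries(s), "->", decision(table, s))
```

The equivalent manual checks against the real table are `postmap -q sub.red hash:/etc/postfix/spamsources` followed by `postmap -q red hash:/etc/postfix/spamsources`; the first hit in that order is the one smtpd acts on, which is why a DUNNO on sub.red shadows the 500 on red. Note the difference from the OK that Alex tried: OK is a permit and ends the whole smtpd_sender_restrictions list for that sender, skipping reject_unknown_sender_domain as well, whereas DUNNO only stops searching this table.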

Re: Blocking TLDs with check_sender_access

@lbutlr
In reply to this post by Alex Regan
On 25 Jun 2018, at 14:45, Alex <[hidden email]> wrote:
> I have a check_sender_access restriction that blocks many TLDs like
> .red and .space. Problem is that we have one legitimate .red customer
> (what was he thinking?) that needs to send us mail. How can I allow
> this single domain?

I use header checks:

/.*\.example.top/ DUNNO
/.*\.FriendwithJokeDoamin.xxx/ OK
/.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp|host|au|nz)$/ DUNNO
/.*\.*/ 550 Mail to or from this TLD is not allowed

But this should basically work much the same in check_sender_access:

red  500 This TLD sends spam
good.red DUNNO

--
A bartender is just a pharmacist with a limited inventory.



Re: Blocking TLDs with check_sender_access

Viktor Dukhovni


> On Jun 26, 2018, at 6:07 AM, @lbutlr <[hidden email]> wrote:
>
> I use header checks:
>
> /.*\.example.top/ DUNNO
> /.*\.FriendwithJokeDoamin.xxx/ OK
> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp|host|au|nz)$/ DUNNO
> /.*\.*/ 550 Mail to or from this TLD is not allowed
>
> But this should basically work much the same in check_sender_access

No, it works substantially better in check_sender_access, and very poorly
in header_checks.  DO NOT use header checks for sender address blacklists.

--
        Viktor.


Re: Blocking TLDs with check_sender_access

@lbutlr
On Jun 26, 2018, at 09:10, Viktor Dukhovni <[hidden email]> wrote:
> No, it works substantially better in check_sender_access, and very poorly
> in header_checks.

It works very well for me, and has for years.

--
This is my signature. There are many like it, but this one is mine.



Re: Blocking TLDs with check_sender_access

Viktor Dukhovni


> On Jun 26, 2018, at 1:15 PM, @lbutlr <[hidden email]> wrote:
>
>> No, it works substantially better in check_sender_access, and very poorly
>> in header_checks.
>
> It works very well for me, and has for years.

The regular expressions you posted are fragile, subject to easy false
positives and should not be used by anyone else.  If this happens to
have worked for you so far, enjoy, but this is not suitable for general
use.

--
        Viktor.
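To make the false positives Viktor describes concrete, an added example that is not from the thread: the four header_checks patterns exactly as @lbutlr posted them, applied with Python's re module to constructed header lines. It follows the pcre_table(5) defaults (case-insensitive, unanchored search, first matching rule wins) and the fact that header_checks sees every primary header as a whole "Name: value" line, not just the sender address. The sample headers are made up; function names are mine.

```python
import re

# The header_checks rules as posted in the thread, reproduced unchanged.
# Postfix pcre tables match case-insensitively by default and are not
# anchored unless the pattern says ^ or $; the first matching rule wins.
POSTED_RULES = [
    (r".*\.example.top", "DUNNO"),
    (r".*\.FriendwithJokeDoamin.xxx", "OK"),
    (r".*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp|host|au|nz)$",
     "DUNNO"),
    (r".*\.*", "550 Mail to or from this TLD is not allowed"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), action) for p, action in POSTED_RULES]


def header_action(header_line):
    """Action the posted rules yield for one complete header line."""
    for rx, action in COMPILED:
        if rx.search(header_line):
            return action
    return "no match"


# Constructed message headers (sample data). header_checks inspects every
# primary header line, so Subject: and Received: hit the same rules as From:.
SAMPLE_HEADERS = [
    'From: "Bob" <bob@example.com>',                 # allowlisted TLD, but ends in ">"
    "From: bob@example.com",                          # bare address: the $ anchor holds
    "Subject: quarterly report",                      # no TLD at all
    "Received: from mail.example.com ([192.0.2.1]) by mx (Postfix)",
    "Subject: see www.examplextop",                   # unescaped "." in .top matches "x"
]


def check_message(headers):
    """Return the first header that triggers a 4xx/5xx action, or None if none does."""
    for h in headers:
        action = header_action(h)
        if action[:3].isdigit() and action[0] in "45":
            return h, action
    return None


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h!r:70} -> {header_action(h)}")
    print("first reject:", check_message(SAMPLE_HEADERS))
```

Two things drive the result: the allowlist rule only survives when the header line ends in the TLD itself, so the common `"Name" <user@example.com>` form falls through to the 550 catch-all, and `/.*\.*/` matches any line whatsoever, including Subject: and Received: headers that carry no sender at all. check_sender_access avoids both problems because its lookup key is only the envelope sender address and its domain parts.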