My main restrictions in main.cf are (on macOS Server)
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_pipelining reject_non_fqdn_recipient permit_mynetworks reject_unauth_destination reject_unlisted_recipient check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients check_sender_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders check_policy_service unix:private/policy permit
RBL and greylisting help to filter out most spam attempts. I had to turn off greylisting for a few hours today, and a message came through that had both From: and To: set to my email address. This was accepted because I am the delivery agent for that domain.
But an outside, non-SASL-authenticated client that says it wants to deliver mail From my domain is illegal. Apparently, that one still gets through (though it is generally blocked by greylisting). Anyway, is there a way to block that without blocking legitimate mail?
On 15.10.2017 at 18:34, Gerben Wierda wrote:
> My main restrictions in main.cf are (on macOS Server)
> smtpd_client_restrictions =
> reject_rbl_client zen.spamhaus.org,
> smtpd_delay_reject = yes
> smtpd_enforce_tls = no
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
> smtpd_recipient_restrictions = permit_sasl_authenticated
> reject_unauth_pipelining reject_non_fqdn_recipient permit_mynetworks
> reject_unauth_destination reject_unlisted_recipient check_client_access
> check_policy_service unix:private/policy permit
> RBL and greylisting help to filter out most spam attempts. I had to
> turn off greylisting for a few hours today, and a message came through
> that had both From: and To: set to my email address. This was accepted
> because I am the delivery agent for that domain.
> But an outside, non SASL-authenticated client that says it wants to
> deliver mail From my domain is illegal. Apparently, that one still gets
> through (though is generally blocked by greylisting). Anyway, is there a
> way to block that without blocking legitimate mail?
> Gerben Wierda
> Chess and the Art of Enterprise Architecture <http://enterprisechess.com/>
> Mastering ArchiMate <http://masteringarchimate.com/>
> Architecture for Real Enterprises
> <https://www.infoworld.com/blog/architecture-for-real-enterprises/> at
> On Slippery Ice <https://eapj.org/on-slippery-ice/> at EAPJ
Are you informed about DKIM, SPF, DMARC?
Do you relay for third parties?
Best regards, Robert Schetterer
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
On 15 October 2017 at 17:34, Gerben Wierda <[hidden email]> wrote:
You could add your domain to /Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders as a reject:
Any sender purporting to be from your domain but not authenticated should be blocked by this. Authenticated senders will not be touched by this because they are already approved by permit_sasl_authenticated.
> /.*@mydomain.tld/ REJECT
The leading .* is not needed. You should escape the period before tld (\.). You can
also send a message:
/@.*example\.com$/ REJECT You are not me (40,000).
This works for me. Note: I'm using pcre instead of regexp.
On 10/15/2017 1:04 PM, Dominic Raferd wrote:
On 15.10.17 16:52, Bill Shirley wrote:
>> /.*@mydomain.tld/ REJECT
>The leading .* is not needed. You should escape the period before tld (\.). You can
>also send a message:
>/@.*example\.com$/ REJECT You are not me (40,000).
>This works for me. Note: I'm using pcre instead of regexp.
and this .* is dangerous. it denies subdomains as well as other domains
ending in example.com - e.g. myexample.com might be a foreign domain but you
will reject it.
instead of regexp (or pcre) I recommend using simple checks like hash:
example.com REJECT Authentication needed for this domain.
you can still use regular expressions afterwards.
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
He who laughs last thinks slowest.
On 16 October 2017 at 11:38, Matus UHLAR - fantomas <[hidden email]> wrote:
On 15.10.17 16:52, Bill Shirley wrote:
This regex will not deny subdomains or other domains:
In general a hash table is simpler (and faster), but the OP is already using a regex table, so this avoids having to amend main.cf and create and hash a new file.
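
The pattern pitfalls discussed in this thread can be checked offline before a table is deployed. The following is an added example, not part of any post: it approximates a Postfix regexp/pcre lookup with Python's `re` (unanchored search, case-insensitive) and lists which senders each pattern would reject beyond the intended domain. The sender addresses are constructed, the first pattern is the thread's `/.*@mydomain.tld/` with the domain swapped to example.com, and the `anchored` pattern is an assumption for comparison, not the regex from any post.

```python
import re

OWN_DOMAIN = "example.com"  # placeholder domain, as used in the thread

# Patterns in the shape quoted in the thread, plus one anchored variant.
PATTERNS = {
    "unescaped": r".*@example.com",    # shape of /.*@mydomain.tld/ (dot not escaped)
    "wildcard": r"@.*example\.com$",   # as posted: /@.*example\.com$/
    "anchored": r"@example\.com$",     # assumption: not taken from the thread
}

# Constructed sender addresses (not from any real log).
SENDERS = [
    "me@example.com",
    "me@mail.example.com",
    "bob@myexample.com",
    "bob@examplexcom.test",
    "bob@example.com.other.test",
    "bob@example.org",
]


def is_own_domain(addr):
    """Intended policy: the domain part equals OWN_DOMAIN exactly."""
    return addr.rpartition("@")[2].lower() == OWN_DOMAIN


def rejected(pattern, addr):
    """Approximate a regexp/pcre table lookup: unanchored, case-insensitive."""
    return re.search(pattern, addr, re.IGNORECASE) is not None


def overblocked(name):
    """Senders the pattern rejects although they are not in OWN_DOMAIN."""
    return [a for a in SENDERS
            if rejected(PATTERNS[name], a) and not is_own_domain(a)]


def missed(name):
    """Senders in OWN_DOMAIN that the pattern fails to reject."""
    return [a for a in SENDERS
            if is_own_domain(a) and not rejected(PATTERNS[name], a)]


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:10} over-blocks: {overblocked(name)}  misses: {missed(name)}")
```

On a live server, `postmap -q` against the actual table is the authoritative check; this script only models the matching behaviour.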