Blocking mail from clients who

Blocking mail from clients who

Gerben Wierda
My main restrictions in main.cf are (on macOS Server)

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_rbl_whitelist_clients,
    reject_rbl_client zen.spamhaus.org,
    permit
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    reject_unauth_pipelining
    reject_non_fqdn_recipient
    permit_mynetworks
    reject_unauth_destination
    reject_unlisted_recipient
    check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients
    check_sender_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders
    check_policy_service unix:private/policy
    permit

RBL and greylisting help to filter out most spam attempts. I had to turn off greylisting for a few hours today, and a message came through that had both From: and To: set to my email address. This was accepted because I am the delivery agent for that domain.

But an outside, non SASL-authenticated client that says it wants to deliver mail From my domain is illegal. Apparently, that one still gets through (though is generally blocked by greylisting). Anyway, is there a way to block that without blocking legitimate mail?


Re: Blocking mail from clients who

Robert Schetterer-2
On 15.10.2017 at 18:34, Gerben Wierda wrote:

> My main restrictions in main.cf are (on macOS Server)
>
> smtpd_client_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> check_client_access
> regexp:/Library/Server/Mail/Config/postfix/rna_rbl_whitelist_clients,
> reject_rbl_client zen.spamhaus.org,
> permit
> smtpd_delay_reject = yes
> smtpd_enforce_tls = no
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
> permit_mynetworks,
> reject_non_fqdn_helo_hostname,
> reject_invalid_helo_hostname,
> permit
> smtpd_recipient_restrictions = permit_sasl_authenticated
> reject_unauth_pipelining reject_non_fqdn_recipient permit_mynetworks
> reject_unauth_destination reject_unlisted_recipient check_client_access
> regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients
> check_sender_access
> regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders
> check_policy_service unix:private/policy permit
>
> RBL and greylisting help to filter out most spam attempts. I had to
> turn off greylisting for a few hours today, and a message came through
> that had both From: and To: set to my email address. This was accepted
> because I am the delivery agent for that domain.
>
> But an outside, non SASL-authenticated client that says it wants to
> deliver mail From my domain is illegal. Apparently, that one still gets
> through (though is generally blocked by greylisting). Anyway, is there a
> way to block that without blocking legitimate mail?
>
> Gerben Wierda
> Chess and the Art of Enterprise Architecture <http://enterprisechess.com/>
> Mastering ArchiMate <http://masteringarchimate.com/>
> Architecture for Real Enterprises
> <https://www.infoworld.com/blog/architecture-for-real-enterprises/> at
> InfoWorld
> On Slippery Ice <https://eapj.org/on-slippery-ice/> at EAPJ
>

Are you informed about DKIM, SPF, DMARC?
Do you relay for third parties?


Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: Munich, Munich District Court: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein

Re: Blocking mail from clients who

Dominic Raferd
In reply to this post by Gerben Wierda


On 15 October 2017 at 17:34, Gerben Wierda <[hidden email]> wrote:
> My main restrictions in main.cf are (on macOS Server)
>
> smtpd_client_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_rbl_whitelist_clients,
>     reject_rbl_client zen.spamhaus.org,
>     permit
> smtpd_delay_reject = yes
> smtpd_enforce_tls = no
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
>     permit_mynetworks,
>     reject_non_fqdn_helo_hostname,
>     reject_invalid_helo_hostname,
>     permit
> smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_pipelining reject_non_fqdn_recipient permit_mynetworks reject_unauth_destination reject_unlisted_recipient check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients check_sender_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders check_policy_service unix:private/policy permit
>
> RBL and greylisting help to filter out most spam attempts. I had to turn off greylisting for a few hours today, and a message came through that had both From: and To: set to my email address. This was accepted because I am the delivery agent for that domain.
>
> But an outside, non SASL-authenticated client that says it wants to deliver mail From my domain is illegal. Apparently, that one still gets through (though is generally blocked by greylisting). Anyway, is there a way to block that without blocking legitimate mail?

You could add your domain to /Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders as a reject:

/.*@mydomain.tld/ REJECT

Any sender purporting to be from your domain but not authenticated should be blocked by this. Authenticated senders will not be touched by this because they are already approved by permit_sasl_authenticated.

Re: Blocking mail from clients who

Bill Shirley
> /.*@mydomain.tld/ REJECT

The leading .* is not needed.  You should escape the period before tld (\.).  You can
also send a message:
/@.*example\.com$/        REJECT You are not me (40,000).
This works for me.  Note: I'm using pcre instead of regexp.

Bill


Re: Blocking mail from clients who

Matus UHLAR - fantomas
On 15.10.17 16:52, Bill Shirley wrote:
>> /.*@mydomain.tld/ REJECT
>
>The leading .* is not needed.  You should escape the period before tld (\.).  You can
>also send a message:
>/@.*example\.com$/        REJECT You are not me (40,000).
>This works for me.  Note: I'm using pcre instead of regexp.

And this .* is dangerous. It denies subdomains as well as other domains
ending in example.com, e.g. myexample.com might be a foreign domain but you
will reject it.

Instead of regexp (or pcre) I recommend using simple checks like hash:

example.com REJECT Authentication needed for this domain.

You can still use regular expressions afterwards.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.

Re: Blocking mail from clients who

Dominic Raferd


On 16 October 2017 at 11:38, Matus UHLAR - fantomas <[hidden email]> wrote:
> On 15.10.17 16:52, Bill Shirley wrote:
>>> /.*@mydomain.tld/ REJECT
>>
>> The leading .* is not needed.  You should escape the period before tld (\.).  You can
>> also send a message:
>> /@.*example\.com$/        REJECT You are not me (40,000).
>> This works for me.  Note: I'm using pcre instead of regexp.
>
> And this .* is dangerous. It denies subdomains as well as other domains
> ending in example.com, e.g. myexample.com might be a foreign domain but you
> will reject it.
>
> Instead of regexp (or pcre) I recommend using simple checks like hash:
>
> example.com     REJECT Authentication needed for this domain.
>
> You can still use regular expressions afterwards.

This regex will not deny subdomains or other domains:

/@example\.com$/ REJECT

In general a hash table is simpler (and faster), but the OP is already using a regex table, so this avoids having to amend main.cf and create and hash a new file.
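
An added example, not part of the thread: the three patterns proposed above, evaluated first-match-wins against constructed sender addresses to show which each one rejects. It assumes Python's `re` behaves like Postfix's regexp/pcre engines for these simple patterns, writes `mydomain.tld` as `example.com` so the results are comparable, and uses hypothetical helper names (`parse_table`, `lookup`, `rejected`).

```python
import re

# Constructed regexp-table bodies, one per pattern proposed in the thread
# (mydomain.tld written as example.com so all three can be compared).
TABLES = {
    "unescaped": r"/.*@example.com/    REJECT",
    "wildcard":  r"/@.*example\.com$/  REJECT You are not me",
    "anchored":  r"/@example\.com$/    REJECT",
}

# Constructed envelope senders (MAIL FROM), which is what check_sender_access sees.
SENDERS = [
    "me@example.com",
    "me@EXAMPLE.COM",
    "bob@mail.example.com",
    "carol@myexample.com",
    "dave@example.com.other.test",
    "erin@exampleXcom.test",
]

LINE = re.compile(r"^/(?P<pat>.*?)/(?P<flags>[a-z]*)\s+(?P<action>.+)$")

def parse_table(text):
    """Parse '/pattern/flags action' lines into (compiled regex, action) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unparsable table line: {line!r}")
        # Matching is case-insensitive by default; the 'i' flag toggles that off.
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        rules.append((re.compile(m.group("pat"), flags), m.group("action")))
    return rules

def lookup(rules, sender):
    """Return the action of the first matching rule, or None when no rule matches."""
    for rx, action in rules:
        if rx.search(sender):
            return action
    return None

def rejected(name):
    """Senders that the named table would REJECT."""
    rules = parse_table(TABLES[name])
    return [s for s in SENDERS if (lookup(rules, s) or "").startswith("REJECT")]

if __name__ == "__main__":
    for name in TABLES:
        print(f"{name:10} {rejected(name)}")
```

On a live server, `postmap -q` against the actual table file gives the authoritative answer for a given address.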