Bypass restrictions for postmaster/abuse

mrobti
Hello all,

Is there a best practice for exempting the postmaster/abuse address
from certain smtpd_mumble_restrictions?

For example, we see some small businesses who have trouble getting past
reject_unknown_helo_hostname and reject_unknown_client_hostname and if
we reach out to them, we need to allow their reply to our postmaster
address to get delivered, obviously bypassing the checks that originally
caused the rejections.

I think each organization will have restrictions that they deem
important enough to place even before exemptions for postmaster, but I'd
like to learn what other Postfix administrators have done, how they've
done it, and if there is a commonly agreed upon way to approach this.

Thank you!

Re: Bypass restrictions for postmaster/abuse

Noel Jones-2
On 3/8/2017 2:53 PM, MRob wrote:
> Hello all,
>
> Is there a best practice for exempting the postmaster/abuse address
> from certain smtpd_mumble_restrictions?
>


The procedure to whitelist a recipient is to use a
check_recipient_access map prior to whatever rule might reject the
mail.  If you have restrictions in each of the smtpd_*_restrictions
sections, then you must add your whitelist in each section.
Exactly how you order your restrictions and where you put the
whitelist may vary depending on your needs.

Simple example assuming all your restrictions are in
smtpd_recipient_restrictions:

# /etc/postfix/whitelist_recipients
[hidden email]  OK

# main.cf
smtpd_recipient_restrictions =
  permit_mynetworks
  reject_unauth_destination
  check_recipient_access hash:/etc/postfix/whitelist_recipients
  reject_unknown_...
  reject_rbl_client ...
  ... more restrictions ...


Note: make sure your whitelist comes AFTER reject_unauth_destination
to prevent open-relay accidents.
http://www.postfix.org/SMTPD_ACCESS_README.html#danger



  -- Noel Jones
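
A lint for the ordering rule in the note above, as an added example that is not part of the original thread: it reports any check_*_access map listed before reject_unauth_destination in smtpd_recipient_restrictions, where an OK result would permit mail for any destination. It assumes, as the post's example does, that all restrictions live in that one parameter; the sample configs and function names are constructed for illustration.

```python
import re

# Constructed sample configs (not from the thread); paths are placeholders.
SAFE = """\
# main.cf
smtpd_recipient_restrictions =
  permit_mynetworks
  reject_unauth_destination
  check_recipient_access hash:/etc/postfix/whitelist_recipients
  reject_unknown_helo_hostname
  reject_unknown_client_hostname
"""
UNSAFE = """\
smtpd_recipient_restrictions = permit_mynetworks,
  check_recipient_access hash:/etc/postfix/whitelist_recipients,
  reject_unknown_client_hostname, reject_unauth_destination
"""

def logical_lines(text):
    """Join main.cf continuation lines (leading whitespace) and drop comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def restrictions(text, param="smtpd_recipient_restrictions"):
    """Return the restriction tokens of one parameter, in evaluation order."""
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep and name.strip() == param:
            return [t for t in re.split(r"[,\s]+", value.strip()) if t]
    return []

def maps_before_relay_check(text):
    """Access maps evaluated before reject_unauth_destination (may OK a relay)."""
    toks = restrictions(text)
    try:
        limit = toks.index("reject_unauth_destination")
    except ValueError:
        limit = len(toks)  # no relay check in this list: every map is exposed
    return [(toks[i], toks[i + 1]) for i in range(limit)
            if re.fullmatch(r"check_\w+_access", toks[i]) and i + 1 < len(toks)]
```

An empty result means every access map in the list is consulted only after the relay check has already rejected mail for foreign destinations.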

Re: Bypass restrictions for postmaster/abuse

Ansgar Wiechers
On 2017-03-08 Noel Jones wrote:

> On 3/8/2017 2:53 PM, MRob wrote:
>> Is there a best practice for exempting the postmaster/abuse address
>> from certain smtpd_mumble_restrictions?
>
> The procedure to whitelist a recipient is to use a
> check_recipient_access map prior to whatever rule might reject the
> mail.  If you have restrictions in each of the smtpd_*_restrictions
> sections, then you must add your whitelist in each section.
> Exactly how you order your restrictions and where you put the
> whitelist may vary depending on your needs.
>
> Simple example assuming all your restrictions are in
> smtpd_recipient_restrictions:
>
> # /etc/postfix/whitelist_recipients
> [hidden email]  OK
>
> # main.cf
> smtpd_recipient_restrictions =
>   permit_mynetworks
>   reject_unauth_destination
>   check_recipient_access hash:/etc/postfix/whitelist_recipients
>   reject_unknown_...
>   reject_rbl_client ...
>   ... more restrictions ...
>
> Note: make sure your whitelist comes AFTER reject_unauth_destination
> to prevent open-relay accidents.
> http://www.postfix.org/SMTPD_ACCESS_README.html#danger

This is probably just personal preference, but in addition to
whitelisting postmaster recipients I put a client blacklist before the
whitelist where I block all clients who deemed sending spam to a
postmaster address a good idea.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: Bypass restrictions for postmaster/abuse

mrobti
In reply to this post by Noel Jones-2
On 2017-03-08 15:23, Noel Jones wrote:

> On 3/8/2017 2:53 PM, MRob wrote:
>> Hello all,
>>
>> Is there a best practice for exempting the postmaster/abuse address
>> from certain smtpd_mumble_restrictions?
>>
>
>
> The procedure to whitelist a recipient is to use a
> check_recipient_access map prior to whatever rule might reject the
> mail.  If you have restrictions in each of the smtpd_*_restrictions
> sections, then you must add your whitelist in each section.
> Exactly how you order your restrictions and where you put the
> whitelist may vary depending on your needs.
>
> Simple example assuming all your restrictions are in
> smtpd_recipient_restrictions:
>
> # /etc/postfix/whitelist_recipients
> [hidden email]  OK
>
> # main.cf
> smtpd_recipient_restrictions =
>   permit_mynetworks
>   reject_unauth_destination
>   check_recipient_access hash:/etc/postfix/whitelist_recipients
>   reject_unknown_...
>   reject_rbl_client ...
>   ... more restrictions ...
>
>
> Note: make sure your whitelist comes AFTER reject_unauth_destination
> to prevent open-relay accidents.
> http://www.postfix.org/SMTPD_ACCESS_README.html#danger

Thanks, Noel. Are there any admins with opinions where in the order is
best for postmaster/abuse whitelisting?

Re: Bypass restrictions for postmaster/abuse

/dev/rob0
On Thu, Mar 09, 2017 at 12:44:04PM -0800, MRob wrote:
> Are there any admins with opinions where in the order is best
> for postmaster/abuse whitelisting?

My opinion is "don't do it."  I use smtpd_reject_footer to point to
my web page for frustrated human senders.  If they're not smart
enough to read the fine error message they got, they're going to
struggle with fixing the problem, also.

One thing my page suggests is that they can contact me through any
typical freemail services, such as gmail, Yahoo, and GMX.  Which is
true: my postscreen and smtpd restrictions do not block them.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: Bypass restrictions for postmaster/abuse

mrobti
On 2017-03-09 14:35, /dev/rob0 wrote:

> On Thu, Mar 09, 2017 at 12:44:04PM -0800, MRob wrote:
>> Are there any admins with opinions where in the order is best
>> for postmaster/abuse whitelisting?
>
> My opinion is "don't do it."  I use smtpd_reject_footer to point to
> my web page for frustrated human senders.  If they're not smart
> enough to read the fine error message they got, they're going to
> struggle with fixing the problem, also.
>
> One thing my page suggests is that they can contact me through any
> typical freemail services, such as gmail, Yahoo, and GMX.  Which is
> true: my postscreen and smtpd restrictions do not block them.

OK, that's a great idea. Thank you for the tip. Is this quite common?

Re: Bypass restrictions for postmaster/abuse

/dev/rob0
On Thu, Mar 09, 2017 at 04:12:32PM -0800, MRob wrote:

> On 2017-03-09 14:35, /dev/rob0 wrote:
> >On Thu, Mar 09, 2017 at 12:44:04PM -0800, MRob wrote:
> >>Are there any admins with opinions where in the order is best
> >>for postmaster/abuse whitelisting?
> >
> >My opinion is "don't do it."  I use smtpd_reject_footer to
> >point to my web page for frustrated human senders.  If they're
> >not smart enough to read the fine error message they got,
> >they're going to struggle with fixing the problem, also.
> >
> >One thing my page suggests is that they can contact me through
> >any typical freemail services, such as gmail, Yahoo, and GMX.
> >Which is true: my postscreen and smtpd restrictions do not
> >block them.
>
> OK, that's a great idea. Thank you for the tip. Is this quite
> common?

I can't speak to what is common, nor do I think anyone truly can.
But I can tell you my story.

I tried that, once, bypassing restrictions for my postmaster@ and
abuse@ addresses.  Of all the addresses I have, my postmaster@
addresses are the most heavily spammed.

My site is small but it cannot be exclusive, because it's a free
software project with worldwide users and contributors.  I've only
seen a handful of actual, legitimate messages to postmaster.  (And
then a few non-spam that should not have been sent to postmaster,
also.)

Sure, you can do what you want, and in theory it sounds prudent to
exempt postmaster & abuse from spam controls, but in practice, it
turns out only to be a way to get yourself a lot more spam.

I don't have enough rejections to be able to gauge what others are
doing at their sites.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: Bypass restrictions for postmaster/abuse

Viktor Dukhovni

> On Mar 10, 2017, at 12:03 AM, /dev/rob0 <[hidden email]> wrote:
>
> Sure, you can do what you want, and in theory it sounds prudent to
> exempt postmaster & abuse from spam controls, but in practice, it
> turns out only to be a way to get yourself a lot more spam.
>
> I don't have enough rejections to be able to gauge what others are
> doing at their sites.

At a small enough domain, one can take the view that a RBL listing
in SpamHaus is the sender's problem to resolve, since they'll have
issues sending email to half the planet.  Therefore, if you're only
blocking the same things that everyone else does, you don't need
a whitelist.  If you're maintaining manual filters beyond what's
common, a whitelist for postmaster may be prudent for such filters.

--
        Viktor.