Controlling submission recipients

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Controlling submission recipients

Alex Regan
Hi,

We have postfix-3.1.4 set up on fedora25 to use submission for
outbound mail. How can I control the number of recipients that can be
addressed in any one email?

Below is my submission config from master.cf. Perhaps it would just be
setting smtpd_recipient_limit specifically for submission?

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o receive_override_options=$submission_overrides
  -o syslog_name=postfix/submission

On a related question, how can we limit the number of recipients
addressed in any one inbound email? What does the sender receive when
that limit is reached? Will this cause problems with legitimate mail?

The problem we're trying to solve is primarily disgruntled employees
retaliating via email and sending business-related information to all
employees. Obviously this is not a perfect solution, but one we hope
will deter the most egregious offenders. We also can't really restrict
it via our spam measures because the body contents are directly
business related. Of course we'd also like any of the anti-spam abuse
protections from this as well.

Thanks,
Alex
Reply | Threaded
Open this post in threaded view
|

Re: Controlling submission recipients

Alex Regan
Hi,

Following up with my own email, I'd also like to generate a list of
all accounts that have sent an email with greater than ten recipients,
but this information doesn't appear to be available in one line:

Dec 11 23:59:17 mail postfix/submission/smtpd[13636]: connect from
unknown[13.82.28.69]
Dec 11 23:59:17 mail postfix/submission/smtpd[13636]: Anonymous TLS
connection established from unknown[13.82.28.69]: TLSv1.1 with cipher
ECDHE-RSA-AES256-SHA (256/256 bits)
Dec 11 23:59:17 mail postfix/submission/smtpd[13636]: 9D14386956765:
client=unknown[13.82.28.69], sasl_method=login, sasl_username=alice
Dec 11 23:59:17 mail postfix/submission/smtpd[13636]: disconnect from
unknown[13.82.28.69] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1
quit=1 commands=8

Is there a more convenient way to represent this information, or is it
necessary to build something that parses multiple lines and somehow
associates the IP with data from other lines?



On Tue, Dec 12, 2017 at 11:29 AM, Alex <[hidden email]> wrote:

> Hi,
>
> We have postfix-3.1.4 set up on fedora25 to use submission for
> outbound mail. How can I control the number of recipients that can be
> addressed in any one email?
>
> Below is my submission config from master.cf. Perhaps it would just be
> setting smtpd_recipient_limit specifically for submission?
>
> submission inet n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
>   -o receive_override_options=$submission_overrides
>   -o syslog_name=postfix/submission
>
> On a related question, how can we limit the number of recipients
> addressed in any one inbound email? What does the sender receive when
> that limit is reached? Will this cause problems with legitimate mail?
>
> The problem we're trying to solve is primarily disgruntled employees
> retaliating via email and sending business-related information to all
> employees. Obviously this is not a perfect solution, but one we hope
> will deter the most egregious offenders. We also can't really restrict
> it via our spam measures because the body contents are directly
> business related. Of course we'd also like any of the anti-spam abuse
> protections from this as well.
>
> Thanks,
> Alex
Reply | Threaded
Open this post in threaded view
|

Re: Controlling submission recipients

Noel Jones-2
In reply to this post by Alex Regan
On 12/12/2017 10:29 AM, Alex wrote:

> Hi,
>
> We have postfix-3.1.4 set up on fedora25 to use submission for
> outbound mail. How can I control the number of recipients that can be
> addressed in any one email?
>
> Below is my submission config from master.cf. Perhaps it would just be
> setting smtpd_recipient_limit specifically for submission?
>
> submission inet n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
>   -o receive_override_options=$submission_overrides
>   -o syslog_name=postfix/submission
>

Yes, you could add -o smtpd_recipient_limit to the submission
service. HOWEVER, this feature isn't intended to limit abuse.

Postfix will accept recipients up to $smtpd_recipient_limit and then
temp-fail excess recipients. This will likely cause desktop software
to give a confusing message, which might be sufficient for your purpose.

A real MTA will disconnect and retry the excess recipients, possibly
after a delay.


> On a related question, how can we limit the number of recipients
> addressed in any one inbound email? What does the sender receive when
> that limit is reached? Will this cause problems with legitimate mail?
>
> The problem we're trying to solve is primarily disgruntled employees
> retaliating via email and sending business-related information to all
> employees. Obviously this is not a perfect solution, but one we hope
> will deter the most egregious offenders. We also can't really restrict
> it via our spam measures because the body contents are directly
> business related. Of course we'd also like any of the anti-spam abuse
> protections from this as well.

If your intention is to reject mail with excess recipients, use a
policy service in smtpd_data_restrictions. The policy service has a
recipient_count attribute.
http://www.postfix.org/SMTPD_POLICY_README.html
http://postfwd.org/



  -- Noel Jones
Reply | Threaded
Open this post in threaded view
|

Re: Controlling submission recipients

Noel Jones-2
In reply to this post by Alex Regan
On 12/12/2017 10:56 AM, Alex wrote:

> Hi,
>
> Following up with my own email, I'd also like to generate a list of
> all accounts that have sent an email with greater than ten recipients,
> but this information doesn't appear to be available in one line:
>
> Dec 11 23:59:17 mail postfix/submission/smtpd[13636]: connect from
> unknown[13.82.28.69]
> Dec 11 23:59:17 mail postfix/submission/smtpd[13636]: Anonymous TLS
> connection established from unknown[13.82.28.69]: TLSv1.1 with cipher
> ECDHE-RSA-AES256-SHA (256/256 bits)
> Dec 11 23:59:17 mail postfix/submission/smtpd[13636]: 9D14386956765:
> client=unknown[13.82.28.69], sasl_method=login, sasl_username=alice
> Dec 11 23:59:17 mail postfix/submission/smtpd[13636]: disconnect from
> unknown[13.82.28.69] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1
> quit=1 commands=8
>
> Is there a more convenient way to represent this information, or is it
> necessary to build something that parses multiple lines and somehow
> associates the IP with data from other lines?

A policy service can log the requested information.



  -- Noel Jones
Reply | Threaded
Open this post in threaded view
|

Re: Controlling submission recipients

Alex Regan
In reply to this post by Noel Jones-2
Hi,

>> On a related question, how can we limit the number of recipients
>> addressed in any one inbound email? What does the sender receive when
>> that limit is reached? Will this cause problems with legitimate mail?
>>
>> The problem we're trying to solve is primarily disgruntled employees
>> retaliating via email and sending business-related information to all
>> employees. Obviously this is not a perfect solution, but one we hope
>> will deter the most egregious offenders. We also can't really restrict
>> it via our spam measures because the body contents are directly
>> business related. Of course we'd also like any of the anti-spam abuse
>> protections from this as well.
>
> If your intention is to reject mail with excess recipients, use a
> policy service in smtpd_data_restrictions. The policy service has a
> recipient_count attribute.
> http://www.postfix.org/SMTPD_POLICY_README.html
> http://postfwd.org/

I've downloaded postfwd and have read through the manual and sample config.

Can you help me develop a rule that will just log all requests for the
submission service that includes the IP, time/date and sasl username?

I don't understand which of the ITEMs to pick, and I'm assuming action
would just be DUNNO?
Reply | Threaded
Open this post in threaded view
|

Re: Controlling submission recipients

Noel Jones-2
On 12/12/2017 1:16 PM, Alex wrote:

> Hi,
>
>>> On a related question, how can we limit the number of recipients
>>> addressed in any one inbound email? What does the sender receive when
>>> that limit is reached? Will this cause problems with legitimate mail?
>>>
>>> The problem we're trying to solve is primarily disgruntled employees
>>> retaliating via email and sending business-related information to all
>>> employees. Obviously this is not a perfect solution, but one we hope
>>> will deter the most egregious offenders. We also can't really restrict
>>> it via our spam measures because the body contents are directly
>>> business related. Of course we'd also like any of the anti-spam abuse
>>> protections from this as well.
>>
>> If your intention is to reject mail with excess recipients, use a
>> policy service in smtpd_data_restrictions. The policy service has a
>> recipient_count attribute.
>> http://www.postfix.org/SMTPD_POLICY_README.html
>> http://postfwd.org/
>
> I've downloaded postfwd and have read through the manual and sample config.
>
> Can you help me develop a rule that will just log all requests for the
> submission service that includes the IP, time/date and sasl username?
>
> I don't understand which of the ITEMs to pick, and I'm assuming action
> would just be DUNNO?
>

Sorry, I don't know the recipe for that off the top of my head.
Maybe someone else can jump in here.
There is a postfwd-user list that can probably help.


  -- Noel Jones
Reply | Threaded
Open this post in threaded view
|

Re: Controlling submission recipients

Andreas Schamanek
In reply to this post by Alex Regan

On Tue, 12 Dec 2017, at 14:16, Alex wrote:

>> http://postfwd.org/
>
> I've downloaded postfwd and have read through the manual and sample config.
>
> Can you help me develop a rule that will just log all requests for the
> submission service that includes the IP, time/date and sasl username?

This is already in postfix's log:

   Dec 12 08:01:20 iac postfix/submission/smtpd[21991]: E604F21031:
   client=unknown[95.151.52.23], sasl_method=PLAIN, sasl_username=so

> I don't understand which of the ITEMs to pick, and I'm assuming action
> would just be DUNNO?

Postfwd has an action called "debug" and can WARN. But RTFM again or,
as Noel wrote, get on the Postfwd mailing list.

--
-- Andreas

     :-)

Reply | Threaded
Open this post in threaded view
|

Re: Controlling submission recipients

Alex Regan
Hi,

On Tue, Dec 12, 2017 at 3:12 PM, Andreas Schamanek
<[hidden email]> wrote:

>
> On Tue, 12 Dec 2017, at 14:16, Alex wrote:
>
>>> http://postfwd.org/
>>
>>
>> I've downloaded postfwd and have read through the manual and sample
>> config.
>>
>> Can you help me develop a rule that will just log all requests for the
>> submission service that includes the IP, time/date and sasl username?
>
> This is already in postfix's log:
>
>   Dec 12 08:01:20 iac postfix/submission/smtpd[21991]: E604F21031:
>   client=unknown[95.151.52.23], sasl_method=PLAIN, sasl_username=so

Yes, but I was also hoping to collect the number of recipients, and I
don't have enough perl knowledge to join or associate then parse
multiple lines.

>> I don't understand which of the ITEMs to pick, and I'm assuming action
>> would just be DUNNO?
>
> Postfwd has an action called "debug" and can WARN. But RTFM again or, as
> Noel wrote, get on the Postfwd mailing list.

Thanks for your help on the postfwd-users list. I will be able to use
that as well.

Thanks again to Noel for helping, as always.

Thanks,
Alex


>
> --
> -- Andreas
>
>     :-)
>
Reply | Threaded
Open this post in threaded view
|

Re: Controlling submission recipients

Andreas Schamanek

On Tue, 12 Dec 2017, at 16:27, Alex wrote:

> I don't have enough perl knowledge to join or associate then parse
> multiple lines.

Did you have a look at auxiliary/collate from Postfix's source?

--
-- Andreas

     :-)