How can I "reject_unverified_LOCAL_sender"?

How can I "reject_unverified_LOCAL_sender"?

Rick van Rein
Hello,

I see a lot of spam entering that claims to have come from a local
domain, usually guessing a non-existent account.  I've been looking for
a way to "reject_unverified_local_sender", by which I mean that the
sender address is verified iff it occurs in virtual_alias_domains (and
perhaps a few other lists).

One way to go could be to create a database of sender domains to
validate, enter my own domains in it, and use "external" access to my
own MTA and probing it.  But that leads to cyclic probing!  I suppose I
am really looking for something simpler -- namely an invocation of the
virtual(8) server for addresses on the said lists.

I don't see how I can do this with Postfix, and it's not even simple in
a policy due to the cyclic risk.  What are others doing in this respect?

Thanks,
 -Rick





Re: How can I "reject_unverified_LOCAL_sender"?

Philip Paeps
On 2017-10-20 19:51:07 (+0200), Rick van Rein wrote:
>I see a lot of spam entering that claims to have come from a local
>domain, usually guessing a non-existent account.  I've been looking for
>a way to "reject_unverified_local_sender", by which I mean that the
>sender address is verified iff it occurs in virtual_alias_domains (and
>perhaps a few other lists).

Wouldn't it be a lot easier simply to reject those with SPF?  If you're
seeing mail from one of your domains coming in from a host you know
couldn't have legitimately sent it, you can reject it outright.

If you don't want to use SPF, you could use a combination of a
check_client_access to whitelist your hosts followed by a
check_sender_access.

>One way to go could be to create a database of sender domains to
>validate, enter my own domains in it, and use "external" access to my
>own MTA and probing it.  But that leads to cyclic probing!  I suppose I
>am really looking for something simpler -- namely an invocation of the
>virtual(8) server for addresses on the said lists.

Why bother validating the address?

>I don't see how I can do this with Postfix, and it's not even simple in
>a policy due to the cyclic risk.  What are others doing in this
>respect?

I use SPF.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information

Re: How can I "reject_unverified_LOCAL_sender"?

Rick van Rein
Hi Philip,

> Wouldn't it be a lot easier simply to reject those with SPF?  If
> you're seeing mail from one of your domains coming in from a host you
> know couldn't have legitimately sent it, you can reject it outright.

That would block not just the spam, but also legitimate bypassing
through forwarders and email lists (if they don't do VERP).  I would
prefer not to go there for something that could be solved with local
information.
>
> If you don't want to use SPF, you could use a combination of a
> check_client_access to whitelist your hosts followed by a
> check_sender_access.
>
That's a neat work-around.  It hinges on not having any checks or
rejects after these ones, but for the sender_restrictions, that is
currently true.

>> One way to go could be to create a database of sender domains to
>> validate, enter my own domains in it, and use "external" access to my
>> own MTA and probing it.  But that leads to cyclic probing!  I suppose
>> I am really looking for something simpler -- namely an invocation of
>> the virtual(8) server for addresses on the said lists.
>
> Why bother validating the address?

Because that is the vital piece of information that sets the attempts by
spammers apart from proper behaviour.  Because that gives a good source
for detecting, with a high degree of certainty, that a party is sending spam.

>
>> I don't see how I can do this with Postfix, and it's not even simple
>> in a policy due to the cyclic risk.  What are others doing in this
>> respect?

Thanks for your input, Phil!

-Rick


Re: How can I "reject_unverified_LOCAL_sender"?

Wietse Venema
In reply to this post by Rick van Rein
Rick van Rein:

> Hello,
>
> I see a lot of spam entering that claims to have come from a local
> domain, usually guessing a non-existent account.  I've been looking for
> a way to "reject_unverified_local_sender", by which I mean that the
> sender address is verified iff it occurs in virtual_alias_domains (and
> perhaps a few other lists).
>
> One way to go could be to create a database of sender domains to
> validate, enter my own domains in it, and use "external" access to my
> own MTA and probing it.  But that leads to cyclic probing!  I suppose I
> am really looking for something simpler -- namely an invocation of the
> virtual(8) server for addresses on the said lists.
>
> I don't see how I can do this with Postfix, and it's not even simple in
> a policy due to the cyclic risk.  What are others doing in this respect?

/etc/postfix/main.cf
    smtpd_reject_unlisted_sender = yes

That will reject MAIL FROM commands with a non-existent local sender.

        Wietse

Re: How can I "reject_unverified_LOCAL_sender"?

Philip Paeps
In reply to this post by Rick van Rein
On 2017-10-20 21:28:29 (+0200), Rick van Rein wrote:
> On 2017-10-20 21:17:26 (+0200), Philip Paeps wrote:
>> On 2017-10-20 19:51:07 (+0200), Rick van Rein wrote:

>>Wouldn't it be a lot easier simply to reject those with SPF?  If
>>you're seeing mail from one of your domains coming in from a host you
>>know couldn't have legitimately sent it, you can reject it outright.
>
>That would block not just the spam, but also legitimate bypassing
>through forwarders and email lists (if they don't do VERP).  I would
>prefer not to go there for something that could be solved with local
>information.

It would break legitimate forwarders, but that's easy to whitelist
because (hopefully) you know your forwarders.  The salient part of my
configuration is:

    smtpd_sender_restrictions =
        permit_mynetworks
        reject_unknown_sender_domain
        check_client_access cidr:$config_directory/access_client.cidr
        check_client_access hash:$config_directory/access_forwarders
        check_recipient_access pcre:$config_directory/access_recipient.pcre
        check_spf

The `access_forwarders` table lists all legitimate forwarders.  There
are a couple of forwarders in `access_recipient` too: forwarders whose
IP addresses I can't (easily) control, I configure to forward to a
unique (and opaque and non-guessable) alias.

But SPF does rely on information that is not local (to Postfix).

>>If you don't want to use SPF, you could use a combination of a
>>check_client_access to whitelist your hosts followed by a
>>check_sender_access.
>
>That's a neat work-around.  It hinges on not having any checks or
>rejects after these ones, but for the sender_restrictions, that is
>currently true.

Since there's not all that much you can check in sender restrictions,
that shouldn't be a big problem.  You may be able to fiddle with (not)
deferring reject if that's a limitation for you.

If you don't want to rely on SPF, you should be able to modify my
configuration by adding a `check_sender_access` after the whitelists.

>>>One way to go could be to create a database of sender domains to
>>>validate, enter my own domains in it, and use "external" access to my
>>>own MTA and probing it.  But that leads to cyclic probing!  I suppose
>>>I am really looking for something simpler -- namely an invocation of
>>>the virtual(8) server for addresses on the said lists.
>>
>>Why bother validating the address?
>
>Because that is the vital piece of information that sets the attempts
>by spammers apart from proper behaviour.  Because that gives a good
>source for detecting, with a high degree of certainty, that a party is
>sending spam.

If you really have no control over your forwarders, this is true.

It may be worth the effort to take control over the forwarders though.  
SPF blocks a lot of crap.  As I wrote: the forwarders you know by IP
address can simply be a check_client_access.  Forwarders whose IP
addresses are variable can hopefully be taught to forward to a unique
address.

For bootstrapping new restrictions, I find `warn_if_reject` extremely
helpful.

Good luck.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information
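Added example (not from the thread, not Postfix code): a small Python model of how Philip's first-match restriction chain and Wietse's smtpd_reject_unlisted_sender combine for one MAIL FROM. The IPs, domains and table contents are constructed placeholders, and the model assumes the unlisted-sender check runs after the restriction list unless that list already rejected.

```python
"""Model of the Postfix MAIL FROM checks discussed in the thread (added example)."""
from ipaddress import ip_address, ip_network

# Constructed sample tables; IPs and domains are placeholders, not from the thread.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]
FORWARDERS = {ip_address("198.51.100.7")}                 # hash:access_forwarders (all OK)
LOCAL_DOMAINS = {"example.org"}                            # virtual_alias_domains
VALID_LOCAL = {"rick@example.org", "info@example.org"}     # keys of virtual_alias_maps
SENDER_ACCESS = {"example.org": "REJECT Forged local sender"}  # check_sender_access table


def sender_restrictions(client_ip, sender):
    """First match wins, as in smtpd_sender_restrictions; an OK ends the list early."""
    ip = ip_address(client_ip)
    domain = sender.lower().rpartition("@")[2]
    if any(ip in net for net in MYNETWORKS):                 # permit_mynetworks
        return "OK", "permit_mynetworks"
    if ip in FORWARDERS:                                     # check_client_access
        return "OK", "check_client_access"
    # check_sender_access: the full address is looked up before the bare domain.
    for key in (sender.lower(), domain):
        if key in SENDER_ACCESS:
            return SENDER_ACCESS[key].split()[0], "check_sender_access"
    return "DUNNO", None                                     # later restrictions decide


def smtpd_check_mail(client_ip, sender, reject_unlisted_sender=True):
    """Verdict for one MAIL FROM: restriction list, then smtpd_reject_unlisted_sender.

    Assumption of this model: the unlisted-sender check runs after the list unless
    the list already rejected, so it also catches permitted clients (forwarders,
    mynetworks) that present a non-existent address in one of our own domains.
    """
    verdict, rule = sender_restrictions(client_ip, sender)
    if verdict == "REJECT":
        return verdict, rule
    domain = sender.lower().rpartition("@")[2]
    if reject_unlisted_sender and domain in LOCAL_DOMAINS and sender.lower() not in VALID_LOCAL:
        return "REJECT", "reject_unlisted_sender"
    return verdict, rule


if __name__ == "__main__":
    for ip, sender in [("203.0.113.5", "ghost@example.org"),   # spammer guessing an account
                       ("198.51.100.7", "rick@example.org"),   # known forwarder, real user
                       ("198.51.100.7", "ghost@example.org"),  # forwarder, bogus local user
                       ("203.0.113.5", "user@example.net")]:   # foreign domain, keep checking
        print(ip, sender, "->", smtpd_check_mail(ip, sender))
```

The third case shows why the two answers complement each other: the forwarder whitelist stops the chain before check_sender_access, but a guessed local account is still rejected by the unlisted-sender check.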

Re: How can I "reject_unverified_LOCAL_sender"?

Rick van Rein
In reply to this post by Wietse Venema
Ah!

>> I don't see how I can do this with Postfix, and it's not even simple in
>> a policy due to the cyclic risk.  What are others doing in this respect?
>
> /etc/postfix/main.cf
>     smtpd_reject_unlisted_sender = yes

I mistook the documentation of this option to also work on external senders!

Thanks,
 -Rick