Re: Restrict 'sender' and 'from' to one domain on outbound smtp


Re: Restrict 'sender' and 'from' to one domain on outbound smtp

D G Teed-2
On Wed, May 7, 2008 at 4:41 PM, D G Teed <[hidden email]> wrote:
> I'm having a little trouble finding the option I need in postfix.
>
> I have a little smtp service for outbound which will only serve
> a web mail service.  I want to enforce that the from, reply-to
> and sender in the envelope are all from @mydomain.com
> and reject if from some other domain.
>
> What is the best path for this?  header_checks perhaps?
>
> --Donald


I've found part of a solution in an older reply from mouss on the list for
controlling the sender in MAIL FROM:

I was close before, but the extra feature I found useful was "reject_unlisted_sender"
combined with "check_sender_access".

Sometimes the granularity of the documentation doesn't make it obvious how to
make necessary recipes with the many options.  Maybe someone
wise could assemble a "Postfix Cookbook" of commonly
needed solutions with applicable solutions - it would cut down
on questions to the list.  O'Reilly could jump on this opportunity.

In main.cf I now have:

smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unlisted_sender,
    check_sender_access hash:/etc/postfix-internal/localdomain, reject

while in /etc/postfix-internal/localdomain:

mydomain.ca     OK

We use a
virtual_alias_maps = hash:/etc/postfix-internal/virtual

Which lists all of our accounts and email aliases, so this kicks in
with reject_unlisted_sender.

Again, this is purely outbound SMTP, and it is designed to combat
a webmail weakness, so it is very useful.  Hmmm, maybe now the
reject_unknown_sender_domain I had from before isn't needed, but
anyway, this works.

The other restriction which might be useful would be restricting
Reply-To and From domains in the headers.

There has been a rash of phishing emails at many Universities, resulting
in spammers abusing webmail interfaces through automated browser tools
to deliver spam.  I'd imagine I'm not alone in looking for these types
of sender/from/reply-to restriction controls for dedicated webmail
outbound SMTP.

The other main config we have to defeat the spam we deliver from
compromised webmail accounts is:

smtpd_recipient_limit = 10

Regards,

--Donald


Re: Restrict 'sender' and 'from' to one domain on outbound smtp

mouss-2
D G Teed wrote:

> On Wed, May 7, 2008 at 4:41 PM, D G Teed <[hidden email]> wrote:
>
>  
>> I'm having a little trouble finding the option I need in postfix.
>>
>> I have a little smtp service for outbound which will only serve
>> a web mail service.  I want to enforce that the from, reply-to
>> and sender in the envelope are all from @mydomain.com
>> and reject if from some other domain.
>>
>> What is the best path for this?  header_checks perhaps?
>>
>> --Donald
>>
>>    
>
>
> I've found part of a solution in an older reply from mouss on the list for
> controlling the sender in MAIL FROM:
>
> I was close before, but the extra feature I found useful was "reject_unlisted_sender"
> combined with "check_sender_access".
>
> Sometimes the granularity of the documentation doesn't make it obvious how to
> make necessary recipes with the many options.  Maybe someone
> wise could assemble a "Postfix Cookbook" of commonly
> needed solutions with applicable solutions - it would cut down
> on questions to the list.  O'Reilly could jump on this opportunity.
>
> In main.cf I now have:
>
> smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unlisted_sender,
>     check_sender_access hash:/etc/postfix-internal/localdomain, reject
>
> while in /etc/postfix-internal/localdomain:
>
> mydomain.ca     OK
>
> We use a
> virtual_alias_maps = hash:/etc/postfix-internal/virtual
>
> Which lists all of our accounts and email aliases, so this kicks in
> with reject_unlisted_sender.
>
> Again, this is purely outbound SMTP, and it is designed to combat
> a webmail weakness, so it is very useful.  Hmmm, maybe now the
> reject_unknown_sender_domain I had from before isn't needed, but
> anyway, this works.
>
> The other restriction which might be useful would be restricting
> Reply-To and From domains in the headers.
>  

you can use header_checks. something along these lines (pcre):

if /^(From|Reply\-to):/
/@(example\.com|example\.org)/      DUNNO
/./                              HOLD
endif

This is a "loose" check because RFC[2]822 syntax is far from trivial.

Instead of HOLD, you can use FILTER to pass such mail to a dedicated
smtpd or whatever. do not REJECT because at some point, this will cause
a bounce, which is undesirable in your case.



> There has been a rash of phishing emails at many Universities, resulting
> in spammers abusing webmail interfaces through automated browser tools
> to deliver spam.  I'd imagine I'm not alone in looking for these types
> of sender/from/reply-to restriction controls for dedicated webmail
> outbound SMTP.
>  

such restrictions may help, but they are not enough. attackers can use
"valid" sender/from/... etc.

> The other main config we have to defeat the spam we deliver from
> compromised webmail accounts is:
>
> smtpd_recipient_limit = 10
>  



You can use (Cami's) policyd. it has a throttling feature.
You can also parse the logs to detect broken/owned/abused accounts and
either restrict them to the minimum (they can email the admin!) or
throttle them even more.

of course, do use a content filter... (and here, throttling will help
keeping the filter load to acceptable levels).
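
An added example, not part of mouss's post: one way to do the log parsing suggested above, totalling recipients per sender per hour from Postfix qmgr lines. The sample log lines are constructed, and the function names and the threshold of 30 recipients per hour are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Postfix qmgr log entries.
SAMPLE_LOG = """\
May 17 09:00:01 mx postfix/qmgr[2101]: A11CE00001: from=<alice@mydomain.ca>, size=2140, nrcpt=1 (queue active)
May 17 09:02:10 mx postfix/qmgr[2101]: B0B0000001: from=<bob@mydomain.ca>, size=3310, nrcpt=10 (queue active)
May 17 09:02:11 mx postfix/qmgr[2101]: B0B0000002: from=<bob@mydomain.ca>, size=3310, nrcpt=10 (queue active)
May 17 09:02:12 mx postfix/qmgr[2101]: B0B0000003: from=<bob@mydomain.ca>, size=3310, nrcpt=10 (queue active)
May 17 09:02:13 mx postfix/qmgr[2101]: B0B0000004: from=<bob@mydomain.ca>, size=3310, nrcpt=10 (queue active)
May 17 09:10:00 mx postfix/qmgr[2101]: CA70000001: from=<carol@mydomain.ca>, size=900, nrcpt=10 (queue active)
May 17 09:15:00 mx postfix/qmgr[2101]: CA70000002: from=<carol@mydomain.ca>, size=900, nrcpt=10 (queue active)
May 17 09:40:00 mx postfix/qmgr[2101]: CA70000001: from=<carol@mydomain.ca>, size=900, nrcpt=10 (queue active)
May 17 09:55:00 mx postfix/qmgr[2101]: CA70000001: from=<carol@mydomain.ca>, size=900, nrcpt=10 (queue active)
"""

QMGR_RE = re.compile(
    r"^(?P<hour>\w{3}\s+\d+ \d\d):\d\d:\d\d \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, "
    r"nrcpt=(?P<nrcpt>\d+)"
)

def recipients_per_hour(log_text):
    """Return {(sender, hour): total recipients}, counting each queue id once."""
    seen = set()
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = QMGR_RE.match(line)
        if not m or m["qid"] in seen:
            continue  # not a qmgr from= line, or a deferred message retried
        seen.add(m["qid"])
        totals[(m["sender"].lower(), m["hour"])] += int(m["nrcpt"])
    return dict(totals)

def flag_senders(log_text, max_rcpt_per_hour=30):
    """Senders whose hourly recipient total exceeds the assumed threshold."""
    return sorted({sender
                   for (sender, _hour), n in recipients_per_hour(log_text).items()
                   if n > max_rcpt_per_hour})

if __name__ == "__main__":
    for sender in flag_senders(SAMPLE_LOG):
        print("throttle or review:", sender)
```

Counting each queue id once matters because qmgr logs the same message again every time a deferred message becomes active, which would otherwise inflate a sender's total.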





Re: Restrict 'sender' and 'from' to one domain on outbound smtp

D G Teed-2

On Sat, May 17, 2008 at 9:21 AM, mouss <[hidden email]> wrote:
> D G Teed wrote:
>> On Wed, May 7, 2008 at 4:41 PM, D G Teed <[hidden email]> wrote:
>>> I'm having a little trouble finding the option I need in postfix.
>>>
>>> I have a little smtp service for outbound which will only serve
>>> a web mail service.  I want to enforce that the from, reply-to
>>> and sender in the envelope are all from @mydomain.com
>>> and reject if from some other domain.
>>>
>>> What is the best path for this?  header_checks perhaps?
>>>
>>> --Donald
>>
>> I've found part of a solution in an older reply from mouss on the list for
>> controlling the sender in MAIL FROM:
>>
>> I was close before, but the extra feature I found useful was "reject_unlisted_sender"
>> combined with "check_sender_access".
>>
>> Sometimes the granularity of the documentation doesn't make it obvious how to
>> make necessary recipes with the many options.  Maybe someone
>> wise could assemble a "Postfix Cookbook" of commonly
>> needed solutions with applicable solutions - it would cut down
>> on questions to the list.  O'Reilly could jump on this opportunity.
>>
>> In main.cf I now have:
>>
>> smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unlisted_sender,
>>     check_sender_access hash:/etc/postfix-internal/localdomain, reject
>>
>> while in /etc/postfix-internal/localdomain:
>>
>> mydomain.ca     OK
>>
>> We use a
>> virtual_alias_maps = hash:/etc/postfix-internal/virtual
>>
>> Which lists all of our accounts and email aliases, so this kicks in
>> with reject_unlisted_sender.
>>
>> Again, this is purely outbound SMTP, and it is designed to combat
>> a webmail weakness, so it is very useful.  Hmmm, maybe now the
>> reject_unknown_sender_domain I had from before isn't needed, but
>> anyway, this works.
>>
>> The other restriction which might be useful would be restricting
>> Reply-To and From domains in the headers.
>
> you can use header_checks. something along these lines (pcre):
>
> if /^(From|Reply\-to):/
> /@(example\.com|example\.org)/      DUNNO
> /./                              HOLD
> endif
>
> This is a "loose" check because RFC[2]822 syntax is far from trivial.
>
> Instead of HOLD, you can use FILTER to pass such mail to a dedicated smtpd or whatever. do not REJECT because at some point, this will cause a bounce, which is undesirable in your case.

Thanks for the formula above.

In Horde webmail, when I tested what happened when recipients exceeded 10,
there was an immediate error in the web interface.

I just tested from my pine to send from an unauthorized
domain (check_sender_access kicking in) and the reject then
was an access denied message within the client, not
a bounce email.  But I read header_checks happens
too late in the sequence (after the email is accepted), so then
reject would trigger a bounce and it should be avoided as you say.

Regards,

--Donald


Re: Restrict 'sender' and 'from' to one domain on outbound smtp

mouss-2
D G Teed wrote:

> On Sat, May 17, 2008 at 9:21 AM, mouss <[hidden email]> wrote:
>
>  
>> [snip]
>
> Thanks for the formula above.
>
> In Horde webmail, when I tested what happened when recipients exceeded 10,
> there was an immediate error in the web interface.
>
> I just tested from my pine to send from an unauthorized
> domain (check_sender_access kicking in) and the reject then
> was an access denied message within the client, not
> a bounce email.  But I read header_checks happens
> too late in the sequence (after the email is accepted), so then
> reject would trigger a bounce and it should be avoided as you say.
>  

header_checks are performed during the smtp transaction, so should be ok
if the webmail connects directly to the postfix server that performs the
checks. (I had the impression that it was using another server, which is
why I warned against reject).

but reject may be too risky if it catches "good" mail. so start using
WARN (or HOLD...) and see if it's ok to use REJECT.
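
An added example, not from either poster: a dry run of the header_checks table posted earlier in the thread over constructed sample headers, next to a stricter check that parses the addresses, to see what a WARN/HOLD trial period would and would not catch. The function names and the other.test domain are hypothetical.

```python
import re
from email.utils import getaddresses

ALLOWED = {"example.com", "example.org"}  # domains from the posted table

# The posted table, re-expressed; Postfix pcre tables ignore case by default.
GUARD = re.compile(r"^(From|Reply\-to):", re.I)
RULES = [(re.compile(r"@(example\.com|example\.org)", re.I), "DUNNO"),
         (re.compile(r"."), "HOLD")]

def table_action(header_line):
    """Action the posted if/endif block would return for one header line."""
    if not GUARD.search(header_line):
        return None  # outside the if block: no rule applies
    for pattern, action in RULES:
        if pattern.search(header_line):
            return action
    return None

def strict_ok(header_line):
    """Stricter check (added here): every parsed address must be in ALLOWED."""
    _name, _, value = header_line.partition(":")
    addrs = [addr for _display, addr in getaddresses([value]) if addr]
    return bool(addrs) and all(
        addr.rpartition("@")[2].lower() in ALLOWED for addr in addrs)

def dry_run(headers):
    """Return (header, table action, strict verdict) for From/Reply-To lines."""
    return [(h, table_action(h), strict_ok(h))
            for h in headers if GUARD.search(h)]

# Constructed sample headers (other.test is a placeholder foreign domain).
SAMPLE = [
    "From: Alice <alice@example.com>",
    "Reply-To: bob@other.test",
    'From: "alice@example.com" <bob@other.test>',
    "From: bob@example.com.other.test",
    "Subject: hello @example.com",
]

if __name__ == "__main__":
    for header, action, ok in dry_run(SAMPLE):
        print(f"{action:6} strict_ok={ok!s:5} {header}")
```

The third and fourth sample headers get DUNNO from the table but fail the parsed check, which is the kind of gap the "loose check" remark points at; anchoring the domain pattern or parsing addresses in a content filter closes it.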