
Sender verification for all domain *excepted* some domains

Xavier Beaudouin
Hello,

Seems that some French ISPs don't like sender verification because their
anti-spam system is treating that as dictionary attacks...

In main.cf I have:

smtpd_recipient_restrictions =
         permit_mynetworks,
         reject_unauth_destination,
         reject_multi_recipient_bounce,
         reject_unverified_sender,
         hash:/usr/local/etc/postfix/access,
         check_relay_domains


I'd like to change it like this:

smtpd_recipient_restrictions =
         permit_mynetworks,
         reject_unauth_destination,
         reject_multi_recipient_bounce,
         hash:/usr/local/etc/postfix/vrfy,
         hash:/usr/local/etc/postfix/access,
         check_relay_domains


And in /usr/local/etc/postfix/vrfy (domain1.com and domain2.com are
domains for which I don't want to do sender verification):

domain1.com DUNNO
domain2.com DUNNO
. reject_unverified_sender


Is this possible? Or is there a better way to do that?

Thanks
/Xavier

--
Xavier Beaudouin - http://oav.net/

Re: Sender verification for all domain *excepted* some domains

Charles Marcus
On 4/28/2008, Xavier Beaudouin ([hidden email]) wrote:
> Seems that some French ISPs don't like sender verification because
> their anti-spam system is treating that as dictionary attacks...

Do NOT perform SAV on domains that you don't have an agreement in place
ahead of time to do so.

Blanket SAV WILL get you blacklisted...

--

Best regards,

Charles

Re: Sender verification for all domain *excepted* some domains

Xavier Beaudouin
Hello,

On 28 Apr 08 at 17:43, Charles Marcus wrote:
> On 4/28/2008, Xavier Beaudouin ([hidden email]) wrote:
>> Seems that some French ISPs don't like sender verification because
>> their anti-spam system is treating that as dictionary attacks...
>
> Do NOT perform SAV on domains that you don't have an agreement in  
> place ahead of time to do so.
>
> Blanket SAV WILL get you blacklisted...

This is quite new. Now we have to have agreement with all the world?
Mail is an open system.

But this doesn't reply to my question IMHO.

/Xavier

Re: Sender verification for all domain *excepted* some domains

Wietse Venema
In reply to this post by Charles Marcus
Charles Marcus:
> On 4/28/2008, Xavier Beaudouin ([hidden email]) wrote:
> > Seems that some French ISPs don't like sender verification because
> > their anti-spam system is treating that as dictionary attacks...

It definitely looks like dictionary attacks from their end.

> Do NOT perform SAV on domains that you don't have an agreement in place
> ahead of time to do so.

This depends on whose systems you subject to address verification
probes, and how often you do this. I don't recall being blacklisted
but my domain is very small.

If some site objects, you could try this:

/etc/postfix/main.cf:
    smtpd_mumble_restrictions =  
        ... check_sender_access pcre:/etc/postfix/sender.pcre ...

/etc/postfix/sender.pcre:
    /@example\.com$/    dunno
    /./                 reject_unverified_sender

But obviously, this does not scale very well.

        Wietse

Re: Sender verification for all domain *excepted* some domains

mouss-2
In reply to this post by Xavier Beaudouin
Xavier Beaudouin wrote:

> Hello,
>
> On 28 Apr 08 at 17:43, Charles Marcus wrote:
>> On 4/28/2008, Xavier Beaudouin ([hidden email]) wrote:
>>> Seems that some French ISPs don't like sender verification because
>>> their anti-spam system is treating that as dictionary attacks...
>>
>> Do NOT perform SAV on domains that you don't have an agreement in
>> place ahead of time to do so.
>>
>> Blanket SAV WILL get you blacklisted...
>
> This is quite new. Now we have to have agreement with all the world?
> Mail is an open system.


new is an ambiguous term. SAV has been decried for some time now. if
you connect to a server to do SAV, you do a transaction without mail,
which looks like a dictionary attack, and it can even be a real
dictionary attack (done by a spammer using your server as a "proxy").

if you want to do SAV, you need great care:
- you must eliminate as much spam as possible before doing the SAV.
- you must ensure that you won't generate too much SAV calls (both per
target domain and globally). either throttling or a "reactive" log
parser that disables SAV (and/or updates the ACL that triggers SAV).


an alternative is to do SAV for specific domains.

>
> But this doesn't reply to my question IMHO.

here are 5 ways to do what you want.

1) the simplest way is to put your SAV check at the end, so that you can
whitelist some domains:

smtpd_recipient_restrictions =
    ...
    reject_unauth_destination
    #eliminate as much spam as possible
    reject_....
    reject_...
    check_sender_access hash:/etc/postfix/sender_no_sav
    reject_unverified_sender

== sender_no_sav
netoyen.net      OK
...


2) you can use pcre, mysql, ... when you can specify "exceptions".

3) if this is not desirable, you can use restriction classes:

smtpd_recipient_restrictions =
    ...
    reject_unauth_destination
    #eliminate as much spam as possible
    reject_....
    reject_...
    check_sender_access hash:/etc/postfix/sender_no_sav
    reject_unverified_sender
    check_recipient_access static:other_restrictions


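# a restriction class must be declared before it can be used
smtpd_restriction_classes = other_restrictions
other_restrictions =
    #put your "last" restrictions here
    check_sender_access hash:/etc/postfix/access
    ...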


== sender_no_sav:
netoyen.net      other_restrictions

4) you can use a policy service.

5) A convoluted method is to run an smtpd that accepts any address and use
    http://www.postfix.org/postconf.5.html#address_verify_transport_maps
to direct verification to this "dummy" smtpd for the domains you want to
exclude from SAV.
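
A sketch of option 4 combined with the throttling advice above, as an added example that is not code from any poster in this thread: a policy service that answers `dunno` for exempt sender domains and for domains whose verification budget is spent, and `reject_unverified_sender` otherwise. The exempt domains are the placeholders from the original question; the budget, the window and the stdin/stdout wiring (spawn(8) plus `check_policy_service`) are assumptions.

```python
"""Postfix policy service sketch: skip SAV for exempt domains, throttle the rest."""
import sys
import time
from collections import defaultdict, deque

EXEMPT = {"domain1.com", "domain2.com"}  # placeholder domains from the thread
MAX_PER_DOMAIN = 5                       # assumed budget: SAV decisions per window
WINDOW = 3600                            # assumed window length, in seconds
_recent = defaultdict(deque)             # sender domain -> times SAV was requested

def parse_request(block):
    """Turn one policy request (name=value lines) into a dict."""
    return dict(line.split("=", 1) for line in block.splitlines() if "=" in line)

def decide(attrs, now=None):
    """Return the access(5) action for one policy request."""
    now = time.time() if now is None else now
    sender = attrs.get("sender", "")
    if "@" not in sender:                # null sender (bounce): nothing to verify
        return "dunno"
    domain = sender.rsplit("@", 1)[1].lower().rstrip(".")
    # Exempt the listed domains and their subdomains.
    if any(domain == d or domain.endswith("." + d) for d in EXEMPT):
        return "dunno"
    stamps = _recent[domain]
    while stamps and now - stamps[0] > WINDOW:
        stamps.popleft()                 # forget requests older than the window
    if len(stamps) >= MAX_PER_DOMAIN:    # budget spent: stop probing this domain
        return "dunno"
    stamps.append(now)
    return "reject_unverified_sender"

def main():
    """Serve requests on stdin/stdout; each request ends with an empty line."""
    block = []
    for line in sys.stdin:
        line = line.rstrip("\n")
        if line:
            block.append(line)
            continue
        sys.stdout.write("action=%s\n\n" % decide(parse_request("\n".join(block))))
        sys.stdout.flush()
        block = []

if __name__ == "__main__":
    main()
```

The counter is an upper bound on real probes, since Postfix caches verification results and does not probe on every `reject_unverified_sender` decision.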


