block backscatter with 'smtpd_sasl_authenticated_header'?

block backscatter with 'smtpd_sasl_authenticated_header'?

Zhang Huangbin
Hi, all.

I found 'smtpd_sasl_authenticated_header' option in postconf.5.html.
Is it possible to block backscatter with it?

With 'smtpd_sasl_authenticated_header' enabled in Postfix (2.3.14), it
will write mail header like this:

----8<----
Received: from host1.b.cn (unknown [192.168.122.1])
    (Authenticated sender: [hidden email])                # <- This line.
    by rh52.bibby.org (Postfix) with ESMTP id 85556804A1
    for <[hidden email]>; Tue, 10 Jun 2008 16:13:49 +0000 (UTC)
----8<----

How can I block backscatter with it? Is this ok:
----8<----
/^Return-Path: \<(.*@a\.cn)\>$/ && !/.*\(Authenticated sender: $1\)$/ REJECT
----8<----


--
Best Regards.

Zhang Huangbin

- Mail Server Solution for Red Hat(R) Enterprise Linux & CentOS 5.x:
  http://rhms.googlecode.com/



Re: block backscatter with 'smtpd_sasl_authenticated_header'?

Noel Jones-2
Zhang Huangbin wrote:

> Hi, all.
>
> I found 'smtpd_sasl_authenticated_header' option in postconf.5.html.
> Is it possible to block backscatter with it?
>
> With 'smtpd_sasl_authenticated_header' enabled in Postfix(2.3.14), it
> will write mail header like this:
>
> ----8<----
> Received: from host1.b.cn (unknown [192.168.122.1])
>    (Authenticated sender: [hidden email])                # <- This line.
>    by rh52.bibby.org (Postfix) with ESMTP id 85556804A1
>    for <[hidden email]>; Tue, 10 Jun 2008 16:13:49 +0000 (UTC)
> ----8<----

Right.

>
> How can I block backscatter with it? Is this ok:
> ----8<----
> /^Return-Path: \<(.*@a\.cn)\>$/ && !/.*\(Authenticated sender: $1\)$/
> REJECT
> ----8<----
>
>

No, you can't compare multiple headers in a header_check rule.

Suggestions on blocking backscatter with postfix are listed in
http://www.postfix.org/BACKSCATTER_README.html

If you use SpamAssassin, there are things that can be done
there also.

--
Noel Jones

Re: block backscatter with 'smtpd_sasl_authenticated_header'?

Zhang Huangbin
Thanks Noel.

Noel Jones wrote:

>> How can I block backscatter with it? Is this ok:
>> ----8<----
>> /^Return-Path: \<(.*@a\.cn)\>$/ && !/.*\(Authenticated sender: $1\)$/
>> REJECT
>> ----8<----
>>
>>
>
>
> No, you can't compare multiple headers in a header_check rule.
>
> Suggestions on blocking backscatter with postfix are listed in
> http://www.postfix.org/BACKSCATTER_README.html
>
> If you use SpamAssassin, there are things that can be done there also.
I rewrote my rules:

----8<----
if /^Received:/
if /^(From|Return-Path):.*\b<(.*@.*)>\b/
# ----
# Enable this rule if you always have DKIM support.
!/^DKIM-Signature:.*/ REJECT no dkim signature
# ----
# Enable this rule if you have this parameter enabled in Postfix:
#   smtpd_sasl_authenticated_header = yes
!/.*\(Authenticated sender: $1\)/ REJECT no sasl auth
# ----
endif
endif
----8<----

Thanks again. :)

--
Best Regards.

Zhang Huangbin

- Mail Server Solution for Red Hat(R) Enterprise Linux & CentOS 5.x:
  http://rhms.googlecode.com/


Re: block backscatter with 'smtpd_sasl_authenticated_header'?

Wietse Venema
Zhang Huangbin:
> I rewrote my rules:
>
> ----8<----
> if /^Received:/
> if /^(From|Return-Path):.*\b<(.*@.*)>\b/

As documented in header_checks(5), this does not work. See all
upper case text below.

        Wietse

       if /pattern/flags

       endif  Match  the  input  string  against  the  patterns between if and
              endif, IF AND ONLY IF THE SAME INPUT STRING also  matches  /pat-
              tern/. The if..endif can nest.


Re: block backscatter with 'smtpd_sasl_authenticated_header'?

Noel Jones-2
In reply to this post by Zhang Huangbin
Zhang Huangbin wrote:

> Thanks Noel.
>
> Noel Jones wrote:
>>> How can I block backscatter with it? Is this ok:
>>> ----8<----
>>> /^Return-Path: \<(.*@a\.cn)\>$/ && !/.*\(Authenticated sender: $1\)$/
>>> REJECT
>>> ----8<----
>>>
>>>
>>
>>
>> No, you can't compare multiple headers in a header_check rule.
>>
>> Suggestions on blocking backscatter with postfix are listed in
>> http://www.postfix.org/BACKSCATTER_README.html
>>
>> If you use SpamAssassin, there are things that can be done there also.
> I rewrote my rules:
>
> ----8<----
> if /^Received:/
> if /^(From|Return-Path):.*\b<(.*@.*)>\b/
> # ----
> # Enable this rule if you always have DKIM support.
> !/^DKIM-Signature:.*/ REJECT no dkim signature
> # ----
> # Enable this rule if you have this parameter enabled in Postfix:
> #   smtpd_sasl_authenticated_header = yes
> !/.*\(Authenticated sender: $1\)/ REJECT no sasl auth
> # ----
> endif
> endif
> ----8<----
>
> Thanks again. :)
>

No, this won't work.  The header_checks feature processes one
header at a time; you can't compare multiple headers, nor can
you check for the absence of a required header.
Please see http://www.postfix.org/header_checks.5.html

As I already mentioned, see the BACKSCATTER_README for
suggestions on how to block backscatter within postfix.

--
Noel Jones

Re: block backscatter with 'smtpd_sasl_authenticated_header'?

Zhang Huangbin
In reply to this post by Wietse Venema
Wietse Venema wrote:

> Zhang Huangbin:
>  
>> I rewrote my rules:
>>
>> ----8<----
>> if /^Received:/
>> if /^(From|Return-Path):.*\b<(.*@.*)>\b/
>>    
>
> As documented in header_checks(5), this does not work. See all
> upper case text below.
>
> Wietse
>
>        if /pattern/flags
>
>        endif  Match  the  input  string  against  the  patterns between if and
>               endif, IF AND ONLY IF THE SAME INPUT STRING also  matches  /pat-
>               tern/. The if..endif can nest.
>  
Is the rule below correct? I'm a little confused now. :(

----8<--------

if /^Received:/
if /^(?!From|Return-Path):.*\b<(.*@.*)>\b/

--
Best Regards.

Zhang Huangbin

- Mail Server Solution for Red Hat(R) Enterprise Linux & CentOS 5.x:
  http://rhms.googlecode.com/


Re: block backscatter with 'smtpd_sasl_authenticated_header'?

Zhang Huangbin
In reply to this post by Noel Jones-2
Noel Jones wrote:

> Zhang Huangbin wrote:
>> Thanks Noel.
>>
>> Noel Jones wrote:
>>>> How can I block backscatter with it? Is this ok:
>>>> ----8<----
>>>> /^Return-Path: \<(.*@a\.cn)\>$/ && !/.*\(Authenticated sender:
>>>> $1\)$/ REJECT
>>>> ----8<----
>>>>
>>>>
>>>
>>>
>>> No, you can't compare multiple headers in a header_check rule.
>>>
>>> Suggestions on blocking backscatter with postfix are listed in
>>> http://www.postfix.org/BACKSCATTER_README.html
>>>
>>> If you use SpamAssassin, there are things that can be done there also.
>> I rewrote my rules:
>>
>> ----8<----
>> if /^Received:/
>> if /^(From|Return-Path):.*\b<(.*@.*)>\b/
>> # ----
>> # Enable this rule if you always have DKIM support.
>> !/^DKIM-Signature:.*/ REJECT no dkim signature
>> # ----
>> # Enable this rule if you have this parameter enabled in Postfix:
>> #   smtpd_sasl_authenticated_header = yes
>> !/.*\(Authenticated sender: $1\)/ REJECT no sasl auth
>> # ----
>> endif
>> endif
>> ----8<----
>>
>> Thanks again. :)
>>
>
> No, this won't work.  The header_checks feature processes one header
> at a time; you can't compare multiple headers, nor can you check for
> the absence of a required header.
> Please see http://www.postfix.org/header_checks.5.html
>
> As I already mentioned, see the BACKSCATTER_README for suggestions on
> how to block backscatter within postfix.
>
Thanks Noel. :)

Example in BACKSCATTER_README.html:

----8<--------
/etc/postfix/header_checks:

    if /^Received:/
    /^Received: +from +(porcupine\.org) +/
        reject forged client name in Received: header: $1
    /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
        reject forged client name in Received: header: $2
    /^Received:.* +by +(porcupine\.org)\b/
        reject forged mail server name in Received: header: $1
    endif
----8<--------


So I can modify it to fit my need:

----8<----------
if /^Received:/
/^Received: +from +(bibby\.org) +/       # <- myhostname='rh52.bibby.org'
    reject forged client name in Received: header: $1
endif
----------------

If I split my rewritten rules, does it work? Such as:
----8<----------
if /^Received:/
!/^DKIM-Signature:.*/ REJECT no dkim signature
endif

if /^Received:/
!/.*\(Authenticated sender:.*\)/ REJECT no sasl auth
endif
----8<--------

And does the rule below work? header_checks(5) says
'The if..endif can nest.'
----8<--------
if /^Received:/                             # Line 1
if /^(From|Return-Path):.*\b<(.*@.*)>\b/    # Line 2
!/.*\(Authenticated sender:.*\)/ REJECT no sasl auth
endif
endif
----8<--------
And Wietse said Line 1 and Line 2 won't work. :(  

--
Best Regards.

Zhang Huangbin

- Mail Server Solution for Red Hat(R) Enterprise Linux & CentOS 5.x:
  http://rhms.googlecode.com/


Re: block backscatter with 'smtpd_sasl_authenticated_header'?

mouss-2
Zhang Huangbin wrote:

> [snip]
> Example in BACKSCATTER_README.html:
>
> ----8<--------
> /etc/postfix/header_checks:
>
>    if /^Received:/
>    /^Received: +from +(porcupine\.org) +/
>        reject forged client name in Received: header: $1
>    /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo
> +)(porcupine\.org)\)/
>        reject forged client name in Received: header: $2
>    /^Received:.* +by +(porcupine\.org)\b/
>        reject forged mail server name in Received: header: $1
>    endif
> ----8<--------
>
>
> So I can modify it to fit my need:
>
> ----8<----------
> if /^Received:/
> /^Received: +from +(bibby\.org) +/       # <- myhostname='rh52.bibby.org'
>    reject forged client name in Received: header: $1
> endif
> ----------------

This works because it's the same header (Received)

>
> If I split my rewritten rules, does it work? Such as:
> ----8<----------
> if /^Received:/
> !/^DKIM-Signature:.*/ REJECT no dkim signature
> endif

This does not work because you are trying to check two different headers.

>
> if /^Received:/
> !/.*\(Authenticated sender:.*\)/ REJECT no sasl auth
> endif
> ----8<--------
>
> And does the rule below work? header_checks(5) says
> 'The if..endif can nest.'
> ----8<--------
> if /^Received:/                             # Line 1
> if /^(From|Return-Path):.*\b<(.*@.*)>\b/    # Line 2
> !/.*\(Authenticated sender:.*\)/ REJECT no sasl auth
> endif
> endif
> ----8<--------
> And Wietse said Line 1 and Line 2 won't work. :(

You must understand that the construct:

    if /condition/
    /^foo: ../      action
    endif

applies to a single header. In short, this is the same as
if the header matches /condition/ and the _SAME_ header matches /^foo:
.../ then do action.

obviously, ONE SINGLE header cannot match both
        /^Received:/  
and
       /^(From|Return-Path):/
... etc.

let's say it again: you cannot use header_checks to examine the contents
of MULTIPLE headers.
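
The single-header semantics explained above, as an added example that is not part of the original post and not Postfix code: a simplified Python model of the documented `if`/`endif` and `!/pattern/` lookup, run over two of the rule sets from this thread. The headers and the address user@a.cn are constructed; `$1` substitution and regexp flags are not modelled.

```python
import re

# One rule per line: optional "if", optional "!", /pattern/, then the action text.
RULE = re.compile(r"^(if\s+)?(!?)/(.+?)/(?=\s|$)\s*(.*)$")

def first_action(table, header):
    """Action of the first rule that fires for ONE header, or None."""
    skipping = 0  # depth of if-blocks being skipped because their condition failed
    for line in map(str.strip, table.strip().splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "endif":
            skipping = max(0, skipping - 1)
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unparsed rule: {line}")
        is_if, negate, pattern, action = m.groups()
        if skipping:
            skipping += 1 if is_if else 0
            continue
        # Matching is case-insensitive, the default for regexp/pcre tables.
        hit = bool(re.search(pattern, header, re.I)) != bool(negate)
        if is_if:
            skipping = 0 if hit else 1
        elif hit:
            return action
    return None

def check_message(table, headers):
    """Look each header up separately; no state is shared between headers."""
    return [(h.split(":")[0], a) for h in headers if (a := first_action(table, h))]

NESTED = r"""
if /^Received:/
if /^(From|Return-Path):.*\b<(.*@.*)>\b/
!/.*\(Authenticated sender:.*\)/ REJECT no sasl auth
endif
endif
"""
SPLIT_DKIM = r"""
if /^Received:/
!/^DKIM-Signature:.*/ REJECT no dkim signature
endif
"""
# Constructed messages: one unauthenticated and unsigned, one authenticated and signed.
UNAUTH = ["Return-Path: <user@a.cn>",
          "Received: from host1.b.cn (unknown [192.168.122.1]) by rh52.bibby.org (Postfix)"]
SIGNED = UNAUTH[:1] + [
    "Received: from host1.b.cn (unknown [192.168.122.1]) (Authenticated sender: user@a.cn)"
    " by rh52.bibby.org (Postfix)",
    "DKIM-Signature: v=1; a=rsa-sha256; d=a.cn"]

if __name__ == "__main__":
    print(check_message(NESTED, UNAUTH))      # [] : no single header passes both ifs
    print(check_message(SPLIT_DKIM, SIGNED))  # fires on Received although a signature exists
```

In this model the nested rule never fires, so it blocks nothing, while the split DKIM rule fires on the Received header of a signed message because the negated pattern is only ever tested against that one header.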



Re: block backscatter with 'smtpd_sasl_authenticated_header'?

Wietse Venema
In reply to this post by Zhang Huangbin
Zhang Huangbin:

> Wietse Venema wrote:
> > Zhang Huangbin:
> >  
> >> I rewrote my rules:
> >>
> >> ----8<----
> >> if /^Received:/
> >> if /^(From|Return-Path):.*\b<(.*@.*)>\b/
> >>    
> >
> > As documented in header_checks(5), this does not work. See all
> > upper case text below.
> >
> > Wietse
> >
> >        if /pattern/flags
> >
> >        endif  Match  the  input  string  against  the  patterns between if and
> >               endif, IF AND ONLY IF THE SAME INPUT STRING also  matches  /pat-
> >               tern/. The if..endif can nest.
> >  
> Is the rule below correct? I'm a little confused now. :(
>
> ----8<--------
>
> if /^Received:/
> if /^(?!From|Return-Path):.*\b<(.*@.*)>\b/

See my comment above.

        Wietse

Re: block backscatter with 'smtpd_sasl_authenticated_header'?

Zhang Huangbin
In reply to this post by mouss-2
mouss wrote:

> Zhang Huangbin wrote:
>> [snip]
>> Example in BACKSCATTER_README.html:
>>
>> ----8<--------
>> /etc/postfix/header_checks:
>>
>>    if /^Received:/
>>    /^Received: +from +(porcupine\.org) +/
>>        reject forged client name in Received: header: $1
>>    /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo
>> +)(porcupine\.org)\)/
>>        reject forged client name in Received: header: $2
>>    /^Received:.* +by +(porcupine\.org)\b/
>>        reject forged mail server name in Received: header: $1
>>    endif
>> ----8<--------
>>
>>
>> So I can modify it to fit my need:
>>
>> ----8<----------
>> if /^Received:/
>> /^Received: +from +(bibby\.org) +/       # <-
>> myhostname='rh52.bibby.org'
>>    reject forged client name in Received: header: $1
>> endif
>> ----------------
>
> This works because it's the same header (Received)
>
>>
>> If I split my rewritten rules, does it work? Such as:
>> ----8<----------
>> if /^Received:/
>> !/^DKIM-Signature:.*/ REJECT no dkim signature
>> endif
>
> This does not work because you are trying to check two different headers.
>>
>> if /^Received:/
>> !/.*\(Authenticated sender:.*\)/ REJECT no sasl auth
>> endif
>> ----8<--------
>>
>> And does the rule below work? header_checks(5) says
>> 'The if..endif can nest.'
>> ----8<--------
>> if /^Received:/                             # Line 1
>> if /^(From|Return-Path):.*\b<(.*@.*)>\b/    # Line 2
>> !/.*\(Authenticated sender:.*\)/ REJECT no sasl auth
>> endif
>> endif
>> ----8<--------
>> And Wietse said Line 1 and Line 2 won't work. :(
>
> You must understand that the construct:
>
>    if /condition/
>    /^foo: ../      action
>    endif
>
> applies to a single header. In short, this is the same as
> if the header matches /condition/ and the _SAME_ header matches /^foo:
> .../ then do action.
>
> obviously, ONE SINGLE header cannot match both
>        /^Received:/  and
>       /^(From|Return-Path):/
> ... etc.
>
> let's say it again: you cannot use header_checks to examine the
> contents of MULTIPLE headers.
>
>
>
Hi, Mouss.

Thanks very much. I understand now. :)
And thanks Wietse & Noel too.

BTW, I suggest modifying the line below in the header_checks(5) man page:
----8<-----------

              endif, if and only if the INPUT STRING also matches pattern

----8<-----------

It's more readable if it is replaced by the one below (upper case text):
----8<-----------

              endif, if and only if the SAME HEADER also matches pattern

----8<-----------


--
Best Regards.

Zhang Huangbin

- Mail Server Solution for Red Hat(R) Enterprise Linux & CentOS 5.x:
  http://rhms.googlecode.com/