check_sender_access doesn't appear to be working.

check_sender_access doesn't appear to be working.

D. Walsh

This is what I have configured.

____________________________________________________________

FILE: main.cf
smtpd_recipient_restrictions =
        check_sender_access hash:/etc/postfix/sender_rejects,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org,
        reject_rhsbl_sender rhsbl.sorbs.net,
        reject_rhsbl_sender bogusmx.rfc-ignorant.org,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client dnsbl.ahbl.org,
        reject_rbl_client multi.surbl.org,
        reject_rhsbl_sender postmaster.rfc-ignorant.org,
        reject_rbl_client zen.spamhaus.org,
        permit

____________________________________________________________

FILE: sender_rejects
#######################################################
# PREMISE:
# This file is used to add domains and e-mail addresses you wish to
# permanently blacklist (refuse) e-mail from.
#
# Add the following to /etc/postfix/main.cf at the beginning of
# the 'smtpd_recipient_restrictions':
# check_sender_access hash:/etc/postfix/sender_rejects,
#
# After adding or removing entries,issue the following
# command as root user:
# postmap /etc/postfix/sender_rejects
#######################################################

# DOMAIN/E-MAIL ADDRESS ACTION

# [hidden email] is a spammer.
# you could block the domain since it is unlikely that the
# school's server would be sending mail to your users.
[hidden email] REJECT

# yahoo.com.tw is bad for sending spam.
yahoo.com.tw REJECT
xserve3-641.oakes.k12.nd.us REJECT
oakes.k12.nd.us REJECT

____________________________________________________________


I'm still receiving mail from the "xserve3-641.oakes.k12.nd.us" server as well as from "[hidden email]"; the mail was accepted and passed to amavisd, which finally caught one of the e-mails, but only because the content was obviously spam.

mail.log:
May 25 08:18:19 daleenterprise postfix/smtpd[22042]: connect from xserve3-641.oakes.k12.nd.us[165.234.182.97]
May 25 08:18:20 daleenterprise postfix/smtpd[22042]: BA6AF84CFDE: client=xserve3-641.oakes.k12.nd.us[165.234.182.97]
May 25 08:18:20 daleenterprise postfix/cleanup[22043]: BA6AF84CFDE: message-id=<01c8be72$1224a600$277c7b4d@bureauxx>
May 25 08:18:20 daleenterprise postfix/smtpd[22042]: disconnect from xserve3-641.oakes.k12.nd.us[165.234.182.97]
May 25 08:18:20 daleenterprise postfix/qmgr[21453]: BA6AF84CFDE: from=<[hidden email]>, size=2421, nrcpt=1 (queue active)
May 25 08:18:32 daleenterprise postfix/smtp[22044]: BA6AF84CFDE: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1], delay=13, status=sent (250 2.7.1 Ok, discarded, UBE, id=20833-20)
May 25 08:18:32 daleenterprise postfix/qmgr[21453]: BA6AF84CFDE: removed

____________________________________________________________


I'm looking for an easy-to-implement solution to block domains and specific addresses, and I thought that "check_sender_access" was the way to go, but it's not working.

-- Dale
Re: check_sender_access doesn't appear to be working.

Ralf Hildebrandt
* D. Walsh <[hidden email]>:

> This is what I have configured.
>
> ____________________________________________________________
>
> FILE: main.cf
> smtpd_recipient_restrictions =
> check_sender_access hash:/etc/postfix/sender_rejects,
> permit_mynetworks,
> permit_sasl_authenticated,
> reject_invalid_hostname,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_unauth_destination,
> reject_rbl_client zen.spamhaus.org,
Once

> reject_rhsbl_sender rhsbl.sorbs.net,
> reject_rhsbl_sender bogusmx.rfc-ignorant.org,
> reject_rhsbl_sender dsn.rfc-ignorant.org,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client dnsbl.ahbl.org,
> reject_rbl_client multi.surbl.org,
> reject_rhsbl_sender postmaster.rfc-ignorant.org,
> reject_rbl_client zen.spamhaus.org,
Twice


--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
PowerPoint & Windows. Office and NT - I might like'em more after my lobotomy
Re: check_sender_access doesn't appear to be working.

D. Walsh

On May 25, 2008, at 09:07 AM, Ralf Hildebrandt wrote:

> * D. Walsh <[hidden email]>:
>> This is what I have configured.
>>
>> ____________________________________________________________
>>
>> FILE: main.cf
>> smtpd_recipient_restrictions =
>> check_sender_access hash:/etc/postfix/sender_rejects,
>> permit_mynetworks,
>> permit_sasl_authenticated,
>> reject_invalid_hostname,
>> reject_non_fqdn_sender,
>> reject_non_fqdn_recipient,
>> reject_unknown_sender_domain,
>> reject_unknown_recipient_domain,
>> reject_unauth_destination,
>> reject_rbl_client zen.spamhaus.org,
> Once
>
>> reject_rhsbl_sender rhsbl.sorbs.net,
>> reject_rhsbl_sender bogusmx.rfc-ignorant.org,
>> reject_rhsbl_sender dsn.rfc-ignorant.org,
>> reject_rbl_client bl.spamcop.net,
>> reject_rbl_client dnsbl.ahbl.org,
>> reject_rbl_client multi.surbl.org,
>> reject_rhsbl_sender postmaster.rfc-ignorant.org,
>> reject_rbl_client zen.spamhaus.org,
> Twice

OK, so I have an entry twice, but that shouldn't prevent "check_sender_access" from working, should it?

Re: check_sender_access doesn't appear to be working.

Ralf Hildebrandt
* D. Walsh <[hidden email]>:

> OK, so I have an entry twice but that shouldn't prevent the  
> "check_sender_access" from working should it?

Of course not

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
I'm locked in a maze of little projects, all of which suck.
Re: check_sender_access doesn't appear to be working.

Henrik K
In reply to this post by D. Walsh
On Sun, May 25, 2008 at 09:06:14AM -0400, D. Walsh wrote:

> FILE: sender_rejects
> [hidden email] REJECT

...

> I'm still receiving mail from the "xserve3-641.oakes.k12.nd.us" server as
> well as from "[hidden email]", mail was accepted and passed to

...

>
> mail.log:
> from=<[hidden email]>, size=2421, nrcpt=1 (queue active)

... get a cup of coffee and decide what you want to block. Obviously this
last one is what you want to put in sender_rejects.

> I'm looking for an easy to implement solution to block domains and
> specific addresses and I thought that "check_sender_access" was the way
> to go but it's not working.

If you had read any documentation, you would see that sender_access is for
email addresses only. client_access is for hosts.

Re: check_sender_access doesn't appear to be working.

D. Walsh
In reply to this post by Ralf Hildebrandt


On May 25, 2008, at 11:26 AM, Ralf Hildebrandt wrote:

> * D. Walsh <[hidden email]>:
>
>> OK, so I have an entry twice but that shouldn't prevent the
>> "check_sender_access" from working should it?
>
> Of course not

It's not working; postfix is still letting it in and passing it off to amavisd.


May 25 08:55:44 daleenterprise postfix/smtpd[22235]: connect from xserve3-641.oakes.k12.nd.us[165.234.182.97]
May 25 08:55:46 daleenterprise postfix/smtpd[22235]: 89EE584D104: client=xserve3-641.oakes.k12.nd.us[165.234.182.97]
May 25 08:55:46 daleenterprise postfix/cleanup[22266]: 89EE584D104: message-id=<10182.clothesman@maturate>
May 25 08:55:46 daleenterprise postfix/smtpd[22235]: disconnect from xserve3-641.oakes.k12.nd.us[165.234.182.97]
May 25 08:55:46 daleenterprise postfix/qmgr[22169]: 89EE584D104: from=<[hidden email]>, size=4092, nrcpt=1 (queue active)
May 25 08:55:49 daleenterprise postfix/smtp[22267]: 89EE584D104: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1], delay=4, status=sent (250 2.7.1 Ok, discarded, UBE, id=21949-03)
May 25 08:55:49 daleenterprise postfix/qmgr[22169]: 89EE584D104: removed

May 25 09:07:51 daleenterprise postfix/smtpd[22345]: connect from xserve3-641.oakes.k12.nd.us[165.234.182.97]
May 25 09:07:52 daleenterprise postfix/smtpd[22345]: AB5D884D1E9: client=xserve3-641.oakes.k12.nd.us[165.234.182.97]
May 25 09:07:52 daleenterprise postfix/cleanup[22340]: AB5D884D1E9: message-id=<01c8be4e$eba14380$f5c152bd@afy>
May 25 09:07:52 daleenterprise postfix/smtpd[22345]: disconnect from xserve3-641.oakes.k12.nd.us[165.234.182.97]
May 25 09:07:52 daleenterprise postfix/qmgr[22169]: AB5D884D1E9: from=<[hidden email]>, size=2544, nrcpt=1 (queue active)
May 25 09:07:54 daleenterprise postfix/smtp[22341]: AB5D884D1E9: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1], delay=2, status=sent (250 2.6.0 Ok, id=22046-06, from MTA([127.0.0.1]:10025): 250 Ok: queued as 3ABDA84D1F0)
May 25 09:07:54 daleenterprise postfix/qmgr[22169]: AB5D884D1E9: removed
May 25 09:07:54 daleenterprise postfix/pipe[22348]: 3ABDA84D1F0: to=<[hidden email]>, relay=cyrus, delay=0, status=sent (daleenterprise.com)
May 25 09:07:54 daleenterprise postfix/qmgr[22169]: 3ABDA84D1F0: removed

Re: check_sender_access doesn't appear to be working.

D. Walsh
In reply to this post by Henrik K


On May 25, 2008, at 11:44 AM, Henrik K wrote:

> On Sun, May 25, 2008 at 09:06:14AM -0400, D. Walsh wrote:
>
>> FILE: sender_rejects
>> [hidden email] REJECT
>
> ...
>
>> I'm still receiving mail from the "xserve3-641.oakes.k12.nd.us" server as
>> well as from "[hidden email]", mail was accepted and passed to
>
> ...
>
>>
>> mail.log:
>> from=<[hidden email]>, size=2421, nrcpt=1 (queue active)
>
> ... get a cup of coffee and decide what you want to block. Obviously this
> last one is what you want to put in sender_rejects.
>
>> I'm looking for an easy to implement solution to block domains and
>> specific addresses and I thought that "check_sender_access" was the way
>> to go but it's not working.
>
> If you had read any documentation, you would see that sender_access is for
> email addresses only. client_access is for hosts.

I did read the documentation; I must have gotten them confused and switched them, or had a brain-fart. I changed it to "check_client_access"; I'll wait and see if it blocks them now.

-- Dale
Re: check_sender_access doesn't appear to be working.

mouss-2
D. Walsh wrote:

> [snip]
>>>
>>> mail.log:
>>> from=<[hidden email]>, size=2421, nrcpt=1 (queue active)
>
>> ... get a cup of coffee and decide what you want to block. Obviously this
>> last one is what you want to put in sender_rejects.
>
>>> I'm looking for an easy to implement solution to block domains and
>>> specific addresses and I thought that "check_sender_access" was the way
>>> to go but it's not working.
>
>> If you had read any documentation, you would see that sender_access is for
>> email addresses only. client_access is for hosts.
>
> I did read the documentation, I must have gotten them confused and
> switched them or had a brain-fart, I changed it to
> "check_client_access", I'll wait and see if it blocks them now.

- client is the host that sends you mail (IP or reverse DNS)
- sender is the email address used as the (envelope) sender.

If you use reject_client_access, then use a specific map, not one that
mixes clients and senders. Remove the check_sender_access from your
smtpd_restrictions and use

smtpd_sender_restrictions =
    check_client_access hash:/etc/postfix/client_access
    check_sender_access hash:/etc/postfix/sender_access

Then put the clients you want to block in client_access, and the senders you
want to block in sender_access.

The reason to use smtpd_sender_access is to avoid becoming an open relay
in case you put an OK in these maps.
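To make the client/sender distinction above concrete (and Henrik's point that sender_access is for addresses and client_access for hosts), here is an added Python simulation, not code from this thread or from Postfix, of the key order in which Postfix consults an access(5) table for check_client_access and check_sender_access. It assumes the default parent_domain_matches_subdomains (so parent domains match without a leading dot), IPv4 clients only, and a constructed envelope sender, since the list hides the real addresses.

```python
# Added illustration, not Postfix code: simulates the access(5) lookup order
# used by check_client_access and check_sender_access, to show why host names
# placed in a *sender* map never match the connecting client.
import re

CONNECT_RE = re.compile(r"connect from (?P<host>\S+)\[(?P<ip>[\d.]+)\]")

def parse_connect(logline):
    """Pull the client hostname and IP out of an smtpd 'connect from' line."""
    m = CONNECT_RE.search(logline)
    return (m.group("host"), m.group("ip")) if m else None

def client_lookup_keys(hostname, ip):
    """check_client_access: hostname and its parent domains, then the IP and
    its shorter dotted prefixes (165.234.182.97, 165.234.182, 165.234, 165)."""
    labels = hostname.lower().split(".")
    keys = [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys

def sender_lookup_keys(address):
    """check_sender_access: user@domain, domain and parent domains, user@."""
    local, _, domain = address.lower().partition("@")
    labels = domain.split(".")
    return ([address.lower()]
            + [".".join(labels[i:]) for i in range(len(labels))]
            + [local + "@"])

def lookup(access_map, keys):
    """First key present in the table wins; no match means DUNNO (fall through)."""
    for key in keys:
        if key in access_map:
            return key, access_map[key]
    return None, "DUNNO"

def decide(client_map, sender_map, hostname, ip, sender):
    """Evaluate check_client_access, then check_sender_access, as in mouss's fix."""
    for access_map, keys in ((client_map, client_lookup_keys(hostname, ip)),
                             (sender_map, sender_lookup_keys(sender))):
        key, action = lookup(access_map, keys)
        if action != "DUNNO":
            return key, action
    return None, "DUNNO"

# The OP's sender_rejects entries rebuilt as a dict (the hidden address is omitted),
# and a constructed client_access map holding the offending host's parent domain.
SENDER_REJECTS = {"yahoo.com.tw": "REJECT",
                  "xserve3-641.oakes.k12.nd.us": "REJECT",
                  "oakes.k12.nd.us": "REJECT"}
CLIENT_REJECTS = {"oakes.k12.nd.us": "REJECT"}

if __name__ == "__main__":
    host, ip = parse_connect("May 25 08:18:19 daleenterprise postfix/smtpd[22042]: "
                             "connect from xserve3-641.oakes.k12.nd.us[165.234.182.97]")
    sender = "someone@linuxmail.org"   # constructed; the real sender is hidden
    # Host names in a sender map: none of the sender keys match, mail is accepted.
    print("sender map only:", decide({}, SENDER_REJECTS, host, ip, sender))
    # The same entry in a client map matches the connecting host: REJECT.
    print("client map:", decide(CLIENT_REJECTS, {}, host, ip, sender))
```

Only the envelope sender is keyed against sender_access, so blocking a host by its reverse DNS or IP has to go through the client map.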



Re: check_sender_access doesn't appear to be working.

Ralf Hildebrandt
In reply to this post by D. Walsh
* D. Walsh <[hidden email]>:

>>> OK, so I have an entry twice but that shouldn't prevent the
>>> "check_sender_access" from working should it?
>>
>> Of course not
>
> It's not working, postfix is still letting it in and passing it off to
> amavisd.
>
>
> May 25 08:55:46 daleenterprise postfix/qmgr[22169]: 89EE584D104: from=<[hidden email]>, size=4092, nrcpt=1 (queue active)

Is [hidden email] or linuxmail.org in the map used by check_sender_access?

> May 25 09:07:52 daleenterprise postfix/qmgr[22169]: AB5D884D1E9: from=<[hidden email]>, size=2544, nrcpt=1 (queue active)

Is [hidden email] or bleu-provence.com in the map used by check_sender_access?

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
DUL helps enforce policy.  If your toaster spoke TCP/IP would you
want it sending e-mail to random third parties?  If your answer is "yes"
then I don't want any e-mail from any of your toasters -- Greg Woods
Re: check_sender_access doesn't appear to be working.

D. Walsh


On May 25, 2008, at 13:50 PM, Ralf Hildebrandt wrote:

> * D. Walsh <[hidden email]>:
>
>>>> OK, so I have an entry twice but that shouldn't prevent the
>>>> "check_sender_access" from working should it?
>>>
>>> Of course not
>>
>> It's not working, postfix is still letting it in and passing it off to
>> amavisd.
>>
>>
>> May 25 08:55:46 daleenterprise postfix/qmgr[22169]: 89EE584D104:
>> from=<[hidden email]>, size=4092, nrcpt=1 (queue active)
>
> [hidden email] or
> linuxmail.org
> is in the map used by
> check_sender_access?
>
>> May 25 09:07:52 daleenterprise postfix/qmgr[22169]: AB5D884D1E9:
>> from=<[hidden email]>, size=2544, nrcpt=1 (queue active)
>
> [hidden email] or
> bleu-provence.com
> is in the map used by
> check_sender_access?

I changed "check_sender_access" to "check_client_access", and now it appears to block the mail from the server.

May 25 12:22:47 daleenterprise postfix/smtpd[23625]: connect from xserve3-641.oakes.k12.nd.us[165.234.182.97]
May 25 12:22:47 daleenterprise postfix/smtpd[23625]: NOQUEUE: reject: RCPT from xserve3-641.oakes.k12.nd.us[165.234.182.97]: 554 <xserve3-641.oakes.k12.nd.us[165.234.182.97]>: Client host rejected: Access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<xserve3-641.oakes.k12.nd.us>
May 25 12:22:47 daleenterprise postfix/smtpd[23625]: disconnect from xserve3-641.oakes.k12.nd.us[165.234.182.97]


As suggested by "mouss", I added both "check_client_access hash:/etc/postfix/client_rejects" and "check_sender_access hash:/etc/postfix/sender_rejects" to "smtpd_recipient_restrictions" and populated the maps accordingly.

Re: check_sender_access doesn't appear to be working.

/dev/rob0
In reply to this post by mouss-2
On Sun May 25 2008 11:55:09 mouss wrote:

> > > If you had read any documentation, you would see that
> > > sender_access is for email addresses only. client_access
> > > is for hosts.
> >
> > I did read the documentation, I must have gotten them confused
> > and switched them or had a brain-fart, I changed it to
> > "check_client_access", I'll wait and see if it blocks them now.
>
> - client is the host that sends you mail (IP or reverse DNS)
> - sender is the email address used as the (envelope) sender.

Mouss had a few typos in there, but I'll let those pass. :) I just
wanted to point out the problems with reliance on check_sender_access
as a spam control strategy, because the OP did not seem to understand
this.

Sender addresses are easily and routinely forged. In fact the vast
majority of Internet SMTP traffic, being abuse, uses forged sender
addresses.

Sometimes it's fine to block sender addresses. For example, when a
spammer gets a Hotmail account, you will see spam from Hotmail/MSN
servers with a Hotmail envelope sender address. It's safe to assume
that nothing but spam will come from that account. There's a list of
these at joewein.de.

Safe, yes, but is it effective? Usually not. Even Hotmail terminates
spammer accounts. A slightly more effective use of check_sender_access
is to check a list of known spammer domains (likewise, joewein.de
maintains a good list of these). But that too is a losing battle,
because wholesale domains are expendable, and spammers just as easily
can (and do) use real domains (yours, mine and others.)

Another thing to consider is the "joe job", where a spammer uses real
sender addresses, possibly in a deliberate attempt to interfere with
the victim's email (because postmasters who haven't thought it through
or who don't understand will do check_sender_access or the like to
prevent the spam.)

Basically, if a spammer controls a given IP address or netblock, you  
can be sure that you'll get nothing but spam from that host or
netblock. That's why check_client_access lookups and reject_rbl_client
are the most reliable and effective means of blocking spam.

Of course check_helo_access is also safe and effective in dealing with
zombie spew, but that's beside the point here.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header