I have a check to reject 'fancy TLDs' as below

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access pcre:/etc/postfix/sender_pcre,
    check_sender_access pcre:/etc/postfix/reject_domains

cat /etc/postfix/reject_domains
/\.bid$/ REJECT We reject all .bid domains
/\.biz$/ REJECT We reject all .biz domains
...

that works well, but, now have a user who gets a valid inbound rejected

Dec 16 15:06:14 postfix/smtpd[8695]: NOQUEUE: reject: RCPT from mail-sy4aus01on2077.outbound.protection.outlook.com[40.107.107.77]: 554 5.7.1 <[hidden email]>: Sender address rejected: We reject all .biz domains; from=<[hidden email]> to=<recipient@tld> proto=ESMTP helo=<AUS01-SY4-obe.outbound.protection.outlook.com>

is there an easy way, and how, to exempt a specified domain like 'abcd.biz' from my sender restriction ?

thanks,
V

On 16/12/2020 11:07, [hidden email] wrote:
> I have a check to reject 'fancy TLDs' as below
>
> smtpd_sender_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     check_sender_access pcre:/etc/postfix/sender_pcre,
>     check_sender_access pcre:/etc/postfix/reject_domains
>
> cat /etc/postfix/reject_domains
> /\.bid$/ REJECT We reject all .bid domains
> /\.biz$/ REJECT We reject all .biz domains
> ...
>
> that works well, but, now have a user who gets a valid inbound rejected
>
> Dec 16 15:06:14 postfix/smtpd[8695]: NOQUEUE: reject: RCPT from
> mail-sy4aus01on2077.outbound.protection.outlook.com[40.107.107.77]: 554
> 5.7.1 <[hidden email]>: Sender address rejected: We reject all .biz
> domains; from=<[hidden email]> to=<recipient@tld> proto=ESMTP
> helo=<AUS01-SY4-obe.outbound.protection.outlook.com>
>
> is there an easy way, and how, to exempt a specified domain like
> 'abcd.biz' from my sender restriction ?

/etc/postfix/reject_domains:

/@abcd\.biz$/ DUNNO
/\.bid$/ REJECT We reject all .bid domains
/\.biz$/ REJECT We reject all .biz domains

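An added example (not part of the thread and not Postfix code): a small Python model of first-match lookup in a pcre: table, run over the table from the reply above, showing why the DUNNO line must come before the REJECT lines and that it exempts only the exact domain. The sender addresses and the reordered table are constructed, and the parser handles only `/pattern/flags action` lines.

```python
import re

# Constructed copy of the table from the reply above (exception listed first).
EXCEPTION_FIRST = r"""
/@abcd\.biz$/   DUNNO
/\.bid$/        REJECT We reject all .bid domains
/\.biz$/        REJECT We reject all .biz domains
"""
# Same rules with the exception moved last, to show that order decides.
EXCEPTION_LAST = r"""
/\.bid$/        REJECT We reject all .bid domains
/\.biz$/        REJECT We reject all .biz domains
/@abcd\.biz$/   DUNNO
"""

# Simplified rule syntax: /pattern/flags action (only the 'i' flag is modelled).
RULE = re.compile(r"^/(?P<pattern>.*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>.+)$")


def parse_table(text):
    """Return [(compiled_regex, action)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule: {line!r}")
        # pcre tables match case-insensitively by default; 'i' toggles that off.
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        rules.append((re.compile(m["pattern"], flags), m["action"]))
    return rules


def lookup(rules, sender):
    """First matching rule wins; None means no rule matched."""
    for regex, action in rules:
        if regex.search(sender):
            return action
    return None


def is_rejected(rules, sender):
    """DUNNO or no match passes the decision on to later restrictions."""
    action = lookup(rules, sender)
    return action is not None and action.upper().startswith("REJECT")


if __name__ == "__main__":
    for name in ("billing@abcd.biz", "x@sub.abcd.biz", "x@other.biz", "x@example.com"):
        print(name, "->", lookup(parse_table(EXCEPTION_FIRST), name))
```

On the server itself, `postmap -q "user@abcd.biz" pcre:/etc/postfix/reject_domains` answers the same question against the live table.
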
On 16 Dec 2020, at 04:14, Dominic Raferd <[hidden email]> wrote:
> /etc/postfix/reject_domains:
>
> /@abcd\.biz$/ DUNNO
> /\.bid$/ REJECT We reject all .bid domains
> /\.biz$/ REJECT We reject all .biz domains

I do this:

/.*automators\.fm$/ DUNNO
/.*counter\.social/ DUNNO
/.*ometria.email/ DUNNO
/.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
/.*\.*$/ 550 Mail to or from this TLD is not allowed

Fourth line passes all the "good" TLDs that I accept mail from, based on my server's mail. The first three accept specific domains. The last tells everyone else to go away, and why.

This means I do not need to keep track of the new TLDs that are being created every day to firehose more spam, they simply get dropped almost immediately.

--
IT'S POTATO, NOT POTATOE
Bart chalkboard Ep. 7F01

On 18.12.2020 at 06:38:32, @lbutlr wrote:
> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
> /.*\.*$/ 550 Mail to or from this TLD is not allowed

Should I feel offended that Poland does not exist for you? ;)

--
Regards,
Jaroslaw Rafa
[hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."

In reply to this post by lists-3
On Wed, Dec 16, 2020 at 10:07:39PM +1100, [hidden email] wrote:
> that works well, but, now have a user who gets a valid inbound rejected
>
> Dec 16 15:06:14 postfix/smtpd[8695]: NOQUEUE: reject: RCPT from
> mail-sy4aus01on2077.outbound.protection.outlook.com[40.107.107.77]: 554
> 5.7.1 <[hidden email]>: Sender address rejected: We reject all .biz
> domains; from=<[hidden email]> to=<recipient@tld> proto=ESMTP
> helo=<AUS01-SY4-obe.outbound.protection.outlook.com>
>
> is there an easy way, and how, to exempt a specified domain like
> 'abcd.biz' from my sender restriction ?

Exceptions via "DUNNO", as noted by others, are of course an option, but far better to not impose such crude measures, and not block entire TLDs. The ".biz" TLD is now well established, and not dramatically more prone to abuse than the others.

Best to rely on a couple of decent RBLs and a spam-classifying content filter or milter.

--
Viktor.

In reply to this post by Jaroslaw Rafa
On 18 Dec 2020, at 07:54, Jaroslaw Rafa <[hidden email]> wrote:
> On 18.12.2020 at 06:38:32, @lbutlr wrote:
>> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
>> /.*\.*$/ 550 Mail to or from this TLD is not allowed
>
> Should I feel offended that Poland does not exist for you? ;)

It has nothing to do with exists or not, it has to do with the mail my server receives.

--
Ninety percent of true love is acute, ear-burning embarrassment.
--Wyrd Sisters

In reply to this post by @lbutlr
On 12/18/20 8:38 AM, @lbutlr wrote:
> On 16 Dec 2020, at 04:14, Dominic Raferd <[hidden email]> wrote:
>> /etc/postfix/reject_domains:
>>
>> /@abcd\.biz$/ DUNNO
>> /\.bid$/ REJECT We reject all .bid domains
>> /\.biz$/ REJECT We reject all .biz domains
>
> I do this:
>
> /.*automators\.fm$/ DUNNO
> /.*counter\.social/ DUNNO
> /.*ometria.email/ DUNNO
> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
> /.*\.*$/ 550 Mail to or from this TLD is not allowed
>
> Fourth line passes all the "good" TLDs that I accept mail from, based on my server's mail. The first three accept specific domains. The last tells everyone else to go away, and why.

Revisiting this ... where exactly do you apply this ruleset? I'm looking at implementing a rule to discard all four-letter-and-above TLDs except whitelisted ones, because I'm tired of playing whack-a-mole.

Are you using header_checks rule, or something else?

--
Phil Stracchino
Babylon Communications
[hidden email]
[hidden email]
Landline: +1.603.293.8485
Mobile: +1.603.998.6958

On Sat, Jan 30, 2021 at 01:20:13PM -0500, Phil Stracchino wrote:
> I'm looking at implementing a rule to discard all
> four-letter-and-above TLDs except whitelisted ones, because I'm tired
> of playing whack-a-mole.

I'd like to strongly advise against filtering by TLD. This is a very low quality signal. There is no shortage of abuse mail from the traditional gTLDs, and also a non-trivial quantity of legitimate email from new gTLDs.

Most of the ".brand" gTLDs are not open for public registration of subdomains, and if say citibank decided to send email from a ".citi" subdomain, that'd be just fine. They should be able to use the gTLD they control.

For example, the ".info" and ".name" gTLDs are established sources of legitimate email. Looking at DANE-enabled domains, which junk mail senders are unlikely to bother setting up, I see the following top 30 domain counts by TLD, indicating a population of non-abusive domains.

    6389 info
    3397 online
    1231 shop
     941 email
     825 amsterdam
     784 site
     715 cloud
     561 tech
     531 store
     402 world
     360 swiss
     330 name
     283 work
     248 space
     235 studio
     229 club
     212 agency
     197 blog
     190 academy
     185 family
     164 rocks
     158 design
     153 link
     150 live
     144 network
     138 media
     127 tips
     122 company
     120 solutions
     113 life
     ...

To filter junk mail, deploy better content-based filters.

--
Viktor.

On 30/01/2021 20:22, Viktor Dukhovni wrote:
> On Sat, Jan 30, 2021 at 01:20:13PM -0500, Phil Stracchino wrote:
>
>> I'm looking at implementing a rule to discard all
>> four-letter-and-above TLDs except whitelisted ones, because I'm tired
>> of playing whack-a-mole.
> I'd like to strongly advise against filtering by TLD. This is a very
> low quality signal. There is no shortage of abuse mail from the
> traditional gTLDs, and also a non-trivial quantity of legitimate
> email from new gTLDs.
>
> Most of the ".brand" gTLDs are not open for public registration of
> subdomains, and if say citibank decided to send email from a ".citi"
> subdomain, that'd be just fine. They should be able to use the gTLD
> they control.
>
> For example, the ".info" and ".name" gTLDs are established sources of
> legitimate email. Looking at DANE-enabled domains, which junk mail
> senders are unlikely to bother setting up, I see the following top 30
> domain counts by TLD, indicating a population of non-abusive domains.
>
> ...

Viktor's advice is (as always) sound. My original reply was a non-advisory answer to OP's question.

FWIW my approach is a bespoke header test within SpamAssassin (local.cf) against 'EnvelopeFrom' and 'From' which adds a heavy point penalty for TLDs that are - for us - out of the ordinary, with a few special exceptions. My welcome-listed TLDs do not include any of those listed by Viktor except for '.email'. But I am running private mail servers with active quarantine management so I can tweak these settings when FPs occur without significant risk of rejecting ham.

In reply to this post by Phil Stracchino
On 30 Jan 2021, at 11:20, Phil Stracchino <[hidden email]> wrote:
> On 12/18/20 8:38 AM, @lbutlr wrote:
>> I do this:
>>
>> /.*automators\.fm$/ DUNNO
>> /.*counter\.social/ DUNNO
>> /.*ometria.email/ DUNNO
>> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
>> /.*\.*$/ 550 Mail to or from this TLD is not allowed
>>
>> Fourth line passes all the "good" TLDs that I accept mail from, based on my server's mail. The first three accept specific domains. The last tells everyone else to go away, and why.
>
>
> Revisiting this ... where exactly do you apply this ruleset? I'm
> looking at implementing a rule to discard all four-letter-and-above TLDs
> except whitelisted ones, because I'm tired of playing whack-a-mole.
>
> Are you using header_checks rule, or something else?

I have a file named helo-checks.pcre which I call in main.cf in smtpd_helo_restrictions:

smtpd_helo_restrictions =
    reject_invalid_helo_hostname
    check_helo_access pcre:$config_directory/helo_checks.pcre
    permit

You do need to stay on top of the list of TLDs you allow; for example, in the last month since that post I have added info. I still get a lot of spam attempts from shop and email, but there's enough not-spam that I had to add them as well.

My main reason for doing this is not spam blocking per se as SpamAssassin will reject the mails, it is more about minimizing the amount of work SA does and the number of lookups I make against the RBLs.

--
Hard work pays off in the future. Laziness pays off now.
