spam control


spam control

ramesh srinivas
Dear All,

I have configured postfix postfix-2.4.5-2 on fc8 with good hardware
configuration. everything working fine, but i have few problems so i
need suggestions from you.
here my configuration..

smtpd_banner = ESMTP
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject,
reject_non_fqdn_hostname, reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks,
hash:/etc/postfix/access, check_recipient_access
hash:/etc/postfix/client_access, permit_sasl_authenticated,
reject_non_fqdn_recipient, reject_non_fqdn_sender,
reject_unknown_recipient_domain, reject_unauth_destination,
reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_restriction_classes = restriction
smtpd_sender_restrictions = permit_sasl_authenticated,
permit_mynetworks, check_sender_access hash:/etc/postfix/access,
reject_non_fqdn_sender , reject_unknown_sender_domain
strict_rfc821_envelopes = yes

1)
rbl lookup blocking users when they connect with using broad band from
 out side. this is b'coz rbl data base blocks entire subnet. to
overcome this problem im planning to configure SMTP+Auth.

2) we are receiving spoofed mails as our employees' mail. Is there
any way to block these mails?

Please suggest me to fix my queries and anything i need to change in
the order of the configuration.

Thanx&Regrds,
Ramesh.



Re: spam control

Brian Evans - Postfix List
itsramesh_s wrote:
> Dear All,
>
> I have configured postfix postfix-2.4.5-2 on fc8 with good hardware
> configuration. everything working fine, but i have few problems so i
> need suggestions from you.
> here my configuration..
>  
Please post 'postconf -n' instead of main.cf snippets.
> smtpd_banner = ESMTP
>  
Do not change this.  The default is fine, they already know who you are.

> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, warn_if_reject,
> reject_non_fqdn_hostname, reject_invalid_hostname
> smtpd_recipient_restrictions = permit_mynetworks,
> hash:/etc/postfix/access, check_recipient_access
> hash:/etc/postfix/client_access, permit_sasl_authenticated,
> reject_non_fqdn_recipient, reject_non_fqdn_sender,
> reject_unknown_recipient_domain, reject_unauth_destination,
> reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
>  
What is in /etc/postfix/access?
What is in /etc/postfix/client_access?
I hope there are no wildcard OKs.
Move reject_unauth_destination as close to the 2 permits as possible.

> smtpd_restriction_classes = restriction
> smtpd_sender_restrictions = permit_sasl_authenticated,
> permit_mynetworks, check_sender_access hash:/etc/postfix/access,
> reject_non_fqdn_sender , reject_unknown_sender_domain
> strict_rfc821_envelopes = yes
>
> 1)
> rbl lookup blocking users when they connect with using broad band from
>  out side. this is b'coz rbl data base blocks entire subnet. to
> overcome this problem im planning to configure SMTP+Auth.  
This is what you should do.  There is no other way to tell who is who.
http://www.postfix.org/SASL_README.html
>  
>
> 2) we are receiving spoofed mails as our employees mail, Is there
> anyway to block this mails.
See comments above.

>    
>
> Please suggest me to fix my queries and anything i need to change in
> the order of the configuration.
>
> Thanx&Regrds,
> Ramesh.
>
>
>  

Brian

Re: spam control

Lars Heide
itsramesh_s wrote:
 > Dear All,
 >
 > I have configured postfix postfix-2.4.5-2 on fc8 with good hardware
 > configuration. everything working fine, but i have few problems so i
 > need suggestions from you.
 > here my configuration..
 >
 > smtpd_banner = ESMTP
 > smtpd_delay_reject = yes
 > smtpd_helo_required = yes
 > smtpd_helo_restrictions = permit_mynetworks, warn_if_reject,
 > reject_non_fqdn_hostname, reject_invalid_hostname

What's the "warn_if_reject" doing there all by itself (note the ",")?

 >
 > 2) we are receiving spoofed mails as our employees mail, Is there
 > anyway to block this mails.
 >

If you cannot block mails from the outside that carry your domain as
sender address and use a whitelist, you could configure, as a quick fix,
an access map for sender addresses that checks against your own domain:

your.own.domain.name reject_unverified_sender

(if the system is not only a gateway, you might try having a look at
smtpd_reject_unlisted_sender for this)

This could at least eliminate trashy sender addresses with guessed
localparts that carry your domain (be careful if you configured sender
addresses somewhere outside that do not correspond to any real
e-mail addresses). Don't use on other domains unless you know what you
are doing.

In the long run explicit authentication is better of course.

 > Please suggest me to fix my queries and anything i need to change in
 > the order of the configuration.
 >
 > Thanx&Regrds,
 > Ramesh.

Lars

Re: spam control

Noel Jones-2
Lars Heide wrote:

> itsramesh_s wrote:
>  > Dear All,
>  >
>  > I have configured postfix postfix-2.4.5-2 on fc8 with good hardware
>  > configuration. everything working fine, but i have few problems so i
>  > need suggestions from you.
>  > here my configuration..
>  >
>  > smtpd_banner = ESMTP
>  > smtpd_delay_reject = yes
>  > smtpd_helo_required = yes
>  > smtpd_helo_restrictions = permit_mynetworks, warn_if_reject,
>  > reject_non_fqdn_hostname, reject_invalid_hostname
>
> What's the "warn_if_reject" doing there all by itself (note the ",")?

That's not a problem.  Commas and whitespace are treated
identically by the parser.


--
Noel Jones

>
>  >
>  > 2) we are receiving spoofed mails as our employees mail, Is there
>  > anyway to block this mails.
>  >
>
> If you can not block mails from the outside that carry your domain as
> sender address and use a whitelist, you could configure, as a quick fix,
> an access map for sender addresses, that checks against your own domain:
>
> your.own.domain.name reject_unverified_sender
>
> (if the system is not only a gateway, you might try having a look at
> smtpd_reject_unlisted_sender for this)
>
> this could at least eliminate trashy sender addresses with guessed
> localparts that carry your domain (be careful if you configured sender
> addresses somewhere outside, that do not correspond to any real
> e-mail addresses). Don't use on other domains unless you know what you
> are doing.
>
> In the long run explicit authentication is better of course.
>
>  > Please suggest me to fix my queries and anything i need to change in
>  > the order of the configuration.
>  >
>  > Thanx&Regrds,
>  > Ramesh.
>
> Lars


Re: spam control

ramesh srinivas
In reply to this post by Brian Evans - Postfix List
Hi Brian,

I have posted postconf -n output, but only the check-related part.
What is in /etc/postfix/access?
This file contains domains belonging to us with wildcard OKs.
@xyz.com OK.
Does this allow spoofing? This entry was made as a whitelist.

What is in /etc/postfix/client_access?
This file contains alias entries.
[hidden email] restriction

Thanx&Regards,
Ramesh.



 

--- On Tue, 22/7/08, Brian Evans - Postfix List <[hidden email]> wrote:
From: Brian Evans - Postfix List <[hidden email]>
Subject: Re: spam control
To: "Postfix users" <[hidden email]>
Date: Tuesday, 22 July, 2008, 7:18 PM

itsramesh_s wrote:
> Dear All,
>
> I have configured postfix postfix-2.4.5-2 on fc8 with good hardware
> configuration. everything working fine, but i have few problems so i
> need suggestions from you.
> here my configuration..
>
Please post 'postconf -n' instead of main.cf snippets.
> smtpd_banner = ESMTP
>
Do not change this. The default is fine, they already know who you are.

> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, warn_if_reject,
> reject_non_fqdn_hostname, reject_invalid_hostname
> smtpd_recipient_restrictions = permit_mynetworks,
> hash:/etc/postfix/access, check_recipient_access
> hash:/etc/postfix/client_access, permit_sasl_authenticated,
> reject_non_fqdn_recipient, reject_non_fqdn_sender,
> reject_unknown_recipient_domain, reject_unauth_destination,
> reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
>
What is in /etc/postfix/access?
What is in /etc/postfix/client_access?
I hope there are no wildcard OKs.
Move reject_unauth_destination as close to the 2 permits as possible.

> smtpd_restriction_classes = restriction
> smtpd_sender_restrictions = permit_sasl_authenticated,
> permit_mynetworks, check_sender_access hash:/etc/postfix/access,
> reject_non_fqdn_sender , reject_unknown_sender_domain
> strict_rfc821_envelopes = yes
>
> 1)
> rbl lookup blocking users when they connect with using broad band from
> out side. this is b'coz rbl data base blocks entire subnet. to
> overcome this problem im planning to configure SMTP+Auth.
This is what you should do. There is no other way to tell who is who.
http://www.postfix.org/SASL_README.html
>
>
> 2) we are receiving spoofed mails as our employees mail, Is there
> anyway to block this mails.
See comments above.

>
>
> Please suggest me to fix my queries and anything i need to change in
> the order of the configuration.
>
> Thanx&Regrds,
> Ramesh.
>
>
>

Brian



Re: spam control

Brian Evans - Postfix List
ramesh srinivas wrote:
> Hi Brian,
>
> I have posted postconf -n output, but only check related.
> What is in /etc/postfix/access?
> this file contains domains belongs to us with wild card Oks.
> @xyz.com  OK.
> Is this allows spoofing?. this entry made as white list.
>        
>
[Please do not top post to a mailing list. It makes things hard to follow]
Remove the reference to /etc/postfix/access.  reject_unauth_destination
does this for you.
An OK here immediately accepts all mail with one of those domains with
no further checks or validity.
You create Backscatter by listing these here.
> What is in /etc/postfix/client_access?
> This file contains alias entries.
> [hidden email]  restriction
>        
>
Try this instead:

smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
check_recipient_access hash:/etc/postfix/client_access,
reject_non_fqdn_recipient, reject_non_fqdn_sender,
reject_unknown_recipient_domain,
reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net


I left in the reference to client_access because you don't define what
is included in the 'restriction' restriction_class.
If this is not defined in main.cf, then it is worthless and you should remove the
'check_recipient_access hash:/etc/postfix/client_access'.

> Thanx&Regards,
> Ramesh.
>
>
>
>  
>        
>
> --- On *Tue, 22/7/08, Brian Evans - Postfix List
> /<[hidden email]>/* wrote:
>
>     From: Brian Evans - Postfix List <[hidden email]>
>     Subject: Re: spam control
>     To: "Postfix users" <[hidden email]>
>     Date: Tuesday, 22 July, 2008, 7:18 PM
>
>     itsramesh_s wrote:
>     >
>      Dear All,
>     >
>     > I have configured postfix postfix-2.4.5-2 on fc8 with good hardware
>     > configuration. everything working fine, but i have few problems so i
>     > need suggestions from you.
>     > here my configuration..
>     >  
>     Please post 'postconf -n' instead of main.cf snippets.
>     > smtpd_banner = ESMTP
>     >  
>     Do not change this.  The default is fine, they already know who you are.
>     > smtpd_delay_reject = yes
>     > smtpd_helo_required = yes
>     > smtpd_helo_restrictions = permit_mynetworks, warn_if_reject,
>     > reject_non_fqdn_hostname, reject_invalid_hostname
>     > smtpd_recipient_restrictions = permit_mynetworks,
>     > hash:/etc/postfix/access, check_recipient_access
>     > hash:/etc/postfix/client_access, permit_sasl_authenticated,
>     > reject_non_fqdn_recipient, reject_non_fqdn_sender,
>     > reject_unknown_recipient_domain, reject_unauth_destination,
>     > reject_rbl_client
>      zen.spamhaus.org, reject_rbl_client bl.spamcop.net
>     >  
>     What is in /etc/postfix/access?
>     What is in /etc/postfix/client_access?
>     I hope there are no wildcard OKs.
>     Move reject_unauth_destination as close to the 2 permits as possible.
>
>     > smtpd_restriction_classes = restriction
>     > smtpd_sender_restrictions = permit_sasl_authenticated,
>     > permit_mynetworks, check_sender_access hash:/etc/postfix/access,
>     > reject_non_fqdn_sender , reject_unknown_sender_domain
>     > strict_rfc821_envelopes = yes
>     >
>     > 1)
>     > rbl lookup blocking users when they connect with using broad band from
>     >  out side. this is b'coz rbl data base blocks entire subnet. to
>     > overcome this problem im planning to configure SMTP+Auth.  
>     This is what you should do.  There is no other way to tell who is who.
>     http://www.postfix.org/SASL_README.html
>     >  
>     >
>     > 2) we are receiving spoofed mails as our
>      employees mail, Is there
>     > anyway to block this mails.
>     See comments above.
>     >    
>     >
>     > Please suggest me to fix my queries and anything i need to change in
>     > the order of the configuration.
>     >
>     > Thanx&Regrds,
>     > Ramesh.
>     >
>     >
>     >  
>
>     Brian
>
>



Re: spam control

mouss-2
In reply to this post by ramesh srinivas
ramesh srinivas wrote:
> Hi Brian,
>
> I have posted postconf -n output, but only check related.


please don't. send the _full_ output of postconf -n. feel free to
replace private information (but do so coherently). while you have
your opinion on what you should send us, this only makes it hard to help
you.

> What is in /etc/postfix/access?
> this file contains domains belongs to us with wild card Oks.
> @xyz.com  OK.

wrong syntax. there is no '@' in access checks.

> Is this allows spoofing?. this entry made as white list.
>
> What is in /etc/postfix/client_access?
> This file contains alias entries.
> [hidden email]  restriction

wrong syntax. a client is an IP or a domain, not a mail address.

back to your original post, if you get junk claiming to be from your
domain, then

- first, see if you can block that junk independently of the sender domain.

- if no mail sent from outside should have your domain as sender, then
you can block that. you can either require login-sender match or you can
simply reject mail with your domain as sender unless it comes from
mynetworks or is authenticated. login-sender match is better if you can
enforce authentication.
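
The ordering points raised in this thread (an OK from an access map ends the restriction list before later checks run; mail with your own domain as sender can be rejected unless the client is in mynetworks or authenticated), as an added Python model that is not part of any post and is not Postfix code. The `map_*` labels stand in for access-map lookups and are hypothetical, the addresses and sessions are constructed, and the model covers only first-match evaluation of one recipient restriction list.

```python
# Simplified first-match model of a Postfix restriction list (constructed example).
OWN_DOMAINS = {"xyz.com"}      # the domain whitelisted in the thread's access map
MYNETWORKS = {"192.0.2.10"}    # assumed internal client
RBL_LISTED = {"203.0.113.7"}   # assumed DNSBL-listed client

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def own(addr):
    return domain(addr) in OWN_DOMAINS

# Each check returns "OK", "REJECT" or None (no decision, try the next one).
CHECKS = {
    "permit_mynetworks": lambda s: "OK" if s["client"] in MYNETWORKS else None,
    "permit_sasl_authenticated": lambda s: "OK" if s["sasl_user"] else None,
    "reject_unauth_destination": lambda s: None if own(s["rcpt"]) else "REJECT",
    "reject_rbl_client": lambda s: "REJECT" if s["client"] in RBL_LISTED else None,
    # Hypothetical labels for access-map lookups:
    "map_own_domain_ok": lambda s: "OK" if own(s["rcpt"]) else None,
    "map_own_sender_reject": lambda s: "REJECT" if own(s["sender"]) else None,
}

# Order as first posted (whitelist map early) versus permits first, then rejects.
ORIGINAL = ["permit_mynetworks", "map_own_domain_ok", "permit_sasl_authenticated",
            "reject_unauth_destination", "reject_rbl_client"]
REORDERED = ["permit_mynetworks", "permit_sasl_authenticated",
             "reject_unauth_destination", "map_own_sender_reject", "reject_rbl_client"]

def evaluate(restrictions, session):
    """Return (verdict, deciding restriction); the first decision ends the list."""
    for name in restrictions:
        verdict = CHECKS[name](session)
        if verdict is not None:
            return verdict, name
    return "OK", "end of list"

# Constructed sessions: spoofed own-domain sender, roaming SASL user, outside sender.
SPOOF = {"client": "203.0.113.7", "sasl_user": None,
         "sender": "ceo@xyz.com", "rcpt": "staff@xyz.com"}
ROAMING = {"client": "203.0.113.7", "sasl_user": "ramesh",
           "sender": "ramesh@xyz.com", "rcpt": "partner@example.org"}
OUTSIDE = {"client": "198.51.100.5", "sasl_user": None,
           "sender": "alice@example.org", "rcpt": "staff@xyz.com"}

if __name__ == "__main__":
    for label, s in (("spoof", SPOOF), ("roaming", ROAMING), ("outside", OUTSIDE)):
        print(label, evaluate(ORIGINAL, s), evaluate(REORDERED, s))
```

With the whitelist map early, the spoofed message from a listed client is accepted before the RBL check is reached; with the permits first, the roaming user is accepted on authentication alone and the spoofed message is rejected.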