why is smtpd_recipient_restrictions ignored..?


why is smtpd_recipient_restrictions ignored..?

mj
Hi all,

This is postfix 2.9.6 from wheezy. I have added to main.cf:

> smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/blacklisted_domains, permit_mynetworks, reject_unauth_destination, permit

and /etc/postfix/blacklisted_domains contains just one line:

> mail.ru REJECT

I postmapped the file and restarted postfix.

Alas... postfix is still happily forwarding emails to [hidden email] to my
smarthost.

How can I make sure that this particular postfix instance will DISALLOW
sending ANY email to @mail.ru?

What am I missing?

Thanks in advance!

MJ

Here is my complete main.cf:

> # See /usr/share/postfix/main.cf.dist for a commented, more complete version
>
>
> # Debian specific:  Specifying a file name will cause the first
> # line of that file to be used as the name.  The Debian default
> # is /etc/mailname.
> #myorigin = /etc/mailname
>
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> biff = no
>
> # appending .domain is the MUA's job.
> append_dot_mydomain = no
>
> # Uncomment the next line to generate "delayed mail" warnings
> #delay_warning_time = 4h
>
> readme_directory = no
>
> # TLS parameters
> smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_use_tls=yes
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
> # to prevent russian spam
> smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/blacklisted_domains, permit_mynetworks, reject_unauth_destination, permit
>
> # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
> # information on enabling SSL in the smtp client.
>
> myhostname = www.site1.com
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> myorigin = /etc/mailname
> mydestination = www.site1.com, site2.com, localhost.site2.com, localhost, site3.com
> relayhost = outgoing.smarthost.com
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> recipient_delimiter = +
> inet_interfaces = all
> sender_canonical_maps = hash:/etc/postfix/sender_canonical


Re: why is smtpd_recipient_restrictions ignored..?

Viktor Dukhovni


> On Mar 22, 2018, at 7:35 PM, mj <[hidden email]> wrote:
>
> This postfix 2.9.6 from wheezy. I have added to main.cf:
>
>> smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/blacklisted_domains, permit_mynetworks, reject_unauth_destination, permit
>
> and /etc/postfix/blacklisted_domains contains just one line:
>
>> mail.ru REJECT
>
> I postmapped the file and restarted postfix.
>
> Alas... postfix is still happily forwarding emails to [hidden email] to my smarthost.

Almost certainly bounces, which did not come in via SMTP, they are originated
locally, when inbound mail from mail.ru is undeliverable, and sent outbound
via the smarthost.

> How can I make sure that this particular postfix instance will DISALLOW sending ANY email to @mail.ru?

Seems a rather harsh policy, but if you must:

        transport:
                mail.ru  error:5.1.2 Destination domain blacklisted

--
        Viktor.
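
The two settings discussed above, side by side, as an added example that is not part of the original thread. It assumes the table lives at /etc/postfix/transport as a hash: map; the `.mail.ru` line for subdomains is likewise an addition, not something the posters wrote.

```conf
# ---- /etc/postfix/main.cf ----

# Evaluated only by smtpd(8), i.e. for mail that arrives over SMTP.
# Locally submitted mail (the sendmail command, bounces generated by
# Postfix itself) never passes through this list, so the REJECT entry
# in blacklisted_domains has no effect on it.
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/blacklisted_domains, permit_mynetworks, reject_unauth_destination, permit

# Consulted when a recipient address is resolved for delivery, however
# the message entered the queue. (Path and map type are assumptions.)
transport_maps = hash:/etc/postfix/transport

# ---- /etc/postfix/transport ----

# Hand mail for the domain to the error(8) transport, which bounces it
# with the given status code and text instead of relaying it.
mail.ru     error:5.1.2 Destination domain blacklisted
# With the default parent_domain_matches_subdomains setting, subdomains
# need their own ".domain" entry (added here as an assumption).
.mail.ru    error:5.1.2 Destination domain blacklisted

# ---- after editing ----
# Rebuild the lookup table and reload:
#   postmap /etc/postfix/transport
#   postfix reload
# Confirm the entry is found:
#   postmap -q mail.ru hash:/etc/postfix/transport
```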


Re: why is smtpd_recipient_restrictions ignored..?

mj
Hi Viktor,

On 03/23/2018 12:42 AM, Viktor Dukhovni wrote:
> Almost certainly bounces, which did not come in via SMTP, they are originated
> locally, when inbound mail from mail.ru is undeliverable, and sent outbound
> via the smarthost.
Yes, they are originated locally, yes, using a webform that is currently
being abused.

>> How can I make sure that this particular postfix instance will DISALLOW sending ANY email to @mail.ru?
>
> Seems a rather harsh policy, but if you must:
>
> transport:
> mail.ru  error:5.1.2 Destination domain blacklisted

It's very harsh, but we'll do it just for the time being, until we have
fixed the webform.

Your solution works super, thanks a lot!

Is there perhaps also another error code we can use, that blackholes the
email, instead of politely bouncing it with a "Diagnostic-Code:
X-Postfix; Destination domain blacklisted"?

MJ

Re: why is smtpd_recipient_restrictions ignored..?

Viktor Dukhovni


> On Mar 22, 2018, at 7:58 PM, mj <[hidden email]> wrote:
>
> On 03/23/2018 12:42 AM, Viktor Dukhovni wrote:
>> Almost certainly bounces, which did not come in via SMTP, they are originated
>> locally, when inbound mail from mail.ru is undeliverable, and sent outbound
>> via the smarthost.
> Yes, they are originated locally, yes, using a webform that is currently being abused.
>
>>> How can I make sure that this particular postfix instance will DISALLOW sending ANY email to @mail.ru?
>> Seems a rather harsh policy, but if you must:
>> transport:
>> mail.ru  error:5.1.2 Destination domain blacklisted
>
> It's very harsh, but we'll do it just for the time being, until we have fixed the webform.

If you have a compromised webform, DISABLE it, don't try to put on bandaids, or
assume that all the abuse will go to just one domain.

> Your solution works super, thanks a lot!
>
> Is there perhaps also another error code we can use, that blackholes the email, instead of politely bouncing it with a "Diagnostic-Code: X-Postfix; Destination domain blacklisted"?

Yes, but the right answer is turn off the webform until you can replace it
with something that is not open to abuse.

--
        Viktor.


Re: why is smtpd_recipient_restrictions ignored..?

mj
In reply to this post by mj


On 03/23/2018 12:58 AM, mj wrote:
> Is there perhaps also another error code we can use, that blackholes the
> email, instead of politely bouncing it with a "Diagnostic-Code:
> X-Postfix; Destination domain blacklisted"?

I just found the "discard" option.

Thank you again, Viktor!

MJ

Re: why is smtpd_recipient_restrictions ignored..?

mj
In reply to this post by Viktor Dukhovni


On 03/23/2018 01:06 AM, Viktor Dukhovni wrote:
> Yes, but the right answer is turn off the webform until you can replace it
> with something that is not open to abuse.

We will install a captcha tomorrow. (it's after midnight now)

It's also not *that* harmful: they subscribe to a wordpress
blog, using russian email addresses. Actually: We don't understand
what's in it for them...

The system then sends a confirmation email, that 99% of the
time is not clicked. And this all happens to four different .ru domains.

Requiring a captcha to subscribe will probably get rid of this.

MJ