LinuxQuestions.org
Old 03-08-2006, 06:35 PM   #1
CRCool75
Member
 
Registered: Jul 2004
Location: Alabama, USA
Distribution: OpenSuse 12.1
Posts: 64

Rep: Reputation: 15
Rejecting domains with Postfix...


Hello,

Can anybody steer me in the right direction to blocking email addresses/domains with Postfix? I have read over the Postfix site and it appears to have something to do with the access file. I do the directions, but Postfix then rejects all mail nor does it send any sort of rejection reply back to the host.

Thanks
 
Old 03-08-2006, 06:39 PM   #2
CRCool75
Member
 
Registered: Jul 2004
Location: Alabama, USA
Distribution: OpenSuse 12.1
Posts: 64

Original Poster
Rep: Reputation: 15
Oh, I mean be blocking incoming mail. I am trying to add domains or addresses one by one to our access file to reject spammer addresses.
 
Old 03-08-2006, 08:02 PM   #3
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
Quote:
Originally Posted by CRCool75
Oh, I mean be blocking incoming mail. I am trying to add domains or addresses one by one to our access file to reject spammer addresses.
I think you will find out that fighting spam by rejecting a sender address (envelope sender -or- header sender) will be useless. Spammers always change the from address on each run.

FWIW: I use a combination of RBL checks, client checks and spamassassin to fight spam with postfix. The difference being the checks are done against the connecting IP address of the sending MTA -and- the content of the message body. It's not 100%, but it works pretty well. I do reject against sender addresses, but only when I'm dealing with newsletter subscriptions that always have a fixed sender address.

To answer your question, below are some examples of my access list entries. I don't have many entries, most of my spam checks are done using other UCE features of postfix.

Code:
# Reject e-mail claiming to be from aol.com etc... but actually connects
# from an unknown host.
compuserve.com          reject_unknown_client
msn.com                 reject_unknown_client
aol.com                 reject_unknown_client
hotmail.com             reject_unknown_client
yahoo.com               reject_unknown_client

# Reject jerks claiming to be from the hosted domains of this MTA
example1.com          REJECT  You are NOT from example1.com
example2.com          REJECT  You are NOT from example2.com
example3.com          REJECT  You are NOT from example3.com

Some other postfix UCE type checks that address your question are:

reject_rbl_client
check_client_access
check_helo_access
check_sender_access
check_recipient_access

The reject_rbl_client (using SORBS) catches the most spam at my end. With the check_helo_access coming in second.

BTW: Did you compile the access file after you made changes?
Good Luck!
 
Old 03-08-2006, 08:18 PM   #4
CRCool75
Member
 
Registered: Jul 2004
Location: Alabama, USA
Distribution: OpenSuse 12.1
Posts: 64

Original Poster
Rep: Reputation: 15
Thanks scowles, and yes, I did compile it.

I understand the access file, but how are you getting Postfix to look at that? All these different tags like smtpd_client_check and all the others are confusing the hell outa me.
 
Old 03-09-2006, 07:42 AM   #5
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
It sounds like you may be confusing the sendmail access file with how an access file is used and specified in postfix.

The postfix access file is more of a specification on how to specify checks within postfix that can be performed at different stages of the smtp transaction. So the file /etc/postfix/access is not read by postfix by default, it must be specified in one of the check_*_access tags in main.cf. Like what I mentioned in my post.

Example:
Code:
smtpd_etrn_restrictions =
  check_client_access hash:/etc/postfix/etrn_access
  reject

# Checks performed after connect from MTA
smtpd_client_restrictions =
  permit_mynetworks
  reject_unauth_pipelining
  check_client_access hash:/etc/postfix/whitelist_client
  reject_rbl_client dnsbl.sorbs.net
  check_client_access hash:/etc/postfix/reject_clients
  check_client_access pcre:/etc/postfix/reject_clients.pcre

# Checks performed during HELO handshake
smtpd_helo_restrictions =
  permit_mynetworks
  reject_invalid_hostname
  reject_non_fqdn_hostname
  check_helo_access hash:/etc/postfix/helo_access

# Checks performed after MAIL FROM
smtpd_sender_restrictions =
  permit_mynetworks
  reject_non_fqdn_sender
  check_sender_access hash:/etc/postfix/reject_sender
  check_sender_access regexp:/etc/postfix/reject_sender.regexp
  reject_rhsbl_sender dsn.rfc-ignorant.org

# Checks performed after RCPT TO, but prior to DATA
smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
  reject_invalid_hostname
  reject_non_fqdn_hostname
  reject_non_fqdn_recipient
  reject_unlisted_recipient
  check_sender_access hash:/etc/postfix/whitelist_sender
  check_recipient_access hash:/etc/postfix/filtered_domains
  permit

Notes:

1) Each check_*_access listed specifies a different file. The contents of each file conform to the postfix access file specification mentioned in the top of /etc/postfix/access. So in your case, you would need to specify your access file in one of the check_*_access entries.

2) In my case, each check is specified at different stages of the smtp transaction, but most can be combined under the smtpd_recipient_restrictions= stage. In fact, it's actually more efficient to combine all checks under smtpd_recipient_restrictions. I chose not to - to help battle dictionary attacks that were clogging my logfiles and skewing my daily stats.

Finally, once you feel comfortable in using the postfix access file and how to apply them to check_*_access, take a look at adding regexp and pcre to the mix. Regular expression syntax (especially the perl based ones, pcre) are incredibly powerful in combating spam and viruses. I use them to help block MTAs from residential (dhcp assigned) IP addresses that SORBS does not catch.
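
Added example (not part of the thread, and not Postfix source code): a simplified Python model of the key search order that check_sender_access applies to an indexed table such as /etc/postfix/reject_sender, following the order documented in access(5). The table entries and the spammer.example / list.example names are constructed sample data; only the REJECT, OK and DUNNO actions are modelled, and address extensions are ignored.

```python
# Simplified model of a check_sender_access lookup against a hash: table.
# Constructed sample data standing in for /etc/postfix/reject_sender.
REJECT_SENDER = {
    "spammer.example": "REJECT Mail from this domain is not accepted",
    "news@list.example": "REJECT Unsubscribed newsletter",
    "partner@spammer.example": "OK",  # one address exempted from the domain block
    "postmaster@": "DUNNO",           # tried last, so it cannot override a domain entry
}


def lookup_keys(sender, parent_matches_subdomains=True):
    """Yield lookup keys in access(5) order: user@domain, domain(s), user@."""
    local, _, domain = sender.lower().rpartition("@")
    yield f"{local}@{domain}"
    yield domain
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        # When smtpd_access_maps is listed in parent_domain_matches_subdomains
        # (the default), the bare parent domain matches subdomains; otherwise
        # only an explicit ".parent" key does.
        yield parent if parent_matches_subdomains else "." + parent
    yield f"{local}@"


def check_sender_access(table, sender, parent_matches_subdomains=True):
    """Return the action of the first key found, or None if nothing matches."""
    for key in lookup_keys(sender, parent_matches_subdomains):
        if key in table:
            return table[key]
    return None


def sender_stage(table, sender):
    """Outcome of a sender stage holding only this one check_sender_access."""
    action = check_sender_access(table, sender)
    if action is None or action.split()[0] == "DUNNO":
        return "permit"  # no decision here; nothing later in the list objects
    verb = action.split()[0]
    if verb == "REJECT":
        return "reject"
    if verb == "OK":
        return "permit"
    raise ValueError(f"action not modelled: {action}")


if __name__ == "__main__":
    for s in ("bob@mail.spammer.example", "partner@spammer.example",
              "postmaster@spammer.example", "alice@example.org"):
        print(s, "->", sender_stage(REJECT_SENDER, s))
```

On a real system, `postmap -q <key> hash:/etc/postfix/reject_sender` shows what a single key returns from the compiled table.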
 
  

