LinuxQuestions.org


nhansense 07-15-2008 09:10 PM

how to Blacklist specific email in postfix
 
Hi all,

I have installed postfix on my Ubuntu server and I am trying to blacklist a specific email address for a specific user or the whole domain itself. Is there a workaround for this? I've searched Google and I found this...

http://www.cyberciti.biz/faq/howto-b...email-address/

same within this forum....
http://www.linuxquestions.org/questi...cklist-501851/

but the two seem not to be working... anyone, please help... Thank you!

regards,

uncle_philip 07-15-2008 10:52 PM

I did it under file client_access.pcre,
/^ip-addr/ DISCARD

nhansense 07-16-2008 01:09 AM

Could you please elaborate on how you did it?

uncle_philip 07-16-2008 01:34 AM

under postfix, main.cf,
under smtpd_client_restrictions =
add line, check_client_access pcre:/....dir/client_access.pcre,

create file client_access.pcre,
add line, /^ip-addr\./ DISCARD

it will drop any email from this ip-addr.

nhansense 07-16-2008 02:20 AM

Thanks for the reply. If I change the ip-addr to a specific email address, will it work? I tried it but it's not working... I'm trying to block a specific email address, not the domain itself.. :)

Mr. C. 07-16-2008 03:46 AM

Show the output of postconf -n.

You will create a sender_restriction, but I need to see your default postfix setup to advise.

nhansense 07-16-2008 04:10 AM

tried IP address as well... still not working... :(

Mr. C. 07-16-2008 04:12 AM

If you are trying to blacklist an email address, why are you trying an IP address? Show your postconf -n and I'll show you what lines to add.

nhansense 07-16-2008 04:16 AM

here it is...

main.cf

smtpd_sender_restriction = check_client_access pcre:/etc/postfix/client_access.pcre, permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain,reject_unauth_pipelining,check_client_access, permit

Mr. C. 07-16-2008 04:17 AM

That is not postconf -n, and some of those checks don't make sense in that given stage.

nhansense 07-16-2008 04:39 AM

sent you the results

Mr. C. 07-16-2008 11:15 AM

There is nothing confidential or compromising in your postconf -n output. It is standard, required practice on the postfix mailing list.

I'm summarizing here for others to learn as well:

Your postconf output does not match your early statements, so we'll just ignore those. This is why postconf -n output is mandatory. My comments follow below a section or line. I've added those lines in blue; you should remove things in red.

Code:

$ postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
debug_peer_list = 127.0.0.1
home_mailbox = Mailbox/
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
message_size_limit = 20480000
mydestination =

# mydestination is worth setting, even if to the default:
mydestination = $myhostname, localhost.$mydomain $mydomain

myhostname = <hostname>
mynetworks = <ip addresses>
myorigin = $mydomain
recipient_delimiter = +
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)

# There's no need to announce you're on an Ubuntu platform.
smtpd_banner = $myhostname ESMTP $mail_name

smtpd_data_restrictions = reject_unauth_pipelining
# This is the correct stage for reject_unauth_pipelining. 
# It is useless in other stages; comments below.

smtpd_recipient_restrictions =
  reject_non_fqdn_recipient
  reject_non_fqdn_sender

# consider the cheap checks above for additional anti-spam. 
# They are safe, and effective.

  reject_unlisted_recipient
# you should reject all unknown recipients, otherwise you will be
# inundated with hundreds of spam / day to gibberish @ yourdomain.com

  permit_sasl_authenticated,
# consider enabling and placing SASL authenticated users on the
# submission port (587) instead.  This avoids ISPs blocking port 25.
# You can also enforce mandatory TLS there, which you cannot here.

  permit_mynetworks,
  reject_unauth_destination,

  reject_unknown_sender_domain
# If the sender domain does not exist, how can you bounce the mail?
  reject_unknown_recipient_domain
# This is pretty obvious

    check_helo_access pcre:/etc/postfix/helo_checks.pcre
# This is where you can reject bogus helo/ehlo, such as those
# who claim to be localhost, your IP, your hostname, and even
# unqualified hosts.

  reject_invalid_helo_hostname
# this rejects helo/ehlo names that violate RFC standards

  check_client_access hash:/etc/postfix/client_checks
# This is where you can block by client IP or hostname
  check_sender_access hash:/etc/postfix/sender_checks
# This is where you can block by sender email address
# in both maps above, I've used hash, but you can change to pcre, or
# your choice of map.  Obviously, you have to make these map files.

  reject_unauth_pipelining,
# This is useless in this stage. It only makes sense in data restrictions.

  reject_non_fqdn_recipient,
# I moved this to the top - all your recipients should have
# fully qualified names.  Even root should have fully qualified email.

  reject_rbl_client zen.spamhaus.org
# The best rbl blocking service available. It will cut down
# spam by 30-40%

  reject_rbl_client bl.spamcop.net,
# spamcop isn't really a blacklisting service, it's better used for
# scoring systems, such as SpamAssassin.

  reject_rbl_client cbl.abuseat.org,
# probably will be less useful when using zen above

  check_policy_service inet:127.0.0.1:60000,
  permit

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/postfix.cert
smtpd_tls_key_file = /etc/postfix/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_create_maildirsize = yes
virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_mailbox_limit.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_overquota_bounce = yes
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf

Ok, now for some client access and sender access maps:

Code:

/etc/postfix/client_checks
  # Restricts which clients this system accepts SMTP connections from.

  example.com              REJECT we don't tolerate example.com spam
  .example.com              REJECT we don't want your subdomains either
  ##.##.##.##              REJECT we don't accept your IP address
  ##.##.##.0/24            REJECT we don't accept your IP range
  ##                        REJECT we don't accept this IP block

/etc/postfix/sender_checks
  # Restricts sender addresses this system accepts in MAIL FROM commands.

  example.com              REJECT env. from addr any@example.com rejected
  .example.com            REJECT env. from addr any@sub.example.com rejected
  user@example.net        REJECT We don't want your email

So those are some ways to reject mail from client IP or hostname, or sender email or domain and/or subdomains. If you use hash maps, be sure to postmap the file after you're done (but not for regexp/pcre maps):
Code:

postmap sender_checks
postmap client_checks
postfix reload  # if you want immediate update, otherwise postfix will notice

Here is an example helo_checks. This time I use pcre maps:
Code:

/etc/postfix/helo_checks.pcre:
  /^mydomain\.com$/                      REJECT Hijacked my domain "example.com"

  # Somebody HELO'ing with our IP address?
  /^##\.##\.##\.##$/                      REJECT Hijacked IP "##.##.##.##"

  # Somebody HELO'ing as "localhost?"  Impossible, we're "localhost"
  /^localhost$/                          REJECT Unacceptable: "localhost"
  /^localhost\.localdomain$/              REJECT Unacceptable: "localhost.localdomain"

  # Other usual suspects
  /^friend$/                              REJECT Unacceptable: "friend"
  /^computer$/                            REJECT Unacceptable: "computer"

  !/[[:alpha:]]/                          REJECT Unacceptable: Non-alphabetic hostname
  !/\./                                  REJECT Unacceptable: Unqualified hostname

Now, if you want to see how effective those checks are, try postfix_logwatch.
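An added illustration of how Postfix probes the three kinds of table shown above (client_checks, sender_checks, helo_checks.pcre); this is example code written for this page, not Mr. C.'s or Postfix's own code, and the table entries are constructed. It assumes the default parent_domain_matches_subdomains (which lists smtpd_access_maps), so a bare "example.com" key also covers its subdomains, and it leaves out the network/mask form. It shows why an email address placed in client_checks never matches: client lookups are keyed on the connecting host, sender lookups on the MAIL FROM address.

```python
import re

# Constructed sample tables shaped like the thread's client_checks,
# sender_checks and helo_checks.pcre (hypothetical entries, not real data).
CLIENT_CHECKS = {"example.com": "REJECT", "192.0.2.5": "REJECT", "198.51.100": "REJECT"}
SENDER_CHECKS = {"example.com": "REJECT", "user@example.net": "REJECT"}
# (negate, pattern, action); Python's re lacks [[:alpha:]], so [A-Za-z] stands in.
HELO_CHECKS = [(False, r"^localhost(\.localdomain)?$", "REJECT"),
               (True, r"[A-Za-z]", "REJECT"),   # "!/.../" in a pcre map
               (True, r"\.", "REJECT")]


def host_keys(client):
    """Keys a hash: table is probed with for a client IP or hostname, in
    Postfix order: the full value first, then each parent domain (hostname)
    or each shorter dotted prefix (IPv4 address)."""
    labels = client.split(".")
    if all(label.isdigit() for label in labels):      # a.b.c.d, a.b.c, a.b, a
        return [".".join(labels[:n]) for n in range(len(labels), 0, -1)]
    return [".".join(labels[i:]) for i in range(len(labels))]   # host, parents


def sender_keys(addr):
    """MAIL FROM lookup order: user@domain, the domain and its parents, user@."""
    user, _, domain = addr.rpartition("@")
    return [addr] + host_keys(domain) + [user + "@"]


def hash_lookup(table, keys):
    """First key present in the table wins; DUNNO means 'no opinion'."""
    for key in keys:
        if key in table:
            return table[key]
    return "DUNNO"


def pcre_lookup(rules, helo):
    """pcre: tables are scanned top to bottom; a leading '!' inverts a match."""
    for negate, pattern, action in rules:
        if bool(re.search(pattern, helo)) != negate:
            return action
    return "DUNNO"


if __name__ == "__main__":
    print(hash_lookup(CLIENT_CHECKS, host_keys("mail.example.com")))   # REJECT
    print(hash_lookup(CLIENT_CHECKS, host_keys("user@example.net")))   # DUNNO
    print(hash_lookup(SENDER_CHECKS, sender_keys("user@example.net")))  # REJECT
    print(pcre_lookup(HELO_CHECKS, "friend"))                           # REJECT
```

Swap in your own table contents to see which key a given client or sender would be matched on before you edit the live map and run postmap.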

nhansense 07-16-2008 11:47 PM

Thanks so much for the great tutorial Mr. C! I really do appreciate your help....I will implement these changes and will give you feedback!

Mr. C. 07-17-2008 12:48 AM

You're welcome. Hang out on the postfix list. Loads of good info there from the experts.

schmidtedv 08-19-2008 08:42 AM

Quote:

Originally Posted by Mr. C. (Post 3216503)

Code:

/etc/postfix/client_checks
  # Restricts which clients this system accepts SMTP connections from.

  example.com  REJECT we don't tolerate example.com spam

Code:

/etc/postfix/helo_checks.pcre:
  /^mydomain\.com$/  REJECT Hijacked my domain "example.com"

  # Somebody HELO'ing with our IP address?
  /^##\.##\.##\.##$/  REJECT Hijacked IP "##.##.##.##"


Just some questions on this nice howto:

For the line in helo_checks.pcre should I put (in case i got goofy.de)

/^goofy\.de$/ REJECT Hijacked my domain "goofy.de" ??? Or would I leave it as is (mydomain\.de$)? I'm not sure if mydomain here is a variable or just an example....

Another one is client_checks:

Can I just put a list of country-endings I would never expect mail from inside like this:

Code:

.ad REJECT I don't expect mail from you!
.ru REJECT I don't expect mail from you!

...

And last question in my case for main.cf:

Code:

mime_header_checks = pcre:/etc/postfix/mime-header-checks

qmgr_fudge_factor = 70

queue_minfree = 102400000

bounce_size_limit = 30720
bounce_template_file = /etc/postfix/bounce.cf

delay_warning_time = 30m
bounce_queue_lifetime = 3d
maximal_queue_lifetime = 3d

default_recipient_limit = 300
default_destination_recipient_limit = 30
default_destination_concurrency_limit = 10

smtpd_helo_required = yes
smtpd_delay_reject = yes

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

smtpd_data_restrictions =
 reject_unauth_pipelining

smtpd_client_restrictions =

smtpd_helo_restrictions =

smtpd_sender_restrictions =

smtpd_recipient_restrictions =
 reject_non_fqdn_recipient,
 reject_non_fqdn_sender,
 reject_unlisted_recipient,
 permit_sasl_authenticated,
 permit_mynetworks,
 reject_unauth_destination,
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 check_helo_access pcre:/etc/postfix/helo_checks.pcre,
 reject_invalid_helo_hostname,
 check_client_access hash:/etc/postfix/client_checks,
 check_sender_access hash:/etc/postfix/sender_checks,
 reject_rbl_client zen.spamhaus.org,
 check_policy_service inet:127.0.0.1:60000,
 permit

Is this config a working example :-) ?
Should I put in some kind of restrictions for

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =

too?
