Old 07-15-2008, 08:10 PM   #1
nhansense
LQ Newbie
 
Registered: Oct 2006
Posts: 9

Rep: Reputation: 0
how to Blacklist specific email in postfix


Hi all,

I have installed Postfix on my Ubuntu server and I am trying to blacklist a specific email address to a specific user or the whole domain itself. Is there a workaround for this? I've searched Google and I found this...

http://www.cyberciti.biz/faq/howto-b...email-address/

same within this forum....
http://www.linuxquestions.org/questi...cklist-501851/

but the two don't seem to be working. Anyone, please help. Thank you!

regards,

Last edited by nhansense; 07-15-2008 at 08:12 PM.
 
Old 07-15-2008, 09:52 PM   #2
uncle_philip
Member
 
Registered: Apr 2008
Location: sydney
Distribution: centos5.2
Posts: 50

Rep: Reputation: 15
I did it under file client_access.pcre,
/^ip-addr/ DISCARD
 
Old 07-16-2008, 12:09 AM   #3
nhansense
LQ Newbie
 
Registered: Oct 2006
Posts: 9

Original Poster
Rep: Reputation: 0
Could you please elaborate on how you did it?
 
Old 07-16-2008, 12:34 AM   #4
uncle_philip
Member
 
Registered: Apr 2008
Location: sydney
Distribution: centos5.2
Posts: 50

Rep: Reputation: 15
Under postfix, main.cf,
under smtpd_client_restrictions =
add line, check_client_access pcre:/....dir/client_access.pcre,

Create file client_access.pcre,
add line, /^ip-addr\./ DISCARD

It will drop any email from this ip-addr.
 
Old 07-16-2008, 01:20 AM   #5
nhansense
LQ Newbie
 
Registered: Oct 2006
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks for the reply. If I change the ip-addr to a specific email address, will it work? I tried it but it's not working... I'm trying to block a specific email address, not the domain itself.

Last edited by nhansense; 07-16-2008 at 01:28 AM.
 
Old 07-16-2008, 02:46 AM   #6
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
Show the output of postconf -n.

You will create a sender_restriction, but I need to see your default postfix setup to advise.
 
Old 07-16-2008, 03:10 AM   #7
nhansense
LQ Newbie
 
Registered: Oct 2006
Posts: 9

Original Poster
Rep: Reputation: 0
Tried IP address as well... still not working...
 
Old 07-16-2008, 03:12 AM   #8
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
If you are trying to blacklist an email address, why are you trying an IP address? Show your postconf -n and I'll show you what lines to add.
 
Old 07-16-2008, 03:16 AM   #9
nhansense
LQ Newbie
 
Registered: Oct 2006
Posts: 9

Original Poster
Rep: Reputation: 0
here it is...

main.cf

smtpd_sender_restriction = check_client_access pcre:/etc/postfix/client_access.pcre, permit_sasl_authenticated, permit_mynetworks,reject_non_fqdn_sender, reject_unknown_sender_domain,reject_unauth_pipelining,check_client_access, permit
 
Old 07-16-2008, 03:17 AM   #10
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
That is not postconf -n, and some of those checks don't make sense in that given stage.
 
Old 07-16-2008, 03:39 AM   #11
nhansense
LQ Newbie
 
Registered: Oct 2006
Posts: 9

Original Poster
Rep: Reputation: 0
sent you the results

Last edited by nhansense; 07-16-2008 at 03:43 AM.
 
Old 07-16-2008, 10:15 AM   #12
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
There is nothing confidential or compromising in your postconf -n output. It is standard, required practice on the postfix mailing list.

I'm summarizing here for others to learn as well:

Your postconf output does not match your early statements, so we'll just ignore those. This is why postconf -n output is mandatory. My comments follow below a section or line. I've added those lines in blue; you should remove things in red.

Code:
$ postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
debug_peer_list = 127.0.0.1
home_mailbox = Mailbox/
inet_interfaces = all
inet_protocols = all
mailbox_command = 
mailbox_size_limit = 0
message_size_limit = 20480000
mydestination = 

# mydestination is worth setting, even if to the default:
mydestination = $myhostname, localhost.$mydomain $mydomain

myhostname = <hostname>
mynetworks = <ip addresses>
myorigin = $mydomain
recipient_delimiter = +
relayhost = 
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)

# There's no need to announce you're on an Ubuntu platform.
smtpd_banner = $myhostname ESMTP $mail_name

smtpd_data_restrictions = reject_unauth_pipelining
# This is the correct stage for reject_unauth_pipelining.  
# It is useless in other stages; comments below. 

smtpd_recipient_restrictions = 
   reject_non_fqdn_recipient
   reject_non_fqdn_sender
# consider the cheap checks above for additional anti-spam.  
# They are safe, and effective.

   reject_unlisted_recipient
# you should reject all unknown recipients, otherwise you will be 
# inundated with hundreds of spam / day to gibberish @ yourdomain.com

   permit_sasl_authenticated,
# consider enabling and placing SASL authenticated users on the
# submission port (587) instead.  This avoids ISPs blocking port 25.
# You can also enforce mandatory TLS there, which you cannot here.

   permit_mynetworks,
   reject_unauth_destination,

   reject_unknown_sender_domain
# If the sender domain does not exist, how can you bounce the mail?
   reject_unknown_recipient_domain
# This is pretty obvious

    check_helo_access pcre:/etc/postfix/helo_checks.pcre
# This is where you can reject bogus helo/ehlo, such as those
# who claim to be localhost, your IP, your hostname, and even
# unqualified hosts.

   reject_invalid_helo_hostname
# this rejects helo/ehlo names that violate RFC standards

   check_client_access hash:/etc/postfix/client_checks
# This is where you can block by client IP or hostname
   check_sender_access hash:/etc/postfix/sender_checks
# This is where you can block by sender email address
# in both maps above, I've used hash, but you can change to pcre, or
# your choice of map.  Obviously, you have to make these map files.

   reject_unauth_pipelining,
# This is useless in this stage. It only makes sense in data restrictions.

   reject_non_fqdn_recipient,
# I moved this to the top - all your recipients should have
# fully qualified names.  Even root should have fully qualified email.

   reject_rbl_client zen.spamhaus.org
# The best rbl blocking service available. It will cut down
# spam by 30-40%

   reject_rbl_client bl.spamcop.net,
# spamcop isn't really a blacklisting service, it's better used for
# scoring systems, such as SpamAssassin.

   reject_rbl_client cbl.abuseat.org,
# probably will be less useful when using zen above

   check_policy_service inet:127.0.0.1:60000,
   permit

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/postfix.cert
smtpd_tls_key_file = /etc/postfix/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_create_maildirsize = yes
virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_mailbox_limit.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_overquota_bounce = yes
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf

OK, now for some client access and sender access maps:

Code:
/etc/postfix/client_checks
  # Restricts which clients this system accepts SMTP connections from.

  example.com               REJECT we don't tolerate example.com spam
  .example.com              REJECT we don't want your subdomains either
  ##.##.##.##               REJECT we don't accept your IP address
  ##.##.##.0/24             REJECT we don't accept your IP range
  ##                        REJECT we don't accept this IP block

/etc/postfix/sender_checks
   # Restricts sender addresses this system accepts in MAIL FROM commands.

   example.com              REJECT env. from addr any@example.com rejected
   .example.com             REJECT env. from addr any@sub.example.com rejected
   user@example.net         REJECT We don't want your email

So those are some ways to reject mail from client IP or hostname, or sender email or domain and/or subdomains. If you use hash maps, be sure to postmap the file when done (but not for regexp/pcre maps).

Code:
postmap sender_checks
postmap client_checks
postfix reload  # if you want immediate update, otherwise postfix will notice

Here is an example helo_checks. This time I use pcre maps:

Code:
/etc/postfix/helo_checks.pcre:
   /^mydomain\.com$/                       REJECT Hijacked my domain "example.com"

   # Somebody HELO'ing with our IP address?
   /^##\.##\.##\.##$/                      REJECT Hijacked IP "##.##.##.##"

   # Somebody HELO'ing as "localhost?"  Impossible, we're "localhost"
   /^localhost$/                           REJECT Unacceptable: "localhost"
   /^localhost\.localdomain$/              REJECT Unacceptable: "localhost.localdomain"

   # Other usual suspects
   /^friend$/                              REJECT Unacceptable: "friend"
   /^computer$/                            REJECT Unacceptable: "computer"

   !/[[:alpha:]]/                          REJECT Unacceptable: Non-alphabetic hostname
   !/\./                                   REJECT Unacceptable: Unqualified hostname

Now, if you want to see how effective those checks are, try postfix_logwatch.

Last edited by Mr. C.; 07-16-2008 at 10:24 AM.
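
Added example (not part of the original thread or of Mr. C.'s configuration): a shell model of the key order that access(5) documents for `check_sender_access` lookups, showing why a `user@example.net` entry blocks a single address while an `example.com` entry blocks the whole domain and its subdomains. It assumes the default `parent_domain_matches_subdomains` setting (which lists `smtpd_access_maps`) and ignores address extensions; the names `sender_keys`, `sender_lookup` and `SAMPLE_MAP` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: models the key order access(5) documents for
# check_sender_access, assuming the default parent_domain_matches_subdomains
# (which lists smtpd_access_maps). Address extensions are not modelled.

# Print the lookup keys for an envelope sender, most specific first.
sender_keys() {
    addr=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    user=${addr%@*}
    d=${addr##*@}
    printf '%s\n' "$addr"            # 1. user@domain
    while :; do
        printf '%s\n' "$d"           # 2. domain, then each parent domain
        case $d in
            *.*) d=${d#*.} ;;
            *)   break ;;
        esac
    done
    printf '%s@\n' "$user"           # 3. user@ (any domain)
}

# Print the action of the first key found in a map's plain-text source file.
# Entries must start in column 1: access(5) treats a line that begins with
# whitespace as a continuation of the previous logical line.
sender_lookup() {
    for key in $(sender_keys "$1"); do
        action=$(awk -v k="$key" '
            /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
            tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$2")
        if [ -n "$action" ]; then
            printf '%s\n' "$action"
            return 0
        fi
    done
    printf 'DUNNO\n'                 # no key matched: later restrictions decide
}

# Constructed sample map, modelled on the sender_checks file in the post above.
SAMPLE_MAP=$(mktemp)
cat > "$SAMPLE_MAP" <<'EOF'
# constructed sample entries
example.com        REJECT env. from addr any@example.com rejected
user@example.net   REJECT We don't want your email
EOF

sender_keys  'Bob@Mail.Example.com'
sender_lookup 'Bob@Mail.Example.com' "$SAMPLE_MAP"
sender_lookup 'user@example.net'     "$SAMPLE_MAP"
sender_lookup 'other@example.net'    "$SAMPLE_MAP"
```

Each key that `sender_keys` prints can be checked against the real table with `postmap -q <key> hash:/etc/postfix/sender_checks`, which performs a single-key lookup only.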
 
Old 07-16-2008, 10:47 PM   #13
nhansense
LQ Newbie
 
Registered: Oct 2006
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks so much for the great tutorial, Mr. C! I really do appreciate your help... I will implement these changes and will give you feedback!
 
Old 07-16-2008, 11:48 PM   #14
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
You're welcome. Hang out on the postfix list. Loads of good info there from the experts.
 
Old 08-19-2008, 07:42 AM   #15
schmidtedv
LQ Newbie
 
Registered: Aug 2008
Posts: 3

Rep: Reputation: 0
Quote:
Originally Posted by Mr. C. View Post

Code:
/etc/postfix/client_checks
  # Restricts which clients this system accepts SMTP connections from.

  example.com   REJECT we don't tolerate example.com spam
Code:
/etc/postfix/helo_checks.pcre:
   /^mydomain\.com$/   REJECT Hijacked my domain "example.com"

   # Somebody HELO'ing with our IP address?
   /^##\.##\.##\.##$/   REJECT Hijacked IP "##.##.##.##"

Just some questions on this nice howto:

For the line in helo_checks.pcre, should I put (in case I got goofy.de)

/^goofy\.de$/ REJECT Hijacked my domain "goofy.de" ??? Or would I leave it as is (mydomain\.de$)? I'm not sure if mydomain here is a variable or just an example....

Another one is client_checks:

Can I just put a list of country-endings I would never expect mail from inside like this:

Code:
.ad REJECT I don't expect mail from you!
.ru REJECT I don't expect mail from you!
...

And last question in my case for main.cf:

Code:
mime_header_checks = pcre:/etc/postfix/mime-header-checks

qmgr_fudge_factor = 70

queue_minfree = 102400000

bounce_size_limit = 30720
bounce_template_file = /etc/postfix/bounce.cf

delay_warning_time = 30m
bounce_queue_lifetime = 3d
maximal_queue_lifetime = 3d

default_recipient_limit = 300
default_destination_recipient_limit = 30
default_destination_concurrency_limit = 10

smtpd_helo_required = yes
smtpd_delay_reject = yes

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

smtpd_data_restrictions =
 reject_unauth_pipelining

smtpd_client_restrictions = 

smtpd_helo_restrictions = 

smtpd_sender_restrictions = 

smtpd_recipient_restrictions =
 reject_non_fqdn_recipient,
 reject_non_fqdn_sender,
 reject_unlisted_recipient,
 permit_sasl_authenticated,
 permit_mynetworks,
 reject_unauth_destination,
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 check_helo_access pcre:/etc/postfix/helo_checks.pcre,
 reject_invalid_helo_hostname,
 check_client_access hash:/etc/postfix/client_checks,
 check_sender_access hash:/etc/postfix/sender_checks,
 reject_rbl_client zen.spamhaus.org,
 check_policy_service inet:127.0.0.1:60000,
 permit

Is this config a working example :-) ?
Should I put in some kind of restrictions for

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =

too?

Last edited by schmidtedv; 08-19-2008 at 07:43 AM.
 
  

