Linux - Server
This forum is for the discussion of Linux Software used in a server related context.
I have installed Postfix on my Ubuntu server and I am trying to blacklist a specific email address for a specific user, or the whole domain itself. Is there a workaround for this? I've searched Google and I found this...
Thanks for the reply. If I change the ip-addr to a specific email address, will it work? I tried it but it's not working... I'm trying to block a specific email address, not the domain itself.
There is nothing confidential or compromising in your postconf -n output. It is standard, required practice on the postfix mailing list.
I'm summarizing here for others to learn as well:
Your postconf output does not match your early statements, so we'll just ignore those. This is why postconf -n output is mandatory. My comments follow below a section or line. I've added those lines in blue; you should remove things in red.
Code:
$ postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
debug_peer_list = 127.0.0.1
home_mailbox = Mailbox/
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
message_size_limit = 20480000
mydestination =
# mydestination is worth setting, even if to the default:
mydestination = $myhostname, localhost.$mydomain $mydomain
myhostname = <hostname>
mynetworks = <ip addresses>
myorigin = $mydomain
recipient_delimiter = +
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
# There's no need to announce you're on an Ubuntu platform.
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_data_restrictions = reject_unauth_pipelining
# This is the correct stage for reject_unauth_pipelining.
# It is useless in other stages; comments below.
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    # consider the cheap checks above for additional anti-spam.
    # They are safe, and effective.
    reject_unlisted_recipient
    # you should reject all unknown recipients, otherwise you will be
    # inundated with hundreds of spam / day to gibberish @ yourdomain.com
    permit_sasl_authenticated,
    # consider enabling and placing SASL authenticated users on the
    # submission port (587) instead. This avoids ISPs blocking port 25.
    # You can also enforce mandatory TLS there, which you cannot here.
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_sender_domain
    # If the sender domain does not exist, how can you bounce the mail?
    reject_unknown_recipient_domain
    # This is pretty obvious
    check_helo_access pcre:/etc/postfix/helo_checks.pcre
    # This is where you can reject bogus helo/ehlo, such as those
    # who claim to be localhost, your IP, your hostname, and even
    # unqualified hosts.
    reject_invalid_helo_hostname
    # this rejects helo/ehlo names that violate RFC standards
    check_client_access hash:/etc/postfix/client_checks
    # This is where you can block by client IP or hostname
    check_sender_access hash:/etc/postfix/sender_checks
    # This is where you can block by sender email address
    # in both maps above, I've used hash, but you can change to pcre, or
    # your choice of map. Obviously, you have to make these map files.
    reject_unauth_pipelining,
    # This is useless in this stage. It only makes sense in data restrictions.
    reject_non_fqdn_recipient,
    # I moved this to the top - all your recipients should have
    # fully qualified names. Even root should have fully qualified email.
    reject_rbl_client zen.spamhaus.org
    # The best rbl blocking service available. It will cut down
    # spam by 30-40%
    reject_rbl_client bl.spamcop.net,
    # spamcop isn't really a blacklisting service, it's better used for
    # scoring systems, such as SpamAssassin.
    reject_rbl_client cbl.abuseat.org,
    # probably will be less useful when using zen above
    check_policy_service inet:127.0.0.1:60000,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/postfix.cert
smtpd_tls_key_file = /etc/postfix/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_create_maildirsize = yes
virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_mailbox_limit.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_overquota_bounce = yes
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf
Ok, now for some client access and sender access maps:
Code:
/etc/postfix/client_checks
# Restricts which clients this system accepts SMTP connections from.
example.com REJECT we don't tolerate example.com spam
.example.com REJECT we don't want your subdomains either
##.##.##.## REJECT we don't accept your IP address
##.##.##.0/24 REJECT we don't accept your IP range
## REJECT we don't accept this IP block
/etc/postfix/sender_checks
# Restricts sender addresses this system accepts in MAIL FROM commands.
example.com REJECT env. from addr any@example.com rejected
.example.com REJECT env. from addr any@sub.example.com rejected
user@example.net REJECT We don't want your email
So those are some ways to reject mail from client IP or hostname, or sender email or domain and/or subdomains. If you use hash maps, be sure to postmap the file when done (but not for regexp/pcre maps).
Code:
postmap sender_checks
postmap client_checks
postfix reload # if you want immediate update, otherwise postfix will notice
Here is an example helo_checks. This time I use pcre maps:
Code:
/etc/postfix/helo_checks.pcre:
/^mydomain\.com$/ REJECT Hijacked my domain "example.com"
# Somebody HELO'ing with our IP address?
/^##\.##\.##\.##$/ REJECT Hijacked IP "##.##.##.##"
# Somebody HELO'ing as "localhost?" Impossible, we're "localhost"
/^localhost$/ REJECT Unacceptable: "localhost"
/^localhost\.localdomain$/ REJECT Unacceptable: "localhost.localdomain"
# Other usual suspects
/^friend$/ REJECT Unacceptable: "friend"
/^computer$/ REJECT Unacceptable: "computer"
!/[[:alpha:]]/ REJECT Unacceptable: Non-alphabetic hostname
!/\./ REJECT Unacceptable: Unqualified hostname
Now, if you want to see how effective those checks are, try postfix_logwatch.
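How a hash: table such as the sender_checks file above is searched for a single envelope sender, following the lookup order documented in access(5). This is an added example, not code from the thread or from Postfix. It is a simplified model (address extensions are not handled) and the function names are hypothetical.

```python
# Added illustration: simplified model of the check_sender_access lookup
# against an indexed (hash:) table. Entries are the thread's sample
# sender_checks lines; function names are hypothetical.

SENDER_CHECKS = {
    "example.com": "REJECT env. from addr any@example.com rejected",
    ".example.com": "REJECT env. from addr any@sub.example.com rejected",
    "user@example.net": "REJECT We don't want your email",
}


def lookup_keys(sender, parent_matches_subdomains=True):
    """Return the keys tried for one sender address, in lookup order."""
    sender = sender.lower()
    local, _, domain = sender.rpartition("@")
    keys = [sender, domain]            # 1. user@domain, 2. domain
    labels = domain.split(".")
    for i in range(1, len(labels)):    # 3. each parent domain, down to the TLD
        parent = ".".join(labels[i:])
        # When smtpd_access_maps is listed in parent_domain_matches_subdomains
        # (the Postfix default), the bare parent name is the key; otherwise
        # only the ".parent" form matches subdomains.
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(local + "@")           # 4. user@ (this user at any domain)
    return keys


def check_sender_access(sender, table=SENDER_CHECKS,
                        parent_matches_subdomains=True):
    """Return (matched_key, action), or (None, None) when nothing matches
    and Postfix would move on to the next restriction in the list."""
    for key in lookup_keys(sender, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, None


if __name__ == "__main__":
    for addr in ("user@example.net", "other@example.net",
                 "any@example.com", "any@sub.example.com"):
        print(addr, "->", check_sender_access(addr))
```

The full-address key is tried first, so a `user@example.net` entry rejects only that sender while other addresses in example.net fall through. With the default parent_domain_matches_subdomains setting, the bare `example.com` entry already covers subdomains and the `.example.com` form is not consulted.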
Code:
/etc/postfix/client_checks
# Restricts which clients this system accepts SMTP connections from.
example.com REJECT we don't tolerate example.com spam
Code:
/etc/postfix/helo_checks.pcre:
/^mydomain\.com$/ REJECT Hijacked my domain "example.com"
# Somebody HELO'ing with our IP address?
/^##\.##\.##\.##$/ REJECT Hijacked IP "##.##.##.##"
Just some questions on this nice howto:
For the line in helo_checks.pcre, should I put (in case I got goofy.de):
/^goofy\.de$/ REJECT Hijacked my domain "goofy.de"
Or would I leave it as is (mydomain\.de$)? I'm not sure if mydomain here is a variable or just an example...
Another one is client_checks:
Can I just put a list of country-endings I would never expect mail from inside like this:
Code:
.ad REJECT I don't expect mail from you!
.ru REJECT I don't expect mail from you!