I have installed Postfix on my Ubuntu server and I am trying to blacklist a specific email address to a specific user or the whole domain itself. Is there a workaround for this? I've searched Google and I found this...
There is nothing confidential or compromising in your postconf -n output. It is standard, required practice on the postfix mailing list.
I'm summarizing here for others to learn as well:
Your postconf output does not match your early statements, so we'll just ignore those. This is why postconf -n output is mandatory. My comments follow below a section or line. I've added those lines in blue; you should remove things in red.
$ postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
debug_peer_list = 127.0.0.1
home_mailbox = Mailbox/
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
message_size_limit = 20480000
# mydestination is worth setting, even if to the default:
mydestination = $myhostname, localhost.$mydomain $mydomain
myhostname = <hostname>
mynetworks = <ip addresses>
myorigin = $mydomain
recipient_delimiter = +
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
# There's no need to announce you're on an Ubuntu platform.
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_data_restrictions = reject_unauth_pipelining
# This is the correct stage for reject_unauth_pipelining.
# It is useless in other stages; comments below.
# consider the cheap checks above for additional anti-spam.
# They are safe, and effective.
# you should reject all unknown recipients, otherwise you will be
# inundated with hundreds of spam / day to gibberish @ yourdomain.com
# consider enabling and placing SASL authenticated users on the
# submission port (587) instead. This avoids ISPs blocking port 25.
# You can also enforce mandatory TLS there, which you cannot here.
# If the sender domain does not exist, how can you bounce the mail?
# This is pretty obvious
# This is where you can reject bogus helo/ehlo, such as those
# who claim to be localhost, your IP, your hostname, and even
# unqualified hosts.
# this rejects helo/ehlo names that violate RFC standards
# This is where you can block by client IP or hostname
# This is where you can block by sender email address
# in both maps above, I've used hash, but you can change to pcre, or
# your choice of map. Obviously, you have to make these map files.
# This is useless in this stage. It only makes sense in data restrictions.
# I moved this to the top - all your recipients should have
# fully qualified names. Even root should have fully qualified email.
# The best rbl blocking service available. It will cut down
# spam by 30-40%
# spamcop isn't really a blacklisting service, it's better used for
# scoring systems, such as SpamAssassin.
# probably will be less useful when using zen above
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/postfix.cert
smtpd_tls_key_file = /etc/postfix/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_create_maildirsize = yes
virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_mailbox_limit.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_overquota_bounce = yes
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf
Ok, now for some client access and sender access maps:
# Restricts which clients this system accepts SMTP connections from.
example.com REJECT we don't tolerate example.com spam
.example.com REJECT we don't want your subdomains either
##.##.##.## REJECT we don't accept your IP address
##.##.##.0/24 REJECT we don't accept your IP range
## REJECT we don't accept this IP block
# Restricts sender addresses this system accepts in MAIL FROM commands.
example.com REJECT env. from addr firstname.lastname@example.org rejected
.example.com REJECT env. from addr email@example.com rejected
firstname.lastname@example.org REJECT We don't want your email
So those are some ways to reject mail from client IP or hostname, or sender email or domain and/or subdomains. If you use hash maps, be sure to postmap the file when done (but not for regexp/pcre maps).
postfix reload # if you want immediate update, otherwise postfix will notice
Here is an example helo_checks. This time I use pcre maps:
/^mydomain\.com$/ REJECT Hijacked my domain "example.com"
# Somebody HELO'ing with our IP address?
/^##\.##\.##\.##$/ REJECT Hijacked IP "##.##.##.##"
# Somebody HELO'ing as "localhost?" Impossible, we're "localhost"
/^localhost$/ REJECT Unacceptable: "localhost"
/^localhost\.localdomain$/ REJECT Unacceptable: "localhost.localdomain"
# Other usual suspects
/^friend$/ REJECT Unacceptable: "friend"
/^computer$/ REJECT Unacceptable: "computer"
!/[[:alpha:]]/ REJECT Unacceptable: Non-alphabetic hostname
!/\./ REJECT Unacceptable: Unqualified hostname
Now, if you want to see how effective those checks are, try postfix_logwatch.
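An added example, not part of the original post: the helo_checks rules above evaluated top to bottom against constructed HELO names, showing that the first applicable rule wins and how the negated !/re/ rules fire. The helo_verdict helper, the sample names and the 192.0.2.10 placeholder are assumptions, and grep -E stands in for Postfix's pcre engine, which is sufficient for these particular patterns.

```shell
#!/bin/sh
# Constructed copy of the helo_checks rules quoted above. 192.0.2.10 is a
# placeholder (documentation range) standing in for the masked server IP.
HELO_RULES='/^mydomain\.com$/ REJECT Hijacked my domain
/^192\.0\.2\.10$/ REJECT Hijacked IP
/^localhost$/ REJECT Unacceptable: "localhost"
/^localhost\.localdomain$/ REJECT Unacceptable: "localhost.localdomain"
/^friend$/ REJECT Unacceptable: "friend"
/^computer$/ REJECT Unacceptable: "computer"
!/[[:alpha:]]/ REJECT Unacceptable: Non-alphabetic hostname
!/\./ REJECT Unacceptable: Unqualified hostname'

# helo_verdict NAME (hypothetical helper): print the action of the first
# rule that applies, or DUNNO when none does.
helo_verdict() {
    name=$1
    while IFS= read -r rule; do
        negate=0
        case $rule in
            ''|'#'*) continue ;;                 # blank line or comment
            '!'*) negate=1; rule=${rule#?} ;;    # !/re/ fires when re does NOT match
        esac
        rest=${rule#/}          # drop the opening slash
        pattern=${rest%%/ *}    # regex: text before the closing "/ "
        action=${rest#*/ }      # result: everything after it
        # -i: Postfix regexp/pcre tables match case-insensitively by default.
        if printf '%s\n' "$name" | grep -Eiq -- "$pattern"; then hit=1; else hit=0; fi
        if [ "$hit" -ne "$negate" ]; then
            printf '%s\n' "$action"
            return 0
        fi
    done <<EOF
$HELO_RULES
EOF
    printf 'DUNNO\n'
}

# Constructed HELO names: placeholder IP, address literal, bare host, FQDN.
for helo in LOCALHOST 192.0.2.10 '[203.0.113.7]' mailhost mail.example.net; do
    printf '%-18s -> %s\n' "$helo" "$(helo_verdict "$helo")"
done
```

On a live server the same lookup can be run with postmap -q NAME pcre:/etc/postfix/helo_checks, assuming the table is saved under that name. The address literal [203.0.113.7], a form RFC 5321 permits in EHLO, is caught by the non-alphabetic rule, so check logs for legitimate senders that announce themselves that way.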