LinuxQuestions.org - Linux - Server: How to configure postfix to reject mails having invalid return path (http://www.linuxquestions.org/questions/linux-server-73/how-to-configure-postfix-to-reject-mails-having-invalid-return-path-655018/)

badboynick21 07-11-2008 01:42 AM

How to configure postfix to reject mails having invalid return path
 
Hello Friends,

I am getting spam mails in my inbox and SpamAssassin can't do anything about it, because the mails are coming from my own mail ID but the Return-Path and Message-ID are different.

So how can I tell Postfix to drop mail where the From ID and the Return-Path are not the same?

Here is the header:


From: Clarissa Fischer <jeebesh@sarai.net>
Date: 9 July 2008 1:08:09 PM GMT+05:30
To: <jeebesh@sarai.net>
Subject: RE: Dear jeebesh@sarai.net 79% Savings ...3 Days Only
Return-Path: <telg@cspaysbleuets.qc.ca>
X-Original-To: jeebesh@sarai.net
Delivered-To: jeebesh@sarai.net
Received: by mail.sarai.net (Postfix, from userid 1006) id 4DC952C48011; Wed, 9 Jul 2008 13:08:14 +0530 (IST)
Received: from kassa-1 (unknown [195.177.116.170]) by mail.sarai.net (Postfix) with SMTP id F10C02C48003 for <jeebesh@sarai.net>; Wed, 9 Jul 2008 13:08:09 +0530 (IST)
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mail.sarai.net
X-Spam-Status: No, score=-63.8 required=4.7 tests=DIGEST_MULTIPLE, HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,MIME_HTML_ONLY, PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK, RCVD_IN_XBL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL, URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL,USER_IN_WHITELIST autolearn=no version=3.2.4
X-Mailer: CME-V6.5.4.3; MSN
Message-Id: <20080709123810.3101.qmail@kassa-1>
X-Antivirus: avast! (VPS 080708-0, 08.07.2008), Outbound message
X-Antivirus-Status: Clean
X-Sanitizer: Advosys mail filter
Mime-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

Mr. C. 07-11-2008 01:59 AM

There are header or body check rules you can apply, but these can easily reject mail inadvertently, so you have to use them very carefully.

What is curious is why that mail scored a -63! Are you doing some sort of white-listing and reducing the score? Surely no amount of spam scoring will be effective with scoring like this.

Show the output of postconf -n if you would like some advice about your smtpd_*_restrictions that may help reduce your spam.

badboynick21 07-23-2008 02:57 AM

Quote:

Originally Posted by Mr. C. (Post 3210833)
There are header or body check rules you can apply, but these can easily reject mail inadvertently, so you have to use them very carefully.

What is curious is why that mail scored a -63! Are you doing some sort of white-listing and reducing the score? Surely no amount of spam scoring will be effective with scoring like this.

Show the output of postconf -n if you would like some advice about your smtpd_*_restrictions that may help reduce your spam.


Here is the output of postconf -n:

relocated_maps = mysql:/etc/postfix/virtual_relocated_maps.cf
smtp_destination_concurrency_limit = 5
smtp_destination_recipient_limit = 10
smtp_host_lookup = native
smtpd_client_restrictions = reject_rbl_client bl.spamcop.net, permit
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_recipient_access hash:/etc/postfix/access, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining


What I am trying to do is stop mail coming in like this:

......................................................................
From: Diane Glass <jeebesh@sarai.net>
Date: 11 July 2008 6:47:48 PM GMT+05:30
To: <jeebesh@sarai.net>
Subject: Dear jeebesh@sarai.net July 83% 0FF
Return-Path: <jeebeshpanda@hotmail.com>
X-Original-To: jeebesh@sarai.net
Delivered-To: jeebesh@sarai.net
Received: by mail.sarai.net (Postfix, from userid 1006) id DFE862C48004; Fri, 11 Jul 2008 18:47:56 +0530 (IST)
Received: from kevin-bmvhpyeu8 (unknown [213.207.221.250]) by mail.sarai.net (Postfix) with SMTP id 0A8B4109402C for <jeebesh@sarai.net>; Fri, 11 Jul 2008 18:47:48 +0530 (IST)
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mail.sarai.net
X-Spam-Status: No, score=-69.6 required=4.7 tests=DIGEST_MULTIPLE,HTML_MESSAGE, MIME_HTML_ONLY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100, RAZOR2_CHECK,RCVD_IN_PBL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL, URIBL_OB_SURBL,URIBL_SBL,USER_IN_WHITELIST autolearn=no version=3.2.4
X-Mailer: CME-V6.5.4.3; MSN
Message-Id: <20080711084755.16336.qmail@kevin-bmvhpyeu8>

.......................................................................


If you have any suggestion, please reply.

Mr. C. 07-23-2008 03:12 AM

See my post here regarding some notes on various smtpd_*_restrictions.

We still have not accounted for that large negative (-69.6) score. We can only help if you answer the questions asked to gain more insight into your setup. If you don't respond, help will be... less helpful.

Unless you've modified the standard SpamAssassin tests, this score must be coming from your USER_IN_WHITELIST. There is little point to using SpamAssassin if you are going to whitelist based on a header field that is easily forged (which it is in this case). This message most likely would have scored above your spam threshold had you not whitelisted the (forged) user.

Do you know how to run a mail message through spamassassin manually? You should remove your whitelisting from local.cf, and re-run the message to see how it scores.

badboynick21 07-23-2008 04:19 AM

Quote:

Originally Posted by badboynick21 (Post 3223420)
Here is the output of postconf -n:

relocated_maps = mysql:/etc/postfix/virtual_relocated_maps.cf
smtp_destination_concurrency_limit = 5
smtp_destination_recipient_limit = 10
smtp_host_lookup = native
smtpd_client_restrictions = reject_rbl_client bl.spamcop.net, permit
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_recipient_access hash:/etc/postfix/access, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining


What I am trying to do is stop mail coming in like this:

......................................................................
From: Diane Glass <jeebesh@sarai.net>
Date: 11 July 2008 6:47:48 PM GMT+05:30
To: <jeebesh@sarai.net>
Subject: Dear jeebesh@sarai.net July 83% 0FF
Return-Path: <jeebeshpanda@hotmail.com>
X-Original-To: jeebesh@sarai.net
Delivered-To: jeebesh@sarai.net
Received: by mail.sarai.net (Postfix, from userid 1006) id DFE862C48004; Fri, 11 Jul 2008 18:47:56 +0530 (IST)
Received: from kevin-bmvhpyeu8 (unknown [213.207.221.250]) by mail.sarai.net (Postfix) with SMTP id 0A8B4109402C for <jeebesh@sarai.net>; Fri, 11 Jul 2008 18:47:48 +0530 (IST)
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mail.sarai.net
X-Spam-Status: No, score=-69.6 required=4.7 tests=DIGEST_MULTIPLE,HTML_MESSAGE, MIME_HTML_ONLY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100, RAZOR2_CHECK,RCVD_IN_PBL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL, URIBL_OB_SURBL,URIBL_SBL,USER_IN_WHITELIST autolearn=no version=3.2.4
X-Mailer: CME-V6.5.4.3; MSN
Message-Id: <20080711084755.16336.qmail@kevin-bmvhpyeu8>

.......................................................................


If you have any suggestion, please reply.

Will this do my job?

smtpd_sender_restrictions =
reject_non_fqdn_sender (reject email address not in user@domain.com format)
reject_unknown_sender_domain (reject mail from domain.com if domain.com does not exist)

badboynick21 07-23-2008 04:39 AM

Quote:

Originally Posted by Mr. C. (Post 3223431)
See my post here regarding some notes on various smtpd_*_restrictions.

We still have not accounted for that large negative (-69.6) score. We can only help if you answer the questions asked to gain more insight into your setup. If you don't respond, help will be... less helpful.

Unless you've modified the standard SpamAssassin tests, this score must be coming from your USER_IN_WHITELIST. There is little point to using SpamAssassin if you are going to whitelist based on a header field that is easily forged (which it is in this case). This message most likely would have scored above your spam threshold had you not whitelisted the (forged) user.

Do you know how to run a mail message through spamassassin manually? You should remove your whitelisting from local.cf, and re-run the message to see how it scores.


Sorry for replying so late.

Yes, this is why my domain is in the whitelist, but I can't remove it from the whitelist.

badboynick21 07-23-2008 05:05 AM

Can you please tell me how to run a mail message through SpamAssassin manually?

Mr. C. 07-23-2008 01:40 PM

Quote:

Originally Posted by badboynick21 (Post 3223481)
Will this do my job?

smtpd_sender_restrictions =
reject_non_fqdn_sender (reject email address not in user@domain.com format)
reject_unknown_sender_domain (reject mail from domain.com if domain.com does not exist)

I can't tell if it will solve the problem you are trying to solve. These restrictions act on the ENVELOPE sender; this isn't present in the email headers and body you've shown. You can see envelope sender and recipient in your logs.

You can place the restrictions above in smtpd_recipient_restrictions instead (they will just be evaluated later, when the recipient address comes in from the SMTP dialog).

There are many anti-spam measures you can take. But you have to try each out one at a time to see how they will affect your incoming mail. It is a learning experience and will take some time. Your expectations need to be reset; you will not get this done overnight. Rather, it will be something you continually tune until the system works correctly for your needs.

Quote:

Originally Posted by badboynick21 (Post 3223481)
Sorry for replying so late.

Yes, this is why my domain is in the whitelist, but I can't remove it from the whitelist.

Well, you will have to live with others forging your address (which is trivial by the way, and COMMON) and sending you spam. You simply can't have it both ways.

There are BETTER ways of allowing your mail to come through, while rejecting others. Why do you think you need that whitelist ?

Quote:

Originally Posted by badboynick21 (Post 3223506)
Can you please tell me how to run a mail message through SpamAssassin manually?

spamassassin -t < yourmessagefile

badboynick21 07-24-2008 06:23 AM

Thanks Mr. C.

Thanks for the help. I have removed that whitelisting from SpamAssassin and now it's good; my spam is reduced.

Can you tell me the BETTER ways of allowing your mail to come through, please?

Mr. C. 07-24-2008 02:33 PM

Excellent.

So the question isn't so much how to allow mail to come through - that is the normal mode. The question is why are certain mails being blocked? And for this, it requires an analysis of the headers of the mail and postfix logs.

I want to make a strong point - if you are not willing to dedicate a fair amount of time and energy into learning about how mail systems work, you'll be in for a lot of troubles and surprises when trying to run your own mail server.

Something you need to get clear in your own mind. You're talking about mail as if it all fits one Good pattern, and if mail doesn't fit that pattern, then the mail is Bad. It doesn't work that way. There are an infinite number of variations of Good email, and infinite permutations of Bad. So when you say "allowing your mail to come through", or "stop the mail coming like this", I have no idea specifically what you mean by "your mail" or "like this", or what parts of the mail message should not be allowed.

I won't build your mail system for you (unless you want to hire me); but I will give you free pointers and tips along the way. You have to do the bulk of the work.

Start by reading the documents here:
http://www.postfix.org/documentation.html

especially:

http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/SOHO_README.html

and all the relevant Content inspection documentation on the main documentation page.

You should also consider integrating an anti-virus checker in your content inspection; this alone will add a substantial amount of additional protection.

There are plenty of HowTos that people seem to like, so search the forums here for advice on which ones are best for your needs. HowTos are almost universally not how to, but are cookbook-like step-by-step recipes for putting pieces together. These are good to get you started, but I strongly believe it is important to learn HOW the system works.

Eduardo Nunes 08-29-2010 04:38 PM

simple content_filter for postfix
 
Hello!

It has been a long time that I have been looking for something similar: checking whether the MAIL FROM: SMTP command (Return-Path) and the mail header From: match, because most of the spam, virus and phishing mails nowadays identify themselves as one email but fake the From: header.

So, as Postfix only checks one line at a time, there is no way of checking whether two lines match. Nor does SpamAssassin seem to do that (as far as I have read the rule-writing documentation, it can check two or more headers for a content, but it does not check whether they have the same content).

I developed a simple content-filter script that does the trick: it checks whether the From: header matches the Return-Path (the email specified in the MAIL FROM: SMTP command). If both headers match, the message is delivered; if not, the message is discarded.

Installation is fast, usage is easy and the concept is simple! Hope you all enjoy as much as I do! :D

You can check it out at my blog, http://blog.eduardo.nunes.net.br/128..._from_check-sh

Best Regards,

Eduardo Nunes

Mr. C. 08-29-2010 05:11 PM

This will create problems for mailing lists that routinely use different return paths vs. From headers.

Eduardo Nunes 08-29-2010 05:25 PM

Quote:

Originally Posted by Mr. C. (Post 4081688)
This will create problems for mailing lists that routinely use different return paths vs. From headers.

I guess it's easy for anyone to place an extra check in the content_filter script: if the Message-ID or Return-Path is from the mailing list, also deliver the message ;)

I'm not subscribed on any so I would not know...

Mr. C. 08-29-2010 05:43 PM

You're subscribed to one here - that's how you got notification of my response. In this case, the Return Path and From are almost identical, but you'll have to do RFC email address parsing, a non-trivial task.

Return-Path: <forum @ linuxquestions.org>
From: "LinuxQuestions.org" <forum @ linuxquestions.org>

But it is standard and common practice for these two to be different, for example:

Return-Path: <apache @ mozillazine.org>
From: <forums @ mozillazine.org>

There are loads of extra checks that would be required to ensure reliable delivery. Better to use a scoring system, rather than flat out rejecting or quarantining. Besides, there are plenty of other indicators typically in an email that will decide its spaminess or reject-worthiness (such as sending IP, RBLs, etc.).

Eduardo Nunes 08-30-2010 09:27 AM

Quote:

Originally Posted by Mr. C. (Post 4081715)
You're subscribed to one here - that's how you got notification of my response.

lol, I am not! You answered too quick for me to check it in time :)

Quote:

Originally Posted by Mr. C. (Post 4081715)
In this case, the Return Path and From are almost identical, but you'll have to do RFC email address parsing, a non-trivial task.

Return-Path: <forum @ linuxquestions.org>
From: "LinuxQuestions.org" <forum @ linuxquestions.org>

But it is standard and common practice for these two to be different, for example:

Return-Path: <apache @ mozillazine.org>
From: <forums @ mozillazine.org>

There are loads of extra checks that would be required to ensure reliable delivery. Better to use a scoring system, rather than flat out rejecting or quarantining. Besides, there are plenty of other indicators typically in an email that will decide its spaminess or reject-worthiness (such as sending IP, RBLs, etc.).

I can consider adding a domain-only check. The way it works now suits my system perfectly, dropping all those wow/aion/etc. phishing emails that come from hotmail.

Due to your previous post, I thought you were talking about mailing lists like maillist@domain.org that would have the mailing list's return path, but the From header of whoever sent the email. Because of that I added a whitelist for the Return-Path.

You are welcome to check out my blog, I hope Google translation helps :) There are plenty of postfix rules that may help exterminate spam and reduce the usage of RBL lists...

Best Regards!
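The Return-Path versus From comparison debated above (Mr. C.'s point that it needs RFC address parsing and a scoring result rather than a flat reject, and Eduardo's Return-Path whitelist for mailing lists), as an added example that is not Eduardo's content_filter script nor anything from the thread. It uses Python's standard email parser; the sample messages and the score values are constructed, modelled on the forged header and the mozillazine example quoted in the thread.

```python
from email import message_from_string, policy
from email.utils import parseaddr


def _addr(msg, header):
    """Return (localpart, domain) of the address in `header`, lowercased.

    parseaddr handles display names and angle brackets per RFC 5322, so
    '"LinuxQuestions.org" <forum@linuxquestions.org>' yields the bare address.
    """
    _, addr = parseaddr(str(msg.get(header, "")))
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def mismatch_score(raw_message, list_return_paths=frozenset()):
    """Return (score, reason) for the Return-Path / From relationship.

    Scores are constructed for this example; feed them into a scoring
    system (e.g. alongside RBL and sending-IP checks) rather than rejecting.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    rp_local, rp_domain = _addr(msg, "Return-Path")
    from_local, from_domain = _addr(msg, "From")
    if not rp_domain:                          # '<>' (bounce) or header absent
        return 0, "no-envelope-sender"
    if f"{rp_local}@{rp_domain}" in list_return_paths:
        return 0, "allowlisted-return-path"    # known mailing-list bounce address
    if (rp_local, rp_domain) == (from_local, from_domain):
        return 0, "match"
    if rp_domain == from_domain:
        return 1, "same-domain"                # common for lists: apache@ vs forums@
    return 3, "domain-mismatch"                # forged From, as in the thread


# Constructed sample modelled on the forged message quoted in the thread.
FORGED = """From: Diane Glass <jeebesh@sarai.net>
Return-Path: <jeebeshpanda@hotmail.com>
To: <jeebesh@sarai.net>
Subject: constructed sample

body
"""

# Constructed sample of a list whose bounce address differs from From.
LIST_MAIL = """Return-Path: <apache@mozillazine.org>
From: <forums@mozillazine.org>
To: <someone@example.com>
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print(mismatch_score(FORGED))      # (3, 'domain-mismatch')
    print(mismatch_score(LIST_MAIL))   # (1, 'same-domain')
    print(mismatch_score(LIST_MAIL, {"apache@mozillazine.org"}))
```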
