Old 07-11-2008, 12:42 AM   #1
badboynick21
LQ Newbie
 
Registered: Jul 2008
Posts: 13

Rep: Reputation: 0
Post How to configure postfix to reject mails having invalid return path


Hello Friends

I am having spam mails in my inbox and SpamAssassin can't do anything about it because the mails are coming from my own mail ID, but the return path and Message-Id are different.

So how can I tell Postfix to drop mail that does not have the same From ID and return path?


Here is the header .......


From: Clarissa Fischer <jeebesh@sarai.net>

Date: 9 July 2008 1:08:09 PM GMT+05:30

To: <jeebesh@sarai.net>

Subject: RE: Dear jeebesh@sarai.net 79% Savings ...3 Days Only

Return-Path: <telg@cspaysbleuets.qc.ca>

X-Original-To: jeebesh@sarai.net

Delivered-To: jeebesh@sarai.net

Received: by mail.sarai.net (Postfix, from userid 1006) id 4DC952C48011; Wed, 9 Jul 2008 13:08:14 +0530 (IST)

Received: from kassa-1 (unknown [195.177.116.170]) by mail.sarai.net (Postfix) with SMTP id F10C02C48003 for <jeebesh@sarai.net>; Wed, 9 Jul 2008 13:08:09 +0530 (IST)

X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mail.sarai.net

X-Spam-Status: No, score=-63.8 required=4.7 tests=DIGEST_MULTIPLE, HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,MIME_HTML_ONLY, PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK, RCVD_IN_XBL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL, URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL,USER_IN_WHITELIST autolearn=no version=3.2.4

X-Mailer: CME-V6.5.4.3; MSN

Message-Id: <20080709123810.3101.qmail@kassa-1>

X-Antivirus: avast! (VPS 080708-0, 08.07.2008), Outbound message

X-Antivirus-Status: Clean

X-Sanitizer: Advosys mail filter

Mime-Version: 1.0

Content-Type: text/html; charset="ISO-8859-1"

Content-Transfer-Encoding: 7bit
 
Old 07-11-2008, 12:59 AM   #2
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
There are header or body check rules you can apply, but these can easily reject mail inadvertently, so you have to use them very carefully.

What is curious is why that mail scored a -63! Are you doing some sort of white-listing and reducing the score? Surely no amount of spam scoring will be effective with scoring like this.

Show the output of postconf -n if you would like some advice about your smtpd_*_restrictions that may help reduce your spam.

Last edited by Mr. C.; 07-23-2008 at 01:58 AM.
 
Old 07-23-2008, 01:57 AM   #3
badboynick21
LQ Newbie
 
Registered: Jul 2008
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Mr. C. View Post
There are header or body check rules you can apply, but these can easily reject mail inadvertently, so you have to use them very carefully.

What is curious is why that mail scored a -63! Are you doing some sort of white-listing and reducing the score? Surely no amount of spam scoring will be effective with scoring like this.

Show the output of postconf -n if you would like some advice about your smtpd_*_restrictions that may help reduce your spam.

Here is the output of postconf -n .............

relocated_maps = mysql:/etc/postfix/virtual_relocated_maps.cf
smtp_destination_concurrency_limit = 5
smtp_destination_recipient_limit = 10
smtp_host_lookup = native
smtpd_client_restrictions = reject_rbl_client bl.spamcop.net, permit
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_recipient_access hash:/etc/postfix/access, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining


What I am trying to do is stop the mail coming like this.......

......................................................................
From: Diane Glass <jeebesh@sarai.net>

Date: 11 July 2008 6:47:48 PM GMT+05:30

To: <jeebesh@sarai.net>

Subject: Dear jeebesh@sarai.net July 83% 0FF

Return-Path: <jeebeshpanda@hotmail.com>

X-Original-To: jeebesh@sarai.net

Delivered-To: jeebesh@sarai.net

Received: by mail.sarai.net (Postfix, from userid 1006) id DFE862C48004; Fri, 11 Jul 2008 18:47:56 +0530 (IST)

Received: from kevin-bmvhpyeu8 (unknown [213.207.221.250]) by mail.sarai.net (Postfix) with SMTP id 0A8B4109402C for <jeebesh@sarai.net>; Fri, 11 Jul 2008 18:47:48 +0530 (IST)

X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mail.sarai.net

X-Spam-Status: No, score=-69.6 required=4.7 tests=DIGEST_MULTIPLE,HTML_MESSAGE, MIME_HTML_ONLY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100, RAZOR2_CHECK,RCVD_IN_PBL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL, URIBL_OB_SURBL,URIBL_SBL,USER_IN_WHITELIST autolearn=no version=3.2.4

X-Mailer: CME-V6.5.4.3; MSN

Message-Id: <20080711084755.16336.qmail@kevin-bmvhpyeu8>

.......................................................................


If you have any suggestions, please reply.
 
Old 07-23-2008, 02:12 AM   #4
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
See my post here regarding some notes on various smtpd_*_restrictions.

We still have not accounted for that large negative (-69.6) score. We can only help if you answer the questions asked to gain more insight into your setup. If you don't respond, help will be... less helpful.

Unless you've modified the standard SpamAssassin tests, this score must be coming from your USER_IN_WHITELIST. There is little point to using SpamAssassin if you are going to whitelist based on a header field that is easily forged (which it is in this case). This message most likely would have scored above your spam threshold had you not whitelisted the (forged) user.

Do you know how to run a mail message through spamassassin manually? You should remove your whitelisting from local.cf, and re-run the message to see how it scores.
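
To make the USER_IN_WHITELIST point above concrete, here is an added example (not part of the original posts) that parses the X-Spam-Status values from the two spam headers in this thread and recomputes each score with the whitelist rule removed. It assumes the stock SpamAssassin score of -100 for USER_IN_WHITELIST; the function and variable names are illustrative.

```python
import re

# Assumption: USER_IN_WHITELIST carries its stock SpamAssassin score of -100.
WHITELIST_RULES = {"USER_IN_WHITELIST": -100.0}

STATUS_RE = re.compile(
    r"(?P<verdict>Yes|No),\s*score=(?P<score>-?[\d.]+)\s+"
    r"required=(?P<required>-?[\d.]+)\s+tests=(?P<tests>.*?)\s+autolearn=",
    re.S,
)

def audit_spam_status(value):
    """Recompute an X-Spam-Status score with the whitelist rules removed."""
    m = STATUS_RE.match(value.strip())
    if m is None:
        raise ValueError("unrecognised X-Spam-Status value")
    # The tests list is comma separated and may contain folding whitespace.
    tests = [t.strip() for t in m.group("tests").split(",") if t.strip()]
    score, required = float(m.group("score")), float(m.group("required"))
    hits = [t for t in tests if t in WHITELIST_RULES]
    without = round(score - sum(WHITELIST_RULES[t] for t in hits), 1)
    return {
        "score": score,
        "required": required,
        "whitelist_hits": hits,
        "score_without_whitelist": without,
        # True when only the whitelist keeps the message under the threshold.
        "masked_by_whitelist": score < required <= without,
    }

# X-Spam-Status values copied from the two spam headers shown in this thread.
THREAD_SAMPLES = [
    "No, score=-63.8 required=4.7 tests=DIGEST_MULTIPLE, HTML_IMAGE_ONLY_20,"
    "HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,MIME_HTML_ONLY, PYZOR_CHECK,"
    "RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK, RCVD_IN_XBL,"
    "RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL, URIBL_OB_SURBL,"
    "URIBL_SC_SURBL,URIBL_WS_SURBL,USER_IN_WHITELIST autolearn=no version=3.2.4",
    "No, score=-69.6 required=4.7 tests=DIGEST_MULTIPLE,HTML_MESSAGE, MIME_HTML_ONLY,"
    "PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100, RAZOR2_CHECK,"
    "RCVD_IN_PBL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL, URIBL_OB_SURBL,"
    "URIBL_SBL,USER_IN_WHITELIST autolearn=no version=3.2.4",
]
# Constructed sample: an ordinary message that hits no whitelist rule.
CLEAN_SAMPLE = "No, score=0.3 required=4.7 tests=HTML_MESSAGE autolearn=no version=3.2.4"

if __name__ == "__main__":
    for value in THREAD_SAMPLES + [CLEAN_SAMPLE]:
        r = audit_spam_status(value)
        print(r["score"], "->", r["score_without_whitelist"],
              "masked by whitelist:", r["masked_by_whitelist"])
```

Both messages from the thread land far above the required 4.7 once the forged-address whitelist hit is taken out.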
 
Old 07-23-2008, 03:19 AM   #5
badboynick21
LQ Newbie
 
Registered: Jul 2008
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by badboynick21 View Post
Here is the output of postconf -n .............

relocated_maps = mysql:/etc/postfix/virtual_relocated_maps.cf
smtp_destination_concurrency_limit = 5
smtp_destination_recipient_limit = 10
smtp_host_lookup = native
smtpd_client_restrictions = reject_rbl_client bl.spamcop.net, permit
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_recipient_access hash:/etc/postfix/access, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining


What I am trying to do is stop the mail coming like this.......

......................................................................
From: Diane Glass <jeebesh@sarai.net>

Date: 11 July 2008 6:47:48 PM GMT+05:30

To: <jeebesh@sarai.net>

Subject: Dear jeebesh@sarai.net July 83% 0FF

Return-Path: <jeebeshpanda@hotmail.com>

X-Original-To: jeebesh@sarai.net

Delivered-To: jeebesh@sarai.net

Received: by mail.sarai.net (Postfix, from userid 1006) id DFE862C48004; Fri, 11 Jul 2008 18:47:56 +0530 (IST)

Received: from kevin-bmvhpyeu8 (unknown [213.207.221.250]) by mail.sarai.net (Postfix) with SMTP id 0A8B4109402C for <jeebesh@sarai.net>; Fri, 11 Jul 2008 18:47:48 +0530 (IST)

X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mail.sarai.net

X-Spam-Status: No, score=-69.6 required=4.7 tests=DIGEST_MULTIPLE,HTML_MESSAGE, MIME_HTML_ONLY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100, RAZOR2_CHECK,RCVD_IN_PBL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL, URIBL_OB_SURBL,URIBL_SBL,USER_IN_WHITELIST autolearn=no version=3.2.4

X-Mailer: CME-V6.5.4.3; MSN

Message-Id: <20080711084755.16336.qmail@kevin-bmvhpyeu8>

.......................................................................


If you have any suggestions, please reply.



Will this do my job.......

smtpd_sender_restrictions =
reject_non_fqdn_sender (reject email address not in user@domain.com format)
reject_unknown_sender_domain (reject mail domain.com if domain.com does not exist)
 
Old 07-23-2008, 03:39 AM   #6
badboynick21
LQ Newbie
 
Registered: Jul 2008
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Mr. C. View Post
See my post here regarding some notes on various smtpd_*_restrictions.

We still have not accounted for that large negative (-69.6) score. We can only help if you answer the questions asked to gain more insight into your setup. If you don't respond, help will be... less helpful.

Unless you've modified the standard SpamAssassin tests, this score must be coming from your USER_IN_WHITELIST. There is little point to using SpamAssassin if you are going to whitelist based on a header field that is easily forged (which it is in this case). This message most likely would have scored above your spam threshold had you not whitelisted the (forged) user.

Do you know how to run a mail message through spamassassin manually? You should remove your whitelisting from local.cf, and re-run the message to see how it scores.

Sorry for replying so late.

Yes, this is why my domain is in the whitelist, but I can't remove it from the whitelist ..........
 
Old 07-23-2008, 04:05 AM   #7
badboynick21
LQ Newbie
 
Registered: Jul 2008
Posts: 13

Original Poster
Rep: Reputation: 0
Can you please tell me how to run a mail message through SpamAssassin manually?
 
Old 07-23-2008, 12:40 PM   #8
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
Quote:
Originally Posted by badboynick21 View Post
Will this do my job.......

smtpd_sender_restrictions =
reject_non_fqdn_sender (reject email address not in user@domain.com format)
reject_unknown_sender_domain (reject mail domain.com if domain.com does not exist)
I can't tell if it will solve the problem you are trying to solve. These restrictions act on the ENVELOPE sender; this isn't present in the email headers and body you've shown. You can see envelope sender and recipient in your logs.

You can place the restrictions above in smtpd_recipient_restrictions instead (they will just be evaluated later, when the recipient address comes in from the SMTP dialog).

There are many anti-spam measures you can take. But you have to try each out one at a time to see how they will affect your incoming mail. It is a learning experience and will take some time. Your expectations need to be reset; you will not get this done overnight. Rather, it will be something you continually tune until the system works correctly for your needs.

Quote:
Originally Posted by badboynick21 View Post
Sorry for replying so late.

Yes, this is why my domain is in the whitelist, but I can't remove it from the whitelist ..........
Well, you will have to live with others forging your address (which is trivial by the way, and COMMON) and sending you spam. You simply can't have it both ways.

There are BETTER ways of allowing your mail to come through, while rejecting others. Why do you think you need that whitelist ?

Quote:
Originally Posted by badboynick21 View Post
Can you please tell me how to run a mail message through SpamAssassin manually?
spamassassin -t < yourmessagefile

Last edited by Mr. C.; 07-23-2008 at 12:42 PM.
 
Old 07-24-2008, 05:23 AM   #9
badboynick21
LQ Newbie
 
Registered: Jul 2008
Posts: 13

Original Poster
Rep: Reputation: 0
Thanks Mr. C.

Thanks for the help. I have removed that whitelisting from SpamAssassin and now it's good, my spam is reduced.


Can you tell me the BETTER ways of allowing your mail to come through, please.....
 
Old 07-24-2008, 01:33 PM   #10
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
Excellent.

So the question isn't so much how to allow mail to come through - that is the normal mode. The question is why are certain mails being blocked? And for this, it requires an analysis of the headers of the mail and postfix logs.

I want to make a strong point - if you are not willing to dedicate a fair amount of time and energy into learning about how mail systems work, you'll be in for a lot of troubles and surprises when trying to run your own mail server.

Something you need to get clear in your own mind. You're talking about mail as if it all fits one Good pattern, and if mail doesn't fit that pattern, then the mail is Bad. It doesn't work that way. There are an infinite number of variations of Good email, and infinite permutations of Bad. So when you say "allowing your mail to come through", or "stop the mail coming like this", I have no idea specifically what you mean by "your mail" or "like this", or what parts of the mail message should not be allowed.

I won't build your mail system for you (unless you want to hire me); but I will give you free pointers and tips along the way. You have to do the bulk of the work.

Start by reading the documents here:
http://www.postfix.org/documentation.html

especially:

http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/SOHO_README.html

and all the relevant Content inspection documentation on the main documentation page.

You should also consider integrating an anti-virus checker in your content inspection; this alone will add a substantial amount of additional protection.

There are plenty of HowTos that people seem to like, so search the forums here for advice on which ones are best for your needs. HowTos are almost universally not how to, but are cookbook-like step-by-step recipes for putting pieces together. These are good to get you started, but I strongly believe it is important to learn HOW the system works.
 
Old 08-29-2010, 03:38 PM   #11
Eduardo Nunes
LQ Newbie
 
Registered: Aug 2010
Location: /root/SouthAmerica/Brazil/SaoPaulo/SP
Distribution: Slackware
Posts: 24

Rep: Reputation: 2
Post simple content_filter for postfix

Hello!

It has been a long time that I have been looking for something similar: checking whether the MAIL FROM: SMTP command (Return-Path) and the From: mail header match, because most spam, viruses and phishing nowadays identify themselves as one email address but fake the From: header on their emails.

So, as Postfix only checks one line at a time, there is no way of checking whether two lines match. SpamAssassin does not seem to do that either (as far as I have read in the rule-writing documentation, it can check two or more headers for some content, but it does not check whether they have the same content).

I developed a simple content-filter script that does the trick: it checks whether the From: header matches the Return-Path (the email address specified in the MAIL FROM: SMTP command). If both headers match, the message is delivered; if not, the message is discarded.

Installation is fast, usage is easy and the concept is simple! Hope you all enjoy as much as I do!

You can check it out at my blog, http://blog.eduardo.nunes.net.br/128..._from_check-sh

Best Regards,

Eduardo Nunes

Last edited by Eduardo Nunes; 08-29-2010 at 03:48 PM.
 
Old 08-29-2010, 04:11 PM   #12
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
This will create problems for mailing lists that routinely use different return paths vs. From headers.
 
1 members found this post helpful.
Old 08-29-2010, 04:25 PM   #13
Eduardo Nunes
LQ Newbie
 
Registered: Aug 2010
Location: /root/SouthAmerica/Brazil/SaoPaulo/SP
Distribution: Slackware
Posts: 24

Rep: Reputation: 2
Cool

Quote:
Originally Posted by Mr. C. View Post
This will create problems for mailing lists that routinely use different return paths vs. From headers.
I guess it's easy for anyone to place an extra check on the content_filter script if the Message-Id or Return-Path is from the mailing list and also deliver the message.

I'm not subscribed to any so I would not know...
 
Old 08-29-2010, 04:43 PM   #14
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
You're subscribed to one here - that's how you got notification of my response. In this case, the Return Path and From are almost identical, but you'll have to do RFC email address parsing, a non-trivial task.

Return-Path: <forum @ linuxquestions.org>
From: "LinuxQuestions.org" <forum @ linuxquestions.org>

But it is standard and common practice for these two to be different, for example:

Return-Path: <apache @ mozillazine.org>
From: <forums @ mozillazine.org>

There are loads of extra checks that would be required to ensure reliable delivery. Better to use a scoring system, rather than flat-out rejecting or quarantining. Besides, there are plenty of other indicators typically in an email that will decide its spamminess or reject-worthiness (such as sending IP, RBLs, etc.).

Last edited by Mr. C.; 08-29-2010 at 04:46 PM.
 
1 members found this post helpful.
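
As an added illustration of the scoring approach suggested above (this code is not from the thread or from the content filter mentioned in it), the sketch below parses the addresses with Python's standard email library and turns a From:/Return-Path mismatch into a score instead of a reject. The weights, function names and the `list_post` and `bounce` samples are constructed; it assumes the message already carries a Return-Path header, as in the headers posted earlier, and the forum's "user @ domain" obfuscation is undone in the samples.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical weights, to be tuned on real mail; not SpamAssassin defaults.
DOMAIN_MISMATCH = 1.0    # weak evidence: mailing lists do this legitimately
OWN_DOMAIN_FORGED = 3.0  # From: claims a local domain, envelope sender is foreign

def _addr(value):
    """Lower-cased addr-spec from a header value ('' when there is none)."""
    return parseaddr(value or "")[1].strip().lower()

def sender_mismatch_score(raw_message, own_domains):
    """Compare Return-Path with From: and return (score, reason)."""
    msg = message_from_string(raw_message)
    env, hdr = _addr(msg.get("Return-Path")), _addr(msg.get("From"))
    if not env:
        # Bounces use the null sender "<>", so there is nothing to compare.
        return 0.0, "null or missing envelope sender"
    if "@" not in hdr:
        return DOMAIN_MISMATCH, "From: carries no parseable address"
    env_dom, hdr_dom = env.rpartition("@")[2], hdr.rpartition("@")[2]
    if env_dom == hdr_dom:
        # Covers identical addresses and apache@ vs forums@ on one domain.
        return 0.0, "envelope and header sender share a domain"
    if hdr_dom in own_domains and env_dom not in own_domains:
        return (DOMAIN_MISMATCH + OWN_DOMAIN_FORGED,
                "local From: with foreign envelope sender")
    return DOMAIN_MISMATCH, "domains differ (normal for lists and forwarders)"

def _sample(return_path, from_header):
    """Build a minimal message for the demonstration."""
    return f"Return-Path: {return_path}\nFrom: {from_header}\n\nbody\n"

SAMPLES = {
    # Header pairs taken from this thread.
    "thread_spam": _sample("<jeebeshpanda@hotmail.com>",
                           "Diane Glass <jeebesh@sarai.net>"),
    "lq_notification": _sample("<forum@linuxquestions.org>",
                               '"LinuxQuestions.org" <forum@linuxquestions.org>'),
    "mozillazine": _sample("<apache@mozillazine.org>", "<forums@mozillazine.org>"),
    # Constructed samples.
    "list_post": _sample("<list-bounces@lists.example.org>",
                         "Alice <alice@example.com>"),
    "bounce": _sample("<>", "MAILER-DAEMON@example.net"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, sender_mismatch_score(raw, {"sarai.net"}))
```

A flat "must match" rule would have discarded the `list_post` message; here it only picks up 1.0, while the forged local sender picks up 4.0 and is left for the other indicators to push over the threshold.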
Old 08-30-2010, 08:27 AM   #15
Eduardo Nunes
LQ Newbie
 
Registered: Aug 2010
Location: /root/SouthAmerica/Brazil/SaoPaulo/SP
Distribution: Slackware
Posts: 24

Rep: Reputation: 2
Cool

Quote:
Originally Posted by Mr. C. View Post
You're subscribed to one here - that's how you got notification of my response.
lol, I am not! You answered too quick for me to check it in time

Quote:
Originally Posted by Mr. C. View Post
In this case, the Return Path and From are almost identical, but you'll have to do RFC email address parsing, a non-trivial task.

Return-Path: <forum @ linuxquestions.org>
From: "LinuxQuestions.org" <forum @ linuxquestions.org>

But it is standard and common practice for these two to be different, for example:

Return-Path: <apache @ mozillazine.org>
From: <forums @ mozillazine.org>

There are loads of extra checks that would be required to ensure reliable delivery. Better to use a scoring system, rather than flat-out rejecting or quarantining. Besides, there are plenty of other indicators typically in an email that will decide its spamminess or reject-worthiness (such as sending IP, RBLs, etc.).
I can consider adding a domain-only check. The way it works now suits my system perfectly, dropping all those wow/aion/etc phishing emails that come from hotmail.

Due to your previous post, I thought you were talking about mailing lists like maillist@domain.org that would have the mailing list return path, but the header From of whoever sent the email. Because of that I added a whitelist for the Return-Path.

You are welcome to check out my blog, I hope Google translation helps. There are plenty of Postfix rules that may help exterminate spam and reduce the usage of RBL lists...

Best Regards!
 
  

