Rejecting domains with Postfix...

CRCool75 · 03-08-2006, 06:35 PM

Hello,

Can anybody steer me in the right direction to blocking email addresses/domains with Postfix? I have read over the Postfix site and it appears to have something to do with the access file. I do the directions, but Postfix then rejects all mail nor does it send any sort of rejection reply back to the host.

Thanks

CRCool75 · 03-08-2006, 06:39 PM

Oh, I mean be blocking incoming mail. I am trying to add domains or addresses one by one to our access file to reject spammer addresses.

scowles · 03-08-2006, 08:02 PM

Quote:

Originally Posted by CRCool75

Oh, I mean be blocking incoming mail. I am trying to add domains or addresses one by one to our access file to reject spammer addresses.

I think you will find out that fighting spam by rejecting a sender address (envelope sender -or- header sender) will be useless. Spammers always change the from address on each run.

FWIW: I use a combination of RBL checks, client checks and spamassassin to fight spam with postfix. The difference being the checks are done against the connecting IP address of the sending MTA -and- the content of the message body. It's not 100%, but it works pretty well. I do reject against sender addresses, but only when I'm dealing with newsletter subscriptions that always have a fixed sender address.

To answer your queston, below are some examples of my access list entries. I don't have many entries, most of my spam checks are done using other UCE features of postfix.

Code:

# Reject e-mail claiming to be from aol.com etc... but actually connects
# from an unknown host.
compuserve.com          reject_unknown_client
msn.com                 reject_unknown_client
aol.com                 reject_unknown_client
hotmail.com             reject_unknown_client
yahoo.com               reject_unknown_client

# Reject jerks claiming to be from the hosted domains of this MTA
example1.com          REJECT  You are NOT from example1.com
example2.com          REJECT  You are NOT from example2.com
example3.com          REJECT  You are NOT from example3.com

Some other postfix UCE type checks that address your question are:

reject_rbl_client
check_client_access
check_helo_access
check_sender_access
check_recipient_access

The reject_rbl_client (using SORBS) catches the most spam at my end. With the check_helo_access coming in second.

BTW: Did you compile the access file after you made changes?
Good Luck!

CRCool75 · 03-08-2006, 08:18 PM

Thanks scowles, and yes, I did compile it.

I understand the access file, but how are you getting Postfix to look at that? All these different tags like smtpd_client_check and all the others are confusing the hell outa me.

scowles · 03-09-2006, 07:42 AM

It sounds like you may be confusing the sendmail access file with how an access file is used and specifed in postfix.

The postfix access file is more of a specification on how to specify checks within postfix that can be performed at different stages of the smtp transaction. So the file /etc/postfix/access is not read by postfix by default, it must be specifed in one of the check_*_access tags in main.cf. Like what I mentioned in my post.

Example:

Code:

smtpd_etrn_restrictions =
  check_client_access hash:/etc/postfix/etrn_access
  reject

# Checks performed after connect from MTA
smtpd_client_restrictions =
  permit_mynetworks
  reject_unauth_pipelining
  check_client_access hash:/etc/postfix/whitelist_client
  reject_rbl_client dnsbl.sorbs.net
  check_client_access hash:/etc/postfix/reject_clients
  check_client_access pcre:/etc/postfix/reject_clients.pcre

# Checks performed during HELO handshake
smtpd_helo_restrictions =
  permit_mynetworks
  reject_invalid_hostname
  reject_non_fqdn_hostname
  check_helo_access hash:/etc/postfix/helo_access

# Checks performed after MAIL FROM
smtpd_sender_restrictions =
  permit_mynetworks
  reject_non_fqdn_sender
  check_sender_access hash:/etc/postfix/reject_sender
  check_sender_access regexp:/etc/postfix/reject_sender.regexp
  reject_rhsbl_sender dsn.rfc-ignorant.org

# Checks performed after RCPT TO, but prior to DATA
smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
  reject_invalid_hostname
  reject_non_fqdn_hostname
  reject_non_fqdn_recipient
  reject_unlisted_recipient
  check_sender_access hash:/etc/postfix/whitelist_sender
  check_recipient_access hash:/etc/postfix/filtered_domains
  permit

Notes:

1) Each check_*_access listed specifes a different file. The contents of each file conform to the postfix access file specification mentioned in the top of /etc/postfix/access. So in your case, you would need to specify your access file in one of the check_*_access entries.

2) In my case, each check is specifed at different stages of the smtp transaction, but most can be combined under the smtpd_recipient_restrictions= stage. In fact, its actually more effeciant to combine all checks under smtpd_recipient_restrictions. I chose not to - to help battle dictionary attacks that were clogging my logfiles and skewing my daily stats.

Finally, once you feel comfortable in using the postfix access file and how to apply them to checks_*_access, take a look at adding regexp and pcre to the mix. Regular expression syntax (especially the perl based ones, pcre) are incredibly powerful in combating spam and viruses. I use them to help block MTA's from residential (dhcp assigned) IP addresses that SORBS does not catch.