LinuxQuestions.org

carlosinfl 06-18-2008 02:18 PM

Block Emails on Postfix
 
Can anyone explain how I can place a filter or block list of email accounts I do not wish to be able to communicate with my email server? For example, I do not want anyone to be able to send and/or receive email from *@aol.com using my MTA. Is there a way in Postfix I can block all SMTP traffic (in/out) to any or all AOL email accounts?

trickykid 06-18-2008 02:32 PM

You should be able to do this with the smtpd_recipient_restrictions in the main.cf configuration.

Might end up looking something like this in your conf:

Code:

smtpd_recipient_restrictions = permit_mynetworks, check_sender_access regexp:/etc/postfix/unwanted_sender, reject_unauth_destination

Then you just put the domains in the unwanted_sender file.

Upon further readings though, this might only reject outgoing email. For incoming, I'd just use SpamAssassin to block unwanted emails.

carlosinfl 06-18-2008 02:37 PM

So w/o SA, there is no way to filter emails from any specific domain? I am testing this now on my server to see if I can receive from Gmail and just not send and/or both...

Right now I have the following in main.cf

Code:

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_client_access dbm:/etc/postfix/client_blacklist,
        check_recipient_access hash:/etc/postfix/access,
        check_sender_access hash:/etc/postfix/access,
        check_policy_service inet:127.0.0.1:12525,
        reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client multihop.dsbl.org,
        reject_rbl_client unconfirmed.dsbl.org,
        reject_rbl_client zombie.dnsbl.sorbs.net,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client spam.dnsrbl.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        reject_rbl_client dun.dnsrbl.net,
        reject_rbl_client vox.schpider.com,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        permit

Do you know exactly where I should place this and also if I need to add it the same in "smtpd_sender_restrictions" in order for it to work both ways?

Mr. C. 06-18-2008 02:43 PM

For inbound email, add a check_sender_access to your smtpd_recipient_restrictions to create a blacklist for senders from domains or addresses you wish to block:

Code:

main.cf:
    smtpd_recipient_restrictions =
        ...
        check_sender_access hash:/etc/postfix/sender_checks
        permit_mynetworks
        reject_unauth_destination
        ...
        permit

sender_checks:
    #
    # WARNING - DO NOT PUT OKs IN HERE!! Creates Open Relay
    #
    # hash: keys are literal strings; backslash-escaped dots belong only in regexp:/pcre: tables
    aol.com                     REJECT  We don't allow mail from AOL
    .aol.com                    REJECT  We don't allow mail from AOL

Choose the map type and syntax that suits you (hash, regexp, pcre, etc.)

For outbound email, you can create an AOL-specific transport that sends to error:

Code:

main.cf:
  transport_maps = hash:/etc/postfix/transport

transport:
    aol.com    error:We do not allow sending to AOL


carlosinfl 06-18-2008 03:07 PM

Mr. C - I have done the following:

Code:

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_recipient_access hash:/etc/postfix/access,
        check_sender_access hash:/etc/postfix/access,
        check_policy_service inet:127.0.0.1:12525,
        check_sender_access hash:/etc/postfix/sender_checks
        reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client multihop.dsbl.org,
        reject_rbl_client unconfirmed.dsbl.org,
        reject_rbl_client zombie.dnsbl.sorbs.net,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client spam.dnsrbl.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        reject_rbl_client dun.dnsrbl.net,
        reject_rbl_client vox.schpider.com,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        permit

Now my question is when I create the file /etc/postfix/sender_checks, what do I need to do to make this a hash file? I don't think I need to postmap it, correct? I am still confused about the different types of files.

Thanks for any assistance!

Mr. C. 06-18-2008 03:16 PM

Since you have the file listed as a hash file:

Code:

check_sender_access hash:/etc/postfix/sender_checks

you must postmap the file.

Postmap translates ASCII text files into a database format. This is required for hash, db, and dbm files, and any other file which is a "database" format. If you specify the files as regexp or pcre, you don't need to postmap, because the files are not database files, but are read directly.

If you are unsure of a table type, do a man on the table type, as in:

Code:

man cidr_table
man pcre_table
man regexp_table


carlosinfl 06-18-2008 04:44 PM

OK - Thanks for clearing that up for me. I was not sure when to use Postmap and when it is not needed...

So if I have a file called foo and foo.db and in my main.cf it is being called as regexp or pcre - then I don't need foo.db, correct? Is there a benefit to using one of the mentioned above? Seems like regexp would be preferred so you don't have to postmap anything when you make a change, right?

Mr. C. 06-18-2008 04:50 PM

Right, with pcre/regexp, you just use the text file - no .db file required or used.

The choice of file types you use depends on what you are trying to do, and concerns about performance. Pcre is faster than regexp, so use pcre if you have pcre built in. Use hashes for longer lists, since db lookups are faster than long pcre or regexp lists. If you only have a few entries, the table choice doesn't matter much. Pick one that suits your needs.
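
How a sender address is matched in a hash: table versus a regexp: table, as a simplified Python model of the lookup order documented in access(5). This is an added example, not code from any poster in this thread or from Postfix; the function names, the sample tables and the `parent_style` flag (standing in for `smtpd_access_maps` being listed in `parent_domain_matches_subdomains`) are constructed for illustration.

```python
import re

def hash_access_lookup(table, sender, parent_style=True):
    """Simplified model of a check_sender_access lookup in an indexed table.

    Keys are compared as literal strings. Order: user@domain, the domain,
    its parent domains, then user@. parent_style=True models the case where
    smtpd_access_maps is listed in parent_domain_matches_subdomains.
    """
    sender = sender.lower()
    user, _, domain = sender.rpartition("@")
    if sender in table:
        return table[sender]
    name = domain
    while True:
        if name in table:
            return table[name]
        dot = name.find(".", 1)
        if dot == -1:
            break
        # parent style queries "aol.com"; otherwise ".aol.com"
        name = name[dot + 1:] if parent_style else name[dot:]
    return table.get(user + "@")

def regexp_access_lookup(rules, sender):
    """regexp:/pcre: tables: each pattern is tried in file order against the
    whole address, case-insensitively; no domain or parent-domain splitting."""
    for pattern, action in rules:
        if re.search(pattern, sender, re.IGNORECASE):
            return action
    return None

# Constructed sample tables (not taken from a live system).
HASH_ESCAPED = {r"aol\.com": "REJECT", r".aol\.com": "REJECT"}
HASH_LITERAL = {"aol.com": "REJECT", ".aol.com": "REJECT"}
REGEXP_LOOSE = [(r"aol\.com", "REJECT")]
REGEXP_ANCHORED = [(r"@(.+\.)?aol\.com$", "REJECT")]

if __name__ == "__main__":
    for addr in ("bob@aol.com", "bob@mail.aol.com", "bob@notaol.com"):
        print(addr,
              hash_access_lookup(HASH_ESCAPED, addr),
              hash_access_lookup(HASH_LITERAL, addr),
              regexp_access_lookup(REGEXP_LOOSE, addr),
              regexp_access_lookup(REGEXP_ANCHORED, addr))
```

An unanchored pattern such as `/aol\.com/` in a regexp table also rejects `bob@notaol.com`, so anchor it as in `REGEXP_ANCHORED`.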

carlosinfl 06-19-2008 08:51 AM

Quote:

Originally Posted by Mr. C. (Post 3188501)
For outbound email, you can create an AOL-specific transport that sends to error:

Code:

main.cf:
  transport_maps = hash:/etc/postfix/transport

transport:
    aol.com    error:We do not allow sending to AOL


From above, does it matter where in the main.cf file I place the following?

Code:

transport_maps = hash:/etc/postfix/transport

I don't know if it matters but I sent it to the very last line on my main.cf file. Is that incorrect and does that need to go in a specific section like smtpd_sender_restrictions?

Mr. C. 06-19-2008 11:50 AM

No, it does not matter where in the file you place the settings.


All times are GMT -5.