Hi all,

(Chris Covington, thanks for the tool! Please read a few notes about getadsmtp.pl below)

I did some deep research after I wrote that e-mail to this debian-isp list asking how I could stop bouncing all those fake messages to "innocent" other servers. With the help of Google and the community, I've found at least two possible solutions, and I'd like to share them with you, as others could be interested.

First, the problem could be resolved if the mail gateway, in this case a Postfix server, were aware of the accounts available in the domains whose final server it is relaying to. I could happily make that possible in cases where Exchange is the final MTA, with a dumb NAV in-between, using a nice tool I've read about in the postfix user list. It is developed by Chris Covington, and uses LDAP queries to generate a database of available accounts, and then uses that as relay_recipient_maps. You can find it at:

http://www.plusone.com/gaptuning/postfix/

To share my experience, I should say that, to ease your life, when specifying the $user value in the script, you could use

    $user="[EMAIL PROTECTED]"; # notice the escaped @

instead of the complicated full object name in AD (for example, "cn=user,cn=Users,dc=example,dc=com"). In this case, example.com is the Active Directory domain we are querying (not necessarily the domain we are relaying to!).

Another piece of information that I think is interesting to share, since it's not available in the source, is to use a filter for the LDAP query that ignores disabled accounts. I used:

    filter => "(&(sAMAccountName=*)(mail=*)(!(msExchUserAccountControl=2)))",
    control => [ $page ],
    attrs => "proxyAddresses");

as my filter. getadsmtp is a really clever and useful piece of software. Thanks, Chris.

The second technique is a bit drastic, and has some obvious drawbacks. Also, it doesn't need to be used when the first technique - or a similar one - is used. I've followed the instructions specified in http://mail.teamdelsol.com/popauth3/#Installpopauth3 (look for "freemail").

The idea is to block all mails whose sender e-mail is @freemail.com and where the IP of the client does not resolve back to *.freemail.com. "freemail" should be substituted by a list of big servers of free mail hosts, like yahoo, hotmail, etc. See the popauth3 page for a suggestion of a few. It is clear that you could lose e-mail here, but it's up to the admin to decide that. I've seen at least three big threads about rejecting valid mails here and at bugtraq this weekend, but I don't want to start another war. popauth3 presents a solution for postfix, but I'm sure people already use it in other MTAs.

popauth3 is a very powerful tool. I invite other readers to take a look at it, especially those looking for a way to automatically block insistent abusers in the firewall. (RFC guardians: I don't like this either, but some really need it).

Compared to most people here, I am a mail server newbie, so please forgive me if I said something stupid. Also please notice that I've not tested the "freemail" check technique, so I am not sure if one would block too many valid mails. From my personal experience, reading my logs, I think most blocked ones would be spam.

Despite my excessive talk, the bad English and lack of deeper experience, I hope this could be of use to somebody. Does anybody have any notes about it?

- Yves Junqueira
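
Added example, not part of the original message and not code from getadsmtp.pl: a Python sketch of the step the first technique depends on, turning Active Directory proxyAddresses values into lines for a Postfix relay_recipient_maps table while skipping disabled accounts and malformed values. The function names, the dictionary shape of the entries and the sample addresses are constructed for illustration.

```python
import re

# Conservative address shape: one "@", no whitespace or control characters,
# so a hostile attribute value cannot smuggle an extra line into the map.
_ADDR_RE = re.compile(r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9.-]+")


def smtp_addresses(proxy_addresses):
    """Yield lower-cased SMTP addresses from AD proxyAddresses values.

    Values look like "SMTP:primary@dom" (primary) or "smtp:alias@dom" (alias);
    other address types such as "X400:..." are ignored.
    """
    for value in proxy_addresses:
        kind, sep, addr = value.partition(":")
        if sep and kind.lower() == "smtp" and _ADDR_RE.fullmatch(addr):
            yield addr.lower()


def build_relay_recipients(entries, relay_domains):
    """Return sorted 'address OK' lines for a relay_recipient_maps table."""
    domains = {d.lower() for d in relay_domains}
    recipients = set()
    for entry in entries:
        # Same intent as the LDAP filter in the message: skip disabled accounts.
        if str(entry.get("msExchUserAccountControl", "0")) == "2":
            continue
        for addr in smtp_addresses(entry.get("proxyAddresses", [])):
            # Only list recipients in domains this gateway actually relays.
            if addr.rpartition("@")[2] in domains:
                recipients.add(addr)
    # Postfix ignores the right-hand value, but the table format needs one.
    return [f"{addr} OK" for addr in sorted(recipients)]


# Constructed sample entries (simplified: single-valued attributes as strings).
SAMPLE_ENTRIES = [
    {"proxyAddresses": ["SMTP:Alice@example.com", "smtp:a.smith@example.com",
                        "X400:c=US;a= ;p=Example;o=Exchange;s=Smith;"]},
    {"proxyAddresses": ["SMTP:bob@example.com"], "msExchUserAccountControl": "2"},
    {"proxyAddresses": ["SMTP:carol@other.example", "smtp:carol@example.com"]},
    {"proxyAddresses": ["smtp:bad addr@example.com\nroot@example.com OK"]},
]

if __name__ == "__main__":
    print("\n".join(build_relay_recipients(SAMPLE_ENTRIES, ["example.com"])))
```

The resulting lines can be written to a file and indexed with postmap before relay_recipient_maps is pointed at it.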