Rob Tanner wrote:
On 11/10/08 12:32 PM, Noel Jones wrote:
Rob Tanner wrote:
Hi,
Most of our group mailing lists (which are defined via an LDAP entry
directly accessed by Postfix) are restricted so that you must have or
be spoofing a local email address -- checked via check_sender_access
and rejecting anything not from our own domain. Each list entry in
LDAP for which this restriction applies contains an attribute that
defines the restriction class which contains a check_sender_access
parameter that points to a hash that has just one item, our domain
name. And it works well and cuts down on SPAM and UCE, rejecting the
email before it ever hits the content filter.
Now we are having a problem with SPAM being sent to the lists and
claiming it comes from the list (the From address is the list
address). People get offended and they get angry and they reply to
the email which means it goes to the list and you can see what the
intention is. I would like to be able to use the same mechanism of
an attribute in the LDAP entry for each group email list that we want
to restrict from mailing to itself. Basically, I want to create a
restriction class that only rejects the email when the "to" and "from"
addresses are the same. I've gotten nowhere so far. Can anyone
offer me a few pointers?
Thanks,
Rob Tanner
Linfield College
To do this with postfix restriction classes you would need a separate
restriction class for each list. This will quickly get cumbersome if
you have more than a couple lists.
For a more scalable solution, you need an external policy server.
Looks as if postfwd should be able to do this if you tell it the lists
you want to protect.
http://www.postfix.org/addon.html#policy
Noel,
I haven't played with policy servers yet and it looks very interesting.
I also went to the Postfix README on access policy delegation and it
looks very easy to roll your own. I would rather keep the information
on which lists to protect in the LDAP entry for that list rather than
writing numerous rules and making sure they are consistent across both
edge servers; I'm very tempted to roll my own. Is it possible to use the
check_policy_service command inside a restriction class rather than
check_sender_access? That way Postfix would only access the policy
server when the destination is one of the lists I wish to protect.
Thanks,
Rob
Sure, you just use "check_policy_service servername" anywhere
you would use another postfix restriction.
--
Noel Jones
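
Added example, not part of the original thread and not code from Postfix or postfwd: a minimal policy service for the check discussed above, written against the policy delegation protocol (name=value attributes ended by an empty line, answered with "action=..." plus an empty line). It assumes the service is started by spawn(8) so requests arrive on stdin, and that it is reached only through the restriction class of a protected list, so it needs no list table of its own. The protocol supplies the envelope sender, not the From: header, so only the envelope address is compared.

```python
import sys

# Constructed sample request (addresses are made up); a blank line ends it.
SAMPLE = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "sender=Staff-List@example.edu\n"
    "recipient=staff-list@example.edu\n"
    "\n"
)

def parse_request(stream):
    """Read name=value lines up to the blank line; None on EOF."""
    attrs = {}
    for raw in stream:
        line = raw.rstrip("\r\n")
        if not line:
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return None  # connection closed before a complete request

def decide(attrs):
    """REJECT when the envelope sender equals the recipient, else DUNNO."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sender = attrs.get("sender", "").strip().lower()
    recipient = attrs.get("recipient", "").strip().lower()
    # An empty sender is the null bounce address; never treat it as a match.
    if sender and sender == recipient:
        return "REJECT List address may not send to itself"
    return "DUNNO"

def serve(instream, outstream):
    """Answer requests until EOF; returns how many were answered."""
    answered = 0
    while (attrs := parse_request(instream)) is not None:
        outstream.write("action=%s\n\n" % decide(attrs))
        outstream.flush()
        answered += 1
    return answered

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```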