Jim McIver wrote:
I am using vexira for virus/content filtering and it has an area to put in blacklisted domains. I'll check if I can change to quarantine.
i.e.
[mailfrom-blacklist]
*.ro
*.nz
*yourtopbrands.com
*server.rwbtec.com
*.co.jp
etc...

If you can't change it to quarantine or tag+deliver, you might check if it can be used as an smtpd_proxy_filter. If it's intended to be used as a proxy it will probably work just fine as a postfix smtpd_proxy_filter.

Would I be ahead to remove the domains from vexira and put them in the access_client file, or is there a better place in postfix to list domains I want to block?

Yes, postfix will use far less resources rejecting the mail than passing it to vexira for analysis. Your vexira domain blacklist appears to be a sender domain, not a client domain, so these would go in your sender_access map. Or maybe it's all three, client, sender, helo access maps.

Note the syntax difference with postfix; use "example.com" not "*.example.com".


access_client listing:
co.jp                   REJECT
atripema.com            REJECT
atropema.com            REJECT
co.nz                   REJECT
co.uk                   REJECT
com.au                  REJECT

snippet from main.cf:
smtpd_recipient_restrictions =
       permit_mynetworks
       reject_unauth_destination
       reject_invalid_hostname
       warn_if_reject reject_unknown_hostname
       reject_unauth_pipelining

reject_unauth_pipelining doesn't do much good here as pipelining of recipients is allowed. Move this to smtpd_data_restrictions.

       reject_non_fqdn_sender
       reject_unknown_sender_domain
       reject_non_fqdn_recipient
       reject_unknown_recipient_domain

Since you've already rejected unauth destinations, there should be no non-fqdn recipients, and the only time there will be unknown domains will be yours if your DNS hiccups. Best to remove these two.

       warn_if_reject reject_unknown_client
       reject_non_fqdn_hostname
       check_client_access hash:/usr/local/etc/postfix/access_client
       check_helo_access hash:/usr/local/etc/postfix/helo_access
       check_sender_access hash:/usr/local/etc/postfix/sender_access
       check_recipient_access hash:/usr/local/etc/postfix/recipient_access

Here is a good place to add
  reject_rbl_client zen.spamhaus.org
and maybe some other RBLs.  Season to taste.


-Jim McIver

  -- Noel Jones
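As an added illustration of the syntax point above (not code from the thread or from postfix itself): a small model of the access(5) lookup order, used to turn the vexira "[mailfrom-blacklist]" wildcards into sender_access keys and show which envelope senders each key matches. It assumes the default parent_domain_matches_subdomains setting, which includes smtpd_access_maps.

```python
"""Model of postfix access-map key matching, written for this page (not postfix code).

Converts the vexira-style wildcard patterns quoted in the post into
postfix sender_access keys and shows which envelope senders they catch.
"""

# Constructed from the wildcard patterns quoted in the post.
VEXIRA_BLACKLIST = ["*.ro", "*.nz", "*yourtopbrands.com",
                    "*server.rwbtec.com", "*.co.jp"]


def vexira_to_postfix_key(pattern: str) -> str:
    """Strip the leading wildcard: postfix keys are bare domains like example.com."""
    return pattern.lstrip("*").lstrip(".").lower()


def build_sender_access(patterns, action="REJECT"):
    """The {key: action} table postmap would build from a sender_access file."""
    return {vexira_to_postfix_key(p): action for p in patterns}


def access_lookup_keys(address: str, parent_matches_subdomains: bool = True):
    """Keys tried for an email address, in access(5) order: the full address,
    the domain and then each parent domain, and finally localpart@.
    Without parent_domain_matches_subdomains, parent keys need a leading dot."""
    address = address.lower()
    local, _, domain = address.rpartition("@")
    keys = [address]
    labels = domain.split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if i == 0 or parent_matches_subdomains else "." + parent)
    keys.append(local + "@")
    return keys


def sender_access_lookup(address, table, parent_matches_subdomains=True):
    """First matching key and its action, or (None, 'DUNNO') when nothing matches."""
    for key in access_lookup_keys(address, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, "DUNNO"


if __name__ == "__main__":
    table = build_sender_access(VEXIRA_BLACKLIST)
    for sender in ("spam@mail.yourtopbrands.com", "x@foo.co.jp", "bob@example.com"):
        print(sender, "->", sender_access_lookup(sender, table))
```

Note that "co.jp" also matches every subdomain, so one key covers the whole TLD-level block the vexira "*.co.jp" pattern was meant for.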
