Noel Jones wrote:
> Jim McIver wrote:
>> I am using vexira for virus/content filtering and it has an area to
>> put in blacklisted domains. I'll check if I can change to quarantine.
>> ie
>> [mailfrom-blacklist]
>> *.ro
>> *.nz
>> *yourtopbrands.com
>> *server.rwbtec.com
>> *.co.jp
>> etc...
>
> If you can't change it to quarantine or tag+deliver, you might check
> if it can be used as an smtpd_proxy_filter.
> If it's intended to be used as a proxy it will probably work just fine
> as a postfix smtpd_proxy_filter.
>
>> Would I be ahead to remove the domains from vexira and put them in
>> the access_client file, or is there a better place in postfix to list
>> domains I want to block?
>
> Yes, postfix will use far less resources rejecting the mail than
> passing it to vexira for analysis. Your vexira domain blacklist
> appears to be a sender domain, not a client domain, so these would go
> in your sender_access map. Or maybe it's all three, client, sender,
> helo access maps.
> Note the syntax difference with postfix; use "example.com" not
> "*.example.com".
>
>> access_client listing:
>> co.jp REJECT
>> atripema.com REJECT
>> atropema.com REJECT
>> co.nz REJECT
>> co.uk REJECT
>> com.au REJECT
>>
>> snippet from main.cf:
>> smtpd_recipient_restrictions =
>>   permit_mynetworks
>>   reject_unauth_destination
>>   reject_invalid_hostname
>>   warn_if_reject reject_unknown_hostname
>>   reject_unauth_pipelining
>
> reject_unauth_pipelining doesn't do much good here as pipelining of
> recipients is allowed. Move this to smtpd_data_restrictions.
>
>>   reject_non_fqdn_sender
>>   reject_unknown_sender_domain
>>   reject_non_fqdn_recipient
>>   reject_unknown_recipient_domain
>
> Since you've already rejected unauth destinations, there should be no
> non-fqdn recipients, and the only time there will be unknown domains
> will be yours if your DNS hiccups. Best to remove these two.
>
>>   warn_if_reject reject_unknown_client
>>   reject_non_fqdn_hostname
>>   check_client_access hash:/usr/local/etc/postfix/access_client
>>   check_helo_access hash:/usr/local/etc/postfix/helo_access
>>   check_sender_access hash:/usr/local/etc/postfix/sender_access
>>   check_recipient_access hash:/usr/local/etc/postfix/recipient_access
>
> Here is a good place to add
>   reject_rbl_client zen.spamhaus.org
> and maybe some other RBLs. Season to taste.
>
>> -Jim McIver
>
> -- Noel Jones

So in postfix to block:
*.ru
*.ro
*.bg
I would just put:
ru
ro
bg
thx,
-jm
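
Added example, not part of either poster's message: a small converter that turns the `[mailfrom-blacklist]` wildcard patterns shown in the thread into Postfix access(5) entries for the sender_access map. It assumes one pattern per line and that a section ends at the next `[...]` header; the function names, the second section and the invalid line in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: convert a Vexira-style [mailfrom-blacklist] section into
# Postfix access(5) entries. Assumes one wildcard pattern per line and that
# a section ends at the next "[...]" header.

vexira_to_postfix() {
    awk '
        { gsub(/^[ \t\r]+|[ \t\r]+$/, "") }          # trim whitespace / CR
        /^\[/ { in_section = ($0 == "[mailfrom-blacklist]"); next }
        !in_section || $0 == "" { next }
        {
            orig = $0
            sub(/^\*\.?/, "")                         # "*.ro" -> "ro"
            p = tolower($0)
            # Only emit plain domain names; report anything else.
            if (p !~ /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/) {
                print "skipped: " orig > "/dev/stderr"
                next
            }
            if (!seen[p]++) print p "\tREJECT"        # de-duplicate
        }
    ' "$@"
}

# Constructed sample input: the patterns quoted in the thread, plus a
# duplicate, an invalid line and an unrelated section.
sample_vexira_conf() {
    cat <<'EOF'
[mailfrom-blacklist]
*.ro
*.nz
*yourtopbrands.com
*server.rwbtec.com
*.co.jp
*.ro
not a domain!
[some-other-section]
*.example.org
EOF
}

sample_vexira_conf | vexira_to_postfix
```

Redirect the output into /usr/local/etc/postfix/sender_access and run `postmap hash:/usr/local/etc/postfix/sender_access` so the check_sender_access lookup sees it. A bare entry such as `ro` matches subdomains only while `smtpd_access_maps` is listed in `parent_domain_matches_subdomains`, which is the Postfix default.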