Stuart Matthews wrote:
> Hi everyone,
>
> I am the systems administrator for the Electronic Frontier Foundation. I
> have been having a problem with getting spam that has a from of, for
> example, t...@eff.org (which is a valid email address). I would like my
> mail server to not accept mail that says it is from @eff.org unless it
> is sent via an authenticated end user, or unless it is mail generated by
> the mail server itself. Essentially, in pseudo-code, what I want is:
>
> if ((from == *...@eff.org) and ((sending mail server != mail1.eff.org) or
> (sent using SMTP auth))) then REJECT
>
> I have already tried editing /usr/local/etc/postfix/access, adding:
> eff.org REJECT you can't send mail as me!

You call this file "access", yet your restrictions use "accesslist".

BTW, avoid sharing maps. Instead of "access" and "accesslist", use something like: access_sender, access_helo, ... (one per type of check).

smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/access_sender
    check_helo_access hash:/etc/postfix/access_helo
    ...

== access_sender
eff.org REJECT blah blah
.eff.org REJECT blah blah

== access_helo
eff.org REJECT blah blah
.eff.org REJECT blah blah

> And of course I ran postmap after this. I have also tried using the
> setting that rejects mail that says HELO eff.org.
>
> Neither worked.
>
> I should also point out that, at least for now, this is the ONLY type of
> mail that I want to explicitly block. At this time I am not able to do a
> spam assassin install or reject via black lists due to our current spam
> policy.
>
> Here is my postconf -n output:
> address_verify_negative_expire_time = 1d
> alias_database = hash:$config_directory/aliases,
> hash:$config_directory/aliases.mailman
> alias_maps = hash:$config_directory/aliases,
> hash:$config_directory/aliases.mailman
> command_directory = /usr/local/sbin
> config_directory = /usr/local/etc/postfix
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/db/postfix
> debug_peer_level = 2
> home_mailbox = Maildir/
> html_directory = no
> mail_owner = postfix
> mail_spool_directory = /var/mail
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> mydestination = $myhostname, localhost, $myhostname.$mydomain,
> $mydomain, email.$mydomain
> myhostname = mail1.eff.org
> mynetworks = 75.101.97.64/28, 68.120.144.0/24, 67.103.31.132/32,
> 127.0.0.0/8
> myorigin = $mydomain
> newaliases_path = /usr/local/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = no
> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_client_restrictions = permit_mynetworks reject_unknown_client
> check_client_access hash:$config_directory/accesslist permit
> smtpd_data_restrictions = reject_unauth_pipelining permit
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks check_helo_access
> hash:$config_directory/restrict_helo check_helo_access
> hash:$config_directory/accesslist reject_invalid_hostname permit
> smtpd_recipient_restrictions = permit_mynetworks
> permit_sasl_authenticated reject_non_fqdn_recipient
> reject_multi_recipient_bounce reject_unknown_recipient_domain
> reject_unauth_destination reject_unlisted_recipient permit_mx_backup
> permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = permit_mynetworks check_sender_access
> hash:$config_directory/accesslist reject_non_fqdn_sender
> reject_unknown_sender_domain reject_unlisted_sender
> hash:$config_directory/sender_access permit
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/ssl/STAR_eff_org.postfix.crt
> smtpd_tls_key_file = /etc/ssl/STAR_eff_org.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> unknown_address_reject_code = 550
> unknown_local_recipient_reject_code = 550
> unverified_recipient_reject_code = 450
> unverified_sender_reject_code = 550
> virtual_alias_domains = $virtual_alias_maps
> virtual_alias_maps = hash:$config_directory/virtual.dearaol.com,
> hash:$config_directory/virtual.ourvotelive.org,
> hash:$config_directory/virtual.stopthespying.org,
> hash:$config_directory/virtual.soundcopyright.eu
>
> Thanks for any help you might be able to provide.
>
> - Stu
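
Added example, not part of the original thread: a simplified Python model of how Postfix walks smtpd_sender_restrictions in order, showing why a REJECT entry placed in "access" never fires when the restriction reads "accesslist", and how the list suggested in the reply behaves. The empty accesslist contents, the client address 203.0.113.9 and the sample senders are constructed assumptions, and only the restrictions relevant to the question are modelled.

```python
import ipaddress

# mynetworks as listed in the poster's postconf -n output.
MYNETWORKS = [ipaddress.ip_network(n) for n in (
    "75.101.97.64/28", "68.120.144.0/24", "67.103.31.132/32", "127.0.0.0/8")]

# Constructed tables. "accesslist" is assumed to hold no eff.org entry,
# because the poster added the REJECT line to the file named "access".
ACCESSLIST = {}
ACCESS_SENDER = {"eff.org": "REJECT", ".eff.org": "REJECT"}

ORIGINAL = [("permit_mynetworks", None), ("check_sender_access", ACCESSLIST)]
SUGGESTED = [("permit_mynetworks", None), ("permit_sasl_authenticated", None),
             ("check_sender_access", ACCESS_SENDER)]

def lookup_sender(table, sender):
    """Simplified access(5) lookup: full address, domain, then .parent keys."""
    domain = sender.rsplit("@", 1)[-1].lower()
    labels = domain.split(".")
    keys = [sender.lower(), domain]
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for key in keys:
        if key in table:
            return table[key]
    return None

def evaluate(restrictions, client_ip, sasl_user, sender):
    """Walk the list in order; the first OK or REJECT ends the evaluation."""
    for name, table in restrictions:
        if name == "permit_mynetworks":
            if any(ipaddress.ip_address(client_ip) in net for net in MYNETWORKS):
                return "OK"
        elif name == "permit_sasl_authenticated":
            if sasl_user:
                return "OK"
        elif name == "check_sender_access":
            action = lookup_sender(table, sender)
            if action in ("OK", "REJECT"):
                return action
    return "DUNNO"  # nothing matched: this list raises no objection

if __name__ == "__main__":
    outside = "203.0.113.9"  # constructed client outside mynetworks
    for label, rules, user in (("original", ORIGINAL, None),
                               ("suggested", SUGGESTED, None),
                               ("suggested + SASL", SUGGESTED, "stu")):
        print(label, evaluate(rules, outside, user, "someone@eff.org"))
```

Because the permit_* entries come before check_sender_access, clients in mynetworks and authenticated users never reach the REJECT entry; everyone else claiming an eff.org sender does.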