On Aug 24, 2009, at 17:58, mouss wrote:
LuKreme wrote:
On 24-Aug-2009, at 08:28, Daniel L'Hommedieu wrote:
The one bit of spam I'd like to stop, and I seem to remember seeing
talk of it at some point (but I've been unable to find it again) is
the spam that appears to be "from me to me." That is, the spammers who
use my email address as the from address. Those emails get past the
relay and auth checks because the mail is not being relayed.  If I
could stop that spam, it would probably kill 100% of my spam.

The best way to deal with 'from me to me spam' in my opinion is to
implement SPF, then you can either reject SPF-fail, or hand mail to
SpamAssassin and score SPF fail up. That is, unless you are REALLY sure
that no one on your domain will ever send mail to themselves.



If you ever want to block this, there is absolutely no reason to check
dns. you know what domains are yours so you can simply use an access list:

check_sender_access hash:/etc/postfix/mydomain

== mydomain
example.com     REJECT you cannot send on behalf of example.com
.example.com    REJECT you cannot send on behalf of example.com

please do not advocate SPF on this list. check the archives and you'll
see that it is taboo here.

Well, it looks like the combination of blocking mail "from me to me" using check_sender_access (I used the PCRE method described earlier) in combination with the ZEN spamhaus list is getting practically all of my spam. Those of you who were concerned about me blocking half the world can now rest easy - that blocking is gone.

For those who are curious, here is my smtpd_recipient_restrictions:

smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        check_sender_access pcre:/etc/postfix/reject_my_domain,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org

/etc/postfix/reject_my_domain contains:
/@foo\.net/ 554 You are not from foo.net.
/@bar\.com/ 554 You are not from bar.com.
/@oof\.com/ 554 You are not from oof.com.

If you guys don't mind looking, would you tell me if there's anything else I need to change? Here's the output of postconf -n:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, foo.bar.com, www.bar.com, mail.bar.com, bar.com, foo2.bar.com, foo3.bar.com, foo4.bar.com, foo5.bar.com, foo.dyndns.org, foo.gotdns.com, foo6.bar.com, foo.is-a-geek.com, bar2.com
mynetworks = 10.0.1.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
relayhost = smtprelay.isp.net
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_sender_access pcre:/etc/postfix/reject_my_domain, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client zen.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = hash:/etc/postfix/virtual

Most of the domains in mydestination are virtual alias domains, so I'm guessing that those should be moved to virtual_alias_domains, and that mydestination should be "$myhostname, localhost.$mydomain, localhost, $mydomain" only. The others are FQDNs that point to my hostname but are not used in email addresses.

In my config, you'll notice that I'm using SSL; these are self-signed certificates that I pretty much only use for my personal mail delivery (my MacBook Pro has the cert loaded, so I can send SSL email from my laptop to my server); I don't think remote SMTP servers like those certs, but mail always gets through so I'm not very concerned about it just now. Also, you'll note that I'm using my ISP's mail server as a relay; this is because my server runs in a dynamic pool, and I don't want my legitimate outbound mail blocked because I'm running a server on a dynamic range. Using this relay requires an ISP username & password, which is in /etc/postfix/sasl_password.

The only thing that isn't working the way I need it to work is some combination of canonical & virtual maps. I have a GroupWise account at work, with that email forwarded to my Postfix server. It appears that GroupWise mail forwarding is broken, because GroupWise changes the recipient to be the address on my Postfix server, instead of leaving it to be the GroupWise address and simply forwarding the email. I have the following mappings set, but they don't correct that email address:

canonical:
f...@bar.net daniel_lhommed...@bar.edu

generic:
foo   daniel_lhommed...@bar.edu

virtual:
daniel_lhommed...@bar.edu f...@bar.net
dclho...@bar.edu f...@bar.net
dclho...@gw.bar.edu f...@bar.net
dclho...@abc.bar.edu f...@bar.net

Email addressed to dclho...@bar.edu and dclho...@abc.bar.edu works fine, but the two GroupWise addresses (the first one and the gw.bar.edu one) are not properly corrected. Any pointers on what I might be doing wrong here?

Daniel
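
The restriction order and PCRE table from the message above, modelled as an added example (not code from the thread): it shows that authenticated and mynetworks clients are permitted before the sender check runs, and that the unanchored patterns also match unrelated domains such as foo.network. The `$`-anchored table, the sample sessions and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Patterns from the posted reject_my_domain (the /.../ delimiters dropped).
POSTED = [(r"@foo\.net", "554 You are not from foo.net."),
          (r"@bar\.com", "554 You are not from bar.com."),
          (r"@oof\.com", "554 You are not from oof.com.")]
# Assumption, not from the post: the same patterns anchored with "$".
ANCHORED = [(pattern + "$", action) for pattern, action in POSTED]

# mynetworks as shown in the postconf -n output.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "127.0.0.0/8")]


def table_lookup(table, sender):
    """Return the action of the first pattern found in the envelope sender.

    Postfix pcre tables match case-insensitively by default; Python's re
    stands in for PCRE, which behaves the same for these simple patterns.
    """
    for pattern, action in table:
        if re.search(pattern, sender, re.IGNORECASE):
            return action
    return None


def evaluate(table, client_ip, sasl_authenticated, sender):
    """Model the first three restrictions in order; the first decision wins."""
    if sasl_authenticated:
        return "permit (permit_sasl_authenticated)"
    if any(ipaddress.ip_address(client_ip) in net for net in MYNETWORKS):
        return "permit (permit_mynetworks)"
    action = table_lookup(table, sender)
    if action:
        return "reject: " + action
    return "continue with the remaining restrictions"


# Constructed sessions: (client IP, SASL-authenticated?, MAIL FROM address).
SESSIONS = [
    ("203.0.113.9", False, "daniel@foo.net"),       # outside client, own domain
    ("203.0.113.9", True, "daniel@foo.net"),        # authenticated laptop
    ("10.0.1.20", False, "daniel@foo.net"),         # host inside mynetworks
    ("203.0.113.9", False, "alice@foo.network"),    # unrelated domain
    ("203.0.113.9", False, "bob@bar.com.example"),  # unrelated domain
]

if __name__ == "__main__":
    for session in SESSIONS:
        print(session, "|", evaluate(POSTED, *session),
              "|", evaluate(ANCHORED, *session))
```

In the table file the anchored form of the first entry would be written `/@foo\.net$/`.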
