On 9/13/2009 10:45 AM, Sahil Tandon wrote:
On Sun, 13 Sep 2009, mouss wrote:
What I mean by this is, if a malicious attacker sends an email from
dam...@hotmail.com, is there any way to check that the email came from
hotmail.com via a DNS lookup?
the simplest thing you can do is something like this:

smtpd_sender_restrictions =
    ...
    check_client_access hash:/etc/postfix/forged_sender_wl
    check_sender_access hash:/etc/postfix/forged_sender_bl

== forged_sender_wl
hotmail.com     OK
.hotmail.com    OK
yahoo.com       OK
.yahoo.com      OK
...

== forged_sender_bl
hotmail.com     REJECT blah blah
yahoo.com       REJECT blah blah blah
...
Mouss, a thought: what if there is a temporary DNS lookup problem so
that Postfix believes the client hostname is 'unknown' instead of
'foo.bar.yahoo.com'? Unless reject_unknown_client_hostname is specified
before these checks (with the default unknown_client_reject_code of
450), the sending server would incorrectly be turned away with a 5xx.
This is because the hostname passed to the check_client_access query
would not contain the expected domain.tld. Or am I totally off with my
reasoning?
I use "reject_unknown_client_hostname" as part of the freemail
restriction class. That way temporary DNS errors result in a
temporary reject, and impostors without proper DNS are simply
rejected.
-- Noel Jones
Based on the above understanding, in my policy server, I reject certain
freemail envelopes only if the client hostname != '*.freemail.tld' AND
hostname != 'unknown'. This does have the unfortunate consequence of
allowing spammers with bad DNS to spoof freemail envelopes, but at least
it won't 5xx mail that is really coming from a freemail server. FWIW, I
do not use the reject_unknown_client_hostname restriction.
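The following is an added example, not code from anyone in this thread: a small simulation of the forged-freemail check as a Postfix policy-server decision, so mouss's access-map pair and Sahil's "reject unless the client is under the freemail domain or is 'unknown'" rule can be compared with Noel's preference for deferring unverified clients. The freemail list, hostnames, addresses and the `decide`/`respond` function names are all constructed for the example; the request format is the Postfix policy-delegation protocol (name=value lines ended by an empty line).

```python
# Added example (not from the thread): forged-freemail check as a policy decision.
# All domains, hostnames and addresses below are constructed.
from typing import Dict

# Constructed freemail list; plays the role of the forged_sender_bl keys.
FREEMAIL_DOMAINS = {"hotmail.com", "yahoo.com"}


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one Postfix policy-delegation request.

    The protocol is 'name=value' lines terminated by an empty line; values
    may themselves contain '=', so split on the first one only.
    """
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def sender_domain(sender: str) -> str:
    """Domain part of the envelope sender, lower-cased ('' for the null sender)."""
    return sender.rpartition("@")[2].lower()


def client_in_domain(client_name: str, domain: str) -> bool:
    """True when client_name is the domain itself or any host below it.

    This is what the 'hotmail.com OK' / '.hotmail.com OK' pair in
    forged_sender_wl expresses for check_client_access.
    """
    client_name = client_name.lower()
    return client_name == domain or client_name.endswith("." + domain)


def decide(attrs: Dict[str, str], defer_unknown: bool) -> str:
    """Return the policy action for one request.

    defer_unknown=False reproduces Sahil's rule: reject only when the client
    hostname is neither under the freemail domain nor 'unknown'.
    defer_unknown=True approximates Noel's ordering (reject_unknown_client_hostname
    first) by deferring clients whose hostname could not be verified.
    """
    domain = sender_domain(attrs.get("sender", ""))
    if domain not in FREEMAIL_DOMAINS:
        return "DUNNO"  # not a freemail envelope; nothing for this check to say

    # Postfix sets client_name to 'unknown' when the PTR lookup failed or
    # the forward and reverse mappings did not agree.
    client_name = attrs.get("client_name", "unknown")
    if client_in_domain(client_name, domain):
        return "DUNNO"  # verified freemail host; let the remaining restrictions decide

    if client_name == "unknown":
        if defer_unknown:
            return "DEFER_IF_PERMIT Client host rejected: cannot find your hostname"
        return "DUNNO"  # accept the spoofing risk rather than 5xx a DNS hiccup

    return f"REJECT {domain} envelope sender from host {client_name}"


def respond(action: str) -> str:
    """Format the action as the reply Postfix expects from a policy server."""
    return f"action={action}\n\n"


# Constructed requests: a forged sender, a genuine freemail relay, and a
# client whose hostname lookup failed.
SAMPLE_REQUESTS = {
    "forged": (
        "request=smtpd_access_policy\n"
        "sender=someone@hotmail.com\n"
        "client_address=192.0.2.10\n"
        "client_name=mail.example.net\n\n"
    ),
    "genuine": (
        "request=smtpd_access_policy\n"
        "sender=someone@hotmail.com\n"
        "client_address=192.0.2.11\n"
        "client_name=relay1.hotmail.com\n\n"
    ),
    "unknown": (
        "request=smtpd_access_policy\n"
        "sender=someone@yahoo.com\n"
        "client_address=192.0.2.12\n"
        "client_name=unknown\n\n"
    ),
}


if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        attrs = parse_policy_request(raw)
        for mode in (False, True):
            print(f"{label:8} defer_unknown={mode!s:5} -> {decide(attrs, mode)}")
```

The `unknown` case is where the two positions differ, and it also shows the limit of doing this in a policy server: the protocol only reports `client_name=unknown`, not whether the DNS failure was temporary, so a policy server cannot tell a DNS hiccup from a host with no reverse DNS at all. Postfix's own `reject_unknown_client_hostname`, placed before the map lookups as Noel does, always answers 450 when the lookup failed for a temporary reason and otherwise uses `unknown_client_reject_code` (default 450), which is why it handles this case better than either branch above.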