Sahil Tandon wrote:
> On Sun, 13 Sep 2009, mouss wrote:
>
>>> What I mean by this is, if a malicious attacker sends an email from
>>> dam...@hotmail.com is there any way to check that the email came from
>>> hotmail.com via a DNS lookup?
>> the simplest thing you can do is something like this:
>>
>> smtpd_sender_restrictions =
>>     ...
>>     check_client_access hash:/etc/postfix/forged_sender_wl
>>     check_sender_access hash:/etc/postfix/forged_sender_bl
>>
>> == forged_sender_wl
>> hotmail.com     OK
>> .hotmail.com    OK
>> yahoo.com       OK
>> .yahoo.com      OK
>> ...
>>
>> == forged_sender_bl
>> hotmail.com     REJECT blah blah
>> yahoo.com       REJECT blah blah blah
>> ...
>
> Mouss, a thought: what if there is a temporary DNS lookup problem so
> that Postfix believes the client hostname is 'unknown' instead of
> 'foo.bar.yahoo.com'?
well, that should be temporary, so it should be ok. if you can't resolve yahoo for more than 4 days, you really have a problem.

That said, you should not try to do anything if the sending host is ok. so use DNSWL and a local WL to skip checks. also, if you block based on name, have a script to detect "anomalies".

All that said, I don't use any of that. I don't care for the sender, except in a few cases:
- detecting snowshoe that uses specific sender formats, in which case I run the mail through "aggressive" checks
- blocking an overly abused sender (i...@h5 for instance).

> Unless reject_unknown_client_hostname is specified
> before these checks (with the default unknown_client_reject_code of
> 450), the sending server would incorrectly be turned away with a 5xx.
> This is because the hostname passed to the check_client_access query
> would not contain the expected domain.tld. Or am I totally off with my
> reasoning?
>

you're right. care is needed.

> Based on the above understanding, in my policy server, I reject certain
> freemail envelopes only if the client hostname != '*.freemail.tld' AND
> hostname != 'unknown'. This does have the unfortunate consequence of
> allowing spammers with bad DNS to spoof freemail envelopes,

if you use a policy server, then you should re-do dns queries (caching will make this a no-op from a perf viewpoint). don't use the "unknown" convention. it dates back to the tcp wrappers days. postfix has since added a PTR check, which gives more flexibility.

> but at least
> it won't 5xx mail that is really coming from a freemail server. FWIW, I
> do not use the reject_unknown_client_hostname restriction.
>
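As an added illustration (not code from either poster), here is a minimal Python decision function in the shape of a Postfix SMTPD policy server that applies the same client-whitelist / sender-blacklist logic as the access tables quoted above, and answers the 'unknown' client-name case with a temporary DEFER_IF_PERMIT instead of a 5xx reject. The FREEMAIL set, the hostnames and the request text are constructed for the example.

```python
"""Freemail envelope-forgery check as a Postfix policy-server decision.

Per request:
  - sender domain not in FREEMAIL                  -> DUNNO (nothing to check)
  - client name is (a subdomain of) sender domain  -> OK   (genuine freemail server)
  - client name is 'unknown' (name lookup failed)  -> DEFER_IF_PERMIT (4xx, retryable)
  - anything else                                  -> REJECT (5xx)
"""

# Constructed example list of domains whose envelope senders are often forged.
FREEMAIL = {"hotmail.com", "yahoo.com"}


def parse_policy_request(blob: str) -> dict:
    """Parse the 'name=value' attribute lines Postfix sends, ending at the blank line."""
    attrs = {}
    for line in blob.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def domain_matches(hostname: str, domain: str) -> bool:
    """True if hostname equals domain or is a subdomain of it
    (the same coverage as listing 'domain' and '.domain' in an access table)."""
    host = hostname.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def sender_domain(sender: str) -> str:
    """Envelope sender's domain part, lowercased ('' if there is none)."""
    return sender.rpartition("@")[2].lower()


def policy_action(attrs: dict) -> str:
    """Return the action line Postfix expects for one smtpd_access_policy request."""
    client = attrs.get("client_name", "unknown")
    dom = sender_domain(attrs.get("sender", ""))
    if dom not in FREEMAIL:
        return "DUNNO"
    if domain_matches(client, dom):
        return "OK"
    if client == "unknown":
        # Name lookup failed, possibly a transient DNS problem: tempfail, do not 5xx.
        return "DEFER_IF_PERMIT client hostname could not be resolved"
    return f"REJECT forged {dom} sender from non-{dom} client {client}"
```

Wire the request through `parse_policy_request` and reply with `action=` followed by the returned string, then an empty line, as the policy protocol requires.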