On Tue, Nov 24, 2009 at 06:10:53PM +0200, K bharathan wrote:
> On Tue, Nov 24, 2009 at 12:14 AM, Michael Orlitzky
> <mich...@orlitzky.com> wrote:
> > Noel Jones wrote:
> >> On 11/23/2009 3:25 PM, K bharathan wrote:
> >>> On Mon, Nov 23, 2009 at 8:02 PM, /dev/rob0 <r...@gmx.co.uk
> >>> <mailto:r...@gmx.co.uk>> wrote:

> >>>    Indeed, if you relay backscatter, you can expect to be listed as a
> >>>    backscatterer! That's pretty simple. Don't do it. Get the clients to
> >>>    fix their problems. In the meantime a check_sender_access lookup
> >>>    will stop the abuse:
> >>>    <>    HOLD
> >>>    and you can check mailq(1) periodically; release any that look like
> >>>    legitimate bounces, and deal with the others as may be appropriate.
> >>>    "man postsuper" for information.

> >>> I tried putting <>   HOLD in allowed domains (mydomain map) but it
> >>> doesn't work and results in 'relay access denied'; how can I put this and
> >>> check?
> >>>
> >>>
> >> That needs to go in a check_sender_access map.  Something like:
> >> # main.cf
> >> smtpd_sender_restrictions =
> >>  check_sender_access hash:/etc/postfix/hold_bounce
> >>
> >> # /etc/postfix/hold_bounce
> >> <> HOLD
> >>
> >> I expect there will be thousands of these.  You don't (usually) get on a
> >> backscatter blacklist for sending just a few bounces.
> >>
> >> The real solution is to get the incoming gateways to stop accepting stuff
> >> that will be bounced.  If the incoming gateways are not under your control,
> >> stop accepting mail from them.

> > That's where his 'mydomains' maps are, but I'm still very confused.
> >
> > > smtpd_sender_restrictions =
> >
> > >       check_sender_access hash:/etc/postfix/mydomains
> > >       check_recipient_access hash:/etc/postfix/allowed_forwards
> > >       reject_unauth_destination
> >
> > Did you include both,
> >
> >  example.com     OK
> >  <>              HOLD
> >
> > in the access map? The first is necessary to avoid that
> > reject_unauth_destination.

This part is not true, and check_sender_access should never be used
for whitelisting of any kind anyway, unless you have taken steps to
ensure the address is valid (enforced AUTH, sender in a domain you
control.)

Note, if sender is "<>", a sender lookup of "example.com" wouldn't
match.

What *is* true is that the reject_unauth_destination is blocking
this. It could be bypassed, preceded by "permit_sasl_authenticated,
permit_mynetworks", or just as well, it could be omitted altogether.
The reject_unauth_destination that counts is already included in
smtpd_recipient_restrictions.

Offer void where taxed or prohibited by law, or if some other
restriction has been added without our knowledge.

> Yes, I put this into the map and I'm getting the log for <> like this:
> 
> Nov 24 17:59:32 smtp postfix/smtpd[22914]: NOQUEUE: hold: RCPT from example.com[192.168.20.1]: <>: Sender address triggers HOLD action; from=<> to=<es...@marcusevanssa.com> proto=ESMTP helo=<example.com>
> Nov 24 17:59:32 smtp postfix/smtpd[22914]: NOQUEUE: reject: RCPT from example.com[192.168.20.1]: 554 5.7.1 <es...@marcusevanssa.com>: Relay access denied; from=<> to=<es...@marcusevanssa.com> proto=ESMTP helo=<example.com>
> 
> It's not queuing in HOLD; how can I see the hold queue?
> I tried postqueue -p but to no avail.

NOQUEUE means what it says: it is not assigned a queue ID. This one
being a "reject:" means there will not be a queue ID. It has gone
back to the backscatterer, possibly handled as a double bounce at
that MTA (example.com[192.168.20.1]).
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

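Added example (not part of the original thread): the hold/reject pair in the quoted log can be picked out mechanically. This script groups NOQUEUE hold and reject lines for null-sender mail by smtpd process, client and recipient, so a HOLD that was followed by a reject (nothing on the hold queue) is told apart from one that was not. The log lines are constructed, modelled on the ones quoted above, with placeholder recipient addresses.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log lines quoted in the thread.
# Recipient addresses are placeholders, not values from the thread.
SAMPLE_LOG = """\
Nov 24 17:59:32 smtp postfix/smtpd[22914]: NOQUEUE: hold: RCPT from example.com[192.168.20.1]: <>: Sender address triggers HOLD action; from=<> to=<user@example.net> proto=ESMTP helo=<example.com>
Nov 24 17:59:32 smtp postfix/smtpd[22914]: NOQUEUE: reject: RCPT from example.com[192.168.20.1]: 554 5.7.1 <user@example.net>: Relay access denied; from=<> to=<user@example.net> proto=ESMTP helo=<example.com>
Nov 24 18:03:10 smtp postfix/smtpd[22950]: NOQUEUE: hold: RCPT from example.com[192.168.20.1]: <>: Sender address triggers HOLD action; from=<> to=<other@example.org> proto=ESMTP helo=<example.com>
"""

# Matches smtpd NOQUEUE hold/reject lines logged at the RCPT stage.
LINE_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: (?P<action>hold|reject): "
    r"RCPT from (?P<client>\S+): .*?; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def classify_null_sender_rcpts(log_text):
    """Return {(pid, client, rcpt): 'rejected' | 'held'} for from=<> mail.

    'rejected' means a reject was logged for the same RCPT, so no queue ID
    was assigned and nothing reached the hold queue. 'held' means HOLD was
    flagged and no reject for that RCPT appears in the log text given.
    """
    actions = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["sender"] == "":  # null sender only
            actions[(m["pid"], m["client"], m["rcpt"])].add(m["action"])
    return {
        key: ("rejected" if "reject" in seen else "held")
        for key, seen in actions.items()
    }


if __name__ == "__main__":
    for (pid, client, rcpt), verdict in classify_null_sender_rcpts(SAMPLE_LOG).items():
        print(f"smtpd[{pid}] {client} -> {rcpt}: {verdict}")
```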