On 02/07/2013 05:28 PM, Robert Schetterer wrote:
Am 07.02.2013 09:18, schrieb Simon Walter:
On 02/07/2013 04:51 PM, Robert Schetterer wrote:
Am 07.02.2013 07:20, schrieb (HT) Simon Walter:
Hi all,
I have the situation where a spammer knows the username and password of
an account and is sending spam via that account. I can change the
password, however, this account is shared amongst many users and I'd
rather not ask all the users to change their password. (Computer
literacy is becoming a rare quality these days ;))
Our postfix server is behind a firewall. So the spammer always connects
via the gateway.
so you have to reject it on the gateway, if no need for anyone else
to use the account from outside
sender_restrictions via access table may enough
http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions
somewhere before sasl permit etc
and/or use smtpd_restriction_classes to combine
if no external mail from outside is wanted for this account
i.e delete it from relay_recipients, so mail will always bounce from
outside
for better help show the gateway main.cf
rejecting via ip may not very usefull, cause ips may change
The LAN gateway (NAT) - nothing to do with email. So in this case, the
IP address (10.1.1.1) will not change.
so you do smtp forward etc ?
Of course mail is wanted for this account and it is not received by this
server. That's another server all together. However, this user need not
send mail from outside the LAN.
Does that make sense?
not very much , prime is solving the security leak
investing time in workaround this ,is more or less loose
Company policies make this kind of security leak easy to happen
(social/culture issues). Will I get lectured on how the company is
wrong? Perhaps. Shall I get another job? Perhaps. Not only is It of
academic value to me to know if this is possible, I think being able to
apply two or more criteria to for a single restriction could also be
useful. For example:
sender_restrictions = (criteria_a AND criteria_b)_reject, criteria_c_reject,
criteria_d_accept, reject
Though judging by the responses, it looks like this concept is not possible.
for better advice show postfix config and logs,
for future problems like this , install a real postfix gateway outside
nat i.e in your dmz or at some isp etc
That's how it's set up. It seems either it cannot be done or no one here
knows if it can be done. In any case, thank you for your time.
Good day,
Simon
--
htholidays.com
