In message <CAKf3qpgwQUHAyj=sdyrfem+3-btp18h2+pe2ok87wpxwcqa...@mail.gmail.com>
John Baker writes:
 
> We've gone a long time without specifically needing this but suddenly
> we are getting bombarded with spam pretending to be from one of our
> addresses but originating from outside. So I need to block mail with a
> @marlboro.edu sender unless it helos from local servers or specific
> external IP ranges.
>  
> I have a few ideas on how to do this but wondered if anybody could
> quickly point me in the direction of best practices for this. Is there
> a simple way or is it best to use smtpd_restriction_classes?
>  
> thanks
>  
> -- 
> John Baker
> Network Administrator
> Marlboro College
> Phone: 451-7551 Cell: 490-0066


John,

Ideally you should not relay at all for mail accepted on port 25,
except any relay needed from MX to MDA.  The MDA should be locked down
(accept nothing at all on port 25 except from your own MX).

You should have internal users forward to port 587 rather than port
25.  You can then only accept connections from your internal network
on port 587.  That may be hard to do if it means changing a lot of
client configurations.  If you can do this then just block mail on
port 25 with sender from your domain:

  master.cf:
    submission ... smtpd \
       -o { smtpd_sender_restrictions =
            reject_unlisted_sender
            check_sender_a_access cidr:$cf/myip }

  myip:
    209.198.70/24       DUNNO
    0/0                 REJECT
    ::/0                REJECT

Above is assuming you have only the 209.198.70/24 address space.  If
you have other address blocks, add them.  btw- "submission" in
/etc/services is the name for port 587.

With postfix cidr, first match wins.  (Maybe postfix cidr should be
longest prefix first like IETF CIDR and routing tables, rather than
first match, but it's not).

If using port 587 is not possible due to difficulty changing clients,
then try changing the MX to a different IP than the internal hosts
point to for mail submission.  If they are using private space (10/8,
192.168/16, etc), then have the submission agent (in net 10 or
whatever) relay to port 587 on one of your machines.

If that is also not possible, then ... I'd have to think about that.

As long as submit can be separated from MX for your domain (different
ports or different IPs), then it's easy.  It's fairly easy to change MX
if the alternative is changing lots of client machines.

Best practice (IMO, at least) would be to use TLS and authentication
on port 587 rather than use IP ranges.  That way staff and students
could send email from off campus regardless of where they were.

You can phase this in using permit_sasl_authenticated before the
check_sender_a_access and using smtpd_tls_auth_only if you want to use
auth only with TLS (good practice).  If you manage to get rid of the
IP range based trust model, then add "reject" to the end of the
smtpd_sender_restrictions line for port 587.

Curtis


btw- Great location over there at Marlboro College.
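As an added example, not from Curtis's message and not Postfix code: a small Python model of a cidr: table lookup, using a constructed copy of the myip table above written with full addresses, that applies Postfix's first-match rule and compares it with longest-prefix matching to show why the local range has to come before the 0/0 and ::/0 catch-alls. The table constants and the function names (parse_cidr_table, table_effect) are mine.

```python
import ipaddress

# Constructed copy of the "myip" table from the post, in Postfix cidr: format,
# with the local network listed first (so it wins under first-match).
MYIP_TABLE = """
# local address space, then catch-all rejects for IPv4 and IPv6
209.198.70.0/24     DUNNO
0.0.0.0/0           REJECT
::/0                REJECT
"""

# The same rules with the catch-all first: harmless under longest-prefix,
# but under Postfix's first-match rule it rejects the local range too.
REVERSED_TABLE = """
0.0.0.0/0           REJECT
::/0                REJECT
209.198.70.0/24     DUNNO
"""

def parse_cidr_table(text):
    """Parse a cidr: table into an ordered list of (network, action).
    Blank lines and '#' comments are skipped; the remaining order matters."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), action.strip()))
    return rules

def lookup_first_match(rules, client_ip):
    """Postfix semantics: the first rule whose network contains the client wins."""
    ip = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if ip.version == net.version and ip in net:
            return action
    return None

def lookup_longest_prefix(rules, client_ip):
    """Routing-table semantics: the most specific containing network wins."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else None

def table_effect(table_text, client_ip):
    """Return (first-match result, longest-prefix result) for one client address."""
    rules = parse_cidr_table(table_text)
    return lookup_first_match(rules, client_ip), lookup_longest_prefix(rules, client_ip)
```

Running table_effect(REVERSED_TABLE, "209.198.70.5") returns ("REJECT", "DUNNO"): the two lookup rules only disagree when a broader entry precedes a narrower one, which is exactly the ordering mistake the first-match rule punishes.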
