I believe today is my day on the pedantry schedule, so here I go, 
picking nits.

On Thu, Aug 11, 2016 at 12:25:22PM +0200, Richard Klingler wrote:
> Is there an easy way to block a list of prefixes from accessing 
> postfix?

I think by "prefix" (according to $Subject) you meant "top-level 
domain."  Prefix is not an appropriate term for TLD; "suffix" 
(appended text) fits better, but still, is bad terminology.

> Right now I use ipfilter on FreeBSD to block certain 
> ranges/countries as only spam is originating from there...

USA is usually in the Spamhaus top-ten list of spamming countries.

One thing you seem to be missing is this: on the Internet, what's a 
"country"?  And how do you determine a sender or client is in that 
country?

I host/run a small server with users all across the globe: USA 
(including Yours Truly here in Dixieland), numerous countries in 
Europe, Brazil, Asia and Oceania (whatever that means.)

By IP address, my server would appear to be in Birmingham, Alabama 
CSA, err, USA I mean.  That's true, it is.  But many of the 
aforementioned users are not.  By PTR and EHLO hostname it's .org, 
which says nothing about anyone's location unless you look up the 
whois on the domain.  And not much, even then (although in my case 
it's another Alabama address.)

Oh, also, look up there ^^ at my sender address: gmx.co.uk, does that 
mean I'm a Brit?  Apparently not.  Free mail services like GMX have 
users all over the world.

> Preferably I would like to combine prefix and domain filtering

Another thing you have missed is the context at which you wanted to 
apply your filtering.  Domain names are seen in different parts of 
the SMTP dialogue, as alluded to in the previous section: client and 
EHLO hostname and sender domain.

> as plain helo_checks won't allow regular expression for hostnames.

[Refuted upthread already, won't repeat that]

> Best way for me would be to hook up an external script which

See http://www.postfix.org/SMTPD_POLICY_README.html if you choose to 
go that route.

> filters based on the from/to/ip triplet and allow/denies
> connection regardless of SMTP AUTH settings.

What?  You mean if one of your users is on a business trip to China, 
you're going to refuse her AUTH credentials?

Let's get back to the ACTUAL goal rather than your ideas how to reach 
it: the actual goal is to reduce spam in the inbox, and possibly also 
to limit abuse from compromised AUTH credentials being used by global 
botnets.

Is that a correct summary of the goal?

To reduce incoming spam, postscreen and well-chosen smtpd 
restrictions are very effective.  See:

http://www.postfix.org/POSTSCREEN_README.html
http://www.postfix.org/SMTPD_ACCESS_README.html

... and these two unofficial HOWTO documents:

http://rob0.nodns4.us/postscreen.html
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

To limit abuse from compromised AUTH credentials is a bit more 
involved; at a high level you'd want rate limiting of senders (using 
a policy service like postfwd or cbpolicyd) as well as URIBL content 
filtering applied to user-submitted mail.

If that's the goal I suggest that you take it to a new thread, 
because it has nothing to do with your $Subject.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
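
Added example, not part of the original message and not code from postfwd or cbpolicyd: a sketch of the sender rate limiting mentioned above, written as the decision logic of a Postfix policy delegation service in the request/reply format documented in SMTPD_POLICY_README. The limit, window, class and function names, and the sample request are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed sample request in the name=value format of SMTPD_POLICY_README
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.net\n"
    "sasl_username=alice\n"
    "\n"
)

def parse_request(text):
    """Parse one request: name=value lines, terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

class SenderRateLimiter:
    """Sliding-window recipient budget per SASL login (limits are assumptions)."""
    def __init__(self, limit=100, window=3600, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)  # sasl_username -> RCPT timestamps

    def decide(self, attrs):
        user = attrs.get("sasl_username", "")
        # Only authenticated RCPT TO events count; everything else passes through.
        if not user or attrs.get("protocol_state") != "RCPT":
            return "DUNNO"
        now = self.clock()
        seen = self.events[user]
        while seen and now - seen[0] >= self.window:
            seen.popleft()  # drop events that fell out of the window
        if len(seen) >= self.limit:
            return "DEFER_IF_PERMIT Sending rate limit exceeded, try again later"
        seen.append(now)
        return "DUNNO"

    def respond(self, request_text):
        """Return the reply Postfix expects: action=..., then an empty line."""
        return "action=%s\n\n" % self.decide(parse_request(request_text))
```

Postfix reaches a policy service through check_policy_service in the smtpd restrictions, as SMTPD_POLICY_README describes; the listener that passes each request to respond() depends on how the service is started.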
