How to allow mails from some other servers to pass: reject_sender_login_mismatch
Hi, I'm trying to slow down and block backscatter mails and I'm trying to use reject_sender_login_mismatch and smtpd_sender_login_maps. I have some questions about how to pass this restriction in some cases.

The situation is this: we have some other servers where we have installed other web applications that send mail from there, using for example i...@ourdomain.com, without authentication. These mails are sent to our mail server, but now we filter all these addresses to prevent the use of our addresses in MAIL FROM to send mail to us. How to allow these servers to pass the rule reject_sender_login_mismatch?

We have this configuration for sender restrictions:

    smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/access,
        # reject_sender_login_mismatch,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_unauth_pipelining,
        permit

I have commented out the parameter temporarily, until I find out how to solve this problem. I added this kind of entry in the access file:

    serveripaddress OK

but this does not help; I got a mailer-daemon mail when the other server sent mail.

Thanks in advance! Regards, Ali Nebi!
Re: How to allow mails from some other servers to pass: reject_sender_login_mismatch
Hi, yes, you are right, using mynetworks is OK. I also thought of this way. I just didn't understand from the beginning why it didn't work with the access file, but now it is clear. Thanks!

On Wed, 2009-02-11 at 04:35 -0500, Digest of postfix-users list wrote:
> your access file is used for check_SENDER_access, not for
> check_client_access.
>
> the easy way is to add the IP to mynetworks. otherwise add
>     check_client_access cidr:/etc/postfix/access_client
> before reject_sender_login_mismatch and put the IP in access_client:
>
>     10.1.2.3/32 OK
>
> do not postmap this, since it is a cidr map.
Question about smptd_sender_logins_map and allow to use only for several domains?
Hi, I have a question about using smtpd_sender_logins_map, reject_sender_login_mismatch and check_client_access. I set smtpd_sender_logins_map and set these rules in sender restrictions:

    smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/access,
        check_client_access cidr:/etc/postfix/access_client,
        reject_sender_login_mismatch,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_unauth_pipelining,
        permit

The file /etc/postfix/access_client contains the IP addresses that I permit to pass the reject_sender_login_mismatch rule. But I have a question about this. In this case these IPs can use my email address to send messages to me. I don't want this to be possible. I want to permit the IPs, but I also want them to be allowed to send mail only if they do so from a specific domain, for example @igdomain.com. So, I need to filter mail sending not only by IP, but by domain name at the same time: even if an IP is permitted in /etc/postfix/access_client, it still should not be able to send mail if the sender domain is different from @igdomain.com.

This is an example. Let's say that we have permitted this IP in access_client:

    198.236.125.7

and I have 2 domains that I manage email for:

    domain1.com
    domain2.com

Let's say that we have 2 email addresses, one per domain:

    an...@domain1.com
    i...@domain2.com

The current situation with only the permitted IP address is this: this IP connects to my mail server and sends to an...@domain1.com or i...@domain2.com a message from i...@domain2.com and/or an...@domain1.com without requiring authentication. It can use both e-mail addresses in MAIL FROM and it can send spam.

I want to achieve the following. I permit this IP in the access_client file and it connects. And we have 2 conditions:

1. If it tries to send email to an...@domain1.com or i...@domain2.com using an...@domain1.com in the MAIL FROM field, then it must be rejected, because it is not authenticated and I don't want this IP to use my email address to send messages to me or someone else in my system.

2. If it tries to send email to an...@domain1.com or i...@domain2.com using i...@domain2.com in the MAIL FROM field, then this should be allowed (permitted); in this situation it should pass the reject_sender_login_mismatch rule and send the message successfully.

I suppose it is almost clear :) Is it possible to realize this, and how? Thanks in advance!
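The thread does not answer the "permit this IP, but only for senders under one domain" question above, so here is an added example (my configuration, not something posted to the list) of expressing it with a Postfix restriction class, the same check_client_access cidr: table the earlier reply recommended. The class name only_domain2_sender and the map file /etc/postfix/domain2_sender are assumptions; 198.236.125.7, domain1.com and domain2.com are the values from the post (the post names @igdomain.com as the example domain but then uses domain2.com in its two conditions, and the example follows the conditions).

```text
# main.cf (added example)

# Declare the class before using it as a lookup result.
smtpd_restriction_classes = only_domain2_sender

# A client placed in this class may continue only when MAIL FROM is under
# domain2.com; any other envelope sender is rejected at MAIL FROM time.
only_domain2_sender =
    check_sender_access hash:/etc/postfix/domain2_sender,
    reject

smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access cidr:/etc/postfix/access_client,
    reject_sender_login_mismatch,
    reject_unknown_sender_domain,
    permit

# /etc/postfix/access_client (cidr: table; read as-is, do not postmap)
# The result is the class name instead of OK, so the client is not simply
# whitelisted: its sender address is checked by the class.
198.236.125.7/32    only_domain2_sender

# /etc/postfix/domain2_sender (hash: table; run "postmap /etc/postfix/domain2_sender")
# A domain key matches every address under that domain.
domain2.com         OK
```

Walking the two conditions from the post through this: a message from 198.236.125.7 with MAIL FROM an...@domain1.com hits the class, finds no entry for domain1.com, and is rejected by the class's trailing reject (condition 1); the same client with MAIL FROM i...@domain2.com gets OK from the class, which ends the sender restriction list with a permit, so reject_sender_login_mismatch is never reached (condition 2). Clients not listed in access_client fall through to reject_sender_login_mismatch exactly as before. Two caveats: the match is on the envelope sender domain only, so the permitted host can still put any local part under domain2.com in MAIL FROM, which is what the post asks for but is worth stating; and the lookups can be checked without sending mail, with postmap -q 198.236.125.7 cidr:/etc/postfix/access_client and postmap -q i@domain2.com hash:/etc/postfix/domain2_sender.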
Re: Question about smptd_sender_logins_map and allow to use
On Mon, 2009-02-16 at 08:26 -0500, Digest of postfix-users list wrote:
> Ali Nebi a écrit :
> > [snip]
> >
> > smtpd_client_restrictions =
> >     permit_mynetworks,
> >     permit_sasl_authenticated,
> >     check_client_access hash:/etc/postfix/access,
>
> you are "sharing" this map (for client, sender, and recipient). better
> use "dedicated" maps (access_client, access_sender, access_recipient).

OK, now I got it. This way I can control the maps in different sections, and if I add an entry in one of the maps, then it will affect only this map and this restriction.

> >     reject_unauth_pipelining,
> >     # reject_unknown_client,
> >     reject_rbl_client sbl-xbl.spamhaus.org,
>
> consider using zen.spamhaus.org instead (this
>
> >     reject_rbl_client rbl-plus.mail-abuse.org,
>
> I wouldn't use this one. not only because it's commercial...
>
> >     reject_rbl_client cbl.abuseat.org,
>
> cbl prefer that you query spamhaus instead.

Thanks for the information about RBLs; these RBLs were set a long time ago, and we have not updated them. I just checked the information and updated them with new RBLs :) zen.spamhaus, spamcop and so on :)

> > [snip]
> >
> > smtpd_recipient_restrictions =
> >     permit_mynetworks,
> >     permit_sasl_authenticated,
> >     check_recipient_access hash:/etc/postfix/access,
> >     check_sender_access hash:/etc/postfix/access,
>
> it is still here (up). and this is before reject_unauth_destination.
>
> >     reject_unauth_destination,
> >     reject_unknown_recipient_domain,
> >     reject_non_fqdn_recipient,
>
> at this point, the recipient is in _your_ domain (because
> reject_unauth_destination has already rejected all other domains). so
> this check is useless.
>
> >     reject_unauth_pipelining,
>
> this too is useless here. put it under smtpd_data_restrictions.
>
> >     permit
> >
> > ?
>
> consider starting from the "version" below and
>
> smtpd_helo_required = yes
> smtpd_client_restrictions =
> smtpd_helo_restrictions =
> smtpd_sender_restrictions =
>
> smtpd_recipient_restrictions =
>     reject_non_fqdn_sender
>     reject_non_fqdn_recipient
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination
>     reject_sender_login_mismatch
>     reject_invalid_hostname
>     reject_non_fqdn_hostname
>     check_recipient_access hash:/etc/postfix/access_recipient
>     check_client_access cidr:/etc/postfix/access_client
>     check_helo_access hash:/etc/postfix/access_helo
>     check_sender_access hash:/etc/postfix/access_sender
>     reject_unknown_sender_domain
>     reject_rbl_client zen.spamhaus.org,
>
> smtpd_data_restrictions =
>     reject_unauth_pipelining
>
> PS. note the access_sender and access_recipient maps.

I got it now. I will change my rules now.

> (I wonder why your Evolution posts to my From: address instead of the
> Reply-To: address. did you do anything special or is this the default
> behaviour of Evolution, in which case, it would be a bug).

I was copying your address to the Cc field, because when I click Reply to All, it does not put your e-mail address in the list. I receive the postfix mails as a digest.

I will post here my last changes, so we can comment on them. I will be glad to get them to work better than now. Thanks for your help and time.
How to tune these rules to be more effective?
Hi again, what is your opinion of this configuration?

    smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_client_access hash:/etc/postfix/access,
        # reject_unauth_pipelining,
        # reject_unknown_client,
        # reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client combined.njabl.org,
        # reject_rbl_client rbl-plus.mail-abuse.org,
        # reject_rbl_client cbl.abuseat.org,
        # reject_rbl_client list.dsbl.org,
        # reject_rhsbl_sender dsn.rfc-ignorant.org,
        permit

    smtpd_helo_required = yes
    smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_helo_access hash:/etc/postfix/access_helo,
        reject_invalid_hostname,
        # reject_unknown_hostname,
        reject_non_fqdn_hostname,
        # reject_unauth_pipelining,
        permit

    smtpd_sender_restrictions =
        reject_non_fqdn_sender,
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/access_sender,
        check_client_access cidr:/etc/postfix/access_client,
        reject_sender_login_mismatch,
        # reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        # reject_unauth_pipelining,
        permit

    smtpd_recipient_restrictions =
        reject_non_fqdn_recipient,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_recipient_access hash:/etc/postfix/access_recipient,
        # check_policy_service unix:private/policy,
        reject_unknown_recipient_domain,
        # reject_non_fqdn_recipient,
        # reject_unauth_pipelining,
        permit

    smtpd_data_restrictions =
        reject_unauth_pipelining

I changed the rules this way. Can you help me to tune them better? I would like to have different sections for client, sender and recipient restrictions as above. I need to tune these better.
What is the best value for first retry-window for postgrey ?
Hi, we have a CentOS 5 server that we use as a mail server and I have installed postgrey there. I want to ask what values you use for the retry-window option and what the best value for this is. I have left it at the default value of 2 days for now, but I don't know if it is too high. What's your opinion? Thanks in advance and best regards!
Problem with spam messages
Hi, in our two mail servers I have seen this in the last weeks:

    non-SMTP command from 250.84.221.62.dyn.idknet.com[62.221.84.250]: From: ? VIAGRA ? Official Site

How can I block these accesses? Our system is: CentOS 5.3, postfix-2.3.3-2.1.el5_2, amavisd-maia-2.2.1-2_1.0.2.centos5, clamd-0.95.2-4.el5.rf, spamassassin-3.2.5-1.el5.rf. This is our configuration:

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
    broken_sasl_auth_clients = yes
    canonical_maps = hash:/etc/postfix/canonical
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    default_process_limit = 200
    default_transport = smtp
    disable_vrfy_command = yes
    html_directory = no
    inet_interfaces = all
    local_recipient_maps = hash:/etc/mailman/aliases, ldap:/etc/postfix/ldap-aliases.cf
    mail_owner = postfix
    mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    max_use = 10
    message_size_limit = 16777216
    mydestination = $myhostname, localhost.$mydomain, localhost, localhost.localdomain
    mydomain = $myhostname
    myhostname = myhost.domain.tld
    mynetworks = 127.0.0.0/8
    myorigin = $myhostname
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
    recipient_delimiter = +
    relay_domains = $myhostname, localhost, hash:/etc/postfix/relay_domains
    relocated_maps = hash:/etc/postfix/relocated
    sample_directory = /usr/share/doc/postfix-2.3.3/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
        check_client_access hash:/etc/postfix/access, reject_unauth_pipelining,
        reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
        reject_rbl_client combined.njabl.org, permit
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
        check_helo_access hash:/etc/postfix/access_helo, reject_invalid_hostname,
        reject_unauth_pipelining, permit
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_mynetworks,
        permit_sasl_authenticated, reject_unauth_destination,
        check_recipient_access hash:/etc/postfix/access_recipient,
        reject_unknown_recipient_domain, reject_unauth_pipelining, permit
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sender_login_maps = ldap:/etc/postfix/ldap-aliases.cf
    smtpd_sender_restrictions = reject_non_fqdn_sender, permit_mynetworks,
        permit_sasl_authenticated, check_sender_access hash:/etc/postfix/access_sender,
        check_client_access cidr:/etc/postfix/access_client, reject_sender_login_mismatch,
        reject_unknown_sender_domain, reject_unauth_pipelining, permit
    smtpd_tls_CAfile = /etc/pki/tls/certs/gd_intermediate_bundle.crt
    smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
    smtpd_tls_key_file = $smtpd_tls_cert_file
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    transport_maps = hash:/etc/postfix/transport, hash:/etc/postfix/transport_domains
    unknown_local_recipient_reject_code = 550
    virtual_alias_domains = hash:/etc/postfix/destination_domains
    virtual_alias_maps = hash:/etc/postfix/virtual, ldap:/etc/postfix/ldap-aliases.cf

Thanks in advance!
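The "non-SMTP command" line above is what smtpd logs when a client sends something that is not an SMTP command (here a From: header, typical of a spambot that never learned the protocol). One reactive way to act on it, as an added example that is not from the thread, is to parse those lines out of the mail log and emit a cidr: table for the check_client_access cidr:/etc/postfix/access_client restriction the configuration above already uses. Only the first "non-SMTP command" log line below is the one quoted in the post; the remaining sample lines, the hostnames, the host 198.51.100.23 and the mail.example.net/203.0.113.5 connect are constructed, as are the function names.

```python
"""Added example, not from the thread: turn Postfix "non-SMTP command" log
lines into a cidr: access table that check_client_access can reject.

Only the first "non-SMTP command" sample line is real (quoted in the post);
everything else in SAMPLE_LOG is constructed for the example.
"""
import re
from collections import Counter

# Constructed sample of /var/log/maillog: the line from the post, a normal
# disconnect for the same client, a second offender seen twice, and one
# legitimate connect that must not be picked up.
SAMPLE_LOG = """\
Jun  3 10:12:01 mx1 postfix/smtpd[12345]: non-SMTP command from 250.84.221.62.dyn.idknet.com[62.221.84.250]: From: ? VIAGRA ? Official Site
Jun  3 10:12:01 mx1 postfix/smtpd[12345]: disconnect from 250.84.221.62.dyn.idknet.com[62.221.84.250]
Jun  3 10:13:40 mx1 postfix/smtpd[12350]: non-SMTP command from unknown[198.51.100.23]: Subject: cheap pills
Jun  3 10:14:02 mx1 postfix/smtpd[12351]: connect from mail.example.net[203.0.113.5]
Jun  3 10:15:10 mx1 postfix/smtpd[12352]: non-SMTP command from unknown[198.51.100.23]: To: someone@ourdomain.com
"""

# smtpd logs the client as hostname[address]; the offending input follows ": ".
NON_SMTP_RE = re.compile(
    r"postfix/smtpd\[\d+\]: non-SMTP command from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: (?P<cmd>.*)$"
)


def non_smtp_offenders(log_text):
    """Map each client IP to the number of non-SMTP commands it sent."""
    hits = Counter()
    for line in log_text.splitlines():
        m = NON_SMTP_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return dict(hits)


def cidr_access_map(offenders, threshold=1):
    """Render a cidr: table (one host per line) for every IP seen at least
    `threshold` times, most frequent first. Postfix reads cidr: tables
    directly; do not run postmap on the output."""
    rows = []
    for ip, n in sorted(offenders.items(), key=lambda kv: (-kv[1], kv[0])):
        if n >= threshold:
            prefix = "/128" if ":" in ip else "/32"
            rows.append(f"{ip}{prefix}\tREJECT non-SMTP commands seen {n} times")
    return "\n".join(rows) + ("\n" if rows else "")


if __name__ == "__main__":
    # Real use: pipe the log in instead of SAMPLE_LOG and write the result
    # to the cidr: file named in check_client_access, then "postfix reload".
    print(cidr_access_map(non_smtp_offenders(SAMPLE_LOG)), end="")
```

Two caveats when using this. A REJECT in access_client only fires where that table is consulted, which in the configuration above is smtpd_sender_restrictions, so the client is refused at MAIL FROM rather than at connect; to refuse it earlier, list the same cidr: table under check_client_access in smtpd_client_restrictions as well. And the logged hostname (250.84.221.62.dyn.idknet.com) is a dynamic pool, so a host blocked today is someone else's address next week; entries generated this way should carry a date and be expired, not accumulated forever.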