Postfix: Blocking mails from a top-level domain
Hello,
Perhaps someone can help me. I use Postfix 2.2.5-5 on SUSE 10.0.
I want to reject all emails where the (envelope) sender is from the
top-level domain .biz.
Well, I thought, no problem, and added:
.biz REJECT
to the access map. The access map is used with
smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/access, permit
in main.cf.
Well, it doesn't work and I'm wondering why. E.g., an email with the
sender
Joachim Schrod wrote:
Hello,
Perhaps someone can help me. I use Postfix 2.2.5-5 on SUSE 10.0. I want to reject all emails where the (envelope) sender is from the top-level domain .biz.
Well, I thought, no problem, and added:
.biz REJECT
to the access map. The access map is used with
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access, permit
in main.cf.
Well, it doesn't work and I'm wondering why. E.g., an email with the sender
is still delivered. When I use plain domain names in access, rejection works, but the TLD ".biz" does not work. According to the documentation, check_sender_access should "Search the specified access(5) database for the MAIL FROM address, domain, parent domains, or localpart@, and execute the corresponding action." But it doesn't search for the parent domain.
Can anybody help me and shed light on that problem?
If your version of Postfix supports pcre maps (it should), then the easy way out is here:

main.cf:
smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access pcre:/etc/postfix/sender_access_pcre

pcre:/etc/postfix/sender_access_pcre:
/\.biz$/    554 domain .biz not accepted as sender address

test with postmap:
postmap -q sender@example.biz pcre:/etc/postfix/sender_access_pcre

To test pcre capability of your Postfix version:
# postconf -m
btree
cidr
environ
hash
ldap
mysql
nis
pcre   <=
proxy
regexp
static
tcp
unix

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com

Sandy Drobic wrote:
Hello,
I summarized my actual solution in another post, thanks for the pointer to pcre. But then I noted a tidbit here which I want to follow up. You write:
main.cf: smtpd_sender_restrictions = permit_mynetworks, check_sender_access pcre:/etc/postfix/sender_access_pcre
Is there any advantage to have permit_mynetworks in the sender restrictions? I have that clause in the recipient restrictions (after a whitelisting of SASL-authenticated connections, for our "road warriors"). Is this just a matter of taste, or is one of those two choices better?

Curious,
Joachim
--
Joachim Schrod Email: jschrod@acm.org
Roedermark, Germany
Joachim Schrod wrote:
Sandy Drobic wrote:
Hello,
I summarized my actual solution in another post, thanks for the pointer to pcre. But then I noted a tidbit here which I want to follow up. You write:
main.cf: smtpd_sender_restrictions = permit_mynetworks, check_sender_access pcre:/etc/postfix/sender_access_pcre
Is there any advantage to have permit_mynetworks in the sender restrictions? I have that clause in the recipient restrictions (after a whitelisting of SASL-authenticated connections, for our "road warriors"). Is this just a matter of taste, or is one of those two choices better?
What happens if one of your paying customers is using a sender address .biz? If he is in $mynetworks, then your restriction will not kill him off. If you have sasl authentication in use, I would set permit_sasl_authenticated as well.

This is just a safety measure. In one year, you might have another job at another company, and your successor might not know what exactly you have all configured hidden in some little config file, since he is busy solving other problems. Then, your company is adding a .biz domain to their network and they can't send mails.

As I said, just a safety measure to protect yourself from whatever restriction you are setting in to fight off spam.

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
Joachim Schrod wrote:
Sandy Drobic wrote:
Hello,
I summarized my actual solution in another post, thanks for the pointer to pcre. But then I noted a tidbit here which I want to follow up. You write:
main.cf: smtpd_sender_restrictions = permit_mynetworks, check_sender_access pcre:/etc/postfix/sender_access_pcre
Is there any advantage to have permit_mynetworks in the sender restrictions? I have that clause in the recipient restrictions (after a whitelisting of SASL-authenticated connections, for our "road warriors"). Is this just a matter of taste, or is one of those two choices better?
It's getting late, I just saw that you are using sasl auth indeed. The problem is that each main smtpd_*_restriction is evaluated for every mail until it is permitted or rejected in each category. So if you are using smtpd_sender_restrictions in addition to smtpd_recipient_restrictions, then you should exclude your trusted clients from these restrictions. Otherwise use the check_sender_access in your smtpd_recipient_restrictions. If "smtpd_delay_reject = yes" is not explicitly set otherwise, it won't make much difference.

Either set:

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client sbl-xbl.spamhaus.org
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access pcre:/etc/postfix/sender_access_pcre
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,

Or use:

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_sender_access pcre:/etc/postfix/sender_access_pcre
    reject_rbl_client sbl-xbl.spamhaus.org

The result will be the same, though the latter one is easier to understand and expand.

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
Sandy Drobic wrote:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_sender_access pcre:/etc/postfix/sender_access_pcre reject_rbl_client sbl-xbl.spamhaus.org
Hey, that's much better, the whole policy in one place. I didn't realize that one can specify sender restrictions in smtpd_recipient_restrictions, that was a bit counter-intuitive. (I added a respective comment to my main.cf, for the sake of the folks who come after me. ;-)

Joachim
--
Joachim Schrod Email: jschrod@acm.org
Roedermark, Germany
Joachim Schrod wrote:
Well, I thought, no problem, and added:
.biz REJECT
to the access map. The access map is used with
That is not a supported format - only user@domain, domain.tld or user@ will work in an access table.
Sandy Drobic's solution with PCRE is what I would use.

Per Jessen, Zurich
--
http://www.spamchek.com/ - managed email security. Starting at SFr5/month/user.

The Wednesday 2006-10-18 at 17:22 +0200, Per Jessen wrote:
Joachim Schrod wrote:
Well, I thought, no problem, and added:
.biz REJECT
to the access map. The access map is used with
That is not a supported format - only user@domain, domain.tld or user@ will work in an access table.
Sandy Drobic's solution with PCRE is what I would use.
What about:
biz REJECT
would it work?

--
Cheers,
Carlos E. R.
Carlos E. R. wrote:
The Wednesday 2006-10-18 at 17:22 +0200, Per Jessen wrote:
Joachim Schrod wrote:
Well, I thought, no problem, and added:
.biz REJECT
to the access map. The access map is used with
That is not a supported format - only user@domain, domain.tld or user@ will work in an access table.
Sandy Drobic's solution with PCRE is what I would use.
What about:
biz REJECT
would it work?
Would that be the local part or the domain part that should match this? In any case, it doesn't work for either case:

sender_access:
biz    554 domain .biz not accepted as sender address

# postmap -q sender@example.biz hash:sender_access
#
# postmap -q biz@example.com hash:sender_access
#

IMHO the pcre version with the $ at the end of the expression is the only one that really works.

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
Hello, Thanks for your help; got it worked out; I'll try to answer to several posts at once here. ;-)
The Wednesday 2006-10-18 at 17:22 +0200, Per Jessen wrote:
Well, I thought, no problem, and added: .biz REJECT to the access map. The access map is used with
That is not a supported format - only user@domain, domain.tld or user@ will work in an access table.
Well, the man page access(5) documents that .domain.tld (with an initial dot) is used to specify that all subdomains match as well. Therefore I thought that .tld matches all subdomains as well; but I was wrong.
Sandy Drobic's solution with PCRE is what I would use.
Yes, this works; thanks to Sandy for pointing that out, I can put it to good use for another case. But actually, Carlos hit the nail:
What about: biz REJECT would it work?
Yes, it does. I should have tried that myself, but was misguided by the "match all subdomain" remark in access(5). But when I reread the man page, I stumbled upon the remark that no parent domain lookup is done for regexp or pcre tables, and I remembered that check_sender_access defines that a lookup is done for the parent domain as well. I.e., for domain.tld, tld is looked up in access. Tested and worked; bingo.

Thanks again for your input, folks.

Joachim
--
Joachim Schrod Email: jschrod@acm.org
Roedermark, Germany
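The lookup order the thread converges on, emulated as an added example (not Postfix code and not from any poster): for an indexed map, check_sender_access tries the full address, the domain, each parent domain, then localpart@, while a pcre map matches the whole address once. It assumes the default parent_domain_matches_subdomains, which lists smtpd_access_maps, and ignores address extensions; note that postmap -q looks up only the literal key given, so it does not show this iteration.

```python
import re

def access_keys(address, parent_matches_subdomains=True):
    """Yield lookup keys in the order access(5) documents for indexed maps.

    Simplified emulation (assumption): no address extensions and no
    special case for numeric hosts.
    """
    local, _, domain = address.lower().rpartition("@")
    yield f"{local}@{domain}"              # 1. full address
    name = domain
    while name:
        yield name                         # 2. domain, then each parent
        dot = name.find(".", 1)
        if dot < 0:
            break
        # Default style strips the dot ("biz"); the other keeps it (".biz").
        name = name[dot + 1:] if parent_matches_subdomains else name[dot:]
    yield f"{local}@"                      # 3. localpart@

def check_sender_hash(table, address, parent_matches_subdomains=True):
    """Return (matching key, action) for an indexed map, or None."""
    for key in access_keys(address, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None

def check_sender_pcre(rules, address):
    """pcre/regexp maps: each pattern sees the whole address, no key iteration."""
    for pattern, action in rules:
        if re.search(pattern, address, re.IGNORECASE):
            return pattern, action
    return None

# Constructed sample maps mirroring the entries tried in the thread.
DOT_BIZ = {".biz": "REJECT"}
BIZ = {"biz": "REJECT"}
PCRE = [(r"\.biz$", "554 domain .biz not accepted as sender address")]

if __name__ == "__main__":
    sender = "sender@example.biz"
    print(list(access_keys(sender)))
    print(".biz entry:", check_sender_hash(DOT_BIZ, sender))
    print("biz entry: ", check_sender_hash(BIZ, sender))
    print("pcre entry:", check_sender_pcre(PCRE, sender))
```
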
participants (4)
- Carlos E. R.
- Joachim Schrod
- Per Jessen
- Sandy Drobic