Mailinglist Archive: opensuse (2831 mails)

Re: [SLE] Postfix UCE, rbl, cidr and ehlo
  • From: Sandy Drobic <suse-linux-e@xxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 13 Jul 2006 19:57:26 +0200
  • Message-id: <44B68986.9020101@xxxxxxxxxxxxxxxxxxxxxxx>
jfweber@xxxxxxxxxxxx wrote:
On July Thursday 13 2006 1:05 pm, david rankin wrote in an electronic and somewhat quixotic manner:

The smtpd_client_restrictions = check_client_access
hash:/etc/postfix/client_check parameter is a very good tool for
blocking the ranges of IPs that produce most of the spam and the
restriction can be controlled to allow access from within the excluded
block.

Take Per's example:
217.0.0.0/8 REJECT You are unwelcome here...
"You won't be getting much email from me then - we're on
217.8.216.8/29."

In /etc/postfix/client_check, that can be addressed by:

[root@bonza postfix]# cat client_check
217.8.216.0/24 OK
217.0.0.0/8 REJECT You are unwelcome here...

So Per's part of the IP range would get through, but the rest
would not. I'm still working on this. I'll conduct a test without the

This will catch too many false positives on a production system and will require too much whitelist care to be effective unless your priority is on spam reduction.

hash:/etc/postfix/client_check just using the reject_rbl_client
relays.ordb.org, reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client list.dsbl.org, reject_unknown_client and see how it
works. Theoretically, the rbl lists should catch much of what I have
rejected with the hash of client_check anyway.

That is the idea, though the blacklists are much more selective and thus better tuned for the task.


Thanks for your thoughts and advice. I'll keep you posted....

Just curious why not drop the message instead of reject it? Once you do that the presence of your box is confirmed at that address, then w/ a bit more work <shrug> it winds up on someone's "todo" list when they may make a series of attacks to see if they can get any more info. I would think that might be something you most especially wouldn't want to do w/ a box w/ a (more or less) permanent address.

You are mistaking "reject" with "bounce". With a reject during the initial smtp dialogue you only announce that you will reject the client. That does in no way say if the recipient address is valid or not. Most rejections happen because of bad helo/ehlo and the client address.

There are more considerations for rejecting emails:

- what will happen if you discard an email to a mistyped address? The sending server has logged that your server has accepted the mail, so you are the one who is responsible for losing the mail.

- if you reject the mail the sending server has to notify the sender that the email could not be delivered.

- Rejecting during smtp will greatly reduce the transfer traffic, since you don't accept the main body. In the worst case the cost is a few kB for a negotiated TLS connection.

Definitely, mails you do not want to accept have to be rejected, mails you accept must be delivered, with the possible exception of viruses. Everything else will lead to a lot of pain.

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
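
An added example (not part of the original message and not Postfix code): a small Python model of how an ordered CIDR access table such as the client_check file quoted above resolves a client address, and how to spot an entry that a wider, earlier entry makes unreachable. It assumes the table is loaded through Postfix's cidr: map type, which takes network/mask patterns and stops at the first match. The names parse_table, lookup and shadowed are hypothetical, and the table text is a constructed copy of the one in the thread.

```python
import ipaddress

# Constructed copy of the client_check table quoted in the thread.
CLIENT_CHECK = """\
217.8.216.0/24 OK
217.0.0.0/8 REJECT You are unwelcome here...
"""

def parse_table(text):
    """Return [(lineno, network, action)] in file order, skipping blanks and comments."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: pattern without an action")
        # strict=True makes ipaddress refuse patterns with host bits set,
        # e.g. 217.8.216.8/24 instead of 217.8.216.0/24.
        net = ipaddress.ip_network(fields[0], strict=True)
        rules.append((lineno, net, fields[1]))
    return rules

def lookup(rules, client_ip):
    """First matching pattern wins; None means no entry matched."""
    addr = ipaddress.ip_address(client_ip)
    for _, net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None

def shadowed(rules):
    """List (line, earlier_line) pairs where an earlier, wider entry hides a later one."""
    hits = []
    for i, (lineno, net, _) in enumerate(rules):
        for earlier_line, earlier_net, _ in rules[:i]:
            if net.version == earlier_net.version and net.subnet_of(earlier_net):
                hits.append((lineno, earlier_line))
                break
    return hits

if __name__ == "__main__":
    rules = parse_table(CLIENT_CHECK)
    for ip in ("217.8.216.8", "217.1.2.3", "192.0.2.1"):
        print(ip, "->", lookup(rules, ip))
    reversed_rules = parse_table("\n".join(reversed(CLIENT_CHECK.splitlines())))
    print("shadowed when reversed:", shadowed(reversed_rules))
```

With the entries in the order shown in the thread the whitelisted /24 is consulted before the /8; with the order reversed the OK line is never reached, which is what shadowed reports.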
