postfix - blocking internet mail to root@domain.com
List, (Sandy): I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar? -- David C. Rankin, J.D., P.E. RANKIN LAW FIRM, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 (936) 715-9333 (936) 715-9339 fax www.rankinlawfirm.com --
david rankin wrote:
List, (Sandy):
I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar?
Yes, just put in the check after local mail from your network has already
been accepted. This example assumes that you have set rankin-bertin.com as
$myorigin (your default domain).
main.cf:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipients_internal_only
/etc/postfix/recipients_internal_only:
root@rankin-bertin.com REJECT
Don't forget to "postmap /etc/postfix/recipients_internal_only" and also
issue "reload postfix".
Then check it when you send a mail from the internet. You should get a
reject entry in your log like:
Jan 17 00:04:17 katgar postfix/smtpd[15224]: NOQUEUE: reject: RCPT from
mail-in0.tiscali.nl[195.241.79.164]: 554 5.7.1
Sandy Drobic wrote:
david rankin wrote:
List, (Sandy):
I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar?
Yes, just put in the check after local mail from your network has already been accepted. This example assumes that you have set rankin-bertin.com as $myorigin (your default domain).
and that the local server and the local clients who should be able to send mails to root are in $mynetworks or use sasl auth. Sigh, it's a bit late for coherent writings, apparently...
main.cf:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipients_internal_only
/etc/postfix/recipients_internal_only:
root@rankin-bertin.com REJECT
Don't forget to "postmap /etc/postfix/recipients_internal_only" and also issue "reload postfix".
Then check it when you send a mail from the internet. You should get a reject entry in your log like:
Jan 17 00:04:17 katgar postfix/smtpd[15224]: NOQUEUE: reject: RCPT from mail-in0.tiscali.nl[195.241.79.164]: 554 5.7.1 : Recipient address rejected: Access denied; from=<> to= proto=SMTP helo=
Sandy
-- List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
From: "Sandy Drobic"
Sandy Drobic wrote:
david rankin wrote:
List, (Sandy):
I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar?
Yes, just put in the check after local mail from your network has already been accepted. This example assumes that you have set rankin-bertin.com as $myorigin (your default domain).
and that the local server and the local clients who should be able to send mails to root are in $mynetworks or use sasl auth.
Sigh, it's a bit late for coherent writings, apparently...
You just keep sending the incoherent thoughts! They work every time. Thanks again, and again Sandy! -- David C. Rankin, J.D., P.E. RANKIN LAW FIRM, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 (936) 715-9333 (936) 715-9339 fax www.rankinlawfirm.com --
From: "Sandy Drobic"
Sandy Drobic wrote:
david rankin wrote:
List, (Sandy):
I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar?
Yes, just put in the check after local mail from your network has already been accepted. This example assumes that you have set rankin-bertin.com as $myorigin (your default domain).
and that the local server and the local clients who should be able to send mails to root are in $mynetworks or use sasl auth.
OK, here is another question. How do I handle the situation where $myorigin is rbpllc.com, but rankin-bertin.com, rankinlawfirm.com and guillorylaw.com all resolve to the same IP? Ideally, I would like to have mail to root@anyofthose.com rejected from the internet. First thought is multiple listing in check_recipient_access hash:/etc/postfix/recipients_internal_only:
/etc/postfix/recipients_internal_only:
root@rbpllc.com REJECT
root@rankin-bertin.com REJECT
root@rankinlawfirm.com REJECT
Given your comment above, will I run into trouble with the other domain names? Any thoughts on handling that situation? It looks like local delivery should work regardless. Currently,
mynetworks = 127.0.0.0/8 192.168.7.0/24 [::1]/128 [fe80::20f:eaff:fed1:2627]/64 [::192.168.7.15]/96 [::127.0.0.1]/96
mynetworks_style = subnet
Is there anything that would cause the multiple domains in recipients_internal_only to cause trouble? Thanks again.........
-- David C. Rankin, J.D., P.E. RANKIN LAW FIRM, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 (936) 715-9333 (936) 715-9339 fax www.rankinlawfirm.com --
david rankin wrote:
OK, here is another question. How do I handle the situation where $myorigin is rbpllc.com, but rankin-bertin.com, rankinlawfirm.com and guillorylaw.com all resolve to the same IP? Ideally, I would like to have mail to root@anyofthose.com rejected from the internet. First thought is multiple listing in check_recipient_access hash:/etc/postfix/recipients_internal_only:
/etc/postfix/recipients_internal_only:
root@rbpllc.com REJECT
root@rankin-bertin.com REJECT
root@rankinlawfirm.com REJECT
As long as you are using fully qualified domain names I do not expect you to run into any problems. Problems might arise if you do NOT use FQDN and then block users for ALL domains without realising it.
Given your comment above, will I run into trouble with the other domain names? Any thoughts on handling that situation? It looks like local delivery should work regardless. Currently,
mynetworks = 127.0.0.0/8 192.168.7.0/24 [::1]/128 [fe80::20f:eaff:fed1:2627]/64 [::192.168.7.15]/96 [::127.0.0.1]/96
mynetworks_style = subnet
Is there anything that would cause the multiple domains in recipients_internal_only to cause trouble?
Only when you use just the local part and later detect that the restriction should have been made only for two of the three domains. If you want to restrict access to some recipients more fine-grained you need restriction classes. I use them to restrict access to my list addresses to the listservers only.
Sandy
-- List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
david rankin wrote:
OK, here is another question. How do I handle the situation where $myorigin is rbpllc.com, but rankin-bertin.com, rankinlawfirm.com and guillorylaw.com all resolve to the same IP? Ideally, I would like to have mail to root@anyofthose.com rejected from the internet. First thought is multiple listing in check_recipient_access hash:/etc/postfix/recipients_internal_only:
/etc/postfix/recipients_internal_only:
root@rbpllc.com REJECT
root@rankin-bertin.com REJECT
root@rankinlawfirm.com REJECT
I'm assuming you've got those other domain names set up as virtual hosts, in which case the above will work just fine. /Per Jessen, Zürich (-0.19 °C) -- http://www.spamchek.com/ - managed anti-spam and anti-virus solution. Let us analyse your spam- and virus-threat - up to 2 months for free.
Per Jessen wrote:
david rankin wrote:
OK, here is another question. How do I handle the situation where $myorigin is rbpllc.com, but rankin-bertin.com, rankinlawfirm.com and guillorylaw.com all resolve to the same IP? Ideally, I would like to have mail to root@anyofthose.com rejected from the internet. First thought is multiple listing in check_recipient_access hash:/etc/postfix/recipients_internal_only:
/etc/postfix/recipients_internal_only:
root@rbpllc.com REJECT
root@rankin-bertin.com REJECT
root@rankinlawfirm.com REJECT
I'm assuming you've got those other domain names set up as virtual hosts, in which case the above will work just fine.
Actually, the check does not care in what kind of address class the domain
is, the check will only compare the key "recipient address" against
the database and then return the result.
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/recipients_rejected,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    ....
/etc/postfix/recipients_rejected:
bumblebee@smurf.invalid REJECT
suse-linux-e-owner@suse.de REJECT
smurf.invalid is not (and will never be) in my domain classes.
suse-linux-e-owner is valid (for suse.de) but will be rejected by this
test as well.
Jan 17 10:57:32 katgar postfix/smtpd[18187]: NOQUEUE: reject: RCPT from
grobi.washu.lab[192.168.0.4]: 554 5.7.1
On Tue, 2006-01-17 at 00:04 -0600, david rankin wrote:
From: "Sandy Drobic"
Sandy Drobic wrote:
david rankin wrote:
List, (Sandy):
I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar?
Yes, just put in the check after local mail from your network has already been accepted. This example assumes that you have set rankin-bertin.com as $myorigin (your default domain).
and that the local server and the local clients who should be able to send mails to root are in $mynetworks or use sasl auth.
OK, here is another question. How do I handle the situation where $myorigin is rbpllc.com, but rankin-bertin.com, rankinlawfirm.com and guillorylaw.com all resolve to the same IP? Ideally, I would like to have mail to root@anyofthose.com rejected from the internet. First thought is multiple listing in check_recipient_access hash:/etc/postfix/recipients_internal_only:
/etc/postfix/recipients_internal_only:
root@rbpllc.com REJECT
root@rankin-bertin.com REJECT
root@rankinlawfirm.com REJECT
Given your comment above, will I run into trouble with the other domain names? Any thoughts on handling that situation? It looks like local delivery should work regardless. Currently,
mynetworks = 127.0.0.0/8 192.168.7.0/24 [::1]/128 [fe80::20f:eaff:fed1:2627]/64 [::192.168.7.15]/96 [::127.0.0.1]/96
mynetworks_style = subnet
Is there anything that would cause the multiple domains in recipients_internal_only to cause trouble?
I'm using something similar in postfix as follows:
in main.cf:
smtpd_recipient_restrictions =hash:/etc/postfix/incoming_access,permit_mynetworks,reject_unauth_destination
in /etc/postfix/incoming_access I have entries like:
incoming_access:root@ permit_mynetworks,reject
incoming_access:mailer-daemon@ permit_mynetworks,reject
incoming_access:virusalert@ permit_mynetworks,reject
incoming_access:administrator@ permit_mynetworks,reject
incoming_access:daemon@ permit_mynetworks,reject
incoming_access:lp@ permit_mynetworks,reject
incoming_access:news@ permit_mynetworks,reject
incoming_access:uucp@ permit_mynetworks,reject
Add as many local addresses as needed. Works well here to block email to local admin accounts.
-- Ken Schneider UNIX since 1989, linux since 1994, SuSE since 1998
On Tue, 2006-01-17 at 07:35 -0500, Ken Schneider wrote:
On Tue, 2006-01-17 at 00:04 -0600, david rankin wrote: <snip> (Further clarification for the file incoming_access)
I'm using something similar in postfix as follows:
in main.cf:
smtpd_recipient_restrictions =hash:/etc/postfix/incoming_access,permit_mynetworks,reject_unauth_destination
in /etc/postfix/incoming_access I have entries like:
root@ permit_mynetworks,reject
mailer-daemon@ permit_mynetworks,reject
virusalert@ permit_mynetworks,reject
administrator@ permit_mynetworks,reject
daemon@ permit_mynetworks,reject
lp@ permit_mynetworks,reject
news@ permit_mynetworks,reject
access:uucp@ permit_mynetworks,reject
Add as many local addresses as needed. Works well here to block email to local admin accounts.
-- Ken Schneider UNIX since 1989, linux since 1994, SuSE since 1998
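
Added example (not part of any post in this thread, and not Postfix code): a simplified Python model of first-match-wins evaluation of smtpd_recipient_restrictions, comparing the check placed after permit_mynetworks, the check placed first, and a local-part key (root@) whose result is itself a restriction list. The client addresses, LOCAL_DOMAINS and all function names are constructed for illustration; SASL and parent-domain matching are not modelled.

```python
import ipaddress

# Constructed sample values; the LAN range is the one quoted in the thread.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.7.0/24")]
LOCAL_DOMAINS = {"rbpllc.com", "rankin-bertin.com", "rankinlawfirm.com"}

def access_lookup(table, rcpt):
    """Indexed-table key order from access(5): user@domain, domain, user@.
    Parent-domain (.domain) matching is left out of this sketch."""
    user, _, domain = rcpt.lower().rpartition("@")
    for key in (f"{user}@{domain}", domain, f"{user}@"):
        if key in table:
            return table[key]
    return None

def _walk(restrictions, table, ip, rcpt):
    """Return PERMIT/REJECT at the first decisive restriction, else None."""
    for name in restrictions:
        if name == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return "PERMIT"
        if name == "reject_unauth_destination":
            if rcpt.lower().rpartition("@")[2] not in LOCAL_DOMAINS:
                return "REJECT"
        if name == "check_recipient_access":
            action = access_lookup(table, rcpt)
            if action == "REJECT":
                return "REJECT"
            if action:  # right-hand side is itself a restriction list
                verdict = _walk(action.split(","), table, ip, rcpt)
                if verdict:
                    return verdict
        if name == "reject":
            return "REJECT"
        # anything else (e.g. permit_sasl_authenticated) is not modelled
    return None

def evaluate(restrictions, table, client_ip, rcpt):
    """No decision by the end of the list means the recipient is accepted."""
    ip = ipaddress.ip_address(client_ip)
    return _walk(restrictions, table, ip, rcpt) or "PERMIT"

CHECK_LAST = ["permit_mynetworks", "permit_sasl_authenticated",
              "reject_unauth_destination", "check_recipient_access"]
CHECK_FIRST = ["check_recipient_access", "permit_mynetworks",
               "reject_unauth_destination"]
FQDN_TABLE = {"root@rankin-bertin.com": "REJECT"}
LOCALPART_TABLE = {"root@": "permit_mynetworks,reject"}

if __name__ == "__main__":
    for ip in ("192.168.7.20", "203.0.113.9"):  # LAN host, outside host
        print(ip, evaluate(CHECK_LAST, FQDN_TABLE, ip, "root@rankin-bertin.com"))
```

On a live server, `postmap -q root@rankin-bertin.com hash:/etc/postfix/recipients_internal_only` shows what the table returns for a given key before any mail is sent.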
Sandy, Per, Ken: You guys are awesome. I'm going to block out some time today to implement and play with the suggestions. I'll report back on the results. Thanks again! -- David C. Rankin, J.D., P.E. RANKIN LAW FIRM, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 (936) 715-9333 (936) 715-9339 fax www.rankinlawfirm.com --
On Monday 16 January 2006 17:08, david rankin wrote:
List, (Sandy):
I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar?
-- David C. Rankin, J.D., P.E. RANKIN LAW FIRM, PLLC
Wow, a lawyer that can't do a little research via google or checking on postfix.org. ;) Yep, don't flame me... just a personal observation. Dana
From: "Dana J. Laude"
On Monday 16 January 2006 17:08, david rankin wrote:
List, (Sandy):
I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar?
-- David C. Rankin, J.D., P.E. RANKIN LAW FIRM, PLLC
Wow, a lawyer that can't do a little research via google or checking on postfix.org. ;) Yep, don't flame me... just a personal observation.
Dana
Perhaps the years of research have taught me to first expend efforts in the most likely place to yield concise results; and knowing Sandy may be lurking around tonight; the list was the starting point of choice. No flames taken or given. Cold logic is hard to beat.... and it looks like it paid off in spades tonight! Thank you Sandy....Again! -- David C. Rankin, J.D., P.E. RANKIN LAW FIRM, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 (936) 715-9333 (936) 715-9339 fax www.rankinlawfirm.com --
participants (5): Dana J. Laude, david rankin, Ken Schneider, Per Jessen, Sandy Drobic