postfix - blocking internet mail to root@domain.com - openSUSE Users

postfix - blocking internet mail to root@domain.com

david rankin

17 Jan 2006 17 Jan '06

00:08

List, (Sandy): I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar? -- David C. Rankin, J.D., P.E. RANKIN LAW FIRM, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 (936) 715-9333 (936) 715-9339 fax www.rankinlawfirm.com --

Show replies by date

Sandy Drobic

17 Jan 17 Jan

00:18

New subject: [SLE] postfix - blocking internet mail to root@domain.com

david rankin wrote:

...

List, (Sandy):

I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar?

Yes, just put in the check after local mail from your network has already been accepted. This example assumes that you have set rankin-bertin.com as $myorigin (your default domain). main.cf: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauch_destination, check_recipient_access hash:/etc/postfix/recipients_internal_only /etc/postfix/recipients_internal_only: root@rankin-bertin.com REJECT Don't forget to "postmap /etc/postfix/recipients_internal_only and also issue "reload postfix". Then check it when you send a mail from the internet. You should get a reject entry in you log like: Jan 17 00:04:17 katgar postfix/smtpd[15224]: NOQUEUE: reject: RCPT from mail-in0.tiscali.nl[195.241.79.164]: 554 5.7.1 : Recipient address rejected: Access denied; from=<> to= proto=SMTP helo= Sandy -- List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com

Sandy Drobic

00:21

New subject: [SLE] postfix - blocking internet mail to root@domain.com

Sandy Drobic wrote:

...

david rankin wrote:

...
List, (Sandy):

I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar?

Yes, just put in the check after local mail from your network has already been accepted. This example assumes that you have set rankin-bertin.com as $myorigin (your default domain).

and that the local server and the local clients who should be able to send mails to root ar in $mynetworks or use sasl auth. Sigh, it's a bit late for coherent writings, apparently...

...

main.cf: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauch_destination, check_recipient_access hash:/etc/postfix/recipients_internal_only

/etc/postfix/recipients_internal_only: root@rankin-bertin.com REJECT

Don't forget to "postmap /etc/postfix/recipients_internal_only and also issue "reload postfix".

Then check it when you send a mail from the internet. You should get a reject entry in you log like:

Jan 17 00:04:17 katgar postfix/smtpd[15224]: NOQUEUE: reject: RCPT from mail-in0.tiscali.nl[195.241.79.164]: 554 5.7.1 : Recipient address rejected: Access denied; from=<> to= proto=SMTP helo=

Sandy

-- List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com

david rankin

05:46

New subject: [SLE] postfix - blocking internet mail to root@domain.com

From: "Sandy Drobic"

...

Sandy Drobic wrote:

...
david rankin wrote:

...
List, (Sandy):

I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar?

Yes, just put in the check after local mail from your network has already been accepted. This example assumes that you have set rankin-bertin.com as $myorigin (your default domain).

and that the local server and the local clients who should be able to send mails to root ar in $mynetworks or use sasl auth.

Sigh, it's a bit late for coherent writings, apparently...

You just keep sending the incoherent thoughts! They work every time. Thanks again, and again Sandy! -- David C. Rankin, J.D., P.E. RANKIN LAW FIRM, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 (936) 715-9333 (936) 715-9339 fax www.rankinlawfirm.com --

david rankin

06:04

New subject: [SLE] postfix - blocking internet mail to root@domain.com

From: "Sandy Drobic"

...

Sandy Drobic wrote:

...
david rankin wrote:

...
List, (Sandy):

I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar?

Yes, just put in the check after local mail from your network has already been accepted. This example assumes that you have set rankin-bertin.com as $myorigin (your default domain).

and that the local server and the local clients who should be able to send mails to root ar in $mynetworks or use sasl auth.

OK, here is another question. How do I handle the situation where $myorgin is rbpllc.com, but rankin-bertin.com, rankinlawfirm.com and guillorylaw.com all resolve to the same IP? Ideally, I would like to have mail to root@anyofthose.com rejected from the internet. First thought is multiple listing in check_recipient_access hash:/etc/postfix/recipients_internal_only: /etc/postfix/recipients_internal_only: root@rbpllc.com REJECT root@rankin-bertin.com REJECT root@rankinlawfirm.com REJECT Given your comment above, will I run into trouble with the other domain names? Any thoughts on handling that situation? It looks like local delivery should work regardless. Currently, mynetworks = 127.0.0.0/8 192.168.7.0/24 [::1]/128 [fe80::20f:eaff:fed1:2627]/64 [::192.168.7.15]/96 [::127.0.0.1]/96 mynetworks_style = subnet Is there anything that would cause the mutiple domains in recipients_internal_only to cause trouble? Thanks again......... -- David C. Rankin, J.D., P.E. RANKIN LAW FIRM, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 (936) 715-9333 (936) 715-9339 fax www.rankinlawfirm.com --

Sandy Drobic

06:16

New subject: [SLE] postfix - blocking internet mail to root@domain.com

david rankin wrote:

...

OK, here is another question. How do I handle the situation where $myorgin is rbpllc.com, but rankin-bertin.com, rankinlawfirm.com and guillorylaw.com all resolve to the same IP? Ideally, I would like to have mail to root@anyofthose.com rejected from the internet. First thought is multiple listing in check_recipient_access hash:/etc/postfix/recipients_internal_only:

/etc/postfix/recipients_internal_only: root@rbpllc.com REJECT root@rankin-bertin.com REJECT root@rankinlawfirm.com REJECT

As long as you are using fully qualified domain names I do not expext you to run into any problems. Problems might arise if you do NOT use FQDN and then block users for ALL domains without realising it.

...

Given your comment above, will I run into trouble with the other domain names? Any thoughts on handling that situation? It looks like local delivery should work regardless. Currently,

mynetworks = 127.0.0.0/8 192.168.7.0/24 [::1]/128 [fe80::20f:eaff:fed1:2627]/64 [::192.168.7.15]/96 [::127.0.0.1]/96 mynetworks_style = subnet

Is there anything that would cause the mutiple domains in recipients_internal_only to cause trouble?

Only when you use just the local part and later detect that the restriction should have been made only for two of the three domains. If you want to restrict access to some recipients more fine-grained you need restriction classes. I use them to restrict access to my list addresses to the listservers only. Sandy -- List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com

Per Jessen

07:28

New subject: [SLE] postfix - blocking internet mail to root@domain.com

david rankin wrote:

...

OK, here is another question. How do I handle the situation where $myorgin is rbpllc.com, but rankin-bertin.com, rankinlawfirm.com and guillorylaw.com all resolve to the same IP? Ideally, I would like to have mail to root@anyofthose.com rejected from the internet. First thought is multiple listing in check_recipient_access hash:/etc/postfix/recipients_internal_only:

/etc/postfix/recipients_internal_only: root@rbpllc.com REJECT root@rankin-bertin.com REJECT root@rankinlawfirm.com REJECT

I'm assuming you've got those other domain names set up as virtual hosts, in which case the above will work just fine. /Per Jessen, Zürich (-0.19 °C) -- http://www.spamchek.com/ - managed anti-spam and anti-virus solution. Let us analyse your spam- and virus-threat - up to 2 months for free.

Sandy Drobic

10:05

New subject: [SLE] postfix - blocking internet mail to root@domain.com

Per Jessen wrote:

...

david rankin wrote:

...
OK, here is another question. How do I handle the situation where $myorgin is rbpllc.com, but rankin-bertin.com, rankinlawfirm.com and guillorylaw.com all resolve to the same IP? Ideally, I would like to have mail to root@anyofthose.com rejected from the internet. First thought is multiple listing in check_recipient_access hash:/etc/postfix/recipients_internal_only:

/etc/postfix/recipients_internal_only: root@rbpllc.com REJECT root@rankin-bertin.com REJECT root@rankinlawfirm.com REJECT

I'm assuming you've got those other domain names set up as virtual hosts, in which case the above will work just fine.

Actually, the check does not care in what kind of address class the domain is, the check will will only compare the key "recipient address" against the database and then return the result. smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipients_rejected, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, .... /etc/postfix/recipients_rejected: bumblebee@smurf.invalid REJECT suse-linux-e-owner@suse.de REJECT smurf.invalid is not (and will never be) in my domain classes. suse-linux-e-owner is valid (for suse.de) but will be rejected by this test as well. Jan 17 10:57:32 katgar postfix/smtpd[18187]: NOQUEUE: reject: RCPT from grobi.washu.lab[192.168.0.4]: 554 5.7.1 : Recipient address rejected: Access denied; from= to= proto=ESMTP helo=<[192.168.0.4]> Jan 17 10:57:51 katgar postfix/smtpd[18187]: NOQUEUE: reject: RCPT from grobi.washu.lab[192.168.0.4]: 554 5.7.1 : Recipient address rejected: Access denied; from= to= proto=ESMTP helo=<[192.168.0.4]> Sandy -- List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com

Ken Schneider

12:35

New subject: [SLE] postfix - blocking internet mail to root@domain.com

On Tue, 2006-01-17 at 00:04 -0600, david rankin wrote:

...

From: "Sandy Drobic"

...
Sandy Drobic wrote:

...
david rankin wrote:

...
List, (Sandy):

I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar?

Yes, just put in the check after local mail from your network has already been accepted. This example assumes that you have set rankin-bertin.com as $myorigin (your default domain).

and that the local server and the local clients who should be able to send mails to root ar in $mynetworks or use sasl auth.

OK, here is another question. How do I handle the situation where $myorgin is rbpllc.com, but rankin-bertin.com, rankinlawfirm.com and guillorylaw.com all resolve to the same IP? Ideally, I would like to have mail to root@anyofthose.com rejected from the internet. First thought is multiple listing in check_recipient_access hash:/etc/postfix/recipients_internal_only:

/etc/postfix/recipients_internal_only: root@rbpllc.com REJECT root@rankin-bertin.com REJECT root@rankinlawfirm.com REJECT

Given your comment above, will I run into trouble with the other domain names? Any thoughts on handling that situation? It looks like local delivery should work regardless. Currently,

mynetworks = 127.0.0.0/8 192.168.7.0/24 [::1]/128 [fe80::20f:eaff:fed1:2627]/64 [::192.168.7.15]/96 [::127.0.0.1]/96 mynetworks_style = subnet

Is there anything that would cause the mutiple domains in recipients_internal_only to cause trouble?

I'm using something similar in postfix as follows: in main.cf: smtpd_recipient_restrictions =hash:/etc/postfix/incoming_access,permit_mynetworks,reject_unauth_destination in /etc/postfix/incoming_access I have entries like: incoming_access:root@ permit_mynetworks,reject incoming_access:mailer-daemon@ permit_mynetworks,reject incoming_access:virusalert@ permit_mynetworks,reject incoming_access:administrator@ permit_mynetworks,reject incoming_access:daemon@ permit_mynetworks,reject incoming_access:lp@ permit_mynetworks,reject incoming_access:news@ permit_mynetworks,reject incoming_access:uucp@ permit_mynetworks,reject Add as many local addresses as needed. Works well here to block email to local admin accounts. -- Ken Schneider UNIX since 1989, linux since 1994, SuSE since 1998

Ken Schneider

12:44

New subject: [SLE] postfix - blocking internet mail to root@domain.com

On Tue, 2006-01-17 at 07:35 -0500, Ken Schneider wrote:

...

On Tue, 2006-01-17 at 00:04 -0600, david rankin wrote: <snip> (Further clarification for the file incoming_access)

...

I'm using something similar in postfix as follows:

in main.cf:

smtpd_recipient_restrictions =hash:/etc/postfix/incoming_access,permit_mynetworks,reject_unauth_destination

in /etc/postfix/incoming_access I have entries like:

root@ permit_mynetworks,reject mailer-daemon@ permit_mynetworks,reject virusalert@ permit_mynetworks,reject administrator@ permit_mynetworks,reject daemon@ permit_mynetworks,reject lp@ permit_mynetworks,reject news@ permit_mynetworks,reject access:uucp@ permit_mynetworks,reject

Add as many local addresses as needed. Works well here to block email to local admin accounts.

-- Ken Schneider UNIX since 1989, linux since 1994, SuSE since 1998

david rankin

16:20

New subject: [SLE] postfix - blocking internet mail to root@domain.com

Sandy, Per, Ken: You guys are awesome. I'm going to block out some time today to implement and play with the suggestions. I'll report back on the results. Thanks again! -- David C. Rankin, J.D., P.E. RANKIN LAW FIRM, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 (936) 715-9333 (936) 715-9339 fax www.rankinlawfirm.com --

Dana J. Laude

05:09

New subject: [SLE] postfix - blocking internet mail to root@domain.com

On Monday 16 January 2006 17:08, david rankin wrote:

...

List, (Sandy):

I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar?

-- David C. Rankin, J.D., P.E. RANKIN LAW FIRM, PLLC

Wow, a lawyer that can't do a little research via google or checking on postfix.org. ;) Yep, don't flame me... just a personal observation. Dana

david rankin

05:44

New subject: [SLE] postfix - blocking internet mail to root@domain.com

From: "Dana J. Laude"

...

On Monday 16 January 2006 17:08, david rankin wrote:

...
List, (Sandy):

I am getting more and more spam sent to root@rankin-bertin.com. How do I stop delivery from the internet to root but still allow delivery to root from localhost or the local lan? Can I add an entry to recipient_check or something similar?

-- David C. Rankin, J.D., P.E. RANKIN LAW FIRM, PLLC

Wow, a lawyer that can't do a little research via google or checking on postfix.org. ;) Yep, don't flame me... just a personal observation.

Dana

Perhaps the years of research has taught me to first expend efforts in the most likely place to yeild concise results; and knowing Sandy may be lurking around tonight; the list was starting point of choice. No flames taken or given. Cold logic is hard to beat.... and it looks like it paid off in spades tonight! Thank you Sandy....Again! -- David C. Rankin, J.D., P.E. RANKIN LAW FIRM, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 (936) 715-9333 (936) 715-9339 fax www.rankinlawfirm.com --

6685

Age (days ago)

6685

Last active (days ago)

List overview

Download

12 comments

5 participants

participants (5)

Dana J. Laude
david rankin
Ken Schneider
Per Jessen
Sandy Drobic