Roman Medina-Heigl Hernandez wrote:
Noel Jones wrote:
Roman Medina-Heigl Hernandez wrote:
Hello,
Spammers often send (forged) mail where "mail from" address is the same as
"rcpt to" address. An extension of that could be using a "mail from"
address where src domain is one of our valid virtual domains. I can only
think of 3 cases:
1) Src IP is 127.0.0.1 -> Mail should pass (eg: sent by webmail, installed
on the same MTA host).
2) Authenticated sender -> Legit users authenticated by SASL -> Should pass
3) All the rest -> Should be rejected (SPAM) (assuming a simple single-MTA
config, where MX -receiving mail server- is the same as MTA -outbound
sending mail server-)
Which is the best/preferred Postfix config to filter out that kind of spam?
I have all my valid domains in:
virtual_mailbox_domains = hash:/etc/postfix/vdomain
The current format of /etc/postfix/vdomain is:
domain1 whatever
domain2 whatever
So perhaps I could do something like:
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    XXXXX,
    permit
where XXXX could be some kind of "check_sender_access" clause, rejecting
domains listed in $virtual_mailbox_domains. How could I implement this? Is
there any other preferred solution?
Yes, you can use a map for this;
XXXX above =
check_sender_access hash:/etc/postfix/mydomains
# mydomains
example.com REJECT inside sender not allowed
example.net REJECT inside sender not allowed
...
So there is no other way to do this without having to "duplicate" the
same/similar hash file (/etc/postfix/vdomain and /etc/postfix/mydomains). I
thought perhaps it could exist some directive of the form:
reject_mydestination_domain_sender or something similar to avoid
duplicating domain databases ;-)).
If you have a large number of domains, keep a separate list of
the domains and let the computer build the different tables
for you. Use a Makefile to make it easy.
Note this will reject some legit mail. Spamassassin is probably a
Could you elaborate on those legit mail cases? Examples? It's very important
for me and I couldn't figure any legit cases (apart from the ones I already
mentioned).
Some web invites / rotten mail lists / web notifications etc.
will arrive with the recipient's address as the sender. While
this is generally poor form, a few legit sites do it. I don't
have any specific examples, but know they exist. "trust me"
--
Noel Jones
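
The approach suggested above (keep one domain list and generate both tables from it), as an added example that is not part of the original thread. The list file name `domains.list` and the function names are assumptions; the right-hand values are the ones quoted in the thread. Run `postmap` on each generated file afterwards.

```shell
#!/bin/sh
# Added example: build /etc/postfix/vdomain and /etc/postfix/mydomains
# from a single list so the two tables cannot drift apart.

# normalize_domains: read a domain list on stdin. Strips comments, keeps only
# the first field (so a list entry cannot smuggle in its own access action),
# lowercases, drops anything that is not a plain dotted host name, de-duplicates.
normalize_domains() {
    sed 's/#.*//' | awk 'NF { print tolower($1) }' |
    grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' |
    sort -u
}

# build_tables LIST OUTDIR: write OUTDIR/vdomain and OUTDIR/mydomains.
# Refuses to publish empty tables, and writes via temp files so a failed run
# never leaves a half-written table in place.
build_tables() {
    list=$1
    outdir=$2
    doms=$(normalize_domains < "$list") || return 1
    [ -n "$doms" ] || { echo "no valid domains in $list" >&2; return 1; }
    printf '%s\n' "$doms" | sed 's/$/ whatever/' > "$outdir/vdomain.tmp"
    printf '%s\n' "$doms" |
        sed 's/$/ REJECT inside sender not allowed/' > "$outdir/mydomains.tmp"
    mv "$outdir/vdomain.tmp" "$outdir/vdomain"
    mv "$outdir/mydomains.tmp" "$outdir/mydomains"
}

# Constructed sample list (not from the thread), built in a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/domains.list" <<'EOF'
# hosted domains, one per line
Example.COM
example.net   # trailing comment
example.com
not_a_domain OK
EOF
build_tables "$demo_dir/domains.list" "$demo_dir"
cat "$demo_dir/mydomains"
# On the real host: postmap hash:/etc/postfix/vdomain
#                   postmap hash:/etc/postfix/mydomains
```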