Oliver Kohll - Mailing Lists a écrit :
> Hello,
>
> My postfix manages mail for a number of domains, e.g. gtwm.co.uk. The MX
> records are set so that mail is filtered through a third party spam
> catcher.
>
> However the server has one domain that is the 'main' hostname of the
> server, listed in /etc/hosts:
> 62.73.174.227 eul0001189.eu.verio.net eul0001189
> and in 'mydestination' in /etc/postfix/main.cf
>
> The MX record for this just points to itself:
> eul0001189.eu.verio.net. 3600 IN MX 100 eul0001189.eu.verio.net.
>
> Addresses are mapped to accounts in /etc/postfix/virtual, e.g.
> [email protected] wmoliver
>
> Now the problem is that if a spammer sends email directly to
> [email protected] it bypasses the third party spam filter
> and gets delivered. This has been happening.
>
> I've tried removing eul0001189.eu.verio.net from mydestination but this
> stopped any mail from being able to be delivered, probably because
> address rewriting uses this as the final destination. e.g. here is some
> of the header of an example mail to [email protected]
>
> X-Original-To: [email protected]
> Delivered-To: [email protected]
> Received: from psmtp.com (eu1sys200amx108.postini.com [207.126.144.57])
> by eul0001189.eu.verio.net (Postfix) with SMTP id 9B0AF66800A
> for <[email protected]>; Fri, 15 May 2009 17:05:47 +0100 (BST)
>
> Ideally I'd just like to block all email TO
> [email protected] while still of course allowing
> [email protected] or any of the other domains on the server. Are there
> any ways to accomplish this?
>
smtpd_recipient_restrictions =
permit_mynetworks
#permit_sasl_authenticated
reject_unauth_destination
check_client_access cidr:/etc/postfix/access_client
check_recipient_access hash:/etc/postfix/access_recipient
...
== access_client:
# whitelist filtering service
192.0.2.1 OK
#to whitelist multiple IPs, use a cidr block
#192.0.2.0/24 OK
== access_recipient
# do not forget to postmap this file after every change
eul0001189.eu.verio.net REJECT access denied
This will block mail to <*...@eul....> except from
- mynetworks
- your filtering service (more generally, any IP you whitelist in
access_client)
- authenticated users if you uncomment permit_sasl_authenticated
- and of cours, mail that you submit via the sendmail command (on the
postfix box), because it is not subject to smtpd restrictions.
> If not, would changing the MX records to pass that domain through the
> filter too cause a problem?
>
Ratware has already cached your IP, so whatever changes you do in DNS
won't stop all spam. better implement access control in postfix.