Stuart Matthews:
> Hi everyone,
> 
> I am the systems administrator for the Electronic Frontier Foundation. I 
> have been having a problem with getting spam that has a from of, for 
> example, t...@eff.org (which is a valid email address). I would like my 
> mail server to not accept mail that says it is from @eff.org unless it 
> is sent via an authenticated end user, or unless it is mail generated by 
> the mail server itself. Essentially, in pseudo-code, what I want is:
> 
> if ((from == *...@eff.org) and ((sending mail server != mail1.eff.org) or 
> (sent using SMTP auth))) then REJECT

Making a variation on 
http://www.nabble.com/false-return-addresses-td24058164.html

Not tested:

# Pass mail from inside mynetworks, reject senders
/etc/postfix/main.cf:
    smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/sender_access,

# Also matches subdomains of example.com by default (see
# parent_matches_subdomains documentation).
# Needs "postmap /etc/postfix/sender_access" after change.
/etc/postfix/sender_access:
    example.com REJECT Bad sender address - you are not example.com 


        Wietse

> I have already tried editing /usr/local/etc/postfix/access, adding:
> eff.org               REJECT  you can't send mail as me!
> And of course I ran postmap after this. I have also tried using the 
> setting that rejects mail that says HELO eff.org.
> 
> Neither worked.
> 
> I should also point out that, at least for now, this is the ONLY type of 
> mail that I want to explicitly block. At this time I am not able to do a 
> spam assassin install or reject via black lists due to our current spam 
> policy.
> 
> Here is my postconf -n output:
> address_verify_negative_expire_time = 1d
> alias_database = hash:$config_directory/aliases, 
> hash:$config_directory/aliases.mailman
> alias_maps = hash:$config_directory/aliases, 
> hash:$config_directory/aliases.mailman
> command_directory = /usr/local/sbin
> config_directory = /usr/local/etc/postfix
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/db/postfix
> debug_peer_level = 2
> home_mailbox = Maildir/
> html_directory = no
> mail_owner = postfix
> mail_spool_directory = /var/mail
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> mydestination = $myhostname, localhost, $myhostname.$mydomain, 
> $mydomain, email.$mydomain
> myhostname = mail1.eff.org
> mynetworks = 75.101.97.64/28, 68.120.144.0/24, 67.103.31.132/32, 127.0.0.0/8
> myorigin = $mydomain
> newaliases_path = /usr/local/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = no
> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_client_restrictions = permit_mynetworks  reject_unknown_client 
> check_client_access hash:$config_directory/accesslist  permit
> smtpd_data_restrictions = reject_unauth_pipelining  permit
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks  check_helo_access 
> hash:$config_directory/restrict_helo  check_helo_access 
> hash:$config_directory/accesslist  reject_invalid_hostname  permit
> smtpd_recipient_restrictions = permit_mynetworks 
> permit_sasl_authenticated  reject_non_fqdn_recipient 
> reject_multi_recipient_bounce  reject_unknown_recipient_domain 
> reject_unauth_destination  reject_unlisted_recipient  permit_mx_backup 
> permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = permit_mynetworks  check_sender_access 
> hash:$config_directory/accesslist  reject_non_fqdn_sender 
> reject_unknown_sender_domain  reject_unlisted_sender 
> hash:$config_directory/sender_access  permit
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/ssl/STAR_eff_org.postfix.crt
> smtpd_tls_key_file = /etc/ssl/STAR_eff_org.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> unknown_address_reject_code = 550
> unknown_local_recipient_reject_code = 550
> unverified_recipient_reject_code = 450
> unverified_sender_reject_code = 550
> virtual_alias_domains = $virtual_alias_maps
> virtual_alias_maps = hash:$config_directory/virtual.dearaol.com, 
> hash:$config_directory/virtual.ourvotelive.org, 
> hash:$config_directory/virtual.stopthespying.org, 
> hash:$config_directory/virtual.soundcopyright.eu
> 
> 
> 
> Thanks for any help you might be able to provide.
> 
> - Stu
> 
> 
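
The evaluation order in the reply's configuration, as an added example that is not code from the thread or from Postfix: a simplified Python model of how `smtpd_sender_restrictions` stops at the first decisive result and how the `check_sender_access` table is consulted. Assumptions: `eff.org` is substituted for `example.com` in the table, `mynetworks` is copied from the `postconf -n` output above, and the function names and the "DUNNO" fall-through label are illustrative.

```python
import ipaddress

# mynetworks as listed in the postconf -n output quoted in the thread.
MYNETWORKS = [ipaddress.ip_network(n) for n in (
    "75.101.97.64/28", "68.120.144.0/24", "67.103.31.132/32", "127.0.0.0/8")]

# Constructed table: the reply's sender_access entry with eff.org substituted.
SENDER_ACCESS = {"eff.org": "REJECT Bad sender address - you are not eff.org"}


def lookup_sender(table, sender):
    """access(5)-style lookup: user@domain, the domain and its parents, user@.

    Parent-domain matching models the default parent_domain_matches_subdomains
    setting, which includes smtpd_access_maps. Keys are whole labels, so
    "eff.org" does not match "noteff.org".
    """
    sender = sender.lower()
    local, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    keys = [sender]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(local + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None


def sender_restrictions(client_ip, sasl_user, sender):
    """Walk the restriction list in the order given in the reply's main.cf."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in MYNETWORKS):       # permit_mynetworks
        return "PERMIT (mynetworks)"
    if sasl_user:                                     # permit_sasl_authenticated
        return "PERMIT (sasl)"
    action = lookup_sender(SENDER_ACCESS, sender)     # check_sender_access
    if action:
        return action
    return "DUNNO"  # no decision here; later restriction lists still apply
```

Because the two permit rules come first, only unauthenticated clients outside `mynetworks` ever reach the table lookup.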
