On Wed, 2009-07-29 at 22:22 +0930, Nick Sharp wrote:
> Hi all,
>
> I am new to this list, so forgive me if I am not up with your current level
> of etiquette, I do tune in pretty quickly.. so starting with a long email..
>
> Been trying to stop people sending email to us setting FROM as a user in our
> domains. Seems basic enough spam limitation.
>
> It seems if I configure reject_unauthenticated_sender_login_mismatch in
> smtp_sender_restrictions all email gets rejected (with my config below)
> (even to $virtual_mailbox_domains) _if_ not in $mynetworks (no auth needed -
> seems ok) or if the client is not sasl auth'd (smtp ok again in this
> situation)
>
> So email to somevalidu...@ourdomain.com from
> someotheru...@anotherdomain.com.au (external domain) not sasl auth'd gets
> rejected with 'not logged in' - now I know that we shouldn't use
> $mydestination with virtual domains, so should it be looking at
> virtual_mailbox_domains? (which appears to be mysql mapped ok)
>
> I would presume the default is to always accept email to our domains and the
> reject_unauthenticated_sender_login part just says if FROM matches our
> domain maps, then you must be authenticated to send it? (this is mainly what
> I want to confirm)
>
> Or am I missing something obvious? (it's not unknown :)
>
>
> #some conf stuff..
> mydestination =
> relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
> smtpd_sender_login_maps=mysql:/etc/postfix/mysql_sender_login_maps.cf
> virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
> smtpd_sender_restrictions = permit_sasl_authenticated,
>
> permit_mynetworks,reject_unauthenticated_sender_login_mismatch,
> reject_non_fqdn_sender,
> reject_unauth_pipelining, permit
>
>
> /etc/postfix/mysql_sender_login_maps.cf
> <User/Pass/DB/host/table stuff removed>
> select_field=id #which is the email address in full
> where_field='%s'
> additional_conditions = and enabled = 1
>
> /etc/postfix/mysql_domains.cf
> <removed connection stuff>
> select_field=domain
> where_field=domain
> additional_conditions = and enabled = 1
>
> Let me know if you want some more config/info to help you help me?
>
> TIA
>
> Nick
>

This is how I block those pesky spoof mail spams;

EDIT main.cf

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    ....
    check_sender_access hash:/etc/postfix/spoofprotection

CREATE /etc/postfix/spoofprotection

#spoof protection
domain1.com REJECT we dont mail ourselves
domain2.com REJECT we dont mail ourselves

BUILD MAP TO IT

postmap /etc/postfix/spoofprotection

RELOAD

postfix reload

Caveats;
Breaks forwarding (where this is relevant)
Other caveats may exist too and someone else may point out a better way or
other issues. This has worked for me and I am very happy with it.

--
-----------------------------------------------------------
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment.
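
Added example, not part of either poster's message and not Postfix code: a simplified Python model of the restriction order given in the reply above, showing which sessions the check_sender_access map rejects. It keys on the envelope sender (MAIL FROM), which is what check_sender_access inspects; LOCAL_DOMAINS, the sample addresses and the function names are assumptions made for the illustration.

```python
# Simplified model of Postfix restriction evaluation; not Postfix source code.
# Constructed stand-in for /etc/postfix/spoofprotection from the reply above.
SPOOF_MAP = {
    "domain1.com": "REJECT we dont mail ourselves",
    "domain2.com": "REJECT we dont mail ourselves",
}
# Assumption: these are also the domains the server accepts mail for.
LOCAL_DOMAINS = {"domain1.com", "domain2.com"}


def sender_lookup_keys(sender):
    """Keys tried for an envelope sender, in access(5) order (simplified)."""
    user, _, domain = sender.lower().rpartition("@")
    labels = domain.split(".")
    keys = [f"{user}@{domain}"]
    # domain.tld, then each parent domain; parents match because the default
    # parent_domain_matches_subdomains setting includes smtpd_access_maps.
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(f"{user}@")
    return keys


def evaluate(sender, recipient, in_mynetworks=False, sasl_authenticated=False):
    """Return (restriction, action) for the first restriction that decides."""
    if in_mynetworks:
        return ("permit_mynetworks", "OK")
    if sasl_authenticated:
        return ("permit_sasl_authenticated", "OK")
    if recipient.lower().rpartition("@")[2] not in LOCAL_DOMAINS:
        return ("reject_unauth_destination", "REJECT")
    # The "...." entries elided in the reply are not modelled.
    for key in sender_lookup_keys(sender):
        if key in SPOOF_MAP:
            return ("check_sender_access", SPOOF_MAP[key])
    return ("end of list", "OK")


if __name__ == "__main__":
    cases = [  # constructed sessions: (MAIL FROM, RCPT TO, mynetworks, sasl)
        ("alice@example.net", "bob@domain1.com", False, False),
        ("bob@domain1.com", "bob@domain1.com", False, False),
        ("bob@domain1.com", "carol@example.net", False, True),
        ("news@lists.domain2.com", "bob@domain1.com", False, False),
    ]
    for case in cases:
        print(case[:2], "->", evaluate(*case))
```

The second case stands for both a forged sender and a remote forwarder that keeps the original envelope sender: the map cannot tell them apart, which is the "breaks forwarding" caveat.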