On Sun, 13 Sep 2009, mouss wrote:

> > What I mean by this is, if a malicious attacker sends an email from
> > dam...@hotmail.com is there any way to check that the email came from
> > hotmail.com via a DNS lookup?
>
> the simplest thing you can do is something like this:
>
> smtpd_sender_restrictions =
>     ...
>     check_client_access hash:/etc/postfix/forged_sender_wl
>     check_sender_access hash:/etc/postfix/forged_sender_bl
>
>
> == forged_sender_wl
> hotmail.com    OK
> .hotmail.com   OK
> yahoo.com      OK
> .yahoo.com     OK
> ...
>
> == forged_sender_bl
> hotmail.com    REJECT blah blah
> yahoo.com      REJECT blah blah blah
> ...
Mouss, a thought: what if there is a temporary DNS lookup problem so that Postfix believes the client hostname is 'unknown' instead of 'foo.bar.yahoo.com'? Unless reject_unknown_client_hostname is specified before these checks (with the default unknown_client_reject_code of 450), the sending server would incorrectly be turned away with a 5xx. This is because the hostname passed to the check_client_access query would not contain the expected domain.tld. Or am I totally off with my reasoning?

Based on the above understanding, in my policy server, I reject certain freemail envelopes only if the client hostname != '*.freemail.tld' AND hostname != 'unknown'. This does have the unfortunate consequence of allowing spammers with bad DNS to spoof freemail envelopes, but at least it won't 5xx mail that is really coming from a freemail server.

FWIW, I do not use the reject_unknown_client_hostname restriction.

-- 
Sahil Tandon <sa...@tandon.net>
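The failure mode Sahil describes is easy to see in a toy model. The following Python is an added illustration, not code from the thread and not Postfix's own implementation: it approximates the access-map matching behind mouss's check_client_access / check_sender_access chain (full name, then each parent domain, bare and dot-prefixed; sender lookups use only the domain part) and then the policy-server rule Sahil outlines. The map contents, the freemail list and the sample SMTP sessions are constructed for the example; the 'unknown' client name is the literal string Postfix uses when the reverse lookup fails.

```python
# Added example (not from the thread, not Postfix's own code): a toy model of
# the two approaches discussed. Access-map matching and the policy-server
# logic are simplified approximations.

# Constructed contents of the two access maps mouss sketched.
FORGED_SENDER_WL = {
    "hotmail.com": "OK", ".hotmail.com": "OK",
    "yahoo.com": "OK", ".yahoo.com": "OK",
}
FORGED_SENDER_BL = {
    "hotmail.com": "REJECT forged hotmail.com sender",
    "yahoo.com": "REJECT forged yahoo.com sender",
}


def access_lookup(table, name):
    """Approximation of Postfix access-map matching on a host or domain name:
    try the full name, then each parent domain, each both bare and with a
    leading dot. Returns the action string, or None when nothing matches."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for key in (candidate, "." + candidate):
            if key in table:
                return table[key]
    return None


def sender_domain(sender):
    """Domain part of an envelope sender address, lower-cased."""
    return sender.rsplit("@", 1)[-1].lower()


def restriction_chain(client_hostname, sender):
    """Model of
        smtpd_sender_restrictions = check_client_access hash:forged_sender_wl,
                                    check_sender_access hash:forged_sender_bl
    Postfix hands check_client_access the verified reverse-DNS name, or the
    literal string 'unknown' when that lookup failed. Only the domain part of
    the sender is looked up here (Postfix also tries the full address first)."""
    action = access_lookup(FORGED_SENDER_WL, client_hostname)
    if action is not None:
        return action
    action = access_lookup(FORGED_SENDER_BL, sender_domain(sender))
    if action is not None:
        return action
    return "DUNNO"


FREEMAIL_DOMAINS = ("hotmail.com", "yahoo.com")  # constructed list


def policy_server(client_hostname, sender):
    """Model of Sahil's policy-server rule: reject a freemail envelope only if
    the client hostname is neither '*.freemail.tld' nor 'unknown'."""
    domain = sender_domain(sender)
    if domain not in FREEMAIL_DOMAINS:
        return "DUNNO"
    host = client_hostname.lower().rstrip(".")
    if host == "unknown":
        # Possibly just a transient DNS failure: don't hand a real freemail
        # server a permanent rejection. This is the accepted trade-off.
        return "DUNNO"
    if host == domain or host.endswith("." + domain):
        return "DUNNO"
    return "REJECT forged %s sender" % domain


if __name__ == "__main__":
    # Constructed SMTP sessions: (client hostname as Postfix sees it, sender)
    sessions = [
        ("foo.bar.yahoo.com", "someone@yahoo.com"),   # genuine freemail
        ("mail.example.net", "someone@hotmail.com"),  # forged freemail
        ("unknown", "someone@yahoo.com"),             # DNS failed mid-session
        ("unknown", "someone@example.org"),           # not a freemail sender
    ]
    for host, sender in sessions:
        print("%-20s %-22s chain=%-34s policy=%s" % (
            host, sender, restriction_chain(host, sender),
            policy_server(host, sender)))
```

Running it shows the third session (genuine yahoo.com mail, client name 'unknown') getting a REJECT from the map chain but a DUNNO from the policy-server rule, which is exactly the trade-off Sahil accepts: the rule lets a spammer with broken reverse DNS through, but never gives a real freemail server a permanent error because of a transient lookup failure.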