On 2010-11-25 Patric Falinder wrote:
> Ansgar Wiechers wrote 2010-11-24 18:11:
>> On 2010-11-24 Patric Falinder wrote:
>>> lst_ho...@kwsoft.de wrote 2010-11-24 11:08:
>>>> Be sure to limit the usage of the list to the affected account and maybe
>>>> even to bounce sender addresses as a lot of legitimate hosts are listed.
>>>> See http://www.backscatterer.org/?target=usage
>>>
>>> Ok, thanks! Are there any other ways to protect yourself against
>>> backscatter?
>>
>> I wrote a filter based on smtpprox [1]. Disclaimer: AFAIK this has never
>> been used on medium or high traffic servers, so I don't know how it
>> would perform in such environments.
>>
>> [1] http://www.planetcobalt.net/sdb/backscatter.shtml
>
> Cool, I will check that out and see if I can try it out on my personal  
> mail-server first and see how it works.

Feel free. Feedback is welcome, of course.

> I looked around and found check_sender_access and  
> check_recipient_access, can I for example do something like this:
>
> smtpd_recipient_restrictions =
> ...
> check_recipient_access = /etc/postfix/check-for-backscatter
> ...
>
>
> /etc/postfix/check-for-backscatter:
> u...@domain.com reject_rbl_client ips.backscatterer.org

Doesn't work that way.

cob...@iridium:~ $ man 5 postconf | grep -A3 check_recipient_access
       check_recipient_access type:table
              Search the specified access(5) database for the resolved RCPT TO
              address,  domain, parent domains, or localpart@, and execute the
              corresponding action.

With check_*_access you have to use some kind of table lookup:

  check_recipient_access hash:/etc/postfix/check-for-backscatter
  check_recipient_access regexp:/etc/postfix/check-for-backscatter
  check_recipient_access pcre:/etc/postfix/check-for-backscatter
  ...

However, you can't use reject_rbl_client in these tables (see man 5
access).

You could try something like this:

# /etc/postfix/main.cf
...
smtpd_restriction_classes = backscatter_rbl
backscatter_rbl = reject_rbl_client ips.backscatterer.org
smtpd_recipient_restrictions =
  ...
  check_sender_access hash:/etc/postfix/bounce-senders
  ...

# /etc/postfix/bounce-senders
<> backscatter_rbl

This should check NDNs (or rather, all messages sent with a null sender
address, which usually are NDNs) against ips.backscatterer.org. Not sure
if it does work though, as I haven't tested it.

> and then only the address u...@domain.com gets checked at  
> ips.backscatterer.org?
> 
> And if I would want to check all the mails that come from <> can I do  
> the same only in the smtpd_sender_restrictions?

I'd recommend doing the latter rather than the former.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
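
A post-deployment check for the null-sender scoping discussed in this thread, as an added example that is not part of the original message: it scans Postfix smtpd reject lines and flags any ips.backscatterer.org reject whose envelope sender is not <>, which would mean the list is being applied more widely than intended. The log lines are constructed samples, and the names `audit`, `SAMPLE_LOG` and the zone dnsbl.example.net are assumptions.

```python
import re
from collections import Counter

ZONE = "ips.backscatterer.org"

# Constructed sample lines in Postfix smtpd reject format (not real traffic).
SAMPLE_LOG = """\
Nov 25 10:00:01 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using ips.backscatterer.org; from=<> to=<user@example.com> proto=ESMTP helo=<mx.example.net>
Nov 25 10:02:44 mail postfix/smtpd[1207]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using ips.backscatterer.org; from=<> to=<info@example.com> proto=ESMTP helo=<mx.example.net>
Nov 25 10:05:13 mail postfix/smtpd[1210]: NOQUEUE: reject: RCPT from lists.example.org[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using ips.backscatterer.org; from=<newsletter@example.org> to=<user@example.com> proto=ESMTP helo=<lists.example.org>
Nov 25 10:06:30 mail postfix/smtpd[1212]: NOQUEUE: reject: RCPT from unknown[203.0.113.99]: 554 5.7.1 Service unavailable; Client host [203.0.113.99] blocked using dnsbl.example.net; from=<a@example.net> to=<user@example.com> proto=ESMTP helo=<x>
Nov 25 10:07:02 mail postfix/smtpd[1213]: connect from mx.example.net[192.0.2.10]
"""

# Client IP, DNSBL zone, envelope sender and recipient of a reject line.
REJECT_RE = re.compile(
    r"reject: RCPT from \S+?\[(?P<ip>[^\]]+)\]: \d{3} .*?"
    r"blocked using (?P<zone>[\w.-]+);.*? from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def audit(log_text, zone=ZONE):
    """Split rejects caused by `zone` into null-sender hits and all others.

    Returns (intended, misapplied): a Counter of client IPs rejected with
    from=<>, and a list of (ip, sender, rcpt) for rejects with a real sender.
    """
    intended, misapplied = Counter(), []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or m.group("zone") != zone:
            continue  # not a reject, or a reject caused by another list
        if m.group("sender") == "":
            intended[m.group("ip")] += 1
        else:
            misapplied.append((m.group("ip"), m.group("sender"), m.group("rcpt")))
    return intended, misapplied


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_LOG)
    for ip, n in ok.most_common():
        print(f"null-sender reject  {ip}  x{n}")
    for ip, sender, rcpt in bad:
        print(f"NOT SCOPED: {ip} from=<{sender}> to=<{rcpt}>")
```

Any "NOT SCOPED" line means the DNSBL lookup is reaching mail with a regular sender address, so the restriction is not limited to the bounce-senders table entry.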
