On 2010-11-25 Patric Falinder wrote:
> Ansgar Wiechers wrote 2010-11-24 18:11:
>> On 2010-11-24 Patric Falinder wrote:
>>> lst_ho...@kwsoft.de wrote 2010-11-24 11:08:
>>>> Be sure to limit the usage of the list to the affected account and maybe
>>>> even to bounce sender addresses as a lot of legitimate hosts are listed.
>>>> See http://www.backscatterer.org/?target=usage
>>>
>>> Ok, thanks! Are there any other ways to protect yourself against
>>> backscatter?
>>
>> I wrote a filter based on smtpprox [1]. Disclaimer: AFAIK this has never
>> been used on medium or high traffic servers, so I don't know how it
>> would perform in such environments.
>>
>> [1] http://www.planetcobalt.net/sdb/backscatter.shtml
>
> Cool, I will check that out and see if I can try it out on my personal
> mail-server first and see how it works.

Feel free. Feedback is welcome, of course.

> I looked around and found check_sender_access and
> check_recipient_access, can I for example do something like this:
>
> smtpd_recipient_restrictions =
>     ...
>     check_recipient_access = /etc/postfix/check-for-backscatter
>     ...
>
>
> /etc/postfix/check-for-backscatter:
> u...@domain.com    reject_rbl_client ips.backscatterer.org

Doesn't work that way.

  cob...@iridium:~ $ man 5 postconf | grep -A3 check_recipient_access
  check_recipient_access type:table
         Search the specified access(5) database for the resolved RCPT TO
         address, domain, parent domains, or localpart@, and execute the
         corresponding action.

With check_*_access you have to use some kind of table lookup:

  check_recipient_access hash:/etc/postfix/check-for-backscatter
  check_recipient_access regexp:/etc/postfix/check-for-backscatter
  check_recipient_access pcre:/etc/postfix/check-for-backscatter
  ...

However, you can't use reject_rbl_client in these tables (see man 5
access). You could try something like this:

  # /etc/postfix/main.cf
  ...
  smtpd_restriction_classes = backscatter_rbl
  backscatter_rbl = reject_rbl_client ips.backscatterer.org
  smtpd_recipient_restrictions =
    ...
    check_sender_access hash:/etc/postfix/bounce-senders
    ...

  # /etc/postfix/bounce-senders
  <>    backscatter_rbl

This should check NDNs (or rather, all messages sent with a null sender
address, which usually are NDNs) against ips.backscatterer.org. Not sure
if it does work though, as I haven't tested it.

> and then only the address u...@domain.com gets checked at
> ips.backscatterer.org?
>
> And if I would want to check all the mails that come from <> can I do
> the same only in the smtpd_sender_restrictions?

I'd recommend doing the latter rather than the former.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
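
Added example, not part of the original message and not Postfix's own code: a Python model of what the suggested restriction class is meant to do, namely query ips.backscatterer.org for the connecting client only when the envelope sender is null. The resolver is a hypothetical stub with constructed data so the block runs offline; query names follow the standard DNSBL format (RFC 5782), which also covers IPv6 clients.

```python
import ipaddress

DNSBL_ZONE = "ips.backscatterer.org"  # zone named in the thread


def dnsbl_query_name(client_ip, zone=DNSBL_ZONE):
    """Build the DNSBL query name for a client address (RFC 5782 format)."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))            # octets, reversed
    else:
        labels = reversed(ip.exploded.replace(":", ""))  # hex nibbles, reversed
    return ".".join(labels) + "." + zone


def is_null_sender(mail_from):
    """MAIL FROM:<> is the empty reverse-path normally used by bounces (NDNs)."""
    return mail_from.strip() in ("", "<>")


def decide(mail_from, client_ip, resolve):
    """Model of the restriction class: consult the DNSBL only for null senders.

    `resolve` is a hypothetical callable(name) -> list of A records
    (empty list when the name does not exist), injected for offline use.
    """
    if not is_null_sender(mail_from):
        return "DUNNO"  # no opinion here; later restrictions decide
    listed = resolve(dnsbl_query_name(client_ip))
    return "REJECT" if listed else "DUNNO"


# Constructed sample zone data: only 192.0.2.25 is "listed".
FAKE_ZONE = {"25.2.0.192.ips.backscatterer.org": ["127.0.0.2"]}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    samples = [("<>", "192.0.2.25"),                 # bounce from listed host
               ("<>", "198.51.100.7"),               # bounce from unlisted host
               ("alice@example.org", "192.0.2.25")]  # normal mail, listed host
    for sender, ip in samples:
        print(f"{sender:20} {ip:15} -> {decide(sender, ip, fake_resolve)}")
```

The third sample is the case the thread cares about: a listed host sending ordinary mail is not rejected, because the list is only consulted for bounces.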