> /.*@mydomain.tld/ REJECT

The leading .* is not needed.  You should escape the period before tld (\.).  You can also send a message:
/@.*example\.com$/        REJECT You are not me (40,000).
This works for me.  Note: I'm using pcre instead of regexp.

Bill

On 10/15/2017 1:04 PM, Dominic Raferd wrote:


On 15 October 2017 at 17:34, Gerben Wierda <gerben.wie...@rna.nl> wrote:

    My main restrictions in main.cf are (on macOS Server)

    smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_rbl_whitelist_clients,
    reject_rbl_client zen.spamhaus.org,
    permit
    smtpd_delay_reject = yes
    smtpd_enforce_tls = no
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
    smtpd_recipient_restrictions =
    permit_sasl_authenticated reject_unauth_pipelining reject_non_fqdn_recipient permit_mynetworks reject_unauth_destination
    reject_unlisted_recipient check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients
    check_sender_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders check_policy_service
    unix:private/policy permit

    Rbl and greylisting help to filter out most spam attempts. I have to turn off greylisting for a few hours today, and a message came through that had both From: and To: set to my email address. This was accepted because I am the delivery agent for that domain.

    But an outside, non SASL-authenticated client that says it wants to deliver mail From my domain is illegal. Apparently, that one still gets through (though is generally blocked by greylisting). Anyway, is there a way to block that without blocking legitimate mail?


You could add your domain to /Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders as a reject:

/.*@mydomain.tld/ REJECT

Any sender purporting to be from your domain but not authenticated should be blocked by this. Authenticated senders will not be touched by this because they are already approved by permit_sasl_authenticated.

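An added example, not part of the thread: a small audit of the sender-access patterns discussed above against constructed envelope senders, showing which addresses each pattern misses or blocks by mistake. It approximates a Postfix regexp:/pcre: lookup with Python's `re` (unanchored, case-insensitive search); the "reply" pattern is the reply's form with the placeholder domain substituted, and the "anchored" variant, the sample senders, and the choice to count subdomains as your own are assumptions.

```python
import re

DOMAIN = "mydomain.tld"  # placeholder domain used in the thread

# Left-hand sides of the access-table rules. "quoted" is the rule quoted in
# the thread; "reply" is the reply's form with the placeholder domain
# substituted; "anchored" is a tighter variant added here (assumption).
PATTERNS = {
    "quoted": r".*@mydomain.tld",
    "reply": r"@.*mydomain\.tld$",
    "anchored": r"@([^@]+\.)?mydomain\.tld$",
}

# Constructed envelope senders (sample data, not from the thread).
SENDERS = [
    "me@mydomain.tld",
    "Me@MyDomain.TLD",
    "bob@mail.mydomain.tld",
    "bob@mydomainxtld.example",
    "bob@mydomain.tld.example.net",
    "bob@notmydomain.tld",
]

def lookup(pattern, sender):
    """Approximate a Postfix regexp:/pcre: table lookup: unanchored search,
    case-insensitive by default. Returns the action, or None for no match."""
    return "REJECT" if re.search(pattern, sender, re.IGNORECASE) else None

def is_own(sender):
    """True if the sender domain is DOMAIN or a subdomain of it (assumption:
    subdomains should be covered by the rule as well)."""
    dom = sender.rsplit("@", 1)[1].lower()
    return dom == DOMAIN or dom.endswith("." + DOMAIN)

def audit(name):
    """Return (missed, overblocked) sender lists for one named pattern."""
    pat = PATTERNS[name]
    missed = [s for s in SENDERS if is_own(s) and lookup(pat, s) is None]
    over = [s for s in SENDERS if not is_own(s) and lookup(pat, s)]
    return missed, over

if __name__ == "__main__":
    for name in PATTERNS:
        missed, over = audit(name)
        print(f"{name:9} missed={missed} overblocked={over}")
```

On a live server the same check can be made against the real table with `postmap -q "sender@address" regexp:/path/to/table` (or `pcre:` for a pcre table).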