On Wed, Jul 28, 2021 at 05:58:43AM -0700, Greg Earle <ea...@isolar.dyndns.org> wrote:
> Hello, long time (Courier user) listener, first time (Postfix user) caller
> ...
> 
> I'm getting repeated spåms from Brazil and there is no un-sub link.
> 
> The sending SMTP servers are various hosts in the *.cnode.io domain, with
> different subnets involved so trying to block them all is like playing
> Whack-a-Mole™. They also like to change up the "From: " address as well.
> It's a cat and mouse game and I'm losing.
> 
> So I tried to set up a "sender_access" file to block them but it's not
> working:
> 
> --
> [root@isolar postfix]# ls -lt sender_access*
> -rw-r--r-- 1 root root 12288 Jul 13 01:54 sender_access.db
> -rw-r--r-- 1 root root 609 Jul 13 01:53 sender_access
> 
> [root@isolar postfix]# grep -n sender_access master.cf
> 27: -o mua_sender_restrictions= permit_sasl_authenticated,
> reject_unknown_reverse_client_hostname, reject_unknown_client_hostname,
> reject_unknown_sender_domain, check_sender_access
> hash:/etc/postfix/sender_access, reject
> 
> 45: -o mua_sender_restrictions= permit_sasl_authenticated,
> reject_unknown_reverse_client_hostname, reject_unknown_client_hostname,
> reject_unknown_sender_domain, check_sender_access
> hash:/etc/postfix/sender_access, reject
> 
> [root@isolar postfix]# cat sender_access
> # ADDRESS PATTERNS                    # ACTION
> pro...@magazineluiza.com              550 Blacklisted
> sald...@magazineluiza.com             550 Blacklisted
> magazineluiza.com                     550 Blacklisted
> personalizado*@                       550 Blacklisted
> mag...@magazine-luiza.com.br          550 Blacklisted
> magazine-luiza.com.br                 550 Blacklisted
> cnode.io                              REJECT
> stretchoid.com                        REJECT
> --
> 
> (I was hoping Postfix would reject any SMTP connections from *.cnode.io and
> *.stretchoid.com with those last two lines.)
> --
> 
> What am I doing wrong? ¯\_(ツ)_/¯
> 
> Thanks.

As Matus pointed out, you're only adding check_sender_access etc.
to SASL authenticated connections, which is for outgoing mail from
your own users, not for incoming mail from other servers, and any
SASL authenticated connections won't apply those tests anyway
because they are permitted before the checks take place.

And mua_sender_restrictions doesn't exist anyway (unless you make
use of it somewhere else in main.cf). You probably meant
smtpd_sender_restrictions.

You could move all of those checks to main.cf and put them in
smtpd_sender_restrictions, and change hash: to regexp: or pcre:,
so you can use regexps in the sender_access file, and convert it
to regexp syntax, e.g.:

/etc/postfix/main.cf:

  smtpd_sender_restrictions =
    reject_unknown_reverse_client_hostname
    reject_unknown_client_hostname
    reject_unknown_sender_domain
    check_sender_access regexp:/etc/postfix/sender_access

/etc/postfix/sender_access:

  # ADDRESS PATTERNS                       # ACTION
  /.*promos@magazineluiza\.com.*/          550 Blacklisted
  /.*saldoes@magazineluiza\.com.*/         550 Blacklisted
  /.*@magazineluiza\.com.*/                550 Blacklisted
  /.*personalizado.*@.*/                   550 Blacklisted
  /.*magalu@magazine-luiza\.com\.br.*/     550 Blacklisted
  /.*@magazine-luiza\.com\.br.*/           550 Blacklisted
  /.*cnode\.io.*/                          REJECT
  /.*@stretchoid\.com.*/                   REJECT

  rm /etc/postfix/sender_access.db # Not needed for regexp:

Or you could have one hash: sender_access database for straight
string matches, and a regexp: database for more complex patterns
that require it.

HOWEVER: You might still be playing whack-a-mole by configuring
your own sender access database. Another approach might be to make
use of RBL services. They provide whack-a-mole-as-a-service for
you. e.g. In main.cf, you could have something like:

/etc/postfix/main.cf:

  smtpd_client_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client dnsbl-1.uceprotect.net
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.sorbs.net
    permit

These RBL services are based on IP addresses, not sender email
addresses or domains. But there are ones that work on sender domain
names (RHSBL). See http://www.postfix.org/SMTPD_ACCESS_README.html
for details.

There are also lots of non-DNS based checks you can apply to
prevent spam. They seem to do just as good a job for me
(particularly postgrey).

cheers,
raf
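The following is an added illustration, not code from the thread or from Postfix itself: a small Python emulation of how a Postfix regexp: access table is evaluated, run against a constructed copy of the sender_access table from the reply above. It implements the parts of the regexp: table format needed here (one '/pattern/flags result' per line, '#' comments, the '!' negation prefix, and the 'i' flag toggling the default case-insensitive match; other flags are ignored), applies the patterns in order with first match winning, and treats a search-style (unanchored) match like Postfix does. The sample senders other than promos@magazineluiza.com are constructed; the single-key lookup is a simplification (Postfix also queries parent-domain and localpart@ forms of the address).

```python
import re
from typing import List, Optional, Tuple

# Constructed copy of the regexp: sender_access table from the reply above,
# embedded as a string so the example runs without touching /etc/postfix.
SENDER_ACCESS = r"""
# ADDRESS PATTERNS                       # ACTION
/.*promos@magazineluiza\.com.*/          550 Blacklisted
/.*saldoes@magazineluiza\.com.*/         550 Blacklisted
/.*@magazineluiza\.com.*/                550 Blacklisted
/.*personalizado.*@.*/                   550 Blacklisted
/.*magalu@magazine-luiza\.com\.br.*/     550 Blacklisted
/.*@magazine-luiza\.com\.br.*/           550 Blacklisted
/.*cnode\.io.*/                          REJECT
/.*@stretchoid\.com.*/                   REJECT
"""

# (compiled pattern, negated?, result text)
Entry = Tuple["re.Pattern[str]", bool, str]


def parse_regexp_table(text: str) -> List[Entry]:
    """Parse a Postfix regexp: table into ordered entries.

    Each non-comment line is '[!]/pattern/flags result'. The first character
    after the optional '!' is the delimiter; the pattern ends at the next
    delimiter that is not backslash-escaped. Matching is case-insensitive by
    default and the 'i' flag toggles that, as in Postfix; other flags are
    accepted and ignored in this simplified parser.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:]
        delim = line[0]
        i = 1
        while i < len(line) and (line[i] != delim or line[i - 1] == "\\"):
            i += 1
        if i >= len(line):
            raise ValueError(f"unterminated pattern: {raw!r}")
        pattern = line[1:i]
        m = re.match(r"([A-Za-z]*)\s+(.*)", line[i + 1:])
        if m is None:
            raise ValueError(f"missing result: {raw!r}")
        flags, result = m.group(1), m.group(2).strip()
        ignore_case = True
        for f in flags:
            if f == "i":
                ignore_case = not ignore_case
        entries.append((re.compile(pattern, re.IGNORECASE if ignore_case else 0),
                        negated, result))
    return entries


def lookup(entries: List[Entry], key: str) -> Optional[str]:
    """Return the result of the first matching entry, or None for no match
    (Postfix then returns DUNNO and moves on to the next restriction)."""
    for pat, negated, result in entries:
        if bool(pat.search(key)) != negated:
            return result
    return None


def would_reject(result: Optional[str]) -> bool:
    """Classify an access-table result: 'REJECT ...' and 4xx/5xx numeric
    results reject the sender; anything else (including no match) does not."""
    if result is None:
        return False
    head = result.split()[0].upper()
    return head == "REJECT" or (head.isdigit() and head[0] in "45")


TABLE = parse_regexp_table(SENDER_ACCESS)

if __name__ == "__main__":
    # Constructed sample envelope senders (only the first one appears in the thread).
    for sender in ["promos@magazineluiza.com",
                   "PERSONALIZADO-ofertas@example.com.br",
                   "bob@mail.cnode.io",
                   "news@magazineluiza.com.example",
                   "alice@example.org"]:
        result = lookup(TABLE, sender)
        print(f"{sender:40} -> {result!s:16} reject={would_reject(result)}")
```

Two things the run makes visible. First, because Postfix regexp: matching is a search rather than a whole-string match, the leading and trailing `.*` in the reply's patterns add nothing, and the unanchored `/.*@magazineluiza\.com.*/` also matches a constructed sender such as news@magazineluiza.com.example; anchoring with `^` and `$` is the usual way to tighten such entries. Second, check_sender_access is keyed on the envelope sender address, so it never sees the connecting host's name; the original poster's wish to reject connections from *.cnode.io hosts is a client lookup (check_client_access, keyed on client hostname and address), which the thread does not cover.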