Re: match from mail-from reject not working
Thomas Bohl wrote:

> > match from mail-from <blocked_senders> reject
>
> That line doesn't have a for option, so "for local" is implied.
>
> match from any for any mail-from <blocked_senders> reject
>
> should do the trick.

Yes it did! Thank you very much. I completely forgot that not specifying for means for local instead of for any. Sometimes it's just the simple things... :)

> > However, if I use telnet/openssl s_client to connect to the server, I get an OK in
> > response to MAIL FROM: and can state RCPT TO and DATA without any problems.
>
> The reject (550 Invalid recipient) will happen after RCPT TO. (Earlier is only possible with a filter.) That is good and bad. The bad side is that the error message is "wrong", which makes stuff harder to debug. The good side of this behaviour is that it signals "Invalid recipient" to an adversary.

Yeah, with regards to the spammers, this might actually not be as bad. :) If I don't like it like that I can still use the filter approach.

Thanks!

Cheers,
Simon
Re: match from mail-from reject not working
Otto Retter wrote:

> Simon,
>
> I have similar functionality working with a filter. Have you tried using a filter for this?

No, I have not yet tried that. I wanted to try the "simpler" solution first. :)

> Here are some anonymized snippets from my smtpd.conf:
>
> ```
> table bad_guys file:/etc/mail/bad_guys
> filter "bad_guys" phase mail-from match mail-from regex <bad_guys> reject "550 Bad Guys"
> listen on ... filter { ..., "bad_guys", ... } tag PORT_25
> ```

Thanks for the example! The filter might actually be nice to send the spammers a message back :) I have found the solution now, but I will keep your filter example in mind.

Thanks!

Cheers,
Simon
Re: match from mail-from reject not working
> match from mail-from <blocked_senders> reject

That line doesn't have a for option, so "for local" is implied.

match from any for any mail-from <blocked_senders> reject

should do the trick.

> However, if I use telnet/openssl s_client to connect to the server, I get an OK in
> response to MAIL FROM: and can state RCPT TO and DATA without any problems.

The reject (550 Invalid recipient) will happen after RCPT TO. (Earlier is only possible with a filter.) That is good and bad. The bad side is that the error message is "wrong", which makes stuff harder to debug. The good side of this behaviour is that it signals "Invalid recipient" to an adversary.

hth
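The two points in that reply (a missing `for` option means `for local`, and a match-rule reject only shows up after RCPT TO while a filter can refuse at MAIL FROM) are easy to get wrong by reading, so here is a small Python model of the rule evaluation to run against both configs. This is an added example written for this thread, not OpenSMTPD code or anything posted by the participants. It assumes the semantics given in smtpd.conf(5): rules are tried in order and the first match wins, `from` defaults to `from local`, `for` defaults to `for local`, `for local` covers only the built-in local domains (localhost and the hostname) and not the virtual domains behind `for domain <table>`, and an envelope no rule accepts is rejected. It further assumes that `from mail-from <table>` constrains only the sender address, not the connection source. The tables, domains, addresses and the `250 Ok` reply text are constructed; only the `550 Invalid recipient` and `550 Bad Guys` strings come from the thread.

```python
"""Toy model of OpenSMTPD match-rule evaluation (added example, not
OpenSMTPD code).  Assumed from smtpd.conf(5): first matching rule wins;
`from` defaults to local; `for` defaults to local; `for local` means only
the built-in local domains; no match means reject.  Only the options used
in the thread are parsed; tables are supplied inline, not from files."""

import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    frm: str = "local"               # "any" | "local" | "auth"  (default: local)
    mail_from: Optional[str] = None  # table name from `mail-from <table>`
    fr: str = "local"                # "any" | "local" | "domain" (default: local)
    fr_table: Optional[str] = None   # table name from `for domain <table>`
    action: str = "reject"           # "reject" or an action name


def parse_match(line: str) -> Rule:
    """Parse one `match ...` line (thread subset of the grammar)."""
    tok = line.split()
    if tok[0] != "match":
        raise ValueError(line)
    rule, i = Rule(), 1
    while i < len(tok):
        t = tok[i]
        if t in ("from", "for"):
            kind = tok[i + 1]
            if kind == "mail-from":            # `from mail-from <table>`: assumed
                rule.frm, rule.mail_from = "any", tok[i + 2].strip("<>")  # sender-only
                i += 3
            elif kind == "domain":             # `for domain <table>`
                rule.fr, rule.fr_table = "domain", tok[i + 2].strip("<>")
                i += 3
            else:                              # any | local | auth
                setattr(rule, "frm" if t == "from" else "fr", kind)
                i += 2
        elif t == "mail-from":                 # standalone `mail-from <table>`
            rule.mail_from = tok[i + 1].strip("<>")
            i += 2
        elif t == "reject":
            rule.action = "reject"
            i += 1
        elif t == "action":
            rule.action = tok[i + 1].strip('"')
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return rule


def rule_matches(rule, source, mail_from, rcpt_to, tables, local_domains):
    """source is "local" (socket/loopback), "auth" or "any" (remote, unauth)."""
    if rule.frm == "local" and source != "local":
        return False
    if rule.frm == "auth" and source != "auth":
        return False
    if rule.mail_from and mail_from.lower() not in tables[rule.mail_from]:
        return False
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if rule.fr == "local" and rcpt_domain not in local_domains:
        return False
    if rule.fr == "domain" and rcpt_domain not in tables[rule.fr_table]:
        return False
    return True


def decide(config, source, mail_from, rcpt_to, tables, local_domains):
    """First matching rule wins; with no match the envelope is rejected."""
    for line in config.splitlines():
        if line.strip().startswith("match"):
            rule = parse_match(line.strip())
            if rule_matches(rule, source, mail_from, rcpt_to, tables, local_domains):
                return rule.action
    return "reject"


def smtp_session(config, filters, source, mail_from, rcpt_to, tables, local_domains):
    """Replies the client sees.  A mail-from phase filter (list of (regex,
    reply)) can refuse at MAIL FROM; match rules need the recipient, so
    their reject only appears after RCPT TO, as "550 Invalid recipient"."""
    for pattern, reply in filters:
        if re.search(pattern, mail_from):
            return [("MAIL FROM", reply)]
    replies = [("MAIL FROM", "250 Ok")]          # reply text is constructed
    action = decide(config, source, mail_from, rcpt_to, tables, local_domains)
    if action == "reject":
        replies.append(("RCPT TO", "550 Invalid recipient"))
    else:
        replies.append(("RCPT TO", f"250 Ok (action {action})"))
    return replies


# Constructed sample data; not the poster's real tables or domains.
TABLES = {"blocked_senders": {"spammer@example.net"}, "vdoms": {"example.org"}}
LOCAL_DOMAINS = {"localhost", "mx01.example.org"}
ORIGINAL = """
match from mail-from <blocked_senders> reject
match from any for domain <vdoms> action "local"
match from local for any action "relay"
match from auth for any action "relay"
"""
FIXED = ORIGINAL.replace("match from mail-from <blocked_senders> reject",
                         "match from any for any mail-from <blocked_senders> reject")
BAD_GUYS_FILTER = [(r"@example\.net$", "550 Bad Guys")]   # filter-style alternative

if __name__ == "__main__":
    env = ("any", "spammer@example.net", "user@example.org", TABLES, LOCAL_DOMAINS)
    print("original:", decide(ORIGINAL, *env), " fixed:", decide(FIXED, *env))
    print(smtp_session(FIXED, [], *env), smtp_session(FIXED, BAD_GUYS_FILTER, *env))
```

With the original rule set the blocked sender's envelope to a virtual-domain recipient falls through rule 1 (the implied `for local` does not cover `example.org`) and is accepted by `for domain <vdoms>`; with the corrected rule it is rejected, but only at RCPT TO. The filter variant is the only path in this model that answers at MAIL FROM with a custom 550.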
Re: match from mail-from reject not working
Simon,

I have similar functionality working with a filter. Have you tried using a filter for this?

Here are some anonymized snippets from my smtpd.conf:

```
table bad_guys file:/etc/mail/bad_guys
filter "bad_guys" phase mail-from match mail-from regex <bad_guys> reject "550 Bad Guys"
listen on ... filter { ..., "bad_guys", ... } tag PORT_25
```

- Otto

On 2024-03-09, Simon Hoffmann wrote:

> Hey list,
>
> cat smtpd.conf
>
> ```
> # some general config like pki, ttl, message size etc stripped
> table aliases file:/etc/aliases
> table vusers file:/etc/smtpd/vusers
> table vdoms file:/etc/smtpd/vdoms
> table passwd file:/etc/dovecot/passwd-file
> table blocked_senders file:/etc/smtpd/blocked_senders
>
> listen on ens18 port 25 tls-require pki mx01.hoffbox.net
> listen on ens18 port 587 tls-require pki mx01.hoffbox.net auth
> listen on ens18 port 465 smtps pki mx01.hoffbox.net auth
>
> action "local" lmtp "/var/run/dovecot/lmtp" virtual
> action "relay" relay host smtps://smtp...@mailout.mailout.hoffmann-systems.net helo mx01.klm.hoffbox.net auth
>
> match from mail-from <blocked_senders> reject
> match from any for domain <vdoms> action "local"
> match from local for any action "relay"
> match from auth for any action "relay"
> ```
>
> cat blocked_senders
>
> ```
> t...@simonhoffmann.net
> ```
>
> root@mx01:~# dpkg -l opensmtpd
>
> ```
> ii  opensmtpd  6.8.0p2-3  amd64  secure, reliable, lean, and easy-to configure SMTP server
> ```
>
> I was under the impression that with this config, all mail coming from addresses in the blocked_senders table would immediately be rejected.
>
> However, if I use telnet/openssl s_client to connect to the server, I get an OK in response to MAIL FROM: and can state RCPT TO and DATA without any problems.
>
> I then used a remote server and sendmail to send an email from t...@simonhoffmann.net to si...@simonhoffmann.net and this email was delivered into my mailbox. I was not authenticated (on purpose), but rather used the normal unauthenticated mail flow (hence not sending from mutt or thunderbird but just piping a mail into sendmail on a server on the internet).
>
> (Based on the man pages, being authenticated should not matter anyways because the reject match is the first in the file and the first match is always used.)
>
> What am I doing wrong? Did I interpret the matching options wrong?
>
> Thanks!
>
> Cheers,
> Simon
match from mail-from reject not working
Hey list,

cat smtpd.conf

```
# some general config like pki, ttl, message size etc stripped
table aliases file:/etc/aliases
table vusers file:/etc/smtpd/vusers
table vdoms file:/etc/smtpd/vdoms
table passwd file:/etc/dovecot/passwd-file
table blocked_senders file:/etc/smtpd/blocked_senders

listen on ens18 port 25 tls-require pki mx01.hoffbox.net
listen on ens18 port 587 tls-require pki mx01.hoffbox.net auth
listen on ens18 port 465 smtps pki mx01.hoffbox.net auth

action "local" lmtp "/var/run/dovecot/lmtp" virtual
action "relay" relay host smtps://smtp...@mailout.mailout.hoffmann-systems.net helo mx01.klm.hoffbox.net auth

match from mail-from <blocked_senders> reject
match from any for domain <vdoms> action "local"
match from local for any action "relay"
match from auth for any action "relay"
```

cat blocked_senders

```
t...@simonhoffmann.net
```

root@mx01:~# dpkg -l opensmtpd

```
ii  opensmtpd  6.8.0p2-3  amd64  secure, reliable, lean, and easy-to configure SMTP server
```

I was under the impression that with this config, all mail coming from addresses in the blocked_senders table would immediately be rejected.

However, if I use telnet/openssl s_client to connect to the server, I get an OK in response to MAIL FROM: and can state RCPT TO and DATA without any problems.

I then used a remote server and sendmail to send an email from t...@simonhoffmann.net to si...@simonhoffmann.net and this email was delivered into my mailbox. I was not authenticated (on purpose), but rather used the normal unauthenticated mail flow (hence not sending from mutt or thunderbird but just piping a mail into sendmail on a server on the internet).

(Based on the man pages, being authenticated should not matter anyways because the reject match is the first in the file and the first match is always used.)

What am I doing wrong? Did I interpret the matching options wrong?

Thanks!

Cheers,
Simon