Re: Domain emails from outside

2008-12-09 Thread Gabriel Hahmann
Hi,

I'm grateful to all of you that helped me to solve this problem.

The check_sender_access on smtpd_sender_restrictions including my domain
with REJECT solved my problem completely as all my clients connect using
SASL. So I permited_sasl and then I rejected my domain from outside with
check_sender_access.

Thanks,
Gabriel.

On Thu, Dec 4, 2008 at 2:46 PM, mouss <[EMAIL PROTECTED]> wrote:

> Brian Evans - Postfix List wrote:
> > Gabriel Hahmann wrote:
> >> Hi all,
> >>
> >> I'm new to the list and have a problem with my mail system. Recently
> >> I'm receiving a lot of spam emails coming from the internet but the
> >> sender is a user from my domain. Then I tried the same thing directly
> >> from other system, as described below:
> >>
> >
> > The answer to your question is as such.
> > Add 'check_sender_access pcre:/path/to/config/restrict_internal_domain'
> > to the end of smtpd_sender_restrictions
> > (You may use regexp instead of pcre if your postfix does not support it,
> > use 'postconf -m' to check)
> >
> > /path/to/config/restrict_internal_domain:
> > /.*\.example.com/   REJECT external email with an internal sender address
> >
>
> that should be
> /(^|\.)example\.com$/   REJECT ...
>
> but there is no need to use pcre. a hash/cdb/... map is enough:
> .example.com    REJECT ...
> example.com     REJECT ...
>
>
>
> > [snip]
>


Re: Domain emails from outside

2008-12-04 Thread mouss
Brian Evans - Postfix List wrote:
> Gabriel Hahmann wrote:
>> Hi all,
>>
>> I'm new to the list and have a problem with my mail system. Recently
>> I'm receiving a lot of spam emails coming from the internet but the
>> sender is a user from my domain. Then I tried the same thing directly
>> from other system, as described below:
>>
> 
> The answer to your question is as such.
> Add 'check_sender_access pcre:/path/to/config/restrict_internal_domain'
> to the end of smtpd_sender_restrictions
> (You may use regexp instead of pcre if your postfix does not support it,
> use 'postconf -m' to check)
> 
> /path/to/config/restrict_internal_domain:
> /.*\.example.com/   REJECT external email with an internal sender address
> 

that should be
/(^|\.)example\.com$/   REJECT ...

but there is no need to use pcre. a hash/cdb/... map is enough:
.example.com    REJECT ...
example.com     REJECT ...



> [snip]
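
To test such patterns before deploying them, this added example (not part of the thread) runs the two posted regexes and the indexed map over constructed envelope senders. It relies on access(5): pcre/regexp tables are matched against the whole sender address, while indexed maps are searched by address, domain and parent domain. The `at_or_dot` pattern and the sample addresses are assumptions made for the example.

```python
import re

# Patterns from the thread. Postfix pcre/regexp tables are case-insensitive by
# default and see the whole envelope sender, not just the domain.
PATTERNS = {
    "brian": re.compile(r".*\.example.com", re.I),        # as first posted
    "mouss": re.compile(r"(^|\.)example\.com$", re.I),    # mouss's correction
    "at_or_dot": re.compile(r"[@.]example\.com$", re.I),  # assumption, not from the thread
}

# Indexed map from the thread (hash/cdb/dbm): one key per form.
HASH_MAP = {".example.com": "REJECT", "example.com": "REJECT"}

# Constructed sample envelope senders.
SAMPLES = [
    "user@example.com",
    "user@mail.example.com",
    "user@notexample.com",
    "user@mail.exampleXcom.test",
    "user@mail.example.com.elsewhere.test",
]

def regex_hits(name):
    """Senders from SAMPLES that the named pattern would reject."""
    return [s for s in SAMPLES if PATTERNS[name].search(s)]

def hash_lookup(sender, table=HASH_MAP):
    """Emulate access(5) key order: address, domain, then dotted parents.
    Assumes smtpd_access_maps is NOT in parent_domain_matches_subdomains,
    so subdomains only match the '.domain' key."""
    domain = sender.rsplit("@", 1)[-1].lower()
    keys = [sender.lower(), domain]
    labels = domain.split(".")
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for key in keys:
        if key in table:
            return table[key]
    return None  # Postfix treats "not found" as DUNNO

def hash_hits():
    """Senders from SAMPLES that the indexed map would reject."""
    return [s for s in SAMPLES if hash_lookup(s) == "REJECT"]

if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:10} rejects {regex_hits(name)}")
    print(f"{'hash map':10} rejects {hash_hits()}")
```

On a live server, `postmap -q` against the real table answers the same question for a given address.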


Re: Domain emails from outside

2008-12-04 Thread mouss
[EMAIL PROTECTED] wrote:
> 
> I too am trying to achieve this, here is my blocked_senders map followed by 
> my postconf -n  output:
> 
> Would this achieve the desired results of restricting inbound email with 
> faked "From" headers?
> 
> Many thanks in advance,
> 
> .vp
> 
> 
>   ### blocked_senders ###
> example.com  554 example.com sender? But you're not in my network 
> ...
> example.org  554 example.org sender? But you're not in my network 
> ...
> example.net  554 example.net sender? But you're not in my network 
> ...
> example.us   554 example.us  sender? But you're not in my network 
> ...
> ###
> [snip]
> smtpd_recipient_restrictions = permit_mynetworks,   check_sender_access 
> dbm:/etc/postfix/blocked_senders,   reject_rbl_client 67679988282.rbl.com,  
> reject_unauth_destination

this is unsafe. use

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_sender_access dbm:/etc/postfix/blocked_senders
    reject_rbl_client 67679988282.rbl.com

reject_unauth_destination prevents open relay, and should be used before
check_* when maps could return an OK (accidentally or not). it is also
cheap (compared to an rbl lookup, even if it's a local rbl).


PS. please do not top post. put your reply after the text you reply to.

> [snip]
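
The ordering point above, as an added example that is not part of the thread: a small model of first-match restriction evaluation, comparing the posted order, the advised order, and an order with `permit_sasl_authenticated` placed as described elsewhere in the thread. The `OK` map entry, `partner.test` and all addresses are constructed, and the RBL lookup is left out of the model.

```python
# Minimal model of how Postfix walks a restriction list: the first
# restriction that returns PERMIT or REJECT decides; DUNNO moves on.
LOCAL_DOMAINS = {"example.com", "example.org", "example.net", "example.us"}

# Constructed map: a REJECT entry like the thread's plus one OK entry of the
# kind mouss warns about ("partner.test" is hypothetical).
BLOCKED_SENDERS = {"example.com": "REJECT", "partner.test": "OK"}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def permit_mynetworks(s):
    return "PERMIT" if s["in_mynetworks"] else "DUNNO"

def permit_sasl_authenticated(s):
    return "PERMIT" if s["sasl"] else "DUNNO"

def reject_unauth_destination(s):
    return "DUNNO" if domain_of(s["rcpt"]) in LOCAL_DOMAINS else "REJECT"

def check_sender_access(s):
    action = BLOCKED_SENDERS.get(domain_of(s["sender"]), "DUNNO")
    return "PERMIT" if action == "OK" else action

def evaluate(restrictions, session):
    """Return (verdict, name of the restriction that decided)."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "PERMIT", "end of list"

AS_POSTED = [permit_mynetworks, check_sender_access, reject_unauth_destination]
AS_ADVISED = [permit_mynetworks, reject_unauth_destination, check_sender_access]
WITH_SASL = [permit_mynetworks, permit_sasl_authenticated,
             reject_unauth_destination, check_sender_access]

def outside(sender, rcpt, sasl=False):
    """Session for a client that is not in mynetworks."""
    return {"in_mynetworks": False, "sasl": sasl, "sender": sender, "rcpt": rcpt}

if __name__ == "__main__":
    relay = outside("a@partner.test", "b@elsewhere.test")
    print("as posted: ", evaluate(AS_POSTED, relay))
    print("as advised:", evaluate(AS_ADVISED, relay))
```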




Re: Domain emails from outside

2008-12-04 Thread Brian Evans - Postfix List
LuKreme wrote:
> On 4-Dec-2008, at 08:18, Brian Evans - Postfix List wrote:
>> Add 'check_sender_access pcre:/path/to/config/restrict_internal_domain'
>> to the end of smtpd_sender_restrictions
>>
>> /path/to/config/restrict_internal_domain:
>> /.*\.example.com/   REJECT external email with an internal sender address
>
>
> You would need to list all the domains you process mail for here,
> right?  And this is a check against the envelope from, right?  (From_
> and not From:)
>
That is correct.
You can also use pcre/regex magic to do multiple domains in a single
check, but test thoroughly and be comfortable before committing.
Only the envelope matters to me for rejects. 
This allows proper mailing list software to function as well as many web
forms.

Brian


Re: Domain emails from outside

2008-12-04 Thread LuKreme

On 4-Dec-2008, at 08:18, Brian Evans - Postfix List wrote:
> Add 'check_sender_access pcre:/path/to/config/restrict_internal_domain'
> to the end of smtpd_sender_restrictions
>
> /path/to/config/restrict_internal_domain:
> /.*\.example.com/   REJECT external email with an internal sender address



You would need to list all the domains you process mail for here,  
right?  And this is a check against the envelope from, right?  (From_  
and not From:)


--
Rincewind had always been happy to think of himself as a racist.
The One Hundred Meters, the Mile, the Marathon -- he'd run them
all.



RE: Domain emails from outside

2008-12-04 Thread wiskbroom


I too am trying to achieve this, here is my blocked_senders map followed by my 
postconf -n  output:

Would this achieve the desired results of restricting inbound email with faked 
"From" headers?

Many thanks in advance,

.vp


  ### blocked_senders ###
example.com  554 example.com sender? But you're not in my network 
...
example.org  554 example.org sender? But you're not in my network 
...
example.net  554 example.net sender? But you're not in my network 
...
example.us   554 example.us  sender? But you're not in my network 
...
###


alias_database = dbm:/etc/postfix/aliases
alias_maps = dbm:/etc/postfix/aliases
command_directory = /postfix/sbin
config_directory = /postfix/etc
content_filter = avx:127.0.0.1:10025
daemon_directory = /postfix/libexec
debug_peer_level = 2
default_process_limit = 500
disable_vrfy_command = yes
html_directory = no
mail_owner = postfix
mailbox_size_limit = 102400
mailq_path = /postfix/bin/mailq
manpage_directory = /postfix/man
message_size_limit = 1536
mydomain = dmx.example.com
myhostname = smtp1.dmx.example.com
mynetworks = 127.0.0.0/8, !192.168.1.50, 192.168.1.0/24
myorigin = $myhostname
newaliases_path = /postfix/bin/newaliases
queue_directory = /postfix/var/spool/mqueue
rbl_reply_maps = dbm:/$config_directory/rbl_reply
readme_directory = /postfix/doc
recipient_delimiter = +
relay_domains = example.com example.org example.net us.example.com example.us 
localhost
sample_directory = /postfix/doc/samples
sendmail_path = /postfix/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = ignore_policy_error,check_policy_service 
inet:localhost:5577
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,   check_sender_access 
dbm:/etc/postfix/blocked_senders,   reject_rbl_client 67679988282.rbl.com,  
reject_unauth_destination
smtpd_sender_restrictions = reject_unauth_pipelining,   
reject_unknown_sender_domain,   reject_non_fqdn_sender, 
check_recipient_access dbm:/etc/postfix/access
transport_maps = dbm:/etc/postfix/transport
unknown_address_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 450



> Date: Thu, 4 Dec 2008 10:02:08 -0500
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Domain emails from outside
> 
> On 12/4/2008, Gabriel Hahmann ([EMAIL PROTECTED]) wrote:
>> My configuration is listed below
> 
> Output of postconf -n is preferred...
> 
> -- 
> 
> Best regards,
> 
> Charles


Re: Domain emails from outside

2008-12-04 Thread Roman Medina-Heigl Hernandez
Hello,

I initiated a similar thread a few days ago, with interesting responses.
Have a look at it:
http://archives.neohapsis.com/archives/postfix/2008-12/0010.html

Summarizing, there's a chance of legitimate mail being filtered. See the
former thread for examples and a nice discussion :-)

PS: And thanks to all who have contributed to it!

Cheers,
-Roman

Geert Hendrickx wrote:
> On Thu, Dec 04, 2008 at 10:15:55AM -0500, Sahil Tandon wrote:
>> Gabriel Hahmann <[EMAIL PROTECTED]> wrote:
>>
>>> I'm new to the list and have a problem with my mail system. Recently I'm
>>> receiving a lot of spam emails coming from the internet but the sender is a
>>> user from my domain. Then I tried the same thing directly from other system,
>>> as described below:
>>>
>>> telnet mailsystemwithproblem 25
>>> helo testdomain
>>> MAIL FROM: <[EMAIL PROTECTED]>
>>> RCPT TO: <[EMAIL PROTECTED]>
>>> DATA
>>> test
>>> .
>>>
>>> I've done this with success, and the machine that I've used to telnet is not
>>> in the mynetworks or other parameter.
>> This makes sense; MXs outside your networks should be able to send mail
>> to your domains.
>>
>>> The problem is that all my users are receiving spam from themselves. My
>>> server is not an open relay because from outside I can't send email to other
>>> domains, but if somebody connects and send to my own domain it works like I
>>> said before.
>> /etc/postfix/main.cf:
>> smtpd_recipient_restrictions =
>>  ...
>>  reject_unauth_destination
>>  check_sender_access hash:/etc/postfix/copycats
>>  ...
>>
>> /etc/postfix/copycats:
>> testdomain.com   REJECT
>>
>> Be aware that your own users will not be able to send email to each
>> other unless they're on mynetworks or SASL authenticated (both permits
>> should precede the reject_unauth_destination directive).
> 
> 
> Note that this will also block mail coming from your own users through
> forwarders or mailing lists that do not rewrite the original sender.
> 
> (eg. [EMAIL PROTECTED] -> [EMAIL PROTECTED] -> [EMAIL PROTECTED])
> 
>   Geert
> 
> 


Re: Domain emails from outside

2008-12-04 Thread Geert Hendrickx
On Thu, Dec 04, 2008 at 10:15:55AM -0500, Sahil Tandon wrote:
> Gabriel Hahmann <[EMAIL PROTECTED]> wrote:
> 
> > I'm new to the list and have a problem with my mail system. Recently I'm
> > receiving a lot of spam emails coming from the internet but the sender is a
> > user from my domain. Then I tried the same thing directly from other system,
> > as described below:
> > 
> > telnet mailsystemwithproblem 25
> > helo testdomain
> > MAIL FROM: <[EMAIL PROTECTED]>
> > RCPT TO: <[EMAIL PROTECTED]>
> > DATA
> > test
> > .
> > 
> > I've done this with success, and the machine that I've used to telnet is not
> > in the mynetworks or other parameter.
> 
> This makes sense; MXs outside your networks should be able to send mail
> to your domains.
> 
> > The problem is that all my users are receiving spam from themselves. My
> > server is not an open relay because from outside I can't send email to other
> > domains, but if somebody connects and send to my own domain it works like I
> > said before.
> 
> /etc/postfix/main.cf:
> smtpd_recipient_restrictions =
>   ...
>   reject_unauth_destination
>   check_sender_access hash:/etc/postfix/copycats
>   ...
> 
> /etc/postfix/copycats:
> testdomain.com   REJECT
> 
> Be aware that your own users will not be able to send email to each
> other unless they're on mynetworks or SASL authenticated (both permits
> should precede the reject_unauth_destination directive).


Note that this will also block mail coming from your own users through
forwarders or mailing lists that do not rewrite the original sender.

(eg. [EMAIL PROTECTED] -> [EMAIL PROTECTED] -> [EMAIL PROTECTED])

Geert




Re: Domain emails from outside

2008-12-04 Thread Brian Evans - Postfix List
Gabriel Hahmann wrote:
> Hi all,
>
> I'm new to the list and have a problem with my mail system. Recently
> I'm receiving a lot of spam emails coming from the internet but the
> sender is a user from my domain. Then I tried the same thing directly
> from other system, as described below:
>

The answer to your question is as such.
Add 'check_sender_access pcre:/path/to/config/restrict_internal_domain'
to the end of smtpd_sender_restrictions
(You may use regexp instead of pcre if your postfix does not support it,
use 'postconf -m' to check)

/path/to/config/restrict_internal_domain:
/.*\.example.com/   REJECT external email with an internal sender address

> My configuration is listed below, I just changed the name of the
> domain with testdomain.com and another domain
> that this machine receive mail with anotherdomain.com:
>
We recommend 'postconf -n' to make sure you did not make a typo.
Also, please use example.(com|net|org) instead of making up domain names.
> maximal_queue_lifetime = 4h
This is amazingly short.  I hope you, or the recipient, never have any
network issues.

> virtual_maps = hash:/etc/postfix/virtualusertable
Is this a really old Postfix?
This was replaced in Postfix 2.0.
Most likely you mean virtual_alias_maps, but one cannot be sure.

Brian


Re: Domain emails from outside

2008-12-04 Thread Sahil Tandon
Gabriel Hahmann <[EMAIL PROTECTED]> wrote:

> I'm new to the list and have a problem with my mail system. Recently I'm
> receiving a lot of spam emails coming from the internet but the sender is a
> user from my domain. Then I tried the same thing directly from other system,
> as described below:
> 
> telnet mailsystemwithproblem 25
> helo testdomain
> MAIL FROM: <[EMAIL PROTECTED]>
> RCPT TO: <[EMAIL PROTECTED]>
> DATA
> test
> .
> 
> I've done this with success, and the machine that I've used to telnet is not
> in the mynetworks or other parameter.

This makes sense; MXs outside your networks should be able to send mail
to your domains.

> The problem is that all my users are receiving spam from themselves. My
> server is not an open relay because from outside I can't send email to other
> domains, but if somebody connects and send to my own domain it works like I
> said before.

/etc/postfix/main.cf:
smtpd_recipient_restrictions =
    ...
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/copycats
    ...

/etc/postfix/copycats:
testdomain.com  REJECT

Be aware that your own users will not be able to send email to each
other unless they're on mynetworks or SASL authenticated (both permits
should precede the reject_unauth_destination directive).

> My configuration is listed below, I just changed the name of the domain with
> testdomain.com and another domain that this machine receive mail with
> anotherdomain.com:

As advised in the DEBUG_README, next time include the output of
'postconf -n'.

-- 
Sahil Tandon <[EMAIL PROTECTED]>


Re: Domain emails from outside

2008-12-04 Thread Charles Marcus
On 12/4/2008, Gabriel Hahmann ([EMAIL PROTECTED]) wrote:
> My configuration is listed below

Output of postconf -n is preferred...

-- 

Best regards,

Charles