Re: postmaster@ and spam

2009-03-26 Thread Peter Blair
On Thu, Mar 26, 2009 at 12:55 PM, LuKreme  wrote:

> Obviously I can't disable the account as it is required, but is there
> something that I can do to stop the connections for messages like this:
>
> Return-Path: 
> X-Original-To: postmas...@covisp.net
> Delivered-To: postmas...@covisp.net
> Received: from 55.71.98-84.rev.gaoland.net (117.82.193-77.rev.gaoland.net
> [77.193.82.117])
>        by mail.covisp.net (Postfix) with SMTP id A4B17118BC8B
>        for ; Fri, 20 Mar 2009 18:18:44 -0600 (MDT)
>
> as it is now, anything to postmaster gets a complete free pass, and most the
> mail to that account is scoring on SA up in the 20's and 30's.

Why not RBL it with spamhaus?

$ dig 117.82.193.77.zen.spamhaus.org a +short
127.0.0.10
127.0.0.4


Re: postmaster@ and spam

2009-03-26 Thread LuKreme

On 26-Mar-2009, at 11:53, Peter Blair wrote:
> On Thu, Mar 26, 2009 at 12:55 PM, LuKreme  wrote:
>
>> Obviously I can't disable the account as it is required, but is there
>> something that I can do to stop the connections for messages like this:
>>
>> Return-Path: 
>> X-Original-To: postmas...@covisp.net
>> Delivered-To: postmas...@covisp.net
>> Received: from 55.71.98-84.rev.gaoland.net (117.82.193-77.rev.gaoland.net
>> [77.193.82.117])
>>    by mail.covisp.net (Postfix) with SMTP id A4B17118BC8B
>>    for ; Fri, 20 Mar 2009 18:18:44 -0600 (MDT)
>>
>> as it is now, anything to postmaster gets a complete free pass, and most the
>> mail to that account is scoring on SA up in the 20's and 30's.
>
> Why not RBL it with spamhaus?

Because the helo checks happen before the RBL checks and once the
message gets an OK it's no longer checked.


--
There is NO Rule six!



Re: postmaster@ and spam

2009-03-26 Thread Brian Evans - Postfix List
LuKreme wrote:
> On 26-Mar-2009, at 11:53, Peter Blair wrote:
>> On Thu, Mar 26, 2009 at 12:55 PM, LuKreme  wrote:
>>
>>> Obviously I can't disable the account as it is required, but is there
>>> something that I can do to stop the connections for messages like this:
>>>
>>> Return-Path: 
>>> X-Original-To: postmas...@covisp.net
>>> Delivered-To: postmas...@covisp.net
>>> Received: from 55.71.98-84.rev.gaoland.net
>>> (117.82.193-77.rev.gaoland.net
>>> [77.193.82.117])
>>>    by mail.covisp.net (Postfix) with SMTP id A4B17118BC8B
>>>    for ; Fri, 20 Mar 2009 18:18:44 -0600
>>> (MDT)
>>>
>>> as it is now, anything to postmaster gets a complete free pass, and
>>> most the
>>> mail to that account is scoring on SA up in the 20's and 30's.
>>
>> Why not RBL it with spamhaus?
>
> Because the helo checks happen before the RBL checks and once the
> message gets an OK it's no longer checked.
>
The helo check you mention will OK the helo_restrictions. (assuming this
is where you have it)
However, it will not affect the recipient_restrictions.

An OK is for a single restriction class.  Not globally (thank goodness).

Brian


Re: postmaster@ and spam

2009-03-26 Thread LuKreme

On 26-Mar-2009, at 13:36, Brian Evans - Postfix List wrote:
> LuKreme wrote:
>> On 26-Mar-2009, at 11:53, Peter Blair wrote:
>>> On Thu, Mar 26, 2009 at 12:55 PM, LuKreme  wrote:
>>>
>>>> Obviously I can't disable the account as it is required, but is there
>>>> something that I can do to stop the connections for messages like this:
>>>>
>>>> Return-Path: 
>>>> X-Original-To: postmas...@covisp.net
>>>> Delivered-To: postmas...@covisp.net
>>>> Received: from 55.71.98-84.rev.gaoland.net
>>>> (117.82.193-77.rev.gaoland.net
>>>> [77.193.82.117])
>>>>    by mail.covisp.net (Postfix) with SMTP id A4B17118BC8B
>>>>    for ; Fri, 20 Mar 2009 18:18:44 -0600
>>>> (MDT)
>>>>
>>>> as it is now, anything to postmaster gets a complete free pass, and
>>>> most the
>>>> mail to that account is scoring on SA up in the 20's and 30's.
>>>
>>> Why not RBL it with spamhaus?
>>
>> Because the helo checks happen before the RBL checks and once the
>> message gets an OK it's no longer checked.
>
> The helo check you mention will OK the helo_restrictions. (assuming this
> is where you have it)
> However, it will not affect the recipient_restrictions.

smtpd_recipient_restrictions =
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unknown_sender_domain,
 reject_invalid_hostname,
 permit_mynetworks,
 check_client_access hash:$config_directory/pbs,
 permit_sasl_authenticated,
 reject_unauth_destination,
 reject_unlisted_sender,
 check_client_access cidr:/var/db/dnswl/postfix-dnswl-permit
 check_helo_access pcre:$config_directory/helo_checks.pcre,
 check_sender_access pcre:$config_directory/sender_access.pcre,
 check_client_access pcre:$config_directory/check_client_fqdn.pcre,
 check_recipient_access pcre:$config_directory/recipient_checks.pcre,
 check_client_access hash:$config_directory/access,
 reject_rbl_client zen.spamhaus.org,
 permit

> An OK is for a single restriction class.  Not globally (thank goodness).

Once the message gets OKed by helo_checks.pcre it does not get checked
by the reject_rbl_client.



--
...but then a lot of nice things turn bad out there



Re: postmaster@ and spam

2009-03-26 Thread LuKreme

On 26-Mar-2009, at 14:10, LuKreme wrote:
> Once the message gets OKed by helo_checks.pcre it does not get
> checked by the reject_rbl_client.

Ah.. OK, this is not right.  It is just that the IP was not in the RBL
when that message came through.

So, the original question still stands:

> is there something that I can do to stop the connections for
> messages like this:
>
> Return-Path: 
> X-Original-To: postmas...@covisp.net
> Delivered-To: postmas...@covisp.net
> Received: from 55.71.98-84.rev.gaoland.net
> (117.82.193-77.rev.gaoland.net [77.193.82.117])
>    by mail.covisp.net (Postfix) with SMTP id A4B17118BC8B
>    for ; Fri, 20 Mar 2009 18:18:44 -0600 (MDT)



--
Say, give it up, give it up, television's taking its toll
That's enough, that's enough, gimme the remote control
I been nice, I been good, please don't do this to me
Turn it off, turn it off, I don't want to have to see



Re: postmaster@ and spam

2009-03-26 Thread mouss
LuKreme wrote:
> I have in my postfix helo checks, perhaps a bad idea,
> 
> [some checks up here that reject]
> /^postmaster\@/ OK
> /^abuse\@/  OK
> 
> At the time I set this up it was pretty important that postmaster mail
> got through, but looking over the last 12 months of mail, I've received
> exactly two legitimate messages to postmaster, both auto replies from
> the monkeys at yahoo.
> 
> Obviously I can't disable the account as it is required, but is there
> something that I can do to stop the connections for messages like this:
> 
> Return-Path: 
> X-Original-To: postmas...@covisp.net
> Delivered-To: postmas...@covisp.net
> Received: from 55.71.98-84.rev.gaoland.net
> (117.82.193-77.rev.gaoland.net [77.193.82.117])
> by mail.covisp.net (Postfix) with SMTP id A4B17118BC8B
> for ; Fri, 20 Mar 2009 18:18:44 -0600 (MDT)
> 
> as it is now, anything to postmaster gets a complete free pass, and most
> the mail to that account is scoring on SA up in the 20's and 30's.
> 


you can reject mail from postmas...@yourdomain.example if no external
system should use it.

check_sender_access hash:/etc/postfix/access_sender

== access_sender
postmas...@covip.net    REJECT blah blah




Re: postmaster@ and spam

2009-03-26 Thread Sahil Tandon
On Thu, 26 Mar 2009, LuKreme wrote:

> I have in my postfix helo checks, perhaps a bad idea,
>
> [some checks up here that reject]
> /^postmaster\@/ OK
> /^abuse\@/  OK

Why do these email address patterns appear in a HELO access(5) map?

> At the time I set this up it was pretty important that postmaster mail  
> got through, but looking over the last 12 months of mail, I've received 
> exactly two legitimate messages to postmaster, both auto replies from the 
> monkeys at yahoo.
>
> Obviously I can't disable the account as it is required, but is there  
> something that I can do to stop the connections for messages like this:
>
> Return-Path: 

Reject externally originating email with ENVELOPE from postmas...@example.org
if you are responsible for example.org.

-- 
Sahil Tandon 


Re: postmaster@ and spam

2009-03-27 Thread LuKreme

On 26-Mar-2009, at 18:06, Sahil Tandon wrote:
> On Thu, 26 Mar 2009, LuKreme wrote:
>
>> I have in my postfix helo checks, perhaps a bad idea,
>>
>> [some checks up here that reject]
>> /^postmaster\@/ OK
>> /^abuse\@/  OK
>
> Why do these email address patterns appear in a HELO access(5) map?

Because 9 years ago or so it is what I was told to do.  On this list,
I'm pretty sure.



--
...but the senator, while insisting he was not intoxicated,
could not explain his nudity.



Re: postmaster@ and spam

2009-03-27 Thread Ralf Hildebrandt
* LuKreme :
> On 26-Mar-2009, at 18:06, Sahil Tandon wrote:
>> On Thu, 26 Mar 2009, LuKreme wrote:
>>
>>> I have in my postfix helo checks, perhaps a bad idea,
>>>
>>> [some checks up here that reject]
>>> /^postmaster\@/ OK
>>> /^abuse\@/  OK
>>
>> Why do these email address patterns appear in a HELO access(5) map?
>
> Because 9 years ago or so it is what I was told to do.  On this list, I'm 
> pretty sure.

In HELO?

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
This is the crucial difference between fiction and real life: fiction
must be plausible; real life has no such constraint.   -- Kevin Kelly


Re: postmaster@ and spam

2009-03-27 Thread LuKreme

On 27-Mar-2009, at 09:57, Ralf Hildebrandt wrote:
> * LuKreme :
>> On 26-Mar-2009, at 18:06, Sahil Tandon wrote:
>>> On Thu, 26 Mar 2009, LuKreme wrote:
>>>
>>>> I have in my postfix helo checks, perhaps a bad idea,
>>>>
>>>> [some checks up here that reject]
>>>> /^postmaster\@/ OK
>>>> /^abuse\@/  OK
>>>
>>> Why do these email address patterns appear in a HELO access(5) map?
>>
>> Because 9 years ago or so it is what I was told to do.  On this list, I'm
>> pretty sure.
>
> In HELO?

Doesn't sound right, does it.  Did helo checks used to apply to the
entire pre-DATA part of the transaction?



--
When the routine bites hard / and ambitions are low
And the resentment rides high / but emotions won't grow
And we're changing our ways, / taking different roads
Then love, love will tear us apart again



Re: postmaster@ and spam

2009-03-27 Thread Sahil Tandon

On Mar 27, 2009, at 12:18 PM, LuKreme  wrote:
> On 27-Mar-2009, at 09:57, Ralf Hildebrandt wrote:
>> * LuKreme :
>>> On 26-Mar-2009, at 18:06, Sahil Tandon wrote:
>>>> On Thu, 26 Mar 2009, LuKreme wrote:
>>>>
>>>>> I have in my postfix helo checks, perhaps a bad idea,
>>>>>
>>>>> [some checks up here that reject]
>>>>> /^postmaster\@/ OK
>>>>> /^abuse\@/  OK
>>>>
>>>> Why do these email address patterns appear in a HELO access(5) map?
>>>
>>> Because 9 years ago or so it is what I was told to do.  On this list, I'm
>>> pretty sure.
>>
>> In HELO?
>
> Doesn't sound right, does it.  Did helo checks used to apply to the
> entire pre-DATA part of the transaction?

There are scenarios in which non-HELO checks can be placed under
smtpd_helo_restrictions, but in your case you explicitly call
check_helo_access and then reference a map with email address patterns
on the LHS.  Don't believe everything you read on the list, or at
least confirm it with the documentation.


--
Sahil Tandon 


Re: postmaster@ and spam

2009-03-27 Thread mouss
LuKreme wrote:
> On 27-Mar-2009, at 09:57, Ralf Hildebrandt wrote:
>> * LuKreme :
>>> On 26-Mar-2009, at 18:06, Sahil Tandon wrote:
>>>> On Thu, 26 Mar 2009, LuKreme wrote:
>>>>
>>>>> I have in my postfix helo checks, perhaps a bad idea,
>>>>>
>>>>> [some checks up here that reject]
>>>>> /^postmaster\@/ OK
>>>>> /^abuse\@/  OK
>>>>
>>>> Why do these email address patterns appear in a HELO access(5) map?
>>>
>>> Because 9 years ago or so it is what I was told to do.  On this list,
>>> I'm
>>> pretty sure.
>>
>> In HELO?
> 
> Doesn't sound right, does it.  Did helo checks used to apply to the
> entire pre-DATA part of the transaction?
> 
> 

do not confuse smtpd_helo_restrictions and check_helo_access

smtpd_helo_restrictions are a set of checks that may contain many
checks, including permit_sasl_authenticated,
reject_unknown_sender_domain, ... etc.

check_helo_access is ONE check that looks up the HELO/EHLO argument in a
map and applies the decision found in that map.

in short,
check_helo_access whatever
will never do anything with
/^postmaster\@/
except if a silly spammer heloes with "postmas...@something", which I
have never seen (and which is easily blocked by
reject_invalid_helo_hostname anyway).

and by the way, pcre isn't perl. '@' doesn't need to be escaped ('\@'
isn't needed. '@' is ok).
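
An added example, not part of any message in this thread: a simplified Python model of the two points made above, that check_helo_access looks up only the HELO argument and that an OK ends only the restriction list it occurs in. The function names mirror the Postfix restriction names; the evaluator, the example.org sender, the 192.0.2.10 client and the set standing in for the DNSBL are assumptions made for illustration.

```python
import re

# Simplified model of Postfix access evaluation: only OK/REJECT/DUNNO exist.

def lookup(table, key):
    for pattern, action in table:
        if re.search(pattern, key):
            return action
    return "DUNNO"

def check_helo_access(table):
    # Looks up ONLY the HELO/EHLO argument, never sender or recipient.
    return lambda s: lookup(table, s["helo"])

def check_sender_access(table):
    return lambda s: lookup(table, s["sender"])  # envelope sender (MAIL FROM)

def reject_rbl_client(listed):
    # Stand-in for a DNSBL query: 'listed' is a constructed set of IPs.
    return lambda s: "REJECT" if s["client"] in listed else "DUNNO"

def evaluate(lists, session):
    """Accept only if no list rejects; an OK ends just its own list."""
    for restrictions in lists:
        for restriction in restrictions:
            result = restriction(session)
            if result == "REJECT":
                return "REJECT"
            if result == "OK":
                break  # skip the rest of THIS list, go on to the next
    return "OK"

# The HELO map from the thread; everything else below is constructed.
HELO_MAP = [(r"^postmaster@", "OK"), (r"^abuse@", "OK")]
SENDER_MAP = [(r"^postmaster@example\.org$", "REJECT")]  # placeholder domain
LISTED = {"77.193.82.117"}
SESSION = {"client": "77.193.82.117", "helo": "55.71.98-84.rev.gaoland.net",
           "sender": "postmaster@example.org"}
ODD_HELO = dict(SESSION, helo="postmaster@something")
UNLISTED = dict(SESSION, client="192.0.2.10")

def scenarios():
    helo, rbl = check_helo_access(HELO_MAP), reject_rbl_client(LISTED)
    return {"map_ignored_for_normal_helo": evaluate([[helo, rbl]], SESSION),
            "ok_skips_rbl_in_same_list": evaluate([[helo, rbl]], ODD_HELO),
            "ok_does_not_cross_lists": evaluate([[helo], [rbl]], ODD_HELO),
            "sender_check": evaluate([[check_sender_access(SENDER_MAP)]], UNLISTED)}

if __name__ == "__main__":
    print(scenarios())
```

In a real main.cf, a sender rule like SENDER_MAP belongs after permit_mynetworks and permit_sasl_authenticated, so that local and authenticated clients can still send as postmaster.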