Use of smtpd_reject_unlisted_sender

2013-12-20 Thread Bernardo Pons
These days, with theft of credentials of legitimate e-mail server users
in order to send spam, checking the MAIL FROM: using
smtpd_reject_unlisted_sender would be a helpful Postfix feature.

Perhaps it is a misunderstanding on my side about the actual meaning of
the parameter smtpd_reject_unlisted_sender, but if smtpd_reject_unlisted_sender
= yes is present in main.cf...

How is it possible for a user to send mail from an unknown sender
address listed in neither virtual nor canonical?

The user connects to the SMTP server and authenticates correctly,
but he's sending e-mails from an absolutely alien e-mail address
(both user and domain part of the e-mail address).

If the authenticated user tries to send e-mail from a non-existent e-mail
address (user part) of a local domain the e-mail is rejected but if he/she
uses a non-existent e-mail address of an alien domain the e-mail message is
accepted by smtpd server.

Shouldn't ALL those mails be rejected by smtpd?

-- 
Bernardo Pons


Re: Use of smtpd_reject_unlisted_sender

2013-12-20 Thread Tom Hendrikx
On 20-12-13 20:54, Bernardo Pons wrote:
 On these days where theft of credentials of legitimate e-mail
 server users in order to send spam checking the MAIL FROM: using 
 smtpd_reject_unlisted_sender would be a helping Postfix feature.
 
 Perhaps it is a misunderstanding from my side about the actual
 meaning of parameter smtpd_reject_unlisted_sender but if 
 smtpd_reject_unlisted_sender = yes is present on main.cf...
 
 How is it possible for an user to send an mail from an unknown
 sender addresses neither listed in virtual nor canonical?
 
 The user is connecting to the smtp server and authenticates itself 
 correctly but he's sending e-mails from an absolutely alien e-mail 
 address (both user and domain part of the e-mail address)
 
 If the authenticated user tries to send e-mail from a non-existent 
 e-mail address (user part) of a local domain the e-mail is rejected
 but if he/she uses a non-existent e-mail address of an alien domain
 the e-mail message is accepted by smtpd server.
 
 Shouldn't ALL those mails be rejected by smtpd?
 

The problem is that postfix cannot look up localparts for domains that
are not hosted locally. For domains that the server is configured to
handle using local/virtual/etc, the localparts are also available
(i.e. 'listed'). For random offsite domains, the localpart cannot be
verified other than using a VRFY call, which is disabled at most sites
because it enabled spammers to verify existence of addresses, and
usage is considered abusive by many admins.

In order to force authenticated senders to use a limited set of MAIL
FROM addresses, you'll probably need to use
reject_sender_login_mismatch in smtpd_mumble_restrictions.

Regards,
Tom


Re: Use of smtpd_reject_unlisted_sender

2013-12-20 Thread Wietse Venema
Bernardo Pons:
 On these days where theft of credentials of legitimate e-mail server users
 in order to send spam checking the MAIL FROM: using
 smtpd_reject_unlisted_sender would be a helping Postfix feature.
 
 Perhaps it is a misunderstanding from my side about the actual meaning of
 parameter smtpd_reject_unlisted_sender but if smtpd_reject_unlisted_sender
 = yes is present on main.cf...
 
 How is it possible for an user to send an mail from an unknown sender
 addresses neither listed in virtual nor canonical?

It can happen on mail hubs, when an inside system sends mail through
the mail hub, with a sender address that is not properly registered
at the mail hub. Ideally the mail hub would block such mail. For
now, I leave it up to you to decide if you want to fight that battle.
5-10 years ago it certainly would break a lot of things in the real
world.

Wietse
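
An added configuration sketch, not part of the thread, showing the approach Tom Hendrikx's reply points to: tying each SASL login to the MAIL FROM addresses it owns, next to the listing check the original question relied on. The map path, login names and addresses are constructed for illustration.

```conf
# --- /etc/postfix/main.cf (added example; path below is an assumption) ---

# Listing check only. It can reject an unknown local part in a domain this
# server hosts, but a sender in a domain hosted elsewhere cannot be looked
# up, so it passes. This is the behaviour described in the question.
smtpd_reject_unlisted_sender = yes

# Ownership check: which SASL login may use which MAIL FROM address.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# reject_sender_login_mismatch rejects:
#   - a logged-in client whose login does not own the MAIL FROM address,
#     which includes every address with no owner in the map (for example
#     any address in a foreign domain);
#   - a client that is not logged in but uses an address that has an owner.
# reject_authenticated_sender_login_mismatch applies only the first case,
# which is the narrower choice when unauthenticated mail carrying hosted
# sender addresses (forwarders, inside systems on a mail hub) must still
# be accepted.
smtpd_sender_restrictions =
    reject_sender_login_mismatch

# --- /etc/postfix/sender_login_maps (constructed sample data) ---
# Left: MAIL FROM address. Right: login name(s) allowed to use it.
# Rebuild the lookup table with "postmap" after every change.
alice@example.com    alice
bob@example.com      bob
sales@example.com    alice, bob
```

With this in place a stolen login can still send mail, but only under the addresses mapped to that login, which keeps the abuse attributable to one account in the logs.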


smtpd_reject_unlisted_sender

2010-02-18 Thread Len Conrad
is this param server-wide, or can it be present in smtpd_*_restrictions ?

Len



Re: smtpd_reject_unlisted_sender

2010-02-18 Thread Ralf Hildebrandt
* Len Conrad lcon...@go2france.com:

 is this param server-wide, or can it be present in smtpd_*_restrictions ?

Settings in smtpd_*_restrictions ARE server-wide.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: smtpd_reject_unlisted_sender

2010-02-18 Thread Wietse Venema
Len Conrad:
 is this param server-wide, or can it be present in smtpd_*_restrictions ?

Use this in smtpd_mumble_restrictions:

reject_unlisted_sender

Reject the request when the MAIL FROM address is not listed in
the list of valid recipients for its domain class. See the
smtpd_reject_unlisted_sender parameter description for details.
This feature is available in Postfix 2.1 and later.

Use this as a main.cf name=value setting, or as -o name=value
override in master.cf:

smtpd_reject_unlisted_sender (default: no)

Request that the Postfix SMTP server rejects mail from unknown
sender addresses, even when no explicit reject_unlisted_sender
access restriction is specified. This can slow down an explosion
of forged mail from worms or viruses.

Wietse



Re: smtpd_reject_unlisted_sender

2010-02-18 Thread Len Conrad
-- Original Message --
From: Wietse Venema wie...@porcupine.org
Reply-To: Postfix users postfix-users@postfix.org
Date:  Thu, 18 Feb 2010 17:21:53 -0500 (EST)

Len Conrad:
 is this param server-wide, or can it be present in smtpd_*_restrictions ?

Use this in smtpd_mumble_restrictions:

reject_unlisted_sender

Reject the request when the MAIL FROM address is not listed in
the list of valid recipients for its domain class. See the
smtpd_reject_unlisted_sender parameter description for details.
This feature is available in Postfix 2.1 and later.

Use this as a main.cf name=value setting, or as -o name=value
override in master.cf:

smtpd_reject_unlisted_sender (default: no)

Request that the Postfix SMTP server rejects mail from unknown
sender addresses, even when no explicit reject_unlisted_sender
access restriction is specified. This can slow down an explosion
of forged mail from worms or viruses.

   Wietse

Here's the logic we want:

smtpd_recipient_restrictions =
.
.
 check_sender_access mysql:/path/3rd_level_sender_domain_class.cf,
 smtpd_reject_unlisted_sender = yes,
 reject_unlisted_recipient,  
.
.
permit

3rd_level_sender_domain_class =
.
 smtpd_reject_unlisted_sender = no,
 reject_unlisted_recipient,  
.
permit

thanks
Len



Re: smtpd_reject_unlisted_sender

2010-02-18 Thread Noel Jones

On 2/18/2010 4:30 PM, Len Conrad wrote:

 -- Original Message --
 From: Wietse Venema wie...@porcupine.org
 Reply-To: Postfix users postfix-users@postfix.org
 Date:  Thu, 18 Feb 2010 17:21:53 -0500 (EST)

 Len Conrad:
  is this param server-wide, or can it be present in smtpd_*_restrictions ?

 Use this in smtpd_mumble_restrictions:

 reject_unlisted_sender

 Reject the request when the MAIL FROM address is not listed in
 the list of valid recipients for its domain class. See the
 smtpd_reject_unlisted_sender parameter description for details.
 This feature is available in Postfix 2.1 and later.

 Use this as a main.cf name=value setting, or as -o name=value
 override in master.cf:

 smtpd_reject_unlisted_sender (default: no)

 Request that the Postfix SMTP server rejects mail from unknown
 sender addresses, even when no explicit reject_unlisted_sender
 access restriction is specified. This can slow down an explosion
 of forged mail from worms or viruses.

 Wietse


 Here's the logic we want:

 smtpd_recipient_restrictions =
 .
 .
   check_sender_access mysql:/path/3rd_level_sender_domain_class.cf,
   smtpd_reject_unlisted_sender = yes,


Use reject_unlisted_sender here.

http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions
restrictions listed above are also valid in 
smtpd_recipient_restrictions.

http://www.postfix.org/postconf.5.html#reject_unlisted_sender


   reject_unlisted_recipient,
 .
 .
 permit

 3rd_level_sender_domain_class =
 .
   smtpd_reject_unlisted_sender = no,


For no (default) sender checking, set main.cf 
smtpd_reject_unlisted_sender = no

or just remove that parameter, since no is the default.



   reject_unlisted_recipient,
 .
 permit

 thanks
 Len




  -- Noel Jones
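
An added configuration sketch, not part of the thread, that expresses the per-sender-domain logic Len Conrad asked for using the corrections from the replies: the reject_unlisted_sender restriction in place of the main.cf parameter, and a restriction class for the exempt domains. The class name third_level_sender and the first two entries of smtpd_recipient_restrictions are assumptions standing in for the elided parts of the original sketch.

```conf
# --- /etc/postfix/main.cf (added example) ---

# Leave the implicit server-wide sender check off (this is the default),
# so the check runs only where reject_unlisted_sender is written out.
smtpd_reject_unlisted_sender = no

# A restriction class is a named restriction list that an access map may
# return as its lookup result.
smtpd_restriction_classes = third_level_sender

# Applied to the exempt sender domains: no sender listing check, the
# recipient check still runs, then the message is accepted.
third_level_sender =
    reject_unlisted_recipient,
    permit

# Order matters. The class above ends in "permit", so the relay check
# (reject_unauth_destination) has to come before the sender lookup;
# otherwise a matching MAIL FROM domain would be accepted for any
# recipient domain.
#
# The mysql map from the thread must return the text "third_level_sender"
# for sender domains that are exempt, and no result for all others. Those
# others fall through to reject_unlisted_sender.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access mysql:/path/3rd_level_sender_domain_class.cf,
    reject_unlisted_sender,
    reject_unlisted_recipient,
    permit
```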