Re: spammers masquerading as me
On Thu, June 25, 2009 01:47, mouss wrote:
> Stuart Matthews wrote:
> smtpd_sender_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated

reject

>     check_sender_access hash:/etc/postfix/access_sender
>     check_helo_access hash:/etc/postfix/access_helo

remove both lines should still give same result

-- 
xpoint
Re: spammers masquerading as me
Hi all,

That seems to have done it... banging my head against the problem all because of a typo.

Thanks,
Stu

J.P. Trosclair wrote:
> Stuart Matthews wrote:
> > I have already tried editing /usr/local/etc/postfix/access, adding:
> > eff.org REJECT you can't send mail as me!
> > And of course I ran postmap after this. I have also tried using the
> > setting that rejects mail that says HELO eff.org.
>
> You say check_sender_access didn't work, did you use it with
> smtpd_recipient_restrictions? A similar setup to the following works for
> us (this is a modified version of your output from postconf -n):
>
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     check_sender_access hash:$config_directory/access   # Look Here
>     reject_non_fqdn_recipient
>     reject_multi_recipient_bounce
>     reject_unknown_recipient_domain
>     reject_unauth_destination
>     reject_unlisted_recipient
>     permit_mx_backup
>     permit
>
> $config_directory/access:
> t...@eff.org REJECT
>
> This is just a guess and a proposed solution, you probably need to supply
> supporting log entries for cases it didn't work to get to the bottom of
> what's really wrong.
Re: spammers masquerading as me
On 1681 0, Stuart Matthews wrote:
> Hi everyone,
>
> I am the systems administrator for the Electronic Frontier Foundation. I
> have been having a problem with getting spam that has a from of, for
> example, t...@eff.org (which is a valid email address). I would like my
> mail server to not accept mail that says it is from @eff.org unless it is
> sent via an authenticated end user, or unless it is mail generated by the
> mail server itself. Essentially, in pseudo-code, what I want is:
>
> if ((from == *...@eff.org) and ((sending mail server != mail1.eff.org) or
> (sent using SMTP auth))) then REJECT
>
> I have already tried editing /usr/local/etc/postfix/access, adding:
> eff.org REJECT you can't send mail as me!
> And of course I ran postmap after this. I have also tried using the setting
> that rejects mail that says HELO eff.org.
>
> Neither worked.

i use a different approach on this. for example, it will reject all unauthenticated sender claiming to be from domain.com. the error message would be "not logged in".

smtpd_sender_login_maps = hash:/etc/postfix/sender_login
virtual_mailbox_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch,
    reject_unauthenticated_sender_login_mismatch,
    reject_sender_login_mismatch,
    permit_sasl_authenticated
    ...
smtpd_recipient_restrictions =
    ...
    permit_sasl_authenticated,
    ...

# /etc/postfix/sender_login
us...@domain.com user1
us...@domain.com user2
ad...@domain.com admin,user1
t...@domain.com tech,admin
Re: spammers masquerading as me
On Wed June 24 2009 18:21:19 Stuart Matthews wrote:
> I am the systems administrator for the Electronic Frontier
> Foundation. I have been having a problem with getting spam that has a

And I talked to you yesterday in IRC.

> from of, for example, t...@eff.org (which is a valid email address).
> I would like my mail server to not accept mail that says it is from
> @eff.org unless it is sent via an authenticated end user, or unless
> it is mail generated by the mail server itself. Essentially, in
> pseudo-code, what I want is:
>
> if ((from == *...@eff.org) and ((sending mail server != mail1.eff.org)
> or (sent using SMTP auth))) then REJECT
>
> I have already tried editing /usr/local/etc/postfix/access, adding:
> eff.org REJECT you can't send mail as me!
> And of course I ran postmap after this. I have also tried using the
> setting that rejects mail that says HELO eff.org.
>
> Neither worked.
>
> I should also point out that, at least for now, this is the ONLY type
> of mail that I want to explicitly block. At this time I am not able
> to do a spam assassin install or reject via black lists due to our
> current spam policy.
>
> Here is my postconf -n output:

I'm leaving in only the relevant settings below.

> smtpd_client_restrictions = permit_mynetworks reject_unknown_client
>  check_client_access hash:$config_directory/accesslist permit
> smtpd_helo_restrictions = permit_mynetworks check_helo_access
>  hash:$config_directory/restrict_helo check_helo_access
>  hash:$config_directory/accesslist reject_invalid_hostname permit
> smtpd_recipient_restrictions = permit_mynetworks
>  permit_sasl_authenticated reject_non_fqdn_recipient
>  reject_multi_recipient_bounce reject_unknown_recipient_domain
>  reject_unauth_destination reject_unlisted_recipient
>  permit_mx_backup permit
> smtpd_sender_restrictions = permit_mynetworks check_sender_access
>  hash:$config_directory/accesslist reject_non_fqdn_sender
>  reject_unknown_sender_domain reject_unlisted_sender
>  hash:$config_directory/sender_access permit

Many users (well, I am one of them) find it easier to consolidate all smtpd restrictions into a single stage. The logical choice for such consolidation would be smtpd_recipient_restrictions, because that's the only required stage.

Since you did not include logs with your post we can only guess, but best guess would be that you're not doing this in your two check_sender_access lookups. Either accesslist or sender_access should contain your blocking rule, and should be preceded by permit_sasl_authenticated, else you will block your own authenticating senders.

Multiple use of the same lookup can lead to undesired results. What is looked up for a check_sender_access differs from check_*_access (other access(5) lookups.) You should really understand access.5.html well.

You mentioned a /usr/local/etc/postfix/access file above, yet the postconf output has no evidence of such a file. Therefore, it is not used.

If you need to followup, please include logs and relevant snippets from the map files.

-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
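The three points raised in the reply above (an edited map that no restriction references, one map shared by several checks, and check_sender_access with no permit_sasl_authenticated in front of it) can be checked mechanically. This is an added example, not code from the thread or from Postfix; the function names are hypothetical and the input is the quoted restriction settings joined onto single lines.

```python
import re

# Constructed input: the four restriction settings from the postconf -n output
# quoted above, each joined onto one line.
POSTCONF = """\
smtpd_client_restrictions = permit_mynetworks reject_unknown_client check_client_access hash:$config_directory/accesslist permit
smtpd_helo_restrictions = permit_mynetworks check_helo_access hash:$config_directory/restrict_helo check_helo_access hash:$config_directory/accesslist reject_invalid_hostname permit
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_recipient reject_multi_recipient_bounce reject_unknown_recipient_domain reject_unauth_destination reject_unlisted_recipient permit_mx_backup permit
smtpd_sender_restrictions = permit_mynetworks check_sender_access hash:$config_directory/accesslist reject_non_fqdn_sender reject_unknown_sender_domain reject_unlisted_sender hash:$config_directory/sender_access permit
"""

def parse(text, config_directory):
    """Return {parameter: [tokens]} for every smtpd_*_restrictions setting."""
    lists = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and re.fullmatch(r"smtpd_\w+_restrictions", name.strip()):
            value = value.replace("$config_directory", config_directory)
            lists[name.strip()] = re.split(r"[,\s]+", value.strip())
    return lists

def map_usage(lists):
    """Return {type:table: set of check_*_access keywords that consult it}."""
    usage = {}
    for tokens in lists.values():
        for prev, tok in zip([""] + tokens, tokens):
            if re.fullmatch(r"\w+:\S+", tok):
                check = prev if prev.startswith("check_") else "(no check keyword)"
                usage.setdefault(tok, set()).add(check)
    return usage

def audit(text, config_directory, edited_file):
    """Report the three problems described in the reply, as a list of strings."""
    lists = parse(text, config_directory)
    usage = map_usage(lists)
    findings = []
    # 1. The file the admin edited must appear in some restriction list.
    if not any(m.split(":", 1)[1] == edited_file for m in usage):
        findings.append(f"{edited_file} is not referenced by any restriction")
    # 2. One table consulted by different check types gets different lookup keys.
    for table, checks in sorted(usage.items()):
        if len(checks) > 1:
            findings.append(f"{table} is shared by {', '.join(sorted(checks))}")
    # 3. A sender block for the local domain needs the SASL permit before it.
    for name, tokens in lists.items():
        if "check_sender_access" in tokens:
            before = tokens[:tokens.index("check_sender_access")]
            if "permit_sasl_authenticated" not in before:
                findings.append(f"{name}: check_sender_access is not preceded "
                                "by permit_sasl_authenticated")
    return findings

if __name__ == "__main__":
    for finding in audit(POSTCONF, "/usr/local/etc/postfix",
                         "/usr/local/etc/postfix/access"):
        print(finding)
```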
Re: spammers masquerading as me
Stuart Matthews:
> Hi everyone,
>
> I am the systems administrator for the Electronic Frontier Foundation. I
> have been having a problem with getting spam that has a from of, for
> example, t...@eff.org (which is a valid email address). I would like my
> mail server to not accept mail that says it is from @eff.org unless it
> is sent via an authenticated end user, or unless it is mail generated by
> the mail server itself. Essentially, in pseudo-code, what I want is:
>
> if ((from == *...@eff.org) and ((sending mail server != mail1.eff.org) or
> (sent using SMTP auth))) then REJECT

Making a variation on
http://www.nabble.com/false-return-addresses-td24058164.html

Not tested:

# Pass mail from inside mynetworks, reject senders
/etc/postfix/main.cf:
    smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/sender_access,

# Also matches subdomains of example.com by default (see
# parent_matches_subdomains documentation).
# Needs "postmap /etc/postfix/sender_access" after change.
/etc/postfix/sender_access:
    example.com REJECT Bad sender address - you are not example.com

	Wietse

> I have already tried editing /usr/local/etc/postfix/access, adding:
> eff.org REJECT you can't send mail as me!
> And of course I ran postmap after this. I have also tried using the
> setting that rejects mail that says HELO eff.org.
>
> Neither worked.
>
> I should also point out that, at least for now, this is the ONLY type of
> mail that I want to explicitly block. At this time I am not able to do a
> spam assassin install or reject via black lists due to our current spam
> policy.
Re: spammers masquerading as me
Stuart Matthews wrote:
> I have already tried editing /usr/local/etc/postfix/access, adding:
> eff.org REJECT you can't send mail as me!
> And of course I ran postmap after this. I have also tried using the
> setting that rejects mail that says HELO eff.org.

You say check_sender_access didn't work, did you use it with smtpd_recipient_restrictions? A similar setup to the following works for us (this is a modified version of your output from postconf -n):

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access hash:$config_directory/access   # Look Here
    reject_non_fqdn_recipient
    reject_multi_recipient_bounce
    reject_unknown_recipient_domain
    reject_unauth_destination
    reject_unlisted_recipient
    permit_mx_backup
    permit

$config_directory/access:
t...@eff.org REJECT

This is just a guess and a proposed solution, you probably need to supply supporting log entries for cases it didn't work to get to the bottom of what's really wrong.
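Why the position of check_sender_access in the list above matters can be seen in a simplified model of restriction-list evaluation, where the first restriction that reaches a decision ends the list. This is an added example, not code from the thread or from Postfix; the session fields, the address someone@eff.org, the login name and the empty accesslist map are assumptions, and restrictions other than the four modeled ones make no decision.

```python
# Simplified model of Postfix restriction-list evaluation (illustrative, not
# Postfix code): restrictions run in order and the first decision wins.

def sender_keys(sender):
    """Keys tried for a sender, most specific first (simplified access(5);
    assumes the default where a parent domain also matches subdomains)."""
    local, _, domain = sender.lower().rpartition("@")
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(len(labels))]
    return [f"{local}@{domain}"] + parents + [f"{local}@"]

def evaluate(restrictions, session, maps):
    """Return (decision, restriction that produced it)."""
    tokens = iter(restrictions)
    for r in tokens:
        if r == "permit_mynetworks" and session["in_mynetworks"]:
            return "PERMIT", r
        if r == "permit_sasl_authenticated" and session["sasl_user"]:
            return "PERMIT", r
        if r == "check_sender_access":
            table = maps[next(tokens)]          # the map named right after it
            for key in sender_keys(session["sender"]):
                if key in table:
                    return table[key].split()[0], f"{r} {key}"
        if r == "permit":
            return "PERMIT", r
        # anything else is not modeled and makes no decision here
    return "PERMIT", "end of list"

# Constructed sessions; someone@eff.org stands in for the elided address.
SPOOF = {"in_mynetworks": False, "sasl_user": None, "sender": "someone@eff.org"}
STAFF = {"in_mynetworks": False, "sasl_user": "stu", "sender": "someone@eff.org"}

# The REJECT rule was added to "access", while the original restrictions only
# consulted "accesslist" (assumed here to hold no eff.org entry).
MAPS = {"hash:accesslist": {},
        "hash:access": {"eff.org": "REJECT you can't send mail as me!"}}

ORIGINAL = ["permit_mynetworks", "check_sender_access", "hash:accesslist", "permit"]
PROPOSED = ["permit_mynetworks", "permit_sasl_authenticated",
            "check_sender_access", "hash:access", "permit"]
NO_SASL = ["permit_mynetworks", "check_sender_access", "hash:access", "permit"]

def demo():
    return {
        "original/spoof": evaluate(ORIGINAL, SPOOF, MAPS),
        "proposed/spoof": evaluate(PROPOSED, SPOOF, MAPS),
        "proposed/staff": evaluate(PROPOSED, STAFF, MAPS),
        "no_sasl/staff": evaluate(NO_SASL, STAFF, MAPS),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} {result}")
```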
Re: spammers masquerading as me
Stuart Matthews wrote:
> Hi everyone,
>
> I am the systems administrator for the Electronic Frontier Foundation. I
> have been having a problem with getting spam that has a from of, for
> example, t...@eff.org (which is a valid email address). I would like my
> mail server to not accept mail that says it is from @eff.org unless it
> is sent via an authenticated end user, or unless it is mail generated by
> the mail server itself. Essentially, in pseudo-code, what I want is:
>
> if ((from == *...@eff.org) and ((sending mail server != mail1.eff.org) or
> (sent using SMTP auth))) then REJECT
>
> I have already tried editing /usr/local/etc/postfix/access, adding:
> eff.org REJECT you can't send mail as me!

you call this file "access", yet your restrictions use "accesslist".

BTW, avoid sharing maps. instead of "access" and "accesslist", use something like: access_sender, access_helo, ... (one per type of check).

smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/access_sender
    check_helo_access hash:/etc/postfix/access_helo
    ...

== access_sender
eff.org     REJECT blah blah
.eff.org    REJECT blah blah

== access_helo
eff.org     REJECT blah blah
.eff.org    REJECT blah blah

> And of course I ran postmap after this. I have also tried using the
> setting that rejects mail that says HELO eff.org.
>
> Neither worked.
>
> I should also point out that, at least for now, this is the ONLY type of
> mail that I want to explicitly block. At this time I am not able to do a
> spam assassin install or reject via black lists due to our current spam
> policy.
spammers masquerading as me
Hi everyone,

I am the systems administrator for the Electronic Frontier Foundation. I have been having a problem with getting spam that has a from of, for example, t...@eff.org (which is a valid email address). I would like my mail server to not accept mail that says it is from @eff.org unless it is sent via an authenticated end user, or unless it is mail generated by the mail server itself. Essentially, in pseudo-code, what I want is:

if ((from == *...@eff.org) and ((sending mail server != mail1.eff.org) or
(sent using SMTP auth))) then REJECT

I have already tried editing /usr/local/etc/postfix/access, adding:
eff.org REJECT you can't send mail as me!
And of course I ran postmap after this. I have also tried using the setting that rejects mail that says HELO eff.org.

Neither worked.

I should also point out that, at least for now, this is the ONLY type of mail that I want to explicitly block. At this time I am not able to do a spam assassin install or reject via black lists due to our current spam policy.

Here is my postconf -n output:
address_verify_negative_expire_time = 1d
alias_database = hash:$config_directory/aliases,
    hash:$config_directory/aliases.mailman
alias_maps = hash:$config_directory/aliases,
    hash:$config_directory/aliases.mailman
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
mail_owner = postfix
mail_spool_directory = /var/mail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost, $myhostname.$mydomain,
    $mydomain, email.$mydomain
myhostname = mail1.eff.org
mynetworks = 75.101.97.64/28, 68.120.144.0/24, 67.103.31.132/32, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks reject_unknown_client
    check_client_access hash:$config_directory/accesslist permit
smtpd_data_restrictions = reject_unauth_pipelining permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access
    hash:$config_directory/restrict_helo check_helo_access
    hash:$config_directory/accesslist reject_invalid_hostname permit
smtpd_recipient_restrictions = permit_mynetworks
    permit_sasl_authenticated reject_non_fqdn_recipient
    reject_multi_recipient_bounce reject_unknown_recipient_domain
    reject_unauth_destination reject_unlisted_recipient permit_mx_backup
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks check_sender_access
    hash:$config_directory/accesslist reject_non_fqdn_sender
    reject_unknown_sender_domain reject_unlisted_sender
    hash:$config_directory/sender_access permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/STAR_eff_org.postfix.crt
smtpd_tls_key_file = /etc/ssl/STAR_eff_org.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
unknown_address_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 450
unverified_sender_reject_code = 550
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = hash:$config_directory/virtual.dearaol.com,
    hash:$config_directory/virtual.ourvotelive.org,
    hash:$config_directory/virtual.stopthespying.org,
    hash:$config_directory/virtual.soundcopyright.eu

Thanks for any help you might be able to provide.

- Stu