From: Peter Evans on 4 Aug 2010 22:33

I have an experiment I would like to perform but I am uncertain
how to do it without breaking everything else.

I would like to direct all mail from places with no reverse dns into
a big bit-bucket. Obviously something like 95% of those mails would be
going to a bogus address.

Would:

header_checks = regexp:/etc/postfix/unknown_catcher

/^Received: unknown/
    REDIRECT bitbucket(a)domain.com

Be the most effective way to catch these? I have a sneaking feeling it
would trip up on multiple Received: lines as legitimate mail comes out
of corpulent networks.

P

From: Ralf Hildebrandt on 5 Aug 2010 03:46

* Peter Evans <peter(a)ixp.jp>:

> I would like to direct all mail from places with no reverse dns into
> a big bit-bucket. Obviously something like 95% of those mails would be
> going to a bogus address.

reject_unknown_reverse_client_hostname

> Would:
>
> header_checks = regexp:/etc/postfix/unknown_catcher

Why header_checks?

> /^Received: unknown/
>     REDIRECT bitbucket(a)domain.com
>
> Be the most effective way to catch these? I have a sneaking feeling it
> would trip up on multiple Received: lines as legitimate mail comes out
> of corpulent networks.

These headers may also be inserted by other systems.

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt(a)charite.de | http://www.charite.de

From: Noel Jones on 5 Aug 2010 11:05

On 8/4/2010 9:33 PM, Peter Evans wrote:
>
> I have an experiment I would like to perform but I am uncertain
> how to do it without breaking everything else.
>
> I would like to direct all mail from places with no reverse dns into
> a big bit-bucket. Obviously something like 95% of those mails would be
> going to a bogus address.
>
> Would:
>
> header_checks = regexp:/etc/postfix/unknown_catcher
>
> /^Received: unknown/
>     REDIRECT bitbucket(a)domain.com
>
> Be the most effective way to catch these? I have a sneaking feeling it
> would trip up on multiple Received: lines as legitimate mail comes out
> of corpulent networks.

Well, as written above it wouldn't match anything... but the
concept is broken. It could trigger on headers from other
systems, machines from your local network, or from SASL
authenticated users. I can't think of a way to reliably
account for all the exceptions; header_checks is not a good
tool for this.

You could use a policy service that returns "REDIRECT
bitbucket(a)example.com" when rDNS == unknown. I expect postfwd
could do this pretty easily.

The policy service would need to be after any authorized relay
tests so it wouldn't catch local machines, something like:

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_policy_service ...rdns_bitbucket
    ... other restrictions ...

If you want the bitbucket to accept mail to invalid users, you
can use

    check_policy_service ...rdns_bitbucket
    reject_unlisted_recipient
    ... other restrictions ...

and set main.cf:

smtpd_reject_unlisted_recipient = no

have fun!

--
Noel Jones

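[Added example, not part of the original thread and not code from any poster or from postfwd: a minimal Postfix policy delegation service that answers REDIRECT when the reverse_client_name attribute is "unknown", as the reply above suggests. The listen address 127.0.0.1:10040, the address bitbucket@example.com and the sample requests are assumptions constructed for illustration.]

```python
import socketserver

BITBUCKET = "bitbucket@example.com"   # assumed spamtrap address (placeholder)
LISTEN = ("127.0.0.1", 10040)         # assumed listen address (placeholder)

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return the access(5) action for one parsed request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    # Postfix reports "unknown" when the client address has no PTR record.
    # A missing attribute is treated as "has rDNS" so mail is never trapped
    # because of an incomplete request.
    if attrs.get("reverse_client_name", "").lower() == "unknown":
        return "REDIRECT " + BITBUCKET
    return "DUNNO"   # no opinion: later restrictions decide

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        lines = []
        for raw in self.rfile:   # Postfix reuses one connection for many requests
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            action = decide(parse_request("\n".join(lines)))
            self.wfile.write(("action=%s\n\n" % action).encode())
            lines = []

# Constructed sample requests (192.0.2.0/24 is a documentation range).
SAMPLE_NO_PTR = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                 "client_address=192.0.2.1\nclient_name=unknown\n"
                 "reverse_client_name=unknown\nrecipient=user@example.com\n\n")
SAMPLE_WITH_PTR = SAMPLE_NO_PTR.replace("reverse_client_name=unknown",
                                        "reverse_client_name=mx.example.net")

if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(LISTEN, PolicyHandler) as srv:
        srv.serve_forever()
```

[Because the check keys on the connecting client's PTR lookup rather than on Received: header text, it is not affected by headers inserted by other systems. Placing it after permit_mynetworks and permit_sasl_authenticated, as in the restriction list above, keeps local and authenticated clients out of the trap.]
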
From: Peter Evans on 6 Aug 2010 21:54

On Thu, Aug 05, 2010 at 09:46:44AM +0200, Ralf Hildebrandt wrote:
> * Peter Evans <peter(a)ixp.jp>:
> > I would like to direct all mail from places with no reverse dns into
> > a big bit-bucket. Obviously something like 95% of those mails would be
> > going to a bogus address.
> reject_unknown_reverse_client_hostname

Ah, but I don't want reject_foo_bar_baz
I want redirect_unknown_reverse_client_hostname_to_spamtrap

Point about the header_checks noted. The moment after I sent that
I thought "I bet it munches them all and trips up over private networks."

Someone suggested a milter in email, thanks for that, I will give it
a try next week.

P