From: Ruben Safir on
On Tue, Feb 23, 2010 at 08:23:11PM -0600, Noel Jones wrote:
> On 2/23/2010 7:35 PM, Ruben Safir wrote:
> >On Wed, Feb 24, 2010 at 01:41:00AM +0100, Steve wrote:
> >>
> >>-------- Original Message --------
> >>>Date: Tue, 23 Feb 2010 19:32:25 -0500
> >>>From: Ruben Safir<ruben(a)mrbrklyn.com>
> >>>To: postfix-users(a)postfix.org
> >>>Subject: restricting acceptence of mail users except from local network
> >>
> >>>How do I get postfix to reject mails "From" my own domains coming from
> >>>outside the local network?
> >>>
> >>If all your users are authenticating when sending mails you could use something like "reject_sender_login_mismatch" to reject those senders (from inside or outside) that use your domains but have not authenticated.
> >>
> >
> >smtpd_recipient_restrictions =
> >permit_mynetworks,reject_unauth_destination, reject_rbl_client
> >zen.spamhaus.org
> >
> >Will that do it?
> >
> >Ruben
> >
>
> While spamhaus is likely to block the majority of spam aimed at your
> server, it won't specifically reject mail claiming to be from your
> domain that isn't.
>


I didn't think it would. Different issue.

I want the mail to flatly deny any mail from any of my domains unless
it arrives from my local network on eth1 which is a 10.0.0.0 block
with hostnames given by my dhcpd server, or from the mailserver itself.
I want it to flatly reject mail claiming to be from my domains from
anywhere else.


> If spamhaus doesn't block "enough" of the spam, you can tell postfix
> to reject mail claiming to be from unknown local sender addresses.
> Set in main.cf:
> smtpd_reject_unlisted_sender = yes
>
> or you can add a check_sender_access map to specifically reject your
> domain when mail isn't local.
>

If it is not from my local network, it is not legitimate mail if it
is using my domain. I can not service or receive mail addressed From
mrbrklyn.com that isn't coming from my local network. It is 100% of the
time always wrong. I know that panix allows me to send mail from my
local network to the panix mail servers for later relay, using
authentication, or maybe pop. I don't want this functionality. If it
is not coming from our servers or hosts, it's not us and I want to
summarily reject such mail.


> # WARNING this is likely to reject "some" legit mail
> # main.cf
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     reject_unauth_destination
>     check_sender_access hash:/etc/postfix/sender_access
>     reject_rbl_client zen.spamhaus.org
>
> # /etc/postfix/sender_access
> example.com REJECT only for internal use
>
> to activate these changes you'll need to run
> # postmap sender_access
> # postfix reload
>



> -- Noel Jones

--
http://www.mrbrklyn.com - Interesting Stuff
http://www.nylxs.com - Leadership Development in Free Software
"The tremendous problem we face is that we are becoming sharecroppers to our own cultural heritage -- we need the ability to participate in our own society."
Copyright for the Digital Millennium

From: LuKreme on
On 23-Feb-10 20:48, Ruben Safir wrote:
> This is getting philosophical and I just don't care. Mail From our domain
> has to originate from OUR domain. No exceptions.

Then you've already been given the solution by Noel.

--
Bite me, suck me, show me you care

From: Ruben Safir on
On Tue, Feb 23, 2010 at 08:52:00PM -0700, LuKreme wrote:
> On 23-Feb-10 20:48, Ruben Safir wrote:
> >This is getting philosophical and I just don't care. Mail From our domain
> >has to originate from OUR domain. No exceptions.
>
> Then you've already been given the solution by Noel.
>


Thanks
> --
> Bite me, suck me, show me you care


Hah - think I'll pass :)

From: Ruben Safir on
On Tue, Feb 23, 2010 at 08:23:11PM -0600, Noel Jones wrote:
> On 2/23/2010 7:35 PM, Ruben Safir wrote:
> >On Wed, Feb 24, 2010 at 01:41:00AM +0100, Steve wrote:
> >>
> >>-------- Original Message --------
> >>>Date: Tue, 23 Feb 2010 19:32:25 -0500
> >>>From: Ruben Safir<ruben(a)mrbrklyn.com>
> >>>To: postfix-users(a)postfix.org
> >>>Subject: restricting acceptence of mail users except from local network
> >>
> >>>How do I get postfix to reject mails "From" my own domains coming from
> >>>outside the local network?
> >>>
> >>If all your users are authenticating when sending mails you could use something like "reject_sender_login_mismatch" to reject those senders (from inside or outside) that use your domains but have not authenticated.
> >>


Any way to restrict the From: header to the local domain as well as the
From<whitespace> header

It seems that Majordomo will accept the mail if the From: is different
than the From

From mrbrklyn(a)panix.com

From: ruben(a)mrbrklyn.com

I'd like to reject it at the mail server if either is spoofed and it is
not originating from my local hosts on the internal network.

Ruben

> >
> >smtpd_recipient_restrictions =
> >permit_mynetworks,reject_unauth_destination, reject_rbl_client
> >zen.spamhaus.org
> >
> >Will that do it?
> >
> >Ruben
> >
>
> While spamhaus is likely to block the majority of spam aimed at your
> server, it won't specifically reject mail claiming to be from your
> domain that isn't.
>
> If spamhaus doesn't block "enough" of the spam, you can tell postfix
> to reject mail claiming to be from unknown local sender addresses.
> Set in main.cf:
> smtpd_reject_unlisted_sender = yes
>
> or you can add a check_sender_access map to specifically reject your
> domain when mail isn't local.
>
> # WARNING this is likely to reject "some" legit mail
> # main.cf
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     reject_unauth_destination
>     check_sender_access hash:/etc/postfix/sender_access
>     reject_rbl_client zen.spamhaus.org
>
> # /etc/postfix/sender_access
> example.com REJECT only for internal use
>
> to activate these changes you'll need to run
> # postmap sender_access
> # postfix reload
>
> -- Noel Jones

--
http://www.mrbrklyn.com - Interesting Stuff
http://www.nylxs.com - Leadership Development in Free Software

From: Ruben Safir on
>
> Any way to restrict the From: header to the local domain as well as the
> From<whitespace> header
>
> It seems that Majordomo will accept the mail if the From: is different
> than the From
>
> >From mrbrklyn(a)panix.com
>
> From: ruben(a)mrbrklyn.com
>
> I'd like to reject it at the mail server if either is spoofed and it is
> not originating from my local hosts on the internal network.
>


Actually, thinking about this, that might not be a good idea and I doubt it
is even in the envelope.

Ruben

> Ruben
>
> > >
> > >smtpd_recipient_restrictions =
> > >permit_mynetworks,reject_unauth_destination, reject_rbl_client
> > >zen.spamhaus.org
> > >
> > >Will that do it?
> > >
> > >Ruben
> > >
> >
> > While spamhaus is likely to block the majority of spam aimed at your
> > server, it won't specifically reject mail claiming to be from your
> > domain that isn't.
> >
> > If spamhaus doesn't block "enough" of the spam, you can tell postfix
> > to reject mail claiming to be from unknown local sender addresses.
> > Set in main.cf:
> > smtpd_reject_unlisted_sender = yes
> >
> > or you can add a check_sender_access map to specifically reject your
> > domain when mail isn't local.
> >
> > # WARNING this is likely to reject "some" legit mail
> > # main.cf
> > smtpd_recipient_restrictions =
> >     permit_mynetworks
> >     reject_unauth_destination
> >     check_sender_access hash:/etc/postfix/sender_access
> >     reject_rbl_client zen.spamhaus.org
> >
> > # /etc/postfix/sender_access
> > example.com REJECT only for internal use
> >
> > to activate these changes you'll need to run
> > # postmap sender_access
> > # postfix reload
> >
> > -- Noel Jones
>
> --
> http://www.mrbrklyn.com - Interesting Stuff
> http://www.nylxs.com - Leadership Development in Free Software

--
http://www.mrbrklyn.com - Interesting Stuff
http://www.nylxs.com - Leadership Development in Free Software

So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998

http://fairuse.nylxs.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002

"Yeah - I write Free Software...so SUE ME"

"The tremendous problem we face is that we are becoming sharecroppers to our own cultural heritage -- we need the ability to participate in our own society."

"> I'm an engineer. I choose the best tool for the job, politics be damned.<
You must be a stupid engineer then, because politics and technology have been attached at the hip since the 1st dynasty in Ancient Egypt. I guess you missed that one."

Copyright for the Digital Millennium
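
The restriction list quoted in this thread, modelled as an added Python example (not code from the thread or from Postfix) to show which client/sender combinations it rejects and that only the envelope sender is consulted, never the From: header. Assumptions: `10.0.0.0/8` and loopback as mynetworks, `example.com` as the only local domain, documentation addresses as outside clients, and a simplified access(5) lookup order; the DNSBL step is not modelled.

```python
import ipaddress

# Constructed sample settings (assumptions, not values taken from the thread).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]
LOCAL_DOMAINS = {"example.com"}  # domains this server accepts mail for
SENDER_ACCESS = {"example.com": "REJECT only for internal use"}  # the map file


def sender_access_lookup(sender):
    """Simplified access(5) order: user@domain, domain, then parent domains."""
    domain = sender.rpartition("@")[2].lower()
    labels = domain.split(".")
    keys = [sender.lower(), domain]
    keys += [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    for key in keys:
        if key in SENDER_ACCESS:
            return SENDER_ACCESS[key]
    return None


def evaluate(client_ip, mail_from, rcpt_to, header_from=None):
    """Walk the list in order; the first decisive restriction wins.

    header_from is accepted only to show that no step ever reads it.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MYNETWORKS):  # permit_mynetworks
        return "permit_mynetworks: OK"
    if rcpt_to.rpartition("@")[2].lower() not in LOCAL_DOMAINS:
        return "reject_unauth_destination: REJECT"  # simplified relay check
    action = sender_access_lookup(mail_from)  # check_sender_access
    if action and action.startswith("REJECT"):
        return "check_sender_access: " + action
    return "accepted (DNSBL check not modelled)"


if __name__ == "__main__":
    cases = [  # constructed test sessions
        ("10.0.0.5", "ruben@example.com", "list@example.com", None),
        ("203.0.113.7", "ruben@example.com", "list@example.com", None),
        ("203.0.113.7", "x@example.net", "list@example.com", "ruben@example.com"),
    ]
    for case in cases:
        print(case, "->", evaluate(*case))
```

The third case is the one raised at the end of the thread: an outside client with a foreign envelope sender and a local From: header passes this list, because the map is keyed on the envelope sender only.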
