Blocking emails that claim to come from our

Glenn Steen glenn.steen at GMAIL.COM
Wed Dec 7 11:50:44 GMT 2005


    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

On 07/12/05, Drew Marshall <drew at themarshalls.co.uk> wrote:
> On Wed, December 7, 2005 10:43, Glenn Steen wrote:
> > On 07/12/05, Erick Perez <eaperezh at gmail.com> wrote:
> >> what about MS and postfix?
> >> where do i implement that?
> >>
> > I'm at home on sick-leave (hopfully, just today....), so this is
> > entirely from memory (and that is a bit flaky at best:-)...
>
> Get well soon!
>
> > As said, I apply a restriktion on helo and on senders so this might
> > look something like (in main.cf "#" inserted to show where the lines
> > are (wrapping))
> > #
> > smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname,
> > reject_non_fqdn_hostname, check_helo_access
> > hash:/path/to/access_map/file
> > #
> > smtpd_helo_restrictions = permit_mynetworks,  check_sender_access
> > hash:/path/to/access_map/file
> > #
> > And in the map file, you have a line rejecting your own domain...
> > something like
> > yourdomain.tld REJECT You are not me...
> >
> > Then couple that with the recipient maps check (for valid recipients),
> > and then you can only receive mail from non-spoofing senders to valid
> > recipients (that part is described well in the MailScanner wiki). You
> > can, of course, couple these restrictions with any restrictions you
> > feel are necessary ("man 5 postconf" is a good place to see exactly
> > what settings you have available)
>
> The only thing I would add is that sometimes helo rejection can be too
> harsh (There are loads of Exchange boxes that have strange AD domains
> setup due to AD getting confused over internal and external DNS and end up
> heloing with something like exchange.domain.internal which will be
> rejected with 'reject_invalid_hostname') so you might chose to add
> 'warn_if_reject' in front so you just log these and take a view on
> rejection based on your hits (Like your best customer won't be rejected
> for example!).
>
> Drew
>

Ah yes.... "The mighty buck" forcing "shoddy" behaviour onto the world.
Sure, I take a somewhat harsh attitude to this, but really... If we
don't reject them, how will they ever know they're in the wrong?!
Luckily for me, I've got my PHB "onboard"(:-)... He's sensitive to
arguments about standards compliance, for some reason.
Admittedly, the very few rejections from this that "should have gone
through" are from laces that simply don't monitor their systems enough
to ... take the hint.
OTOH, I've had 0 (zero) complaints from users about missing mails,
so.... It all depends on ones situation, I guess.
Most rejections don't come from HELOing with an invalid name though,
but from HELOing with a non-FQDN. Don't have the numbers, since I'm at
home:-).
Anyway, the gist of the matter is the anti-spoof thing.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!



More information about the MailScanner mailing list