Postfix header check to reject certain senders

Glenn Steen glenn.steen at gmail.com
Tue Jul 17 16:19:44 IST 2007


On 17/07/07, Gareth <list-mailscanner at linguaphone.com> wrote:
> On Tue, 2007-07-17 at 14:05, Glenn Steen wrote:
> > On 17/07/07, Gareth <list-mailscanner at linguaphone.com> wrote:
> > > On Tue, 2007-07-17 at 12:55, Glenn Steen wrote:
> > > > On 17/07/07, Gareth <list-mailscanner at linguaphone.com> wrote:
> > > > > A bit off topic but you are normally a friendly bunch :)
> > > > >
> > > > > I am trying to get postfix () to reject mail from certain senders rather
> > > > > than accept and then delete it in mailscanner.
> > > > >
> > > > > One such mail has the following in the headers:-
> > > > > From: root at adsl.linguaphone.com
> > > > > To: root at adsl.linguaphone.com
> > > > > Subject: adsl.linguaphone.com security run output
> > > > >
> > > > > I have my postfix header checks set to use regexp matching and the file
> > > > > contains :-
> > > > >
> > > > > /^From:.*\@adsl\.linguaphone\,com/                      REJECT Sender address blacklisted.
> > > > > /^Received:/ HOLD
> > > > >
> > > > > The problem is that the mail I am trying to block is not being rejected.
> > > > > All mail is being put in the hold queue and Mailscanner working
> > > > > correctly so header checks are working.
> > > > > Have I done something wrong with the syntax?
> > > > >
> > > > Look at rejecting the _envelope_ sender instead. That From: is
> > > > probably spoofed to high heaven:-).
> > > >
> > > > Also, this should be done in the access map instead.
> > > > ... Then again, I'm on vacation, so the brain might be slightly turned
> > > > off (more than usual, that is:-).
> > >
> > > ok I added :-
> > > smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
> > >
> > > then added the following line to the access file :-
> > > adsl.linguaphone.com                      REJECT Sender address blacklisted.
> > >
> > > I then used postmap and restarted postfix but the mail is still being
> > > accepted. I configured a copy of outlook with that email address for
> > > testing purposes.
> > >
> > > Any ideas?
> > >
> > Ok, might be your (postfix, implicit) trust rules taking effect before
> > the access rule (permit_mynetworks ...). See to it that the client
> > machine isn't part of that trust.
> >
>
> I thought it would be easier to ssh into my home machine and then test
> it using telnet from there :-
>
> 220 mailscanner.linguaphone-intranet.co.uk ESMTP Postfix
> HELO gbhome
> 250 mailscanner.linguaphone-intranet.co.uk
> MAIL FROM: test at adsl.linguaphone.com
> 250 2.1.0 Ok
> RCPT TO: test at cdlive.co.uk
> 250 2.1.5 Ok
> DATA
> 354 End data with <CR><LF>.<CR><LF>
> test
> .
> 250 2.0.0 Ok: queued as 0E128AA0123
>
> still not working for some reason. Thanks for your help so far.
>
Hm, that should've worked.... Wait and I'll check how I've set this up
at work (I have an access file named deny_domain_spoof (could've named
it ... whatever:-), which basically denies anyone from the outside from
pretending to be me/my servers... Those I let through via the
permit_mynetworks setting preceding the access map instruction. I have
this set on helo_restrictions (check_helo_access hash:/...) and on
sender_access (check_sender_restrictions hash:...) respectively... but
client should be OK too (unless I'm totally on vacation:-).
Just a moment while I invoke the SSL--X magic word...
Nah, as said, these are the relevant lines for that (I have a load of
others (as usual) on recipients too:-):

smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/deny_domain_spoof
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/deny_domain_spoof

... and that file basically looks like:
dt2116.ap1.se OK
ap1.se REJECT
172.18.3.60 REJECT
194.14.216.2 REJECT
127.0.0.1 REJECT
... where the first is a testbox (needs to get through this, without
being part of mynetworks) and the rest are things that I've seen
spammers try to use. Rejects quite a lot of crap:-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
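Added example, not part of the thread and not Postfix's own code: a small Python emulation of the two lookup mechanisms the thread hinges on. First, header_checks regexp matching: the pattern quoted at the top of the thread escapes a comma (`\,`) where a dot (`\.`) was intended, so it can never match `From: root@adsl.linguaphone.com`, whatever else is configured. Second, the access(5) key order: a sender address is looked up as user@domain, then the domain, then its parent domains (the default `parent_domain_matches_subdomains` includes `smtpd_access_maps`), then user@; a client is looked up by hostname and its parents, then by IPv4 address and shorter prefixes. That is why a sender domain placed in a `check_client_access` map never fires on MAIL FROM, while the same key works under `check_sender_access`, and why the `dt2116.ap1.se OK` entry in the posted map takes effect ahead of `ap1.se REJECT`. The client hostname `gbhome.example.net` and address `192.0.2.10` are constructed values; the sample header and map contents are taken from the thread.

```python
"""Added example: emulate Postfix header_checks regexp matching and the
access(5) lookup key order. Not Postfix code; see the lead-in for the
semantics being modelled (default parent_domain_matches_subdomains)."""
import re

# Constructed sample header, modelled on the one quoted in the thread.
SAMPLE_HEADER = "From: root@adsl.linguaphone.com"
POSTED_PATTERN = r"^From:.*\@adsl\.linguaphone\,com"   # as posted: \, matches a literal comma
FIXED_PATTERN = r"^From:.*\@adsl\.linguaphone\.com"    # corrected: \. matches a literal dot


def header_check(pattern, header):
    """header_checks regexp tables match case-insensitively by default."""
    return re.search(pattern, header, re.IGNORECASE) is not None


def domain_lookup_keys(domain):
    """The domain itself, then each parent domain down to the top-level label."""
    labels = domain.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def sender_lookup_keys(address):
    """Keys tried, in order, for a check_sender_access lookup."""
    address = address.lower()
    local, _, domain = address.rpartition("@")
    return [address] + domain_lookup_keys(domain) + [local + "@"]


def client_lookup_keys(hostname, ip):
    """Keys tried for a check_client_access lookup: hostname and its parents,
    then the IPv4 address and progressively shorter network prefixes."""
    octets = ip.split(".")
    prefixes = [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return domain_lookup_keys(hostname) + prefixes


def access_lookup(table, keys):
    """First key present in the map wins; returns (matched_key, action)."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None, None


# The map from the first attempt in the thread, wired into check_client_access.
CLIENT_MAP = {"adsl.linguaphone.com": "REJECT Sender address blacklisted."}

# The deny_domain_spoof map from the end of the thread.
SPOOF_MAP = {
    "dt2116.ap1.se": "OK",
    "ap1.se": "REJECT",
    "172.18.3.60": "REJECT",
    "194.14.216.2": "REJECT",
    "127.0.0.1": "REJECT",
}

if __name__ == "__main__":
    print(header_check(POSTED_PATTERN, SAMPLE_HEADER))  # False: the \, never matches
    print(header_check(FIXED_PATTERN, SAMPLE_HEADER))   # True
    # Constructed client; a sender-domain key is never consulted for a client lookup.
    print(access_lookup(CLIENT_MAP, client_lookup_keys("gbhome.example.net", "192.0.2.10")))  # (None, None)
    print(access_lookup(CLIENT_MAP, sender_lookup_keys("test@adsl.linguaphone.com")))
    print(access_lookup(SPOOF_MAP, sender_lookup_keys("root@dt2116.ap1.se")))  # whitelisted test box
    print(access_lookup(SPOOF_MAP, sender_lookup_keys("root@mail.ap1.se")))    # caught by parent key
```

Run it and the first two lines show the header check failing as posted and passing with the dot escaped; the client lookup returns no match even though the map key equals the sender's domain; the spoof map accepts the test box because its exact hostname is found before the parent `ap1.se` key is tried.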


More information about the MailScanner mailing list