Ruleset questions

Glenn Steen glenn.steen at gmail.com
Thu Aug 14 10:02:15 IST 2008


2008/8/14 Richard Frovarp <Richard.Frovarp at sendit.nodak.edu>:
> Glenn Steen wrote:
>>
>> 2008/8/14 Richard Frovarp <Richard.Frovarp at sendit.nodak.edu>:
>>
>>>
>>> How would one go about blacklisting a From email address that did not
>>> come from a subnet? Email for this one address would only come
>>> legitimately from one of my subnets. Everything else should be thrown
>>> away.
>>> What would be the best way to accomplish this?
>>>
>>> Thanks,
>>> Richard
>>>
>>
>> Apart from SPF, which I'm sure one could use to reject fakers, one
>> could do as I do in postfix... I simply reject all faked senders (we
>> only allow internal senders for our domain, exactly as you would
>> like to do it)... A simple access map restriction on the sender...
>> something like "smtpd_sender_restrictions
>> permit_mynetworks,check_access regexp:/path/to/accessfile ... How one
>> would do it with other MTAs... I do not know... Should be possible
>> though:-).
>>
>> Cheers
>>
>
> SPF wouldn't do it. SPF would only check the envelope from. We are concerned
> about the displayed from. And in particular of only one of our accounts.

Ah. Well, the same goes for my little thing. I think you'll have to
look at some SA rule creation, it is the best tool for the job.
MailScanner rulesets are out of the question too, since they only
operate on the envelope info too. Same for BLs and such.
So SA it is.

> We run sendmail. However, how does your system handle mail from other
> systems claiming to be from your users? Like say this mailing list?
Pure and simple... REJECT;-).
This works since the mailing list doesn't try to forge the envelope info,
of course. The few "greeting card" type things that actually (very
naively) do such things are rejected... and if they care, will soon
notice the relative idiocy of doing something like that.
When I set this up, SPF wasn't that well spread (meaning I didn't know
about it... Was "some" years ago...:-), and ... well... "if it works,
don't fix it"... So I'm sticking with it. It's very cheap,
resource-wise, so I've never seen any reason to change it.

> Richard

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
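The SpamAssassin rule Glenn points to, written out as an added example (it is not from the original mail or from the MailScanner project). It scores a message whose header From: carries one protected local address when the message did not arrive entirely through your own networks, which is the "displayed From, not envelope from" case Richard asked about. The address ceo@example.com and the 192.0.2.0/24 network are placeholders; substitute the real account and your subnets. ALL_TRUSTED is a stock SpamAssassin rule that fires only when every Received: hop is inside trusted_networks, so the whole check stands or falls on that setting being correct.

```spamassassin
# /etc/mail/spamassassin/local.cf (or a MailScanner site rules file)
#
# Added example: declare the networks from which the protected account
# may legitimately send. 192.0.2.0/24 is a placeholder; list your own.
trusted_networks 192.0.2.0/24

# Sub-rule (leading "__" means it never scores on its own): the header
# From: address is exactly the protected account. "From:addr" makes
# SpamAssassin compare the bare address, ignoring the display name.
header   __LOCAL_PROTECTED_FROM   From:addr =~ /^ceo\@example\.com$/i

# Meta rule: protected address in the header From:, but at least one
# Received: hop lies outside trusted_networks, so ALL_TRUSTED did not fire.
meta     LOCAL_PROTECTED_FROM_FORGED   (__LOCAL_PROTECTED_FROM && !ALL_TRUSTED)
describe LOCAL_PROTECTED_FROM_FORGED   Header From: claims protected local user but mail did not originate on our networks
score    LOCAL_PROTECTED_FROM_FORGED   10.0
```

Two caveats a practitioner will want. First, this is exactly as strict as Glenn's Postfix rejection: a mailing list that redistributes a genuine post from that account keeps the original From: but adds an outside Received: hop, so the rule fires on it too; if that is unacceptable, add a sub-rule matching the list's own headers and AND its negation into the meta rule. Second, trusted_networks must include every hop the real account's mail passes through before reaching the scanner (including your own border MTAs), otherwise legitimate internal mail will be scored as forged.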