>So, what I don't understand is how *you* enforce your "I don't accept
>mail from @hotmail.com that comes from MTAs in AOL.COM" rule. Are you
>doing this with a custom script? Or some other postfix facility?
>
>Or did I misunderstand what you said you are doing?

There are two different filters:

1. the from_senders_bogus.map had domains that monkeys.com has qualified as
having matching A + PTR records, so any MTA sending MAIL FROM those domains
must have matching A + PTR records, or reject. That's in basic IMGate. It
depends on monkey's work and postfix's "special" interpretation of
reject_unknown_client when used per-domain, but it's still single-criteria.

2. Using restriction classes, it's possible to get two_criteria filtering,
such as

"if helo hostname is aol.com, then PTR hostname must have aol.com"
"if sender_domain is aol.com, then helo hostname must have aol.com"
"if PTR is aol.com, then sender domain must have aol.com"

The 2. filtering is something I've come up with in the last week, based on
various postfix list discussions and some postfix how-to sites, for the
IMGate advanced config. Since the new restriction is "cheap" to check (no
DNS queries or SMTP work (SAV/RAV)), I put it early in my smtpd
restrictions, and it gets amazing numbers at a particularly horribly abused
ISP (93% rejects on weekends):

1 SMTP Exceeded Hard Error Limit after CONNECT
3 ACL mta_header_checks
5 Other
7 ACL [EMAIL PROTECTED]
8 ACL unauthorized relay
9 SMTP invalid [EMAIL PROTECTED]
20 ACL [EMAIL PROTECTED]
23 SMTP Exceeded Hard Error Limit after MAIL
30 SMTP unauthorized pipelining
30 ACL from_senders_slet
34 ACL helo_hostnames
38 SMTP invalid [EMAIL PROTECTED]
53 ACL from_senders_secsag
54 ACL RAV: new verification
58 ACL HTML obfuscation
59 ACL invalid helo hostname
66 ACL bogon network header
79 SMTP Exceeded Hard Error Limit after END-OF-MESSAGE
93 ACL mta_clients_regex
99 ACL mta_clients_helo
101 ACL RAV: unverifiable recipient address
123 ACL from_senders_black
125 DNS no A/MX for @recipient.domain
134 ACL mta_clients_sav
379 ACL from_senders_regexp
411 ACL mta_clients_conn
513 DNS timeout for MTA PTR hostname (forged @sender.domain)
529 ACL mta_clients_spamdomins
587 DNS nxdomain for MTA PTR hostname (forged @sender.domain)
667 ACL body checks
1009 ACL from_senders_imgfx
1043 ACL PTR and HELO hostnames mismatch (forged)! <<<<<<<
1045 ACL major ISP domain sending forged @sender.domain <<<<<<<<
1131 ACL SAV: new verification in progress
1570 ACL header checks
1574 ACL from_senders_bw
2107 RBL spamdomains.blackholes.easynet.nl
2146 ACL unqualified helo hostname
3082 DNS no A/MX for @sender.domain
7282 ACL SAV: unverifiable sender address
11180 ACL mta_clients_subscriber network
11282 ACL SAV: undeliverable sender address
15257 ACL helo hostname contains an IP
15336 ACL mta_clients_dict
16816 SMTP Exceeded Hard Error Limit after DATA
17613 ACL RAV: undeliverable recipient address
20073 ACL forged sender domain of major ISP <<<<<<<<<<<<
20237 ACL mta_clients_bw
28888 SMTP Exceeded Hard Error Limit after RCPT
183009 TOTAL
Len
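
The three two-criteria rules quoted in the message above, modeled in Python as an added example; this is not IMGate or Postfix code and does not come from the message's author. The protected-domain list, the function names, the sample sessions and the null-sender exemption are assumptions made for illustration.

```python
# Added example: models the three quoted two-criteria rules outside Postfix.
PROTECTED = ("aol.com",)  # assumption: domains the operator has chosen to pin


def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it (label boundary)."""
    name = (name or "").lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def sender_domain(mail_from):
    """Domain part of an envelope sender; '' for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    return addr.rpartition("@")[2] if "@" in addr else ""


def check_session(helo, ptr, mail_from, protected=PROTECTED):
    """Return (action, reason) for one session.

    helo: HELO/EHLO argument; ptr: client hostname from reverse DNS, or
    None / 'unknown' when the lookup failed; mail_from: envelope sender.
    """
    sdom = sender_domain(mail_from)
    for d in protected:
        if in_domain(helo, d) and not in_domain(ptr, d):
            return "REJECT", f"HELO claims {d} but PTR hostname does not"
        if in_domain(sdom, d) and not in_domain(helo, d):
            return "REJECT", f"sender claims {d} but HELO hostname does not"
        # Assumption: the null sender (bounces) is exempt from the third rule.
        if sdom and in_domain(ptr, d) and not in_domain(sdom, d):
            return "REJECT", f"PTR hostname is {d} but sender domain is not"
    return "DUNNO", "no two-criteria rule matched"


# Constructed sample sessions: (HELO, PTR hostname, MAIL FROM)
SESSIONS = [
    ("mx1.aol.com", "mx1.aol.com", "<user@aol.com>"),
    ("aol.com", "host-203-0-113-7.example.net", "<user@aol.com>"),
    ("mail.example.net", "mail.example.net", "<user@AOL.COM>"),
    ("mx1.aol.com", "mx1.aol.com", "<promo@example.org>"),
    ("mail.notaol.com", "mail.notaol.com", "<x@notaol.com>"),
    ("mx1.aol.com", "mx1.aol.com", "<>"),
    ("aol.com", None, "<user@aol.com>"),
]

if __name__ == "__main__":
    for helo, ptr, mail_from in SESSIONS:
        print(helo, ptr, mail_from, "->", *check_session(helo, ptr, mail_from))
```

Matching on a label boundary keeps a lookalike such as notaol.com from being treated as aol.com, and a failed PTR lookup counts as "not in the domain", so a session that claims the protected domain in HELO without resolvable reverse DNS is rejected by the first rule.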