Noel Jones wrote:
> Roman Medina-Heigl Hernandez wrote:
>> Hello,
>>
>> Spammers often send (forged) mail where "mail from" address is the same as
>> "rcpt to" address. An extension of that could be using a "mail from"
>> address where src domain is one of our valid virtual domains. I can only
>> think of 3 cases:
>> 1) Src IP is 127.0.0.1 -> Mail should pass (eg: sent by webmail, installed
>> on the same MTA host).
>> 2) Authenticated sender -> Legit users authenticated by SASL -> Should pass
>> 3) All the rest -> Should be rejected (SPAM) (assuming a simple single-MTA
>> config, where MX -receiving mail server- is the same as MTA -outbound
>> sending mail server-)
>>
>> Which is the best/preferred Postfix config to filter out that kind of spam?
>>
>> I have all my valid domains in:
>> virtual_mailbox_domains     = hash:/etc/postfix/vdomain
>>
>> The current format of /etc/postfix/vdomain is:
>> domain1          whatever
>> domain2          whatever
>>
>> So perhaps I could do something like:
>> smtpd_sender_restrictions =
>> smtpd_recipient_restrictions =
>>    permit_mynetworks,
>>    reject_unauth_destination,
>>    XXXXX,
>>    permit
>>
>> where XXXX could be some kind of "check_sender_access" clause, rejecting
>> domains listed in $virtual_mailbox_domains. How could I implement this? Is
>> there any other preferred solution?
> 
> Yes, you can use a map for this;
>     XXXX above =
>   check_sender_access hash:/etc/postfix/mydomains
> 
> # mydomains
> example.com  REJECT inside sender not allowed
> example.net  REJECT inside sender not allowed
> ...

So there is no other way to do this without having to "duplicate" the
same/similar hash file (/etc/postfix/vdomain and /etc/postfix/mydomains). I
thought perhaps there could exist some directive of the form:
reject_mydestination_domain_sender or something similar to avoid
duplicating domain databases ;-)

> Note this will reject some legit mail.  Spamassassin is probably a

Could you elaborate on those legit mail cases? Examples? It's very important
for me and I couldn't figure out any legit cases (apart from the ones I already
mentioned).

> better choice for filtering this type mail.

If I use spamassassin for this, I have to supply my vdomains to
spamassassin. Currently, I implemented a quick hack in Amavis, so all
domains are treated as local:
@local_domains_acl = qw( . );
My Amavis/spamassassin setup is not filtering at all; it is only used for
marking/scoring (adding headers to) mails (filtering is performed via
Sieve, based on X-Spam-*/X-Amavis-* Headers).

> http://www.openspf.org/

As I said, SPF is planned for the next stage, and I'll have a look at
different resources (thanks for your notes!!).

Regards,
-Roman
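
One way to avoid hand-maintaining two domain lists, as an added example that is not part of the original thread or of Postfix itself: generate the check_sender_access map from the existing virtual_mailbox_domains source file. The function names gen_sender_reject_map and rebuild_sender_map are hypothetical; the file paths and the REJECT text are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: build /etc/postfix/mydomains from /etc/postfix/vdomain so the
# domain list is maintained in one place only.
# In main.cf the check_sender_access entry has to sit after permit_mynetworks
# and permit_sasl_authenticated, so that cases 1 and 2 from the thread are
# accepted before the sender-domain check is reached.

# gen_sender_reject_map SRC
# Reads a Postfix table source ("key  value" per line) and prints one
# "domain<TAB>REJECT ..." line per distinct key, lowercased.
gen_sender_reject_map() {
    awk '
        /^[ \t]*$/ { next }   # empty or whitespace-only line
        /^#/       { next }   # comment
        /^[ \t]/   { next }   # continuation line or indented comment: no key
        {
            key = tolower($1)
            if (!(key in seen)) {
                seen[key] = 1
                print key "\tREJECT inside sender not allowed"
            }
        }
    ' "$1"
}

# rebuild_sender_map SRC DST
# Writes DST via a temp file and mv, and refuses to install an empty map
# (an empty map would silently switch the check off).
rebuild_sender_map() {
    src=$1 dst=$2
    tmp=$(mktemp "${dst}.XXXXXX") || return 1
    if gen_sender_reject_map "$src" > "$tmp" && [ -s "$tmp" ]; then
        chmod 644 "$tmp"      # mktemp creates the file with mode 0600
        mv "$tmp" "$dst"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Typical use on the MTA host, as root, whenever vdomain changes:
#   rebuild_sender_map /etc/postfix/vdomain /etc/postfix/mydomains \
#       && postmap hash:/etc/postfix/mydomains
```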
