On Wed June 24 2009 18:21:19 Stuart Matthews wrote:
> I am the systems administrator for the Electronic Frontier
> Foundation. I have been having a problem with getting spam that has a

And I talked to you yesterday in IRC.

> from of, for example, t...@eff.org (which is a valid email address).
> I would like my mail server to not accept mail that says it is from
> @eff.org unless it is sent via an authenticated end user, or unless
> it is mail generated by the mail server itself. Essentially, in
> pseudo-code, what I want is:
>
> if ((from == *...@eff.org) and ((sending mail server != mail1.eff.org)
> or (sent using SMTP auth))) then REJECT
>
> I have already tried editing /usr/local/etc/postfix/access, adding:
> eff.org REJECT you can't send mail as me!
> And of course I ran postmap after this. I have also tried using the
> setting that rejects mail that says HELO eff.org.
>
> Neither worked.
>
> I should also point out that, at least for now, this is the ONLY type
> of mail that I want to explicitly block. At this time I am not able
> to do a spam assassin install or reject via black lists due to our
> current spam policy.
>
> Here is my postconf -n output:

I'm leaving in only the relevant settings below.

> smtpd_client_restrictions = permit_mynetworks reject_unknown_client
> check_client_access hash:$config_directory/accesslist permit
> smtpd_helo_restrictions = permit_mynetworks check_helo_access
> hash:$config_directory/restrict_helo check_helo_access
> hash:$config_directory/accesslist reject_invalid_hostname permit
> smtpd_recipient_restrictions = permit_mynetworks
> permit_sasl_authenticated reject_non_fqdn_recipient
> reject_multi_recipient_bounce reject_unknown_recipient_domain
> reject_unauth_destination reject_unlisted_recipient
> permit_mx_backup permit
> smtpd_sender_restrictions = permit_mynetworks check_sender_access
> hash:$config_directory/accesslist reject_non_fqdn_sender
> reject_unknown_sender_domain reject_unlisted_sender
> hash:$config_directory/sender_access permit

Many users (well, I am one of them) find it easier to consolidate all
smtpd restrictions into a single stage. The logical choice for such
consolidation would be smtpd_recipient_restrictions, because that's the
only required stage.

Since you did not include logs with your post we can only guess, but
best guess would be that you're not doing this in your two
check_sender_access lookups. Either accesslist or sender_access should
contain your blocking rule, and should be preceded by
permit_sasl_authenticated, else you will block your own authenticating
senders.

Multiple use of the same lookup can lead to undesired results. What is
looked up for a check_sender_access differs from check_*_access (other
access(5) lookups.) You should really understand access.5.html well.

You mentioned a /usr/local/etc/postfix/access file above, yet the
postconf output has no evidence of such a file. Therefore, it is not
used.

If you need to follow up, please include logs and relevant snippets from
the map files.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
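
The ordering the reply describes, as an added example that is not part of the original thread: one check_sender_access lookup, placed after permit_sasl_authenticated. It assumes the address of mail1.eff.org is covered by mynetworks and that the blocking rule goes in the poster's existing sender_access map.

```cfg
# --- main.cf: ordering from the original post (SASL users not exempted) ---
# smtpd_sender_restrictions = permit_mynetworks
#     check_sender_access hash:$config_directory/accesslist
#     reject_non_fqdn_sender reject_unknown_sender_domain
#     reject_unlisted_sender hash:$config_directory/sender_access permit
#
# If the REJECT rule lived in accesslist here, an authenticated user
# connecting from outside mynetworks would hit it before anything
# exempted them.

# --- main.cf: corrected ordering ---
# Restrictions are evaluated left to right; the first OK or REJECT
# result ends the list, so the two permit_* exemptions must come first.
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:$config_directory/sender_access,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unlisted_sender,
    permit

# --- $config_directory/sender_access ---
# check_sender_access matches the envelope sender (MAIL FROM),
# not the From: header shown in the mail client.
# Rebuild the lookup table with postmap after every edit.
eff.org    REJECT you can't send mail as me!
```

Running `postconf -n` afterwards confirms that the map named in the restriction list is the file that was edited, which is the mismatch the reply points out for /usr/local/etc/postfix/access.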