[pfx] Re: Domain-Specific inbound relay host rules
On Sun, Oct 15, 2023 at 11:40:57AM -0400, Viktor Dukhovni via Postfix-users wrote:

> > This is rather straightforward with access(5) rules:
> >
> >     smtpd_restriction_classes = reject_unfiltered
> >
> >     # Allow the filtering service IPv4/IPv6 CIDR blocks and reject
> >     # everything else.
> >     reject_unfiltered =
> >         check_client_access cidr:{
> >             {192.0.2.0/24 permit_auth_destination},
> >             {2001:db8:feed:cafe::/64 permit_auth_destination},
> >             {0.0.0.0/0 REJECT 5.7.1 MX bypass attempt},
> >             {::/0 REJECT 5.7.1 MX bypass attempt}
> >         }
> >
> >     # If large enough, or changes more than rarely, use an access(5)
> >     # table ("cdb", "hash", ...) instead.  Assumes smtpd_delay_reject
> >     # is not changed from "yes" default.
> >     #
> >     smtpd_client_restrictions =
> >         check_recipient_access inline:{
> >             {filtered1.example = reject_unfiltered},
> >             {filtered2.example = reject_unfiltered}
> >         }
>
> OK, in this example, where would I specify which domains must go through the
> spam filter?

Replace the names "filtered1.example", "filtered2.example", ... with the
names of the domains that are accepted only from the filter services.

> These domains MUST go through the spam filter:
>
>     domain1.com
>     domain2.net

    smtpd_client_restrictions =
        check_recipient_access inline:{
            {domain1.com = reject_unfiltered},
            {domain2.net = reject_unfiltered}
        }

> These can be delivered directly WITHOUT going through the spam filters:
>
>     bypass1.com
>     bypass2.net

They don't need to be specifically mentioned.

> Would this be put into a hash table or in place of the
> filtered1.example in your config?

Whether to use a hash table for the recipient access checks, or not, is up
to you.

    main.cf:
        indexed = ${default_database_type}:${config_directory}/
        smtpd_client_restrictions =
            check_recipient_access ${indexed}filtered

    filtered:
        domain1.com     reject_unfiltered
        domain2.net     reject_unfiltered

The client access lookup could also be configured in a separate file, but
not as a "postmapped" indexed table: "cidr" tables stay in source form.

    main.cf:
        reject_unfiltered =
            check_client_access cidr:reject_unfiltered.cidr

    reject_unfiltered.cidr:
        192.0.2.0/24                permit_auth_destination
        2001:db8:feed:cafe::/64     permit_auth_destination
        0.0.0.0/0                   REJECT 5.7.1 MX bypass attempt
        ::/0                        REJECT 5.7.1 MX bypass attempt

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
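The way the two lookups in the configuration above combine can be checked without a running MTA. What follows is an added example, not Postfix source and not code from the thread: a small Python model of cidr_table(5) first-match lookup and of the access(5) lookup order that check_recipient_access uses, with the two tables exactly as posted. The client addresses 198.51.100.7 and 2001:db8:dead:beef::1 are constructed stand-ins for the MX-bypassing spammer, and the exact-match AUTH_DESTINATIONS set is an assumption standing in for mydestination/virtual_*_domains/relay_domains, whose real matching rules differ.

```python
"""Offline model of the restriction logic posted in this thread.

Added example, not Postfix source and not from the thread: it re-implements
only the lookup semantics that matter here (cidr_table(5): first match wins;
access(5): user@domain, then the domain and its parent domains, then user@)
so the rules can be exercised without a running MTA.
"""
import ipaddress

# reject_unfiltered.cidr, exactly as posted.  Order matters: the 0.0.0.0/0
# and ::/0 catch-alls must come after the filter-service prefixes.
FILTER_CIDR = [
    ("192.0.2.0/24", "permit_auth_destination"),
    ("2001:db8:feed:cafe::/64", "permit_auth_destination"),
    ("0.0.0.0/0", "REJECT 5.7.1 MX bypass attempt"),
    ("::/0", "REJECT 5.7.1 MX bypass attempt"),
]

# The "filtered" access table: recipient domains that must come via the filter.
FILTERED = {
    "domain1.com": "reject_unfiltered",
    "domain2.net": "reject_unfiltered",
}

# Assumption: exact-match stand-in for mydestination/virtual_*_domains/
# relay_domains, which have their own (differing) matching rules.
AUTH_DESTINATIONS = {"domain1.com", "domain2.net", "bypass1.com", "bypass2.net"}


def cidr_lookup(table, client_ip):
    """cidr_table(5) semantics: return the action of the first entry whose
    prefix contains client_ip, or None if nothing matches."""
    addr = ipaddress.ip_address(client_ip)
    for prefix, action in table:
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            return action
    return None


def recipient_access_lookup(table, recipient):
    """access(5) lookup order for an e-mail address.  Parent domains are
    tried because smtpd_access_maps is in parent_domain_matches_subdomains
    by default, so a "domain1.com" entry also covers sub.domain1.com."""
    recipient = recipient.lower()
    local, _, domain = recipient.rpartition("@")
    if recipient in table:
        return table[recipient]
    labels = domain.split(".")
    for i in range(len(labels)):           # domain, then each parent domain
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    return table.get(local + "@")          # "user@" matches any domain


def smtpd_client_restrictions(client_ip, recipient):
    """Evaluate the thread's smtpd_client_restrictions for one RCPT TO.

    Returns "PERMIT", a "REJECT ..." string, or "DUNNO" (no decision; Postfix
    continues with the remaining restriction lists).  The recipient is known
    at this point only because smtpd_delay_reject=yes, the default.
    """
    if recipient_access_lookup(FILTERED, recipient) != "reject_unfiltered":
        return "DUNNO"                     # unfiltered domain: no opinion here
    action = cidr_lookup(FILTER_CIDR, client_ip)
    if action == "permit_auth_destination":
        domain = recipient.lower().rpartition("@")[2]
        return "PERMIT" if domain in AUTH_DESTINATIONS else "DUNNO"
    return action if action else "DUNNO"


if __name__ == "__main__":
    # Constructed sample clients: the filter's IPv4/IPv6 ranges from the
    # thread, plus two outside addresses standing in for the spammer.
    for ip, rcpt in [
        ("192.0.2.10", "alice@domain1.com"),
        ("198.51.100.7", "alice@domain1.com"),
        ("2001:db8:feed:cafe::5", "bob@domain2.net"),
        ("2001:db8:dead:beef::1", "bob@sub.domain2.net"),
        ("198.51.100.7", "carol@bypass1.com"),
    ]:
        print(f"{ip:24} {rcpt:22} -> {smtpd_client_restrictions(ip, rcpt)}")
```

Two things the model makes visible that the bare configuration does not: a "domain1.com" access entry also catches recipients in its subdomains (so the reject path covers sub.domain2.net), and reversing the cidr file so the 0.0.0.0/0 line comes first would reject the filter service itself, because only the first matching prefix counts.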
[pfx] Re: Domain-Specific inbound relay host rules
> On Oct 15, 2023, at 10:40 AM, Viktor Dukhovni via Postfix-users wrote:
>
> On Sun, Oct 15, 2023 at 08:52:18AM -0500, B Williams via Postfix-users wrote:
>
>> So what I’m trying to devise is a strategy that would allow me to
>> reject email for some domains if it didn’t come through the spam
>> filtering service, but allow messages for other domains to be
>> delivered that I don’t have going through the spam service.
>
> This is rather straightforward with access(5) rules:
>
>     smtpd_restriction_classes = reject_unfiltered

OK, in this example, where would I specify which domains must go through the
spam filter?

Let’s get more concrete.

These domains MUST go through the spam filter:

    domain1.com
    domain2.net

These can be delivered directly WITHOUT going through the spam filters:

    bypass1.com
    bypass2.net

Would this be put into a hash table or in place of the filtered1.example in
your config?

Thanks!

Best,
B Williams
[pfx] Re: Domain-Specific inbound relay host rules
On Sun, Oct 15, 2023 at 08:52:18AM -0500, B Williams via Postfix-users wrote:

> So what I’m trying to devise is a strategy that would allow me to
> reject email for some domains if it didn’t come through the spam
> filtering service, but allow messages for other domains to be
> delivered that I don’t have going through the spam service.

This is rather straightforward with access(5) rules:

    smtpd_restriction_classes = reject_unfiltered

    # Allow the filtering service IPv4/IPv6 CIDR blocks and reject
    # everything else.
    reject_unfiltered =
        check_client_access cidr:{
            {192.0.2.0/24 permit_auth_destination},
            {2001:db8:feed:cafe::/64 permit_auth_destination},
            {0.0.0.0/0 REJECT 5.7.1 MX bypass attempt},
            {::/0 REJECT 5.7.1 MX bypass attempt}
        }

    # If large enough, or changes more than rarely, use an access(5)
    # table ("cdb", "hash", ...) instead.  Assumes smtpd_delay_reject
    # is not changed from "yes" default.
    #
    smtpd_client_restrictions =
        check_recipient_access inline:{
            {filtered1.example = reject_unfiltered},
            {filtered2.example = reject_unfiltered}
        }

-- 
    Viktor.
[pfx] Re: Domain-Specific inbound relay host rules
On 15.10.23 08:52, B Williams via Postfix-users wrote:
> There is a spam network that has figured out that they can bypass my spam
> filtering service by ignoring the MX record and just sending mail directly
> to the mail server. Pretty sneaky.

Spammers have been doing this for decades.

> So what I’m trying to devise is a strategy that would allow me to reject
> email for some domains if it didn’t come through the spam filtering
> service, but allow messages for other domains to be delivered that I don’t
> have going through the spam service.
>
> Ideally, there would be some kind of hash map that would basically say if
> the domain is present in the map it must come through a defined relayhost.

You can do this by allowing the virus filter (check_client_access) and then
blocking the mentioned domains (check_recipient_access) at the end of
smtpd_recipient_restrictions.

I recommend starting with temporary blocking.

> Or maybe there is a custom milter strategy.

Yeah, but writing that will be more complicated.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
It's now safe to throw off your computer.
[pfx] Re: Domain-Specific inbound relay host rules
On 15-10-2023 15:52, B Williams via Postfix-users wrote:
> All:
>
> Long time postfix user. I have an internet facing mail server running
> Postfix. For about half of my domains, I have them run through a spam
> filtering service (like MimeCast/Proofpoint). The other half just come
> direct because they are either very low volume or are used for
> testing/automation.
>
> There is a spam network that has figured out that they can bypass my spam
> filtering service by ignoring the MX record and just sending mail directly
> to the mail server. Pretty sneaky.
>
> So what I’m trying to devise is a strategy that would allow me to reject
> email for some domains if it didn’t come through the spam filtering
> service, but allow messages for other domains to be delivered that I don’t
> have going through the spam service.
>
> Ideally, there would be some kind of hash map that would basically say if
> the domain is present in the map it must come through a defined relayhost.
>
> Or maybe there is a custom milter strategy.

I'm running a similar Postfix instance, receiving mail from an external spam
filter.

I run an additional smtpd process on a dedicated port for the spam filter.
This port only accepts mail from the spam-filtering company (using a
check_client_access cidr map). Note: the spam filter company allows me to
configure a specific delivery hostname and port, so no port 25 required.

No mail for the spam-filtered domains should ever arrive at the public smtpd
process on port 25, so you can leave those domains out of mydestination,
virtual_alias_domains, or whichever way you define the list of domains that
you accept mail for.

Or, maybe simpler to add to your existing setup: create a
check_recipient_access table to reject the domains only in the smtpd process
listening on port 25.

Tom
[pfx] Domain-Specific inbound relay host rules
All:

Long time postfix user. I have an internet facing mail server running
Postfix. For about half of my domains, I have them run through a spam
filtering service (like MimeCast/Proofpoint). The other half just come
direct because they are either very low volume or are used for
testing/automation.

There is a spam network that has figured out that they can bypass my spam
filtering service by ignoring the MX record and just sending mail directly
to the mail server. Pretty sneaky.

So what I’m trying to devise is a strategy that would allow me to reject
email for some domains if it didn’t come through the spam filtering
service, but allow messages for other domains to be delivered that I don’t
have going through the spam service.

Ideally, there would be some kind of hash map that would basically say if
the domain is present in the map it must come through a defined relayhost.

Or maybe there is a custom milter strategy.

Open to any and all ideas!

Best,
B Williams