[pfx] Re: Domain-Specific inbound relay host rules

2023-10-15 Thread Viktor Dukhovni via Postfix-users
On Sun, Oct 15, 2023 at 11:40:57AM -0400, Viktor Dukhovni via Postfix-users 
wrote:

> > This is rather straightforward with access(5) rules:
> > 
> > smtpd_restriction_classes = reject_unfiltered
> > 
> > # Allow the filtering service IPv4/IPv6 CIDR blocks and reject
> > # everything else.
> > reject_unfiltered =
> > check_client_access cidr:{
> > {192.0.2.0/24   permit_auth_destination},
> > {2001:db8:feed:cafe::/64permit_auth_destination},
> > {0.0.0.0/0  REJECT 5.7.1 MX bypass attempt},
> > {::/0   REJECT 5.7.1 MX bypass attempt}
> > }
> > 
> > # If large enough, or changes more than rarely, use an access(5)
> > # table ("cdb", "hash", ...) instead.  Assumes smtpd_delay_reject
> > # is not changed from "yes" default.
> > #
> > smtpd_client_restrictions =
> > check_recipient_access inline:{
> > {filtered1.example = reject_unfiltered},
> > {filtered2.example = reject_unfiltered}
> > }
>
> OK, in this example, where would I specify which domains must go through the 
> spam filter?

Replace the names "filter1.example", "filter2.example", ... with the
names of the domains that are accepted only from the filter services.

> These domains MUST go through the spam filter: domain1.com domain2.net

smtpd_client_restrictions =
check_recipient_access inline:{
{domain1.com = reject_unfiltered},
{domain2.net = reject_unfiltered}
}


> These can be delivered directly WITHOUT going through the spam filters: 
> bypass1.com bypass2.net

They don't need to be specifically mentioned.

> Would this be put into a hash table or in place of the
> filtered1.example in your config?

Whether to use a hash table for the recipient access checks, or not, is
up to you.

  main.cf:
indexed = ${default_database_type}:${config_directory}/
smtpd_client_restrictions =
check_recipient_access ${indexed}filtered

  filtered:
domain1.com reject_unfiltered
domain2.net reject_unfiltered

The client access lookup could also be configured in a separate file,
but not a "postmapped" indexed table, "cidr" tables stay in source form.

  main.cf:
reject_unfiltered =
check_client_access cidr:reject_unfiltered.cidr

  reject_unfiltered.cidr:
192.0.2.0/24   permit_auth_destination
2001:db8:feed:cafe::/64permit_auth_destination
0.0.0.0/0  REJECT 5.7.1 MX bypass attempt
::/0   REJECT 5.7.1 MX bypass attempt

-- 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Domain-Specific inbound relay host rules

2023-10-15 Thread B Williams via Postfix-users
> On Oct 15, 2023, at 10:40 AM, Viktor Dukhovni via Postfix-users 
>  wrote:
> 
> On Sun, Oct 15, 2023 at 08:52:18AM -0500, B Williams via Postfix-users wrote:
> 
>> So what I’m trying to devise is a strategy that would allow me to
>> reject email for some domains if it didn’t come through the spam
>> filtering service, but allow messages for other domains to be
>> delivered that I don’t have going through the spam service. 
> 
> This is rather straightforward with access(5) rules:
> 
>smtpd_restriction_classes = reject_unfiltered

OK, in this example, where would I specify which domains must go through the 
spam filter?

Let’s get more concrete.

These domains MUST go through the spam filter: domain1.com domain2.net

These can be delivered directly WITHOUT going through the spam filters: 
bypass1.com bypass2.net

Would this be put into a hash table or in place of the filtered1.example in 
your config?

Thanks!

Best,

B Williams
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Domain-Specific inbound relay host rules

2023-10-15 Thread Viktor Dukhovni via Postfix-users
On Sun, Oct 15, 2023 at 08:52:18AM -0500, B Williams via Postfix-users wrote:

> So what I’m trying to devise is a strategy that would allow me to
> reject email for some domains if it didn’t come through the spam
> filtering service, but allow messages for other domains to be
> delivered that I don’t have going through the spam service. 

This is rather straightforward with access(5) rules:

smtpd_restriction_classes = reject_unfiltered

# Allow the filtering service IPv4/IPv6 CIDR blocks and reject
# everything else.
reject_unfiltered =
check_client_access cidr:{
{192.0.2.0/24   permit_auth_destination},
{2001:db8:feed:cafe::/64permit_auth_destination},
{0.0.0.0/0  REJECT 5.7.1 MX bypass attempt},
{::/0   REJECT 5.7.1 MX bypass attempt}
}

# If large enough, or changes more than rarely, use an access(5)
# table ("cdb", "hash", ...) instead.  Assumes smtpd_delay_reject
# is not changed from "yes" default.
#
smtpd_client_restrictions =
check_recipient_access inline:{
{filtered1.example = reject_unfiltered},
{filtered2.example = reject_unfiltered}
}

-- 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Domain-Specific inbound relay host rules

2023-10-15 Thread Matus UHLAR - fantomas via Postfix-users

On 15.10.23 08:52, B Williams via Postfix-users wrote:
There is a spam network that has figured out that they can bypass my spam 
filtering service by ignoring the MX record and just sending mail directly 
to the mail server.  Pretty sneaky.


Spammers do this for decades.

So what I’m trying to devise is a strategy that would allow me to reject 
email for some domains if it didn’t come through the spam filtering 
service, but allow messages for other domains to be delivered that I don’t 
have going through the spam service.


Ideally, there would be some kind of hash map that would basically say if 
the domain is present in the map it must come through a defined relayhost.  


You can do this by allowing virus filter (check_client_access) and then 
blocking mentioned domains (check_recipient_access) at the end of 
smtpd_recipient_access


I recomment start with temporary blocking.


Or maybe there is a custom milter strategy.


yeah, but writing that will be more compliated.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Domain-Specific inbound relay host rules

2023-10-15 Thread Tom Hendrikx via Postfix-users

On 15-10-2023 15:52, B Williams via Postfix-users wrote:

All:

Long time postfix user. I have an internet facing mail server running 
Postfix. For about half of my domains, I have them run through a spam 
filtering service (like MimeCast/Proofpoint). The other half just come 
direct because they are either very low volume or are used for 
testing/automation.


There is a spam network that has figured out that they can bypass my 
spam filtering service by ignoring the MX record and just sending mail 
directly to the mail server. Pretty sneaky.


So what I’m trying to devise is a strategy that would allow me to reject 
email for some domains if it didn’t come through the spam filtering 
service, but allow messages for other domains to be delivered that I 
don’t have going through the spam service.


Ideally, there would be some kind of hash map that would basically say 
if the domain is present in the map it must come through a defined 
relayhost. Or maybe there is a custom milter strategy.




I'm running a similar Postfix instance, receiving mail from an external 
spamfilter. I run an additional smtpd process on a dedicated port for 
the spamfilter. This port only accepts mail from the spamfiltering 
company (using a check_client_access cidr map).
Note: The spamfilter company allows me to configure a specific delivery 
hostname and port, so no port 25 required.


On the public smtpd process at port 25, there should never arrive any 
mail for the spamfiltered domains, so you can leave the domains out of 
mydestination, virtual_alias_domains, or whichever way you define the 
list of domains that you accept mail for.


Or maybe simpler to add to your existing setup: create a 
check_recipient_access table to reject the domains only in the smtpd 
process listening at port 25.


Tom
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Domain-Specific inbound relay host rules

2023-10-15 Thread B Williams via Postfix-users
All:

Long time postfix user. I have an internet facing mail server running Postfix. 
For about half of my domains, I have them run through a spam filtering service 
(like MimeCast/Proofpoint). The other half just come direct because they are 
either very low volume or are used for testing/automation.

There is a spam network that has figured out that they can bypass my spam 
filtering service by ignoring the MX record and just sending mail directly to 
the mail server. Pretty sneaky.

So what I’m trying to devise is a strategy that would allow me to reject email 
for some domains if it didn’t come through the spam filtering service, but 
allow messages for other domains to be delivered that I don’t have going 
through the spam service. 

Ideally, there would be some kind of hash map that would basically say if the 
domain is present in the map it must come through a defined relayhost. Or maybe 
there is a custom milter strategy. 

Open to any and all ideas!

Best,

B Williams


___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org