[pfx] Re: Domain-Specific inbound relay host rules

2023-10-16 Thread Viktor Dukhovni via Postfix-users
On Mon, Oct 16, 2023 at 10:08:37AM -0500, B Williams wrote:

> Huge thank you to Viktor and Tom for their ideas. I ended up using
> this route (without the hash maps as the config doesn’t change much). 

Note that Tom's suggestion doesn't quite work as advertised.
The configuration parameters:

- mydestination
- virtual_alias_domains
- virtual_mailbox_domains
- relay_domains

are mainly processed in the trivial-rewrite(8) process, which rewrites
addresses to standard form and classifies them by address class.  The
smtpd(8) service determines whether to accept a recipient, or not, based
on the address class returned by trivial-rewrite(8).

Therefore, master.cf overrides of "mydestination", ... in smtpd(8) don't
work the way one might naïvely expect.

So to limit which domains you accept to be a subset of the local
domains, you need actual access(5) tables, not the suggested parameter
overrides.

-- 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Domain-Specific inbound relay host rules

2023-10-16 Thread Jaroslaw Rafa via Postfix-users
Dnia 15.10.2023 o godz. 08:52:18 B Williams via Postfix-users pisze:
> There is a spam network that has figured out that they can bypass my spam
> filtering service by ignoring the MX record and just sending mail directly
> to the mail server. Pretty sneaky.
[...]
> Open to any and all ideas!

The best idea here is to run your own spam filtering directly on your
server, and not rely on any external service.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Domain-Specific inbound relay host rules

2023-10-15 Thread Viktor Dukhovni via Postfix-users
On Sun, Oct 15, 2023 at 11:40:57AM -0400, Viktor Dukhovni via Postfix-users wrote:

> > This is rather straightforward with access(5) rules:
> > 
> >     smtpd_restriction_classes = reject_unfiltered
> > 
> >     # Allow the filtering service IPv4/IPv6 CIDR blocks and reject
> >     # everything else.
> >     reject_unfiltered =
> >         check_client_access cidr:{
> >             {192.0.2.0/24             permit_auth_destination},
> >             {2001:db8:feed:cafe::/64  permit_auth_destination},
> >             {0.0.0.0/0                REJECT 5.7.1 MX bypass attempt},
> >             {::/0                     REJECT 5.7.1 MX bypass attempt}
> >         }
> > 
> >     # If large enough, or changes more than rarely, use an access(5)
> >     # table ("cdb", "hash", ...) instead.  Assumes smtpd_delay_reject
> >     # is not changed from "yes" default.
> >     #
> >     smtpd_client_restrictions =
> >         check_recipient_access inline:{
> >             {filtered1.example = reject_unfiltered},
> >             {filtered2.example = reject_unfiltered}
> >         }
>
> OK, in this example, where would I specify which domains must go through the 
> spam filter?

Replace the names "filter1.example", "filter2.example", ... with the
names of the domains that are accepted only from the filter services.

> These domains MUST go through the spam filter: domain1.com domain2.net

    smtpd_client_restrictions =
        check_recipient_access inline:{
            {domain1.com = reject_unfiltered},
            {domain2.net = reject_unfiltered}
        }


> These can be delivered directly WITHOUT going through the spam filters: 
> bypass1.com bypass2.net

They don't need to be specifically mentioned.

> Would this be put into a hash table or in place of the
> filtered1.example in your config?

Whether to use a hash table for the recipient access checks, or not, is
up to you.

  main.cf:
    indexed = ${default_database_type}:${config_directory}/
    smtpd_client_restrictions =
        check_recipient_access ${indexed}filtered

  filtered:
    domain1.com reject_unfiltered
    domain2.net reject_unfiltered

The client access lookup could also be configured in a separate file,
but not as a "postmapped" indexed table; "cidr" tables stay in source form.

  main.cf:
    reject_unfiltered =
        check_client_access cidr:reject_unfiltered.cidr

  reject_unfiltered.cidr:
    192.0.2.0/24             permit_auth_destination
    2001:db8:feed:cafe::/64  permit_auth_destination
    0.0.0.0/0                REJECT 5.7.1 MX bypass attempt
    ::/0                     REJECT 5.7.1 MX bypass attempt

-- 
Viktor.
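The three lookups behind this setup (the access(5) key order for the recipient, the first-match rule of a cidr table, and the expansion of the restriction class) are easy to misread when looking at main.cf alone. The following is an added Python model, not Postfix code and not from this thread, that re-implements those rules so the policy can be checked offline before deployment. The filtered domains and the two CIDR blocks are the ones used in the thread; AUTH_DESTINATIONS (the domains the server accepts mail for) and the sample client addresses and recipients are constructed assumptions.

```python
"""Offline model of how Postfix evaluates the "reject_unfiltered" class.

Added example, not Postfix source: it re-implements the cidr_table(5)
first-match rule, the access(5) key order, and the restriction-class
expansion so the policy can be checked on paper before it goes into
main.cf.  The filtered domains and CIDR blocks are the ones from the
thread; AUTH_DESTINATIONS and the sample clients/recipients are constructed.
"""
import ipaddress

# "filtered" access table: domain -> restriction class (from the thread).
FILTERED = {
    "domain1.com": "reject_unfiltered",
    "domain2.net": "reject_unfiltered",
}

# reject_unfiltered.cidr, in file order.  The two documentation ranges
# stand in for the filtering service's outbound addresses.
REJECT_UNFILTERED_CIDR = [
    ("192.0.2.0/24", "permit_auth_destination"),
    ("2001:db8:feed:cafe::/64", "permit_auth_destination"),
    ("0.0.0.0/0", "REJECT 5.7.1 MX bypass attempt"),
    ("::/0", "REJECT 5.7.1 MX bypass attempt"),
]

# Constructed: domains this server is willing to accept mail for
# (mydestination, virtual_*_domains and relay_domains combined).
AUTH_DESTINATIONS = {"domain1.com", "domain2.net", "bypass1.com", "bypass2.net"}


def cidr_lookup(table, client_ip):
    """cidr_table(5): the first matching row wins and later rows are never
    consulted, so the 0.0.0.0/0 and ::/0 catch-alls only see clients that
    matched nothing above them."""
    ip = ipaddress.ip_address(client_ip)
    for prefix, action in table:
        net = ipaddress.ip_network(prefix)
        if ip.version == net.version and ip in net:
            return action
    return None


def access_lookup(table, recipient):
    """access(5) key order for an address: user@domain, then the domain and
    each parent domain (the default parent_domain_matches_subdomains
    includes smtpd_access_maps), then user@."""
    recipient = recipient.lower()
    local, _, domain = recipient.rpartition("@")
    if recipient in table:
        return table[recipient]
    labels = domain.split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    return table.get(local + "@")


def evaluate_client_stage(client_ip, recipient):
    """smtpd_client_restrictions = check_recipient_access <FILTERED>.

    Returns "PERMIT", the REJECT text, or "DUNNO" (this list made no
    decision; smtpd_relay/recipient_restrictions decide later).  Relies on
    smtpd_delay_reject = yes so the recipient is already known when the
    client restrictions are evaluated."""
    if access_lookup(FILTERED, recipient) != "reject_unfiltered":
        return "DUNNO"  # not a filtered domain: this check says nothing
    # Expand the class: check_client_access cidr:reject_unfiltered.cidr
    action = cidr_lookup(REJECT_UNFILTERED_CIDR, client_ip)
    if action is None:
        return "DUNNO"
    if action.startswith("REJECT"):
        return action
    if action == "permit_auth_destination":
        domain = recipient.lower().rpartition("@")[2]
        # Permits only domains we are authorized to accept; otherwise a no-op.
        return "PERMIT" if domain in AUTH_DESTINATIONS else "DUNNO"
    raise ValueError(f"unhandled access action: {action}")


if __name__ == "__main__":
    # Constructed sample clients and recipients.
    samples = [
        ("192.0.2.10", "alice@domain1.com"),           # filter -> filtered domain
        ("203.0.113.5", "alice@domain1.com"),          # direct -> filtered domain
        ("2001:db8:feed:cafe::1", "bob@domain2.net"),  # filter, IPv6
        ("2001:db8:dead::1", "bob@domain2.net"),       # direct, IPv6
        ("203.0.113.5", "carol@bypass1.com"),          # unfiltered domain
        ("203.0.113.5", "dave@sub.domain1.com"),       # parent-domain match
    ]
    for client, rcpt in samples:
        print(f"{client:>22}  {rcpt:<22}  {evaluate_client_stage(client, rcpt)}")
```

The model makes two things visible that the config does not: a subdomain of a filtered domain is caught by the parent-domain lookup, and a filter-service client that matches the permit_auth_destination row gets no second chance at the catch-all rows, so an unauthorized destination from the filter falls through as DUNNO rather than being rejected by this class. On a real system the same lookups can be exercised against the installed tables with `postmap -q "alice@domain1.com" hash:/etc/postfix/filtered` and `postmap -q 203.0.113.5 cidr:/etc/postfix/reject_unfiltered.cidr`.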


[pfx] Re: Domain-Specific inbound relay host rules

2023-10-15 Thread B Williams via Postfix-users
> On Oct 15, 2023, at 10:40 AM, Viktor Dukhovni via Postfix-users wrote:
> 
> On Sun, Oct 15, 2023 at 08:52:18AM -0500, B Williams via Postfix-users wrote:
> 
>> So what I’m trying to devise is a strategy that would allow me to
>> reject email for some domains if it didn’t come through the spam
>> filtering service, but allow messages for other domains to be
>> delivered that I don’t have going through the spam service. 
> 
> This is rather straightforward with access(5) rules:
> 
>     smtpd_restriction_classes = reject_unfiltered

OK, in this example, where would I specify which domains must go through the 
spam filter?

Let’s get more concrete.

These domains MUST go through the spam filter: domain1.com domain2.net

These can be delivered directly WITHOUT going through the spam filters: 
bypass1.com bypass2.net

Would this be put into a hash table or in place of the filtered1.example in 
your config?

Thanks!

Best,

B Williams


[pfx] Re: Domain-Specific inbound relay host rules

2023-10-15 Thread Viktor Dukhovni via Postfix-users
On Sun, Oct 15, 2023 at 08:52:18AM -0500, B Williams via Postfix-users wrote:

> So what I’m trying to devise is a strategy that would allow me to
> reject email for some domains if it didn’t come through the spam
> filtering service, but allow messages for other domains to be
> delivered that I don’t have going through the spam service. 

This is rather straightforward with access(5) rules:

    smtpd_restriction_classes = reject_unfiltered

    # Allow the filtering service IPv4/IPv6 CIDR blocks and reject
    # everything else.
    reject_unfiltered =
        check_client_access cidr:{
            {192.0.2.0/24             permit_auth_destination},
            {2001:db8:feed:cafe::/64  permit_auth_destination},
            {0.0.0.0/0                REJECT 5.7.1 MX bypass attempt},
            {::/0                     REJECT 5.7.1 MX bypass attempt}
        }

    # If large enough, or changes more than rarely, use an access(5)
    # table ("cdb", "hash", ...) instead.  Assumes smtpd_delay_reject
    # is not changed from "yes" default.
    #
    smtpd_client_restrictions =
        check_recipient_access inline:{
            {filtered1.example = reject_unfiltered},
            {filtered2.example = reject_unfiltered}
        }

-- 
Viktor.


[pfx] Re: Domain-Specific inbound relay host rules

2023-10-15 Thread Matus UHLAR - fantomas via Postfix-users

On 15.10.23 08:52, B Williams via Postfix-users wrote:
> There is a spam network that has figured out that they can bypass my spam
> filtering service by ignoring the MX record and just sending mail directly
> to the mail server.  Pretty sneaky.

Spammers have been doing this for decades.

> So what I’m trying to devise is a strategy that would allow me to reject
> email for some domains if it didn’t come through the spam filtering
> service, but allow messages for other domains to be delivered that I don’t
> have going through the spam service.
>
> Ideally, there would be some kind of hash map that would basically say if
> the domain is present in the map it must come through a defined relayhost.

You can do this by allowing the virus filter (check_client_access) and then
blocking the mentioned domains (check_recipient_access) at the end of
smtpd_recipient_access.

I recommend starting with temporary blocking.

> Or maybe there is a custom milter strategy.

Yeah, but writing that will be more complicated.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.


[pfx] Re: Domain-Specific inbound relay host rules

2023-10-15 Thread Tom Hendrikx via Postfix-users

On 15-10-2023 15:52, B Williams via Postfix-users wrote:
> All:
>
> Long time postfix user. I have an internet facing mail server running
> Postfix. For about half of my domains, I have them run through a spam
> filtering service (like MimeCast/Proofpoint). The other half just come
> direct because they are either very low volume or are used for
> testing/automation.
>
> There is a spam network that has figured out that they can bypass my
> spam filtering service by ignoring the MX record and just sending mail
> directly to the mail server. Pretty sneaky.
>
> So what I’m trying to devise is a strategy that would allow me to reject
> email for some domains if it didn’t come through the spam filtering
> service, but allow messages for other domains to be delivered that I
> don’t have going through the spam service.
>
> Ideally, there would be some kind of hash map that would basically say
> if the domain is present in the map it must come through a defined
> relayhost. Or maybe there is a custom milter strategy.

I'm running a similar Postfix instance, receiving mail from an external
spamfilter. I run an additional smtpd process on a dedicated port for
the spamfilter. This port only accepts mail from the spamfiltering
company (using a check_client_access cidr map).
Note: the spamfilter company allows me to configure a specific delivery
hostname and port, so no port 25 required.

On the public smtpd process at port 25, no mail for the spamfiltered
domains should ever arrive, so you can leave those domains out of
mydestination, virtual_alias_domains, or whichever way you define the
list of domains that you accept mail for.

Or, maybe simpler to add to your existing setup: create a
check_recipient_access table to reject the domains only in the smtpd
process listening at port 25.


Tom