Re: Reject email based on a key header?

2021-01-07 Thread Wietse Venema
@lbutlr:
> I should have said to "only allow emails that contain an address
> extension, any address extension, not a repopulated list."
> 
> I know what I was thinking!
 
Use a regexp or pcre table.

/^foo[_+]?@example\.com$/ reject

Wietse


Re: Reject email based on a key header?

2021-01-07 Thread @lbutlr
On 07 Jan 2021, at 17:13, Wietse Venema wrote:
>> Similarly, given a email address of "p...@example.com" would it be
>> possible to reject all emails to that address that did not contain an
>> extension in the user name?

I should have said to "only allow emails that contain an address extension, any 
address extension, not a repopulated list."

I know what I was thinking! 

>> # using recipient_delimiter = +_
>> plus+plus  OK
>> plus+foo   OK
>> Plus_bar   OK
>> plus   REJECT
> 
> The above works. Postfix always tries to match the complete address
> before stripping off the extension and matching the unextended name.
> 
>> plus+  REJECT
> 
> You don't need this, because Postfix will try the form without
> address extension, and that form is already rejected.

Those were examples of possible incoming usernames used in an email, not a list 
of allowed address+extension examples.

So, basically plus+ or plus_ is allowed, but plus@… is 
rejected.


-- 
We all live in an Eldrich Horror's dream
 an Eldrich Horror's dream
 an Eldrich Horror's dream 

Re: Reject email based on a key header?

2021-01-07 Thread Wietse Venema
@lbutlr:
> Given an email address like admin-...@example.com is it possible to
> REJECT all email to that address that doesn't contain a header
> "X-foobar" (or maybe a header that is "X-foobar: ")?

Postfix built-in support matches one line at a time, and the action
for that match cannot depend on earlier or later matches.

> I know I could do this for all email addresses, but doing it for one
> would require some sort of simple milter in order to actually reject the
> email before accepting it, right?

Any suitable non-builtin filter.

> Similarly, given a email address of "p...@example.com" would it be
> possible to reject all emails to that address that did not contain an
> extension in the user name?

> # using recipient_delimiter = +_
> plus+plus  OK
> plus+foo   OK
> Plus_bar   OK
> plus   REJECT

The above works. Postfix always tries to match the complete address
before stripping off the extension and matching the unextended name.

> plus+  REJECT

You don't need this, because Postfix will try the form without
address extension, and that form is already rejected.

Wietse
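
Added example, not part of the thread: a simplified Python model of the lookup order described in the message above (complete address first, then the unextended name), set beside the regexp table entry from the 2021-01-07 follow-up. The local part "plus", the domain, the function names and the use of DUNNO for "no match" are assumptions for illustration; this is not Postfix code.

```python
import re

RECIPIENT_DELIMITERS = "+_"  # recipient_delimiter = +_ as in the question

# Indexed access table from the question (assumed domain example.com).
HASH_TABLE = {
    "plus+plus@example.com": "OK",
    "plus+foo@example.com": "OK",
    "plus_bar@example.com": "OK",
    "plus@example.com": "REJECT",
}

# Regexp table entry in the shape given in the follow-up, with "plus" as the
# local part. Modelled as case-insensitive and applied to the whole address.
REGEXP_TABLE = [(re.compile(r"^plus[_+]?@example\.com$", re.IGNORECASE), "REJECT")]


def strip_extension(address, delimiters=RECIPIENT_DELIMITERS):
    """Return the address without its extension, or None if it has none."""
    local, _, domain = address.rpartition("@")
    for i, ch in enumerate(local):
        if i > 0 and ch in delimiters:
            return f"{local[:i]}@{domain}"
    return None


def hash_lookup(address, table=HASH_TABLE):
    """Complete address first, then the unextended form."""
    key = address.lower()
    if key in table:
        return table[key]
    bare = strip_extension(key)
    if bare is not None and bare in table:
        return table[bare]
    return "DUNNO"  # no match: later restrictions decide


def regexp_lookup(address, table=REGEXP_TABLE):
    """The pattern sees only the complete address; nothing is stripped."""
    for pattern, action in table:
        if pattern.search(address):
            return action
    return "DUNNO"


def compare(addresses):
    """Return (address, indexed-table result, regexp-table result) rows."""
    return [(a, hash_lookup(a), regexp_lookup(a)) for a in addresses]


if __name__ == "__main__":
    # Constructed sample recipients.
    samples = ["plus+foo@example.com", "Plus_bar@example.com",
               "plus+new@example.com", "plus+@example.com", "plus@example.com"]
    for row in compare(samples):
        print("%-24s indexed=%-7s regexp=%s" % row)
```

In this model the indexed table rejects any extension that is not listed, because the unextended fallback hits the REJECT entry, while the regexp entry rejects only the bare and empty-extension forms.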


Re: Reject email containing Google forms

2020-12-01 Thread Wietse Venema
lists:
> About 70% of my spam these days contains links to Google Forms.
> I've been googling for tips on how to reject such email but Google
> find hits for the converse. (People are complaining about Gmail
> blocking Google Forms which is ironic.)
> 
> My current configuration doesn't include SpamAssassin since rbls
> and the existence of a reverse pointer was good enough.
> 
> I'm looking for advice specifically to bounce email that contains
> a link to any Google form. If this is inappropriate for this list
> serve then I'm fine with the moderator nuking the request. I can
> take it up with stackexchange but it had been my experience that
> the postfix list has the best gurus.

This will require deep inspection with software that decodes base64
text, and that understands enough of HTML so that it can figure out
what the links are. Postfix's built-in support for regular expressions
won't be sufficient to stop this.

Wietse
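
Added example, not part of the thread: a Python sketch of the kind of inspection described above, which decodes base64 (or quoted-printable) text parts, parses the HTML, and checks where the links point. The hosts treated as Google Forms links, the function names, the REJECT/DUNNO labels and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_forms_url(url):
    """Assumed rule: forms.gle, or docs.google.com with a /forms/ path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "forms.gle":
        return True
    return host == "docs.google.com" and parts.path.startswith("/forms/")


class LinkCollector(HTMLParser):
    """Collects URL-bearing attributes from HTML start tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def extract_links(raw_message):
    """Return every link found in the decoded text parts of a message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    links = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        try:
            text = part.get_content()  # undoes base64/QP and the charset
        except LookupError:            # unknown charset label
            continue
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(text)
            links.extend(collector.links)
        else:
            links.extend(URL_RE.findall(text))
    return links


def verdict(raw_message):
    hit = any(is_forms_url(u) for u in extract_links(raw_message))
    return "REJECT" if hit else "DUNNO"


def build_sample():
    """Constructed message whose HTML part is base64-encoded."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See the HTML part.")
    msg.add_alternative(
        '<html><body><a href="https://docs.google.com/forms/d/e/EXAMPLE/'
        'viewform">open</a></body></html>', subtype="html", cte="base64")
    return msg.as_bytes()
```

The raw bytes of the sample never contain the string docs.google.com, so a line-by-line pattern over the undecoded body cannot match it, while `verdict(build_sample())` does.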


Re: Reject email containing Google forms

2020-12-01 Thread Curtis Maurand
How about a general sieve rule in your dovecot server or a filter in your 
delivery agent?

Sent from my iPhone

> On Dec 1, 2020, at 5:11 PM, lists wrote:
> 
> About 70% of my spam these days contains links to Google Forms. I've been 
> googling for tips on how to reject such email but Google find hits for the 
> converse. (People are complaining about Gmail blocking Google Forms which is 
> ironic.) 
> 
> My current configuration doesn't include SpamAssassin since rbls and the 
> existence of a reverse pointer was good enough. 
> 
> I'm looking for advice specifically to bounce email that contains a link to 
> any Google form. If this is inappropriate for this list serve then I'm fine 
> with the moderator nuking the request. I can take it up with stackexchange 
> but it had been my experience that the postfix list has the best gurus. 



Re: Reject email

2013-05-10 Thread Stan Hoeppner
On 5/9/2013 9:55 AM, Reindl Harald wrote:
 
 On 09.05.2013 16:44, Stan Hoeppner wrote:
 Normally I'd avoid arguing with you, Reindl, as it simply
 clutters the list
 
 keep this bullshit for you

Nice etiquette...

 On 5/9/2013 7:26 AM, Reindl Harald wrote:

 if you have a A-record for example.com and you incoming
 mail-server is on this IP you do not need any MX record
 and postfix will happily use the A-record to deliver mail

 When did you last come across a domain configured strictly for fallback
 to A?  While RFC may require it
 
 NOT SO LONG AGO
 
 a few years ago i was so naive and stupid to implement
 a DNS check in the verify-function of my php-framework
 to prevent import / subscribe to newsletter lists with
 undeliverable domains
 
 i had it to learn the hard way that RFC's are
 not only for fun

You missed the point entirely.  I think this is because you are
predisposed to argue with anyone who disagrees with you, even when they
are correct and you are incorrect.  Hence the preface in my previous reply.

 another story is if there is a MX-Record but the listed
 hostname does not resolve and at least for me the intention
 of if the MX does not exist is not clear enough if it means

 a) no MX record for the domain
 b) a MX record with a non-resolving hostname

 reject b) would be fine

 Only if the response is 4xx. People fat finger records all the time
 
 that's their problem
 after fixing this the next mails would go through
 
 nobody expect that if he make mistakes in his DNS configs and is too
 lazy to verify what he configured that others configure their servers
 to help him

Again you miss the point.  The reason for a 4xx here is so the mail gets
queued and can simply be flushed after the DNS or other error is
corrected.  Thus the message isn't needlessly returned to the sender.
Most of such errors are found and corrected pretty quickly.  Using a 4xx
in this case keeps things more transparent to users, whether mine,
yours, or the guy at the remote SMTP site.

 with this attitude you would need to reject all with 4xx because
 someone could have make a mistake - this is a bad attitude in
 context of e-mail

No, Reindl, this is called courtesy to fellow network operators.  The
only bad attitude here is yours.  You display it both here and on the
Dovecot list regularly.  Being brash and arrogant is one thing.  Most
people dislike that but tolerate it.  But the constant cursing and
berating anyone who disagrees with you crosses the line.

Frankly I'm surprised that Wietse and Victor have let you get away with
this behavior for so long.  I guess they're leaving it up to members to
add you to local kill files...

-- 
Stan



Re: Reject email

2013-05-10 Thread Reindl Harald

On 10.05.2013 08:26, Stan Hoeppner wrote:
 On 5/9/2013 9:55 AM, Reindl Harald wrote:

 On 09.05.2013 16:44, Stan Hoeppner wrote:
 Normally I'd avoid arguing with you, Reindl, as it simply
 clutters the list

 keep this bullshit for you
 
 Nice etiquette...

and what was your quoted line clown ?

 On 5/9/2013 7:26 AM, Reindl Harald wrote:

 if you have a A-record for example.com and you incoming
 mail-server is on this IP you do not need any MX record
 and postfix will happily use the A-record to deliver mail

 When did you last come across a domain configured strictly for fallback
 to A?  While RFC may require it

 NOT SO LONG AGO

 a few years ago i was so naive and stupid to implement
 a DNS check in the verify-function of my php-framework
 to prevent import / subscribe to newsletter lists with
 undeliverable domains

 i had it to learn the hard way that RFC's are
 not only for fun
 
 You missed the point entirely.  I think this is because you are
 predisposed to argue with anyone who disagrees with you, even when they
 are correct and you are incorrect.  Hence the preface in my previous reply

but your problem is that you are not correct






Re: Reject email

2013-05-10 Thread Reindl Harald

On 10.05.2013 08:26, Stan Hoeppner wrote:
 nobody expect that if he make mistakes in his DNS configs and is too
 lazy to verify what he configured that others configure their servers
 to help him
 
 Again you miss the point. The reason for a 4xx here is so the mail gets
 queued and can simply be flushed after the DNS or other error is
 corrected. Thus the message isn't needlessly returned to the sender.
 Most of such errors are found and corrected pretty quickly. Using a 4xx
 in this case keeps things more transparent to users, whether mine,
 yours, or the guy at the remote SMTP site.

most of these errors are corrected after someone complaints and with
a 4xx it takes up to 5 days until this happens

a wrong configuration is a wrong configuration
period

 with this attitude you would need to reject all with 4xx because
 someone could have make a mistake - this is a bad attitude in
 context of e-mail
 
 No, Reindl, this is called courtesy to fellow network operators. The
 only bad attitude here is yours. You display it both here and on the
 Dovecot list regularly.  Being brash and arrogant is one thing.  Most
 people dislike that but tolerate it. But the constant cursing and
 berating anyone who disagrees with you crosses the line.

disagree is one thing but disagree on clear technical facts is another

 Frankly I'm surprised that Wietse and Victor have let you get away with
 this behavior for so long. I guess they're leaving it up to members to
 add you to local kill files...

frankly i am surprised that you not attack Wietse sometimes after
he refers to some documentation followed by to unsubscribe.





Re: Reject email

2013-05-10 Thread Wietse Venema
Reindl Harald:
 On 10.05.2013 08:26, Stan Hoeppner wrote:
  On 5/9/2013 9:55 AM, Reindl Harald wrote:
 
  On 09.05.2013 16:44, Stan Hoeppner wrote:
  Normally I'd avoid arguing with you, Reindl, as it simply
  clutters the list
 
  keep this bullshit for you
  
  Nice etiquette...
 
 and what was your quoted line clown ?

OK. A large portion of list traffic is now from Reindl giving rude
responses to new and old members of this list.

Having an active list member is good, but his manners are not.

I unsubscribe Reindl Harald, and I encourage all Postfix list
moderators to do the same in the case that he returns.

Wietse


Re: Reject email

2013-05-09 Thread Reindl Harald


On 09.05.2013 12:24, Héctor Moreno Blanco wrote:
 I would like to reject an email if the MX does not exist. We have enable the 
 setting /reject_unknown_sender_domain/
 and /reject_unknown_recipient_domain/. However, if the domain has DNS and 
 resolves it, the message is sent, and we
 don’t want that

this is a completely broken idea

no RFC at this world says that a domain must have a MX record and many
do not - your idea would result in drop a lot of legit email





RE: Reject email

2013-05-09 Thread Héctor Moreno Blanco
Hello Reindl,

Thanks for the tip. I will consider your advice.

Thank you very much.
Kind regards.


Héctor Moreno Blanco



-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On 
behalf of Reindl Harald
Sent: Thursday, 09 May 2013 12:29
To: postfix-users@postfix.org
Subject: Re: Reject email



On 09.05.2013 12:24, Héctor Moreno Blanco wrote:
 I would like to reject an email if the MX does not exist. We have
 enable the setting /reject_unknown_sender_domain/ and
 /reject_unknown_recipient_domain/. However, if the domain has DNS and
 resolves it, the message is sent, and we don't want that

this is a completely broken idea

no RFC at this world says that a domain must have a MX record and many do not - 
your idea would result in drop a lot of legit email


Please consider the environment before printing this e-mail.

__
This message including any attachments may contain confidential 
information, according to our Information Security Management System,
 and intended solely for a specific individual to whom they are addressed.
 Any unauthorised copy, disclosure or distribution of this message
 is strictly forbidden. If you have received this transmission in error,
 please notify the sender immediately and delete it.

__



Re: Reject email

2013-05-09 Thread Stan Hoeppner
On 5/9/2013 5:28 AM, Reindl Harald wrote:
 
 
 On 09.05.2013 12:24, Héctor Moreno Blanco wrote:
 I would like to reject an email if the MX does not exist. We have enable the 
 setting /reject_unknown_sender_domain/
 and /reject_unknown_recipient_domain/. However, if the domain has DNS and 
 resolves it, the message is sent, and we
 don’t want that
 
 this is a completely broken idea

Not completely broken.  It's not really no MX that Hector is after,
but undeliverable sender addresses in snowshoe spam.  No MX would fall
under this umbrella.

Hector, I think what you're looking for is Sender Address Verification,
or SAV.  This is implemented in Postfix as reject_unverified_sender.  See:

http://www.postfix.org/postconf.5.html#reject_unverified_sender
http://www.postfix.org/ADDRESS_VERIFICATION_README.html

Read the ADDRESS_VERIFICATION_README at least twice, or more times,
until you fully understand it.  There are serious caveats to using SAV.

-- 
Stan



Re: Reject email

2013-05-09 Thread Reindl Harald


On 09.05.2013 14:14, Stan Hoeppner wrote:
 On 5/9/2013 5:28 AM, Reindl Harald wrote:

 On 09.05.2013 12:24, Héctor Moreno Blanco wrote:
 I would like to reject an email if the MX does not exist. We have enable 
 the setting /reject_unknown_sender_domain/
 and /reject_unknown_recipient_domain/. However, if the domain has DNS and 
 resolves it, the message is sent, and we
 don’t want that

 this is a completely broken idea
 
 Not completely broken.  It's not really no MX that Hector is after,
 but undeliverable sender addresses in snowshoe spam.  No MX would fall
 under this umbrella

if you have a A-record for example.com and you incoming
mail-server is on this IP you do not need any MX record
and postfix will happily use the A-record to deliver mail

another story is if there is a MX-Record but the listed
hostname does not resolve and at least for me the intention
of if the MX does not exist is not clear enough if it means

a) no MX record for the domain
b) a MX record with a non-resolving hostname

reject b) would be fine
reject a) would be stupid






RE: Reject email

2013-05-09 Thread Héctor Moreno Blanco
Thanks for all the answers!

They helped me quite a lot  :)

Regards.

Héctor Moreno Blanco



-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On 
behalf of Reindl Harald
Sent: Thursday, 09 May 2013 14:27
To: postfix-users@postfix.org
Subject: Re: Reject email



On 09.05.2013 14:14, Stan Hoeppner wrote:
 On 5/9/2013 5:28 AM, Reindl Harald wrote:

 On 09.05.2013 12:24, Héctor Moreno Blanco wrote:
 I would like to reject an email if the MX does not exist. We have
 enable the setting /reject_unknown_sender_domain/ and
 /reject_unknown_recipient_domain/. However, if the domain has DNS
 and resolves it, the message is sent, and we don't want that

 this is a completely broken idea

 Not completely broken.  It's not really no MX that Hector is after,
 but undeliverable sender addresses in snowshoe spam.  No MX would
 fall under this umbrella

if you have a A-record for example.com and you incoming mail-server is on 
this IP you do not need any MX record and postfix will happily use the A-record 
to deliver mail

another story is if there is a MX-Record but the listed hostname does not 
resolve and at least for me the intention of if the MX does not exist is not 
clear enough if it means

a) no MX record for the domain
b) a MX record with a non-resolving hostname

reject b) would be fine
reject a) would be stupid






Re: Reject email

2013-05-09 Thread Stan Hoeppner
Normally I'd avoid arguing with you, Reindl, as it simply clutters the
list.  However you made some invalid points that need to be corrected
for those who may browse the archives in the future.

On 5/9/2013 7:26 AM, Reindl Harald wrote:

 if you have a A-record for example.com and you incoming
 mail-server is on this IP you do not need any MX record
 and postfix will happily use the A-record to deliver mail

When did you last come across a domain configured strictly for fallback
to A?  While RFC may require it, and some used it in the 70s and 80s, no
receivers rely on fallback to A in 2013.  Anyone versed sufficiently in
SMTP to know of the existence of fallback to A isn't going to rely on
it.  They'll have proper MX records.

 another story is if there is a MX-Record but the listed
 hostname does not resolve and at least for me the intention
 of if the MX does not exist is not clear enough if it means
 
 a) no MX record for the domain
 b) a MX record with a non-resolving hostname
 
 reject b) would be fine

Only if the response is 4xx.  People fat finger records all the time.

 reject a) would be stupid

If generic and not selective then yes, but not because of fallback to A.
 The real problem here is legitimate send-only domains, such as some
mailing lists, bulk mail campaigns, emergency alert and other
notification systems, etc.

-- 
Stan



Re: Reject email

2013-05-09 Thread Reindl Harald

On 09.05.2013 16:44, Stan Hoeppner wrote:
 Normally I'd avoid arguing with you, Reindl, as it simply
 clutters the list

keep this bullshit for you

 On 5/9/2013 7:26 AM, Reindl Harald wrote:
 
 if you have a A-record for example.com and you incoming
 mail-server is on this IP you do not need any MX record
 and postfix will happily use the A-record to deliver mail
 
 When did you last come across a domain configured strictly for fallback
 to A?  While RFC may require it

NOT SO LONG AGO

a few years ago i was so naive and stupid to implement
a DNS check in the verify-function of my php-framework
to prevent import / subscribe to newsletter lists with
undeliverable domains

i had it to learn the hard way that RFC's are
not only for fun

 another story is if there is a MX-Record but the listed
 hostname does not resolve and at least for me the intention
 of if the MX does not exist is not clear enough if it means

 a) no MX record for the domain
 b) a MX record with a non-resolving hostname

 reject b) would be fine
 
 Only if the response is 4xx. People fat finger records all the time

that's their problem
after fixing this the next mails would go through

nobody expect that if he make mistakes in his DNS configs and is too
lazy to verify what he configured that others configure their servers
to help him

with this attitude you would need to reject all with 4xx because
someone could have make a mistake - this is a bad attitude in
context of e-mail





Re: reject email sending to certain MX

2011-12-15 Thread Robert Schetterer
On 15.12.2011 12:44, Joe Wong wrote:
 Hello,
 
  is it possible to configure postfix not to send email with recipient
 domains to certain MX host?
 
 - Joe
 

perhaps you need stuff like this

check_recipient_mx_access type:table
Search the specified access(5) database for the MX hosts for the
RCPT TO domain, and execute the corresponding action. Note: a result of
OK is not allowed for safety reasons. Instead, use DUNNO in order to
exclude specific hosts from blacklists. This feature is available in
Postfix 2.1 and later.

you might have to mix it with some recipient policy

other *mx_access exist too
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: reject email sending to certain MX

2011-12-15 Thread Noel Jones
On 12/15/2011 5:44 AM, Joe Wong wrote:
 Hello,
 
  is it possible to configure postfix not to send email with
 recipient domains to certain MX host?
 
 - Joe
 


http://www.postfix.org/postconf.5.html#check_recipient_mx_access





Re: reject email sending to certain MX

2011-12-15 Thread Joe Wong
Hi,

  I tried, it works but not the way I would like to implement. Say sender
sent a email to 3 recipients, one of them hit the rule. What I want is
sender will not get any bounce but the offending recipient will simply
dropped, while the other 2 will still get the email. Is this possible?

- Joe

On Thu, Dec 15, 2011 at 9:37 PM, Noel Jones njo...@megan.vbhcs.org wrote:

 On 12/15/2011 5:44 AM, Joe Wong wrote:
  Hello,
 
   is it possible to configure postfix not to send email with
  recipient domains to certain MX host?
 
  - Joe
 


 http://www.postfix.org/postconf.5.html#check_recipient_mx_access






Re: reject email sending to certain MX

2011-12-15 Thread Noel Jones
On 12/15/2011 10:34 AM, Joe Wong wrote:
 Hi,
 
   I tried, it works but not the way I would like to implement. Say
 sender sent a email to 3 recipients, one of them hit the rule. What
 I want is sender will not get any bounce but the offending recipient
 will simply dropped, while the other 2 will still get the email. Is
 this possible?
 
 - Joe

Discarding mail is almost always the wrong choice.

Don't use the DISCARD action with check_recipient_mx_access map, as
that will discard the mail for ALL recipients, not just the
offending recipient.

You could add a transport map entry for offending destinations, but
that operates on recipient domains, not the MX, so not exactly what
you've asked for.

# transport
blacklisted.example.com  discard:

Or you could use your firewall to reroute offending IP destinations
to a local smtp-sink process.


  -- Noel Jones