Re: restricting acceptance of mail users except from local network

On 2/24/2010 12:47 AM, Ruben Safir wrote:
> Anyway to restrict the From: header to the local domain as well as the
> From<whitespace> header
>
> It seems that Majordomo will accept the mail if the From: is different
> than the From
>
> From mrbrk...@panix.com
> From: ru...@mrbrklyn.com
>
> I'd like to reject it at the mail server if either is spoofed and it is
> not originating from my local hosts on the internal network.
>
> Actually, thinking about this, that might not be a good idea and I doubt
> it is even in the envelope.
>
> Ruben

Right, rejecting From: headers that falsely claim to be from your domain is guaranteed to cause problems. Look at your posts to this mail list...

There's no easy solution to forged From: headers, but SpamAssassin can be a big help by identifying the underlying spam payload. Also clamav antivirus with the Sanesecurity anti-spam/anti-phish addon signatures can catch a good amount of unwanted mail. Postfix can use clamav-milter to reject unwanted mail before it enters your system.

-- Noel Jones
Re: restricting acceptance of mail users except from local network

-------- Original Message --------
> Date: Tue, 23 Feb 2010 19:32:25 -0500
> From: Ruben Safir ru...@mrbrklyn.com
> To: postfix-users@postfix.org
> Subject: restricting acceptance of mail users except from local network
>
> How do I get postfix to reject mails From my own domains coming from
> outside the local network?

If all your users are authenticating when sending mails you could use something like reject_sender_login_mismatch to reject those senders (from inside or outside) that use your domains but have not authenticated.

> Ruben
> --
> http://www.mrbrklyn.com - Interesting Stuff
> http://www.nylxs.com - Leadership Development in Free Software
>
> I'm an engineer. I choose the best tool for the job, politics be damned.
> You must be a stupid engineer then, because politics and technology have
> been attached at the hip since the 1st dynasty in Ancient Egypt. I guess
> you missed that one.
Re: restricting acceptance of mail users except from local network

On Wed, Feb 24, 2010 at 01:41:00AM +0100, Steve wrote:
> -------- Original Message --------
>> Date: Tue, 23 Feb 2010 19:32:25 -0500
>> From: Ruben Safir ru...@mrbrklyn.com
>> To: postfix-users@postfix.org
>> Subject: restricting acceptance of mail users except from local network
>>
>> How do I get postfix to reject mails From my own domains coming from
>> outside the local network?
>
> If all your users are authenticating when sending mails you could use
> something like reject_sender_login_mismatch to reject those senders
> (from inside or outside) that use your domains but have not
> authenticated.

I don't want them to authenticate. I want the mailserver to just know that my domain doesn't exist in Taiwan.

Ruben

--
http://www.mrbrklyn.com - Interesting Stuff
http://www.nylxs.com - Leadership Development in Free Software

So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998

http://fairuse.nylxs.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002

Yeah - I write Free Software...so SUE ME

The tremendous problem we face is that we are becoming sharecroppers to our own cultural heritage -- we need the ability to participate in our own society.

I'm an engineer. I choose the best tool for the job, politics be damned.
You must be a stupid engineer then, because politics and technology have been attached at the hip since the 1st dynasty in Ancient Egypt. I guess you missed that one.

© Copyright for the Digital Millennium
Re: restricting acceptance of mail users except from local network

On Wed, Feb 24, 2010 at 01:41:00AM +0100, Steve wrote:
> -------- Original Message --------
>> Date: Tue, 23 Feb 2010 19:32:25 -0500
>> From: Ruben Safir ru...@mrbrklyn.com
>> To: postfix-users@postfix.org
>> Subject: restricting acceptance of mail users except from local network
>>
>> How do I get postfix to reject mails From my own domains coming from
>> outside the local network?
>
> If all your users are authenticating when sending mails you could use
> something like reject_sender_login_mismatch to reject those senders
> (from inside or outside) that use your domains but have not
> authenticated.

smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org

Will that do it?

Ruben
Re: restricting acceptance of mail users except from local network

On 2/23/2010 7:35 PM, Ruben Safir wrote:
> On Wed, Feb 24, 2010 at 01:41:00AM +0100, Steve wrote:
>> -------- Original Message --------
>>> Date: Tue, 23 Feb 2010 19:32:25 -0500
>>> From: Ruben Safir ru...@mrbrklyn.com
>>> To: postfix-users@postfix.org
>>> Subject: restricting acceptance of mail users except from local network
>>>
>>> How do I get postfix to reject mails From my own domains coming from
>>> outside the local network?
>>
>> If all your users are authenticating when sending mails you could use
>> something like reject_sender_login_mismatch to reject those senders
>> (from inside or outside) that use your domains but have not
>> authenticated.
>
> smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,
>     reject_rbl_client zen.spamhaus.org
>
> Will that do it?
>
> Ruben

While spamhaus is likely to block the majority of spam aimed at your server, it won't specifically reject mail claiming to be from your domain that isn't.

If spamhaus doesn't block enough of the spam, you can tell postfix to reject mail claiming to be from unknown local sender addresses. Set in main.cf:

    smtpd_reject_unlisted_sender = yes

or you can add a check_sender_access map to specifically reject your domain when mail isn't local.

    # WARNING this is likely to reject some legit mail
    # main.cf
    smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        check_sender_access hash:/etc/postfix/sender_access
        reject_rbl_client zen.spamhaus.org

    # /etc/postfix/sender_access
    example.com    REJECT only for internal use

to activate these changes you'll need to run

    # postmap sender_access
    # postfix reload

-- Noel Jones
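An added example, not part of the thread or of Postfix: given the warning in the message above that the check_sender_access map may reject legitimate mail, this script replays existing Postfix log lines and lists accepted messages the rule would have refused, i.e. envelope senders in the local domain arriving from clients outside mynetworks. The domain, networks and log lines are constructed; only the envelope sender is examined, which is what check_sender_access matches, not the From: header.

```python
import ipaddress
import re

# Assumed values, not from the thread: substitute your own domain(s) and
# the networks listed in mynetworks.
LOCAL_DOMAINS = {"example.com"}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

# Constructed sample of Postfix syslog lines (not real traffic).
SAMPLE_LOG = """\
Feb 24 01:00:01 mx postfix/smtpd[2101]: 1A2B3C4D5E: client=ws12.example.com[10.0.0.12]
Feb 24 01:00:01 mx postfix/qmgr[900]: 1A2B3C4D5E: from=<ruben@example.com>, size=812, nrcpt=1 (queue active)
Feb 24 01:03:44 mx postfix/smtpd[2107]: 2B3C4D5E6F: client=unknown[203.0.113.45]
Feb 24 01:03:44 mx postfix/qmgr[900]: 2B3C4D5E6F: from=<ruben@example.com>, size=4096, nrcpt=3 (queue active)
Feb 24 01:05:10 mx postfix/smtpd[2110]: 3C4D5E6F70: client=lists.example.org[198.51.100.9]
Feb 24 01:05:10 mx postfix/qmgr[900]: 3C4D5E6F70: from=<owner-list@example.org>, size=2048, nrcpt=1 (queue active)
Feb 24 01:07:30 mx postfix/smtpd[2113]: 4D5E6F7081: client=relay.example.net[192.0.2.25]
Feb 24 01:07:30 mx postfix/qmgr[900]: 4D5E6F7081: from=<Alice@EXAMPLE.COM>, size=1500, nrcpt=1 (queue active)
"""

# smtpd logs the connecting client per queue ID; qmgr logs the envelope sender.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=[^\[\s]+\[([0-9A-Fa-f.:]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")


def is_trusted(ip):
    """True if the client would be accepted early by permit_mynetworks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def would_reject(log_text):
    """List (queue_id, client_ip, sender) the sender_access REJECT would hit."""
    clients, hits = {}, []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients[m.group(1)] = m.group(2)
            continue
        m = FROM_RE.search(line)
        if not m:
            continue
        # pop() so a message re-queued after a deferral is counted once
        ip = clients.pop(m.group(1), None)
        domain = m.group(2).rpartition("@")[2].lower()
        # Exact-domain match only; subdomain matching is left out here.
        if ip and domain in LOCAL_DOMAINS and not is_trusted(ip):
            hits.append((m.group(1), ip, m.group(2)))
    return hits


if __name__ == "__main__":
    for qid, ip, sender in would_reject(SAMPLE_LOG):
        print(f"{qid}: envelope sender {sender} from outside client {ip}")
```

Each hit is mail that was accepted before the change and would be refused after it, so the list is worth reviewing for forwarders or list servers before the map goes live.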
Re: restricting acceptance of mail users except from local network

On Tue, Feb 23, 2010 at 08:23:11PM -0600, Noel Jones wrote:
> On 2/23/2010 7:35 PM, Ruben Safir wrote:
>> On Wed, Feb 24, 2010 at 01:41:00AM +0100, Steve wrote:
>>> -------- Original Message --------
>>>> Date: Tue, 23 Feb 2010 19:32:25 -0500
>>>> From: Ruben Safir ru...@mrbrklyn.com
>>>> To: postfix-users@postfix.org
>>>> Subject: restricting acceptance of mail users except from local network
>>>>
>>>> How do I get postfix to reject mails From my own domains coming from
>>>> outside the local network?
>>>
>>> If all your users are authenticating when sending mails you could use
>>> something like reject_sender_login_mismatch to reject those senders
>>> (from inside or outside) that use your domains but have not
>>> authenticated.
>>
>> smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,
>>     reject_rbl_client zen.spamhaus.org
>>
>> Will that do it?
>>
>> Ruben
>
> While spamhaus is likely to block the majority of spam aimed at your
> server, it won't specifically reject mail claiming to be from your
> domain that isn't.

I didn't think it would. Different issue. I want the mail to flatly deny any mail from any of my domains unless it arrives from my local network on eth1 which is a 10.0.0.0 block with hostnames given by my dhcpd server, or from the mailserver itself. I want it to flatly reject mail claiming to be from my domains from anywhere else.

> If spamhaus doesn't block enough of the spam, you can tell postfix to
> reject mail claiming to be from unknown local sender addresses. Set in
> main.cf:
>
>     smtpd_reject_unlisted_sender = yes
>
> or you can add a check_sender_access map to specifically reject your
> domain when mail isn't local.

If it is not from my local network it is not legitimate mail if it is using my domain. I can not service or receive mail addressed From mrbrklyn.com that isn't coming from my local network. It is 100% of the time always wrong. I know that panix allows me to send mail from my local network to the panix mail servers for later relay, using authentication, or maybe pop. I don't want this functionality.

If it is not coming from our servers or hosts, it's not us and I want to summarily reject such mail.

>     # WARNING this is likely to reject some legit mail
>     # main.cf
>     smtpd_recipient_restrictions =
>         permit_mynetworks
>         reject_unauth_destination
>         check_sender_access hash:/etc/postfix/sender_access
>         reject_rbl_client zen.spamhaus.org
>
>     # /etc/postfix/sender_access
>     example.com    REJECT only for internal use
>
> to activate these changes you'll need to run
>
>     # postmap sender_access
>     # postfix reload
>
> -- Noel Jones
Re: restricting acceptance of mail users except from local network

On 23-Feb-10 17:32, Ruben Safir wrote:
> How do I get postfix to reject mails From my own domains coming from
> outside the local network?

This is a FAQ, and a complicated one.

Are you trying to just block any email that is from u...@yourdomain.tld and to u...@yourdomain.tld?

If so, the easiest way, and the most sensible, is to have users authenticate and then reject unauthenticated local users.

You could also just take a sledgehammer and forbid anyone outside sending mail 'from' a local user, but unless you are absolutely positive that no one will even want to send mail to themselves (something I do daily for example) you are just going to piss people off.

You can set up SPF for yourself and enforce it, but again, this is going to annoy your road warrior who is forced to use a 3rd party server to send out mail (since many ISPs block port 25).

Really, the best solution is to tell your users to use port 587 and make them authenticate. Works for everyone.
Re: restricting acceptance of mail users except from local network

On Tue, Feb 23, 2010 at 08:32:57PM -0700, LuKreme wrote:
> On 23-Feb-10 17:32, Ruben Safir wrote:
>> How do I get postfix to reject mails From my own domains coming from
>> outside the local network?
>
> This is a FAQ, and a complicated one.
>
> Are you trying to just block any email that is from u...@yourdomain.tld
> and to u...@yourdomain.tld?
>
> If so, the easiest way, and the most sensible, is to have users
> authenticate and then reject unauthenticated local users.
>
> You could also just take a sledgehammer and forbid anyone outside
> sending mail 'from' a local user, but unless you are absolutely positive
> that no one will even want to send mail to themselves (something I do
> daily for example) you are just going to piss people off.
>
> You can set up SPF for yourself and enforce it, but again, this is going
> to annoy your road warrior who is forced to use a 3rd party server to
> send out mail (since many ISPs block port 25).
>
> Really, the best solution is to tell your users to use port 587 and make
> them authenticate. Works for everyone.

This is getting philosophical and I just don't care. Mail From our domain has to originate from OUR domain. No exceptions. They can ssh in and use mutt, or use the VPN.

Ruben
Re: restricting acceptance of mail users except from local network

On 23-Feb-10 20:48, Ruben Safir wrote:
> This is getting philosophical and I just don't care. Mail From our
> domain has to originate from OUR domain. No exceptions.

Then you've already been given the solution by Noel.

--
Bite me, suck me, show me you care
Re: restricting acceptance of mail users except from local network

On Tue, Feb 23, 2010 at 08:52:00PM -0700, LuKreme wrote:
> On 23-Feb-10 20:48, Ruben Safir wrote:
>> This is getting philosophical and I just don't care. Mail From our
>> domain has to originate from OUR domain. No exceptions.
>
> Then you've already been given the solution by Noel.

Thanks

> --
> Bite me, suck me, show me you care

Hah - think I'll pass :)
Re: restricting acceptance of mail users except from local network

On Tue, Feb 23, 2010 at 08:23:11PM -0600, Noel Jones wrote:
> On 2/23/2010 7:35 PM, Ruben Safir wrote:
>> On Wed, Feb 24, 2010 at 01:41:00AM +0100, Steve wrote:
>>> -------- Original Message --------
>>>> Date: Tue, 23 Feb 2010 19:32:25 -0500
>>>> From: Ruben Safir ru...@mrbrklyn.com
>>>> To: postfix-users@postfix.org
>>>> Subject: restricting acceptance of mail users except from local network
>>>>
>>>> How do I get postfix to reject mails From my own domains coming from
>>>> outside the local network?
>>>
>>> If all your users are authenticating when sending mails you could use
>>> something like reject_sender_login_mismatch to reject those senders
>>> (from inside or outside) that use your domains but have not
>>> authenticated.

Anyway to restrict the From: header to the local domain as well as the From<whitespace> header

It seems that Majordomo will accept the mail if the From: is different than the From

From mrbrk...@panix.com
From: ru...@mrbrklyn.com

I'd like to reject it at the mail server if either is spoofed and it is not originating from my local hosts on the internal network.

Ruben
Re: restricting acceptance of mail users except from local network

> Anyway to restrict the From: header to the local domain as well as the
> From<whitespace> header
>
> It seems that Majordomo will accept the mail if the From: is different
> than the From
>
> From mrbrk...@panix.com
> From: ru...@mrbrklyn.com
>
> I'd like to reject it at the mail server if either is spoofed and it is
> not originating from my local hosts on the internal network.

Actually, thinking about this, that might not be a good idea and I doubt it is even in the envelope.

Ruben