Neroxyr started:
>>> our internal mail server has encountered some unknown senders
>>> and we want to control them by validating the users that are in
>>> the passwd file
Chris Hoogendyk wrote:
> make sure you are not an open relay, and you want your own users to
> have to authenticate to send mail out. Typically, TLS or SSL over
> port 587 (submission port) rather than port 25.

Neroxyr may have been asking something else. Is this regarding mail
*received* from unknown senders? Do you want to check for forged
senders? Do you want to check for invalid recipients?

Forgery can be mitigated with SPF* and/or DKIM, while invalid recipients
have no easy solution. A plugin could conceivably check against a passwd
file (and aliases, virtual users, ...) to catch invalid users at the
local domain(s) that appear in the message headers, but I don't know of
such a thing.

Note - I'd love to see a reversed whitelist_from_spf, matching an
address with the SPF failure rules, perhaps like:

  blacklist_from_spf_fail     *...@my-domain.example.net
  blacklist_from_spf_softfail *...@my-other-domain.example.com  # inclusive

Currently, the softfail version can be done (I think?) through:

  # Assumes the scores USER_IN_BLACKLIST + USER_IN_SPF_WHITELIST = 0
  # (the default is 100 + -100 = 0)
  ifplugin Mail::SpamAssassin::Plugin::SPF
    # every From: at the domain gets USER_IN_BLACKLIST ...
    blacklist_from     *...@my-domain.example.net
    # ... and only an SPF pass cancels it with USER_IN_SPF_WHITELIST
    whitelist_from_spf *...@my-domain.example.net
  endif

Notable problem: if for some reason the SPF plugin is loaded but doesn't
fire (which happens for me all the time), this has BIG problems.

Uglier but safer implementation:

  ifplugin Mail::SpamAssassin::Plugin::SPF
    # sub-rule: From: address is at the local domain
    header   __LOCAL_SPF_BL From:addr =~ /\...@my-domain.example.net$/i
    # fires only when the SPF plugin positively reports a failure
    meta     BLACKLIST_FROM_SPF __LOCAL_SPF_BL && (SPF_FAIL||SPF_HELO_FAIL)
    describe BLACKLIST_FROM_SPF From: address is in the SPF blacklist
    tflags   BLACKLIST_FROM_SPF userconf noautolearn
    score    BLACKLIST_FROM_SPF 100
  endif
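The following is an added example, not part of the post above and not SpamAssassin's own code. It models the two rule strategies the post describes in plain Python so the "plugin loaded but doesn't fire" failure mode can be seen on constructed messages. Assumptions: SpamAssassin's default scores USER_IN_BLACKLIST = 100 and USER_IN_SPF_WHITELIST = -100; the SPF plugin's verdict is represented by a Received-SPF header (an absent header stands for "no result"); only the mailfrom identity is modelled, so SPF_HELO_FAIL is folded into SPF_FAIL; my-domain.example.net is the local domain, written in the unmasked `*@domain` form that blacklist_from expects. The sample messages are constructed.

```python
# Added example (not from the thread or from SpamAssassin): compare the
# "blacklist_from + whitelist_from_spf" pairing with the explicit meta rule.
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"my-domain.example.net"}   # assumed local domain(s)

USER_IN_BLACKLIST = 100.0       # SpamAssassin default for blacklist_from hits
USER_IN_SPF_WHITELIST = -100.0  # SpamAssassin default for whitelist_from_spf hits
BLACKLIST_FROM_SPF = 100.0      # score the post assigns to its meta rule


def from_domain(msg) -> str:
    """Domain of the From: address (what SA's 'From:addr' header rule sees)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def spf_result(msg):
    """SPF verdict ('pass', 'fail', 'softfail', ...) or None if none recorded.
    Stand-in for the plugin's own lookup; None models 'plugin didn't fire'."""
    hdr = msg.get("Received-SPF")
    return hdr.split()[0].lower() if hdr else None


def score_blacklist_plus_spf_whitelist(msg) -> float:
    """Strategy 1 from the post:
         blacklist_from     *@my-domain.example.net
         whitelist_from_spf *@my-domain.example.net
    USER_IN_BLACKLIST fires on every From: at the local domain; the
    offsetting USER_IN_SPF_WHITELIST fires only on a positive SPF pass."""
    if from_domain(msg) not in LOCAL_DOMAINS:
        return 0.0
    score = USER_IN_BLACKLIST
    if spf_result(msg) == "pass":
        score += USER_IN_SPF_WHITELIST
    return score


def score_meta_rule(msg) -> float:
    r"""Strategy 2 from the post:
         header __LOCAL_SPF_BL From:addr =~ /@my-domain\.example\.net$/i
         meta   BLACKLIST_FROM_SPF __LOCAL_SPF_BL && (SPF_FAIL||SPF_HELO_FAIL)
    Fires only when the plugin positively reports a failure (mailfrom
    identity only in this model)."""
    local = from_domain(msg) in LOCAL_DOMAINS
    return BLACKLIST_FROM_SPF if local and spf_result(msg) == "fail" else 0.0


def evaluate(raw: str) -> dict:
    """Score one raw message under both strategies."""
    msg = message_from_string(raw)
    return {
        "blacklist+spf_whitelist": score_blacklist_plus_spf_whitelist(msg),
        "meta_rule": score_meta_rule(msg),
    }


# Constructed sample messages (headers only; bodies are irrelevant to the rules).
FORGED = """From: alice@my-domain.example.net
Received-SPF: fail (mx.example.net: 203.0.113.7 is not a permitted sender)
Subject: forged local sender

"""
LEGIT = """From: alice@my-domain.example.net
Received-SPF: pass (mx.example.net: 192.0.2.10 is a permitted sender)
Subject: genuine local sender

"""
SOFTFAIL = """From: alice@my-domain.example.net
Received-SPF: softfail (mx.example.net: 203.0.113.7 is not a permitted sender)
Subject: softfail

"""
NO_SPF_RESULT = """From: alice@my-domain.example.net
Subject: SPF plugin produced no verdict

"""
OUTSIDE = """From: bob@other.example.org
Received-SPF: fail (mx.example.net: 203.0.113.7 is not a permitted sender)
Subject: not our domain

"""

if __name__ == "__main__":
    for name, raw in [("forged", FORGED), ("legit", LEGIT), ("softfail", SOFTFAIL),
                      ("no SPF result", NO_SPF_RESULT), ("other domain", OUTSIDE)]:
        print(f"{name:14s} {evaluate(raw)}")
```

The two strategies agree on a forged message (both +100), a genuine one (both 0) and mail from other domains (both 0). They differ on the cases the post cares about: strategy 1 also penalises a softfail, which is the intended "softfail version", but it penalises a message with no SPF verdict at all by the same +100, which is the false positive the post warns about; the meta rule stays at 0 there because it needs a positive SPF_FAIL hit.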