* Ted Mittelstaedt <t...@ipinc.net>:
> On 12/17/2010 8:41 AM, Jason Bertoch wrote:
> >On 2010/12/17 11:28 AM, Aaron Bennett wrote:
> >>I've got an issue where users off-campus who are doing authenticated
> >>SMTP/TLS from home networks are having their mail hit by the PBL. I
> >>have trusted_networks set to include the incoming relay, but still the
> >>PBL hits it as follows:
> >>
> >>Received: from cmail.clarku.edu (muse.clarku.edu [140.232.1.151])
> >>by mothra.clarku.edu (Postfix) with ESMTP id D4FC2684FEA
> >>for<re...@clarku.edu>; Tue, 7 Dec 2010 00:11:24 -0500 (EST)
> >>Received: from SENDERMACHINE (macaddress.hsd1.ma.comcast.net
> >>[98.216.185.77])
> >>by cmail.clarku.edu (Postfix) with ESMTP id 82F21901E48
> >>for<re...@clarku.edu>; Tue, 7 Dec 2010 00:11:24 -0500 (EST)
> >>From: "USER NAME"<sen...@clarku.edu>
> >>
> >>Despite that internal_networks and trusted_networks are set to
> >>140.232.0.0/16, the message still triggers the PBL rule. Given that I
> >>know that (unless there's a trojaned machine or whatever) I must trust
> >>email that comes in over authenticated SMTP/TLS through the 'cmail'
> >>host, how can I prevent it from hitting the PBL?
> >

The examples you provided above only tell that ESMTP was used. This makes me think
you are either using a very ancient version of Postfix or the Received: headers
stem from a sender who did not use SMTP AUTH, because Postfix prints ESMTPSA
(S=secure, A=authenticated) when TLS and SMTP AUTH have been used in the SMTP
session.

> >Based on the headers you included, there's nothing indicating the sender
> >was authenticated. Are you using the following in postfix?
> >
> >smtpd_sasl_authenticated_header yes
> 
> And what prevents a spammer from forging this into a header and
> bypassing SA?  Just askin.

Anyone can forge this, but you don't need to fall for it.

You could, for example, only let users send messages from your servers if they
use the submission port (tcp/587). On this port SMTP AUTH is a must to send a
message and smtpd_sasl_authenticated_header may be trusted safely (unless
someone's credentials have been stolen and the spammer uses that identity).

At the same time you disable SMTP AUTH on port 25 and kill any header that
claims to be from your server using ESMTPA or ESMTPSA.

You could, for example, place a special header check next to your regular port
25 smtp service in master.cf. The header check rule matches on your server
name and the string ESMTP[A|SA] and results in IGNORE (see: man 5
header_checks):

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# Port 25: MTA-to-MTA traffic only. No SMTP AUTH here, and strip any Received:
# header that claims this server authenticated the sender.
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
  -o header_checks=pcre:/etc/postfix/kill_forged_headers
# Port 587: submission for your own users. TLS and SMTP AUTH are mandatory,
# so the ESMTPSA marker written here can be trusted.
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_authenticated_header=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING


in /etc/postfix/kill_forged_headers:
# header_checks matches the whole logical header, "Received:" name included,
# so anchor on the header name, not on "by". (A|SA) is an alternation;
# [A|SA] would be a character class (A, "|" or S) that also matches plain
# ESMTPS, i.e. TLS without authentication. Replace example.org with your host.
/^Received:.*\bby\hexample\.org\h\(Postfix\)\hwith\hESMTP(A|SA)\b/    IGNORE

p...@rick


-- 
state of mind
Digitale Kommunikation

http://www.state-of-mind.de

Franziskanerstraße 15      Telefon +49 89 3090 4664
81669 München              Telefax +49 89 3090 4666

Amtsgericht München        Partnerschaftsregister PR 563
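The check the header rule above performs, worked through in Python as an added example that is not part of the original post: it feeds Received: headers to a pattern the way Postfix header_checks sees them (whole logical header, name included, folded lines kept) and reports which hops would be IGNOREd on the port 25 service. The hostname example.org, the message and its queue ids are constructed placeholders; Python's re module has no \h, so horizontal whitespace is written as [ \t]. The second helper probes the protocol tokens directly and shows the difference between ESMTP[A|SA] (a character class that also drops TLS-only ESMTPS hops) and ESMTP(A|SA) (the intended alternation).

```python
import email
import re

# Hostname whose "with ESMTPA/ESMTPSA" Received: lines must only ever be
# written by the submission service. Placeholder value for this example.
OUR_MTA = "example.org"

# Constructed sample message (not from the thread). Top hop: the genuine
# port-25 delivery. Middle hop: a forged claim that our own server
# authenticated the sender. Bottom hop: a legitimate TLS-only (ESMTPS) hop
# that a careless pattern would also throw away.
SAMPLE_MESSAGE = b"""\
Received: from cmail.example.org (cmail.example.org [192.0.2.10])
\tby example.org (Postfix) with ESMTP id 0123456789AB
\tfor <user@example.org>; Tue,  7 Dec 2010 00:11:24 -0500 (EST)
Received: from SENDERMACHINE (host.example.net [198.51.100.77])
\tby example.org (Postfix) with ESMTPSA id 0123456789CD
\tfor <user@example.org>; Tue,  7 Dec 2010 00:11:23 -0500 (EST)
Received: from relay.example.net (relay.example.net [203.0.113.5])
\tby example.org (Postfix) with ESMTPS id 0123456789EF
\tfor <user@example.org>; Tue,  7 Dec 2010 00:11:22 -0500 (EST)
From: "User Name" <sender@example.org>
Subject: constructed test message

body
"""

# Postfix pcre tables default to caseless + dotall, hence re.I | re.S.
# Anchored on the header name because the logical header starts with
# "Received:", not with "by".
FORGED_AUTH_HOP = re.compile(
    r"^Received:.*\bby[ \t]" + re.escape(OUR_MTA)
    + r"[ \t]\(Postfix\)[ \t]with[ \t]ESMTP(A|SA)\b",
    re.I | re.S,
)


def logical_headers(raw: bytes, name: str = "Received") -> list[str]:
    """Headers the way Postfix header_checks sees them: one logical line per
    header, header name included, folded continuation lines kept."""
    msg = email.message_from_bytes(raw)
    return [f"{name}: {value}" for value in msg.get_all(name, [])]


def forged_auth_hops(raw: bytes) -> list[str]:
    """Received: headers the port-25 rule would IGNORE."""
    return [h for h in logical_headers(raw) if FORGED_AUTH_HOP.search(h)]


PROTOCOL_TOKENS = ("ESMTP", "ESMTPS", "ESMTPA", "ESMTPSA")


def accepted_tokens(tail: str) -> tuple[str, ...]:
    """Which 'with <protocol>' tokens a pattern tail accepts, probed on a
    minimal constructed hop fragment."""
    pat = re.compile(r"with[ \t]" + tail, re.I)
    return tuple(t for t in PROTOCOL_TOKENS if pat.search(f"with {t} id 0123"))


if __name__ == "__main__":
    for hop in forged_auth_hops(SAMPLE_MESSAGE):
        print("IGNORE:", hop.replace("\n", " "))
    print("[A|SA] accepts:", accepted_tokens("ESMTP[A|SA]"))
    print("(A|SA) accepts:", accepted_tokens(r"ESMTP(A|SA)\b"))
```

Only the ESMTPSA hop is reported; the genuine ESMTP hop and the TLS-only ESMTPS hop survive, which is what you want on port 25.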
