Re: Update: Postfix blacklist by MX or NS host
From: Alexander Skwar (listen alexander.skwar.name)
Date: Fri Sep 19 2003 - 13:21:27 CDT
Noel Jones wrote:
> You need to upgrade to the postfix-2.0.16-mumble snapshot version or newer
> to get smtpd_mumble_restrictions enabled.
>
>
> No, wait, I can't do that to you.... ;) smtpd_mumble_restrictions is
> shorthand for smtpd_SOMETHING_restrictions, such as
*ARGL* Now I made a complete fool out of myself, didn't I? I hope you
all had a good laugh!
*G* Reading my mails again, I *am* laughing ;)
> smtpd_sender_restrictions, smtpd_recipient_restrictions, etc. There is not
> a literal "smtpd_mumble_restrictions".
Ah, thanks. It would be nice if this were written somewhere.
> check_sender_mx_access checks the MX records of the MAIL FROM domain, not
> the domain itself.
Okay. So suppose I've got:
smtpd_helo_restrictions =
    check_helo_mx_access hash:/etc/postfix/mx_access

root@hetzner:/etc/postfix# cat /etc/postfix/mx_access
spammer.haven.tld reject spammer mx host
64.94.110.11 reject mail server in verisign wild-card domain
What would this do? As I understand it, it would check whether the
MX record of the domain given in HELO is listed in mx_access, and if so,
it would reject the mail. Is this correct? If it is, how does this help
against the Verisign wildcard trick? The Verisign wildcard domains don't
have MX records:
root@hetzner:/etc/postfix# dig verisign-rules-not.net mx
; <<>> DiG 9.2.2 <<>> verisign-rules-not.net mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23049
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;verisign-rules-not.net. IN MX
;; AUTHORITY SECTION:
net. 10800 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 2003091900 1800 900 604800 86400
;; Query time: 23 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 19 20:25:28 2003
;; MSG SIZE rcvd: 113
Thanks again,
Alexander Skwar
--
-> Do not CC me on replies - I read the list in which I write! <-
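
The lookup discussed in this message, modelled as an added example (not part of the original post and not Postfix's own code). It assumes that a domain without MX records is treated as its own mail exchanger, so its A record is what gets matched; the DNS data, the example.* names and the 192.0.2.x addresses are constructed, and only exact table keys are matched.

```python
# Constructed DNS answers, embedded so the example runs offline.
DNS = {
    ("spamvertised.example", "MX"): ["spammer.haven.tld"],
    ("spammer.haven.tld", "A"): ["192.0.2.25"],
    # Wildcard-style domain as in the dig output above: no MX, only an A record.
    ("verisign-rules-not.net", "A"): ["64.94.110.11"],
    ("good.example", "MX"): ["mail.good.example"],
    ("mail.good.example", "A"): ["192.0.2.80"],
}

# The mx_access table quoted in the post: lookup key -> action text.
MX_ACCESS = {
    "spammer.haven.tld": "reject spammer mx host",
    "64.94.110.11": "reject mail server in verisign wild-card domain",
}


def mail_exchangers(domain):
    """Return the MX host names for a domain.

    ASSUMPTION: when there is no MX record, the domain itself is used
    as the (implicit) mail exchanger.
    """
    return DNS.get((domain, "MX")) or [domain]


def check_mx_access(domain, table=MX_ACCESS):
    """Match each mail exchanger's name and addresses against the table."""
    for host in mail_exchangers(domain):
        for key in [host] + DNS.get((host, "A"), []):
            if key in table:
                return table[key]
    return "DUNNO"  # no match: the restriction expresses no opinion


if __name__ == "__main__":
    for name in ("spamvertised.example", "verisign-rules-not.net", "good.example"):
        print(name, "->", check_mx_access(name))
```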