Re: whitelist sender address (not by server)

From: /dev/rob0 (rob0gmx.co.uk)
Date: Tue Feb 08 2005 - 23:38:50 CST


On Tuesday 08 February 2005 15:14, Dylan wrote:
> Cami, thank you for the reply. In the following conf output you'll
> notice I moved the check_sender_access to the
> smtpd_sender_restrictions and it seems to be working. Is this not the
> right way to do what I am aiming for?

This might help to explain your restrictions to you:
    http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

> smtpd_data_restrictions = reject_unauth_pipelining, permit

That's reasonable.

> smtpd_helo_required = yes

This will probably block some non-spam.

> smtpd_recipient_restrictions = check_sender_mx_access
> cidr:$config_directory/reject_certain_senders_mx.cidr,

We don't know what's in that file.

> check_recipient_access
> hash:$config_directory/block_local, permit_mynetworks,

Ditto block_local.

> reject_unauth_destination, reject_non_fqdn_recipient,

Okay.

> reject_rbl_client relays.ordb.org, reject_rbl_client
> opm.blitzed.org, reject_rbl_client list.dsbl.org,
> reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client cbl.abuseat.org,
> reject_rbl_client dul.dnsbl.sorbs.net

3 of those (opm.blitzed.org, sbl.spamhaus.org, and cbl.abuseat.org)
could all be queried in a single check of sbl-xbl.spamhaus.org.

Did you investigate these lists? I did before I started entrusting any
RBLs with my mail. I signed up for their announcement lists, too.
RBLs come and go, and some which have gone started returning positive
replies to every query. That would block all your mail!

> smtpd_sender_restrictions = permit_mynetworks,

smtpd_sender_restrictions is evaluated at a different time. Again, see
Jim Seymour's explanation of how these work (and it's always useful to
keep your postconf.5.html open.)

> check_sender_access hash:/etc/postfix/sender_checks,

We don't know what's in this file.

> reject_invalid_hostname,

This is a HELO check, and it will block a lot of legitimate mail. The
fact that you moved your sender_checks here allowed that mail to bypass
this restriction (an "OK" in sender_checks evaluates to a "DUNNO" for
the smtpd_sender_restrictions stage.)

> reject_unknown_address, reject_unknown_hostname,

reject_unknown_hostname is another HELO check, and it's also likely to
block some real mail.

> reject_unknown_sender_domain, reject_non_fqdn_hostname,
> reject_non_fqdn_sender,

These 3 and reject_unknown_address could safely go before all the RBL
checks. It's silly (abusive!) to query those services for mail you're
going to reject anyway. These are even safe to go before
permit_mynetworks.

> At 04:11 PM 2/8/2005, you wrote:

BTW, top-posting is bad. :)

> >Dylan wrote:
> >>I'm finding that a lot of legit email is being rejected due to one
> >> of my UCE measures in postfix.

I wouldn't want to use restrictions I didn't understand, but maybe I'm
too conservative.

> >> I'm trying to whitelist several
> >> domains using the sender_checks hash under
> >> smtpd_recipient_restrictions.

This is reckless, as spammers usually use false envelope sender
addresses ... often forged REAL ones. Spyware grabs your Windows-using
friend's computer, grabs his address book, and sends mail as him to
you! He's in your whitelist, so you accept it.

Take the time to look through and to understand your $html_directory.
There's a lot of good information there.
--
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
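
A simplified model of the restriction-list evaluation discussed in the message above, added here as an example and not part of the original post: an "OK" from a sender whitelist ends only the list it appears in, so it skips the HELO checks that follow it there, while checks in another list still run. The check functions are stand-ins for the real Postfix restrictions, and the table contents, addresses and hostnames are constructed.

```python
# Simplified model of how Postfix walks its smtpd_*_restrictions lists.
# Added illustration: the checks are stand-ins, the data is constructed.
REJECT, OK, DUNNO = "REJECT", "OK", "DUNNO"

RBL_LISTED = {"192.0.2.66"}             # constructed: client IP on an RBL
SENDER_CHECKS = {"friend.example": OK}  # constructed sender_checks table

def check_sender_access(mail):
    # Lookup keyed on the envelope sender's domain, which the client chooses.
    return SENDER_CHECKS.get(mail["sender"].rsplit("@", 1)[-1], DUNNO)

def helo_check(mail):
    # Stand-in for the HELO checks (reject_invalid_hostname and friends).
    return REJECT if "." not in mail["helo"] else DUNNO

def rbl_check(mail):
    # Stand-in for reject_rbl_client.
    return REJECT if mail["client"] in RBL_LISTED else DUNNO

# Shape of the configuration in the post: the whitelist sits in front of the
# HELO checks in the sender list; the RBL lookups are in the recipient list.
STAGES = [
    ("smtpd_sender_restrictions", [check_sender_access, helo_check]),
    ("smtpd_recipient_restrictions", [rbl_check]),
]

def evaluate(mail, stages=STAGES):
    """Return (verdict, trace); trace records each decisive result."""
    trace = []
    for stage, checks in stages:
        for check in checks:
            result = check(mail)
            if result == DUNNO:
                continue              # no opinion: try the next restriction
            trace.append((stage, check.__name__, result))
            if result == REJECT:
                return REJECT, trace  # a REJECT in any list is final
            break                     # OK ends this list only
    return OK, trace                  # nothing rejected: mail is accepted

if __name__ == "__main__":
    forged = {"sender": "bob@friend.example", "helo": "pc", "client": "198.51.100.7"}
    listed = dict(forged, client="192.0.2.66")
    stranger = dict(forged, sender="x@other.example")
    for name, mail in [("forged", forged), ("listed", listed), ("stranger", stranger)]:
        print(name, *evaluate(mail))
```
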