OSEC

Re: Stopping Spam/Virus using fake addresses inside local network

From: mouss (usebsdfree.fr)
Date: Wed Jun 01 2005 - 17:01:48 CDT


Righteous Jester wrote:
> Howdy Everybody.
>
> I want to allow clients to relay through my box, but base the allow
> rules on IP address and domain names.
>
> Here is the situation. We currently have about 100 IPs that are
> allowed to relay through our box, which works wonderfully.
>
> The problem is, when one of these guys gets a virus, it sends out
> hundreds of emails with a fake sender address e.g. moocow@yahoo.com to
> random addresses e.g. foobar@hotmail.com which we kindly deliver for them
> because their IP address is in $my_networks.
>
> I want to be able to allow these guys to relay through us using their IP
> but at the same time say that the sender's domain must be in this list
> "/etc/postfix/clients" - if it isn't then the recipient must be either a
> local destination or a relay_domain. So if the sender's domain is not in
> the list and the recipient is not a local user or relay_domain - then
> it must be denied.
>
> Here is the setup I tried.
>
> smtpd_recipient_restrictions = permit_auth_destination,
> check_client_access hash:/etc/postfix/clients,
> reject_unlisted_sender,
> reject_unauth_destination
>
> This works until the local domains try to send outside e.g.
> me@mydomain.com to moocow@yahoo.com then I get:
> reject: RCPT from me@mydomain.com - Relay access denied

That's because you didn't allow your clients to relay!

> And as soon as I add "permit_mynetworks" then I am back to square one.
>
> So can someone throw me a freakin bone here?
>
>

Don't put them in mynetworks. Instead, put them in their own list and do
whatever checks you like. Here is an example:

relay_client_maps = hash:$path/relay_clients
smtpd_restriction_classes = .... relay_client

relay_client =
        check_sender_access hash:$path/relay_senders

smtpd_recipient_restrictions =
        permit_sasl_authenticated
        permit_mynetworks
        check_client_access $relay_client_maps
        reject_unauth_destination
        ...

# cat relay_clients
10.20.30.40 relay_client
myfriend.example relay_client
another.example relay_client
athird.example relay_client

# cat relay_senders
myfriend.example OK
another.example OK
...

Of course, generate relay_senders from relay_clients by removing the IP
lines and replacing relay_client by OK.
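The transformation just described, as an added shell example (my own script, not part of mouss's post): it reads a relay_clients-style access table, drops the IPv4/CIDR keys, and rewrites the relay_client action to OK so the output can be fed to postmap as relay_senders. The file names and the sample entries are assumptions for illustration; IPv6 keys are not handled.

```sh
#!/bin/sh
# Added example, not from the original post: derive relay_senders from
# relay_clients. Domain keys keep their "OK" action for check_sender_access;
# IPv4 and CIDR keys (digits, dots, slashes only) are dropped because a
# sender address has a domain, not an IP, on the right of the "@".
gen_relay_senders() {
    # $1: path to the relay_clients access table (hash: source file)
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }  # skip comments and blank lines
        $1 ~ "^[0-9./]+$"                    { next }  # skip IPv4 / CIDR keys (IPv6 not handled)
        $2 == "relay_client"                 { print $1, "OK"; next }
        { print }                                      # pass other entries through unchanged
    ' "$1"
}

# Stand-alone use: gen_relay_senders /etc/postfix/relay_clients > /etc/postfix/relay_senders
# followed by: postmap hash:/etc/postfix/relay_senders
if [ "$#" -gt 0 ]; then
    gen_relay_senders "$1"
fi
```

Run it whenever relay_clients changes, then postmap both files; Postfix reads the .db files, so a regenerated relay_senders only takes effect after postmap.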

You can also add other checks for these guys. For instance:

relay_client =
        reject_non_fqdn_sender
        reject_non_fqdn_hostname
        ...
        check_sender_access hash:$path/relay_senders
        ...

Some viruses helo with UPPER.lower (such as MYCOMPUTER.com). You may (at
your own risk) filter such things with a pcre, something like:
/^[A-Z]+\.[a-z]+$/ REJECT
in check_helo_access.

(Also, you can restrict the helo to these domains. This is similar to
the sender restriction above, but using both is tricky. Use another
restriction class if needed.)