From: Sandy Drobic (postfix-users at japantest.homelinux.com)
Date: Thu Feb 07 2008 - 13:44:19 CST
Alejandro Facultad wrote:
> Magnus Bäck wrote:
>>
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> 220 mail.example.com ESMTP Postfix (2.3.2)
>> HELO localhost
>> 250 mail.example.com
>> MAIL FROM:<>
>> 250 2.1.0 Ok
>> RCPT TO:<nonexistentuser@example.com>
>> 250 2.1.5 Ok
>> DATA
>> 554 5.5.1 Error: no valid recipients
>
> Here is the point, I want the same behaviour you say because we have
> information that some people from Internet do just you write above and
> when they get:
This information should be in your log file, so search for proof of that rumor
and solve the real problem:
If you see someone probing your server block him at the ip level with tools
like fail2ban or denyhosts.
Do not allow someone to use a dictionary approach to find out valid addresses.
Have a look at smtpd_soft_error_limit and smtpd_hard_error_limit and the tools
I mentioned above.
> RCPT TO:<nonexistentuser@example.com>
> 250 2.1.5 Ok
>
> this 250 indicates that the user from our organization is a valid user
> and they get it, so they stop here and they don't follow with DATA
> command.
Unfortunately there are a lot of clients that want to submit mails to your
server (at least I assume there are). If not please unplug the network cable
and simply spare yourself a lot of trouble.
If you do not reject invalid recipients after RCPT TO, then after DATA you
have no choice but to reject the entire mail for all recipients. Please be
aware that many mails are addressed to more than one recipient.
What do you do with mails where 5 recipients are valid and one recipient has a
typo in the address? If you accept the mail then you also accept the mail for
the invalid recipient, if you reject the mail the valid recipients won't get
their mail and the sender is notified that the mail was rejected.
Two hours later your boss wants to know from you why his terribly important
mail from his trusted communication partner was rejected.
> We work for a government organization with sensible data, so our mails
> can't be in public data bases.
>
> If "intruder" do:
>
> RCPT TO:<nonexistentuser@example.com>
> 250 2.1.5 Ok
>
> they won't know which mail account is valid or invalid, always get the
> same code and this behaviour "obfuscates" the valid mail accounts.
Yes, this obfuscation also works very well on real senders. Please think very
carefully about the consequences of such an implementation. It would
definitely reduce the reliability of your mail system. Either you reject mails
for legit senders or you accept responsibility for undeliverable mails. Both
are BAD solutions.
Solve the real problem of the probing clients.
--
Sandy
List replies only please!
Please address PMs to: news-reply2 (at) japantest (.) homelinux (.) com
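The log check Sandy recommends, as an added example that is not part of the thread: count distinct unknown recipients rejected at RCPT per client IP over constructed Postfix smtpd log lines (the NOQUEUE reject format and the sample addresses are assumptions), so that a dictionary prober stands out from a legitimate sender with one typo.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual Postfix smtpd NOQUEUE reject format
# (the exact format is an assumption; these are not real log entries).
SAMPLE_LOG = """\
Feb  7 13:40:01 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<aaron@example.com> proto=SMTP helo=<localhost>
Feb  7 13:40:02 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<abby@example.com> proto=SMTP helo=<localhost>
Feb  7 13:40:03 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<adam@example.com> proto=SMTP helo=<localhost>
Feb  7 13:40:04 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alan@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<alan@example.com> proto=SMTP helo=<localhost>
Feb  7 13:41:10 mail postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mx.partner.example[198.51.100.7]: 550 5.1.1 <jon.smiht@example.com>: Recipient address rejected: User unknown in local recipient table; from=<boss@partner.example> to=<jon.smiht@example.com> proto=ESMTP helo=<mx.partner.example>
Feb  7 13:41:12 mail postfix/smtpd[2102]: 3F2A1C0B: client=mx.partner.example[198.51.100.7]
"""

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[([0-9a-fA-F.:]+)\]: "
    r"550 5\.1\.1 <([^>]+)>: Recipient address rejected: User unknown"
)

def unknown_recipients_by_client(log_text):
    """Map client IP -> set of distinct non-existent addresses it tried."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            ip, rcpt = m.group(1), m.group(2).lower()
            seen[ip].add(rcpt)
    return seen

def probing_clients(log_text, threshold=3):
    """IPs that tried at least `threshold` distinct unknown recipients.
    Counting distinct addresses rather than raw rejects keeps a legitimate
    sender retrying a single typo from being flagged."""
    by_ip = unknown_recipients_by_client(log_text)
    return sorted(ip for ip, rcpts in by_ip.items() if len(rcpts) >= threshold)

if __name__ == "__main__":
    for ip in probing_clients(SAMPLE_LOG):
        print(f"{ip}: candidate for an ip-level block (fail2ban/firewall)")
```

The threshold plays the same role as smtpd_hard_error_limit inside Postfix, but applied across sessions from the same client.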