From: Pablo Yaggi (pyaggi alsurdelsur.com)
Date: Sun Jul 26 2009 - 17:49:42 CDT
On Sunday 26 July 2009 07:19:39 pm Magnus Bäck wrote:
> On Sunday, July 26, 2009 at 23:58 CEST,
> Pablo Yaggi <pyaggi alsurdelsur.com> wrote:
>
> > I'm running postfix as a virtual mail server and I have the
> > following issue, relay control is working fine with pop-before-smtp,
> > but still get spam passing through because when a spammer puts the
> > "From" header with any of my virtual domains and a "Rcpt" also is on
> > the virtual domains no authentication is required because
> > pop-before-smtp only authenticates for relay.
> > So the question is, is it possible to condition the smtp access
> > to deny access when the destination is local and the user is local and
> > the client agent IP is not in pop-before-smtp database ?
>
> I suggest you use SASL instead of POP-before-SMTP and use the
> smtpd_sender_login_maps feature.
But I'm running a mass virtual hosting server; if I use authenticated
SMTP, will it not prevent external SMTP from delivering mail to my users?
>
> But you can do something similar with POP-before-SMTP.
>
> main.cf:
>     smtpd_restriction_classes = permit_pop_before_smtp
>     permit_pop_before_smtp =
>         check_client_access hash:/etc/postfix/pop-before-smtp
>     smtpd_sender_restrictions = check_sender_access hash:/path/to/file
>
> /path/to/file:
>     example.com    permit_pop_before_smtp, reject
>
> example.com is a domain that you want to protect from non-POPed clients.
>
This will mean anyone who tries to send mail to example.com needs to be
authenticated, but external SMTP needs no authentication.
What I need is for example.com (if example.com is in my virtuals) to be
protected from non-POPed clients when the signature of the mail (the FROM)
is IN my virtuals.
In other words, I need clients of my servers to be POP-authenticated whatever
they want to do, meaning relay or not relay. And outsiders need no authentication
to deliver to my locals if they are not RBL-listed.
> [...]
>
> > these are my current restrictions:
> > smtpd_recipient_restrictions = permit_mynetworks,
> >     check_client_access hash:/etc/postfix/pop-before-smtp,
> >     reject_authenticated_sender_login_mismatch,
> >     permit_sasl_authenticated,
>
> These last two lines don't make any sense unless you use SASL.
>
> >     reject_unauth_destination,
> >     reject_unauth_pipelining,
> >     check_recipient_maps,
>
> check_recipient_maps has been deprecated for years. Use
> reject_unlisted_recipient instead.
>
> >     reject_non_fqdn_sender,
> >     reject_non_fqdn_recipient,
> >     reject_rbl_client sbl-xbl.spamhaus.org,
> >     reject_rbl_client bl.spamcop.net,
> >     reject_rbl_client list.dsbl.org,
>
> dsbl.org is dead. Remove it.
ok, I'm on it
>
> >     reject_rhsbl_client sbl-xbl.spamhaus.org,
> >     reject_rhsbl_client bl.spamcop.net,
> >     reject_rhsbl_client list.dsbl.org,
> >     reject_rhsbl_sender sbl-xbl.spamhaus.org,
> >     reject_rhsbl_sender bl.spamcop.net,
> >     reject_rhsbl_sender list.dsbl.org,
> >     permit_auth_destination,
> >     reject
>
> The two last ones serve no purpose.
removed ...
Thanks a lot
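
The following is an added example, not part of the original message or of Postfix itself: a simplified Python model of how the quoted main.cf fragment decides at the sender stage. It keys on the envelope sender (MAIL FROM), which is what check_sender_access examines; the IP addresses, the elsewhere.test domain and the table contents are constructed, and only exact-IP and plain-domain lookups are modelled.

```python
# Simplified model (added example) of the sender-stage checks in the quoted
# main.cf; it is not Postfix code and covers only exact-IP and domain keys.

# Constructed stand-in for hash:/etc/postfix/pop-before-smtp (client IP -> OK).
POP_BEFORE_SMTP = {"203.0.113.10": "OK"}

# Constructed stand-in for hash:/path/to/file (sender domain -> actions).
SENDER_ACCESS = {"example.com": ["permit_pop_before_smtp", "reject"]}

# smtpd_restriction_classes: class name -> client tables it consults.
RESTRICTION_CLASSES = {"permit_pop_before_smtp": [POP_BEFORE_SMTP]}


def check_client_access(table, client_ip):
    """OK if the client IP is listed, otherwise DUNNO (no decision)."""
    return "OK" if table.get(client_ip, "").upper() == "OK" else "DUNNO"


def run_actions(actions, client_ip):
    """Evaluate actions left to right; the first definite result wins."""
    for action in actions:
        if action == "reject":
            return "REJECT"
        for table in RESTRICTION_CLASSES.get(action, []):
            result = check_client_access(table, client_ip)
            if result != "DUNNO":
                return result
    return "DUNNO"


def sender_restrictions(client_ip, mail_from):
    """Model of: smtpd_sender_restrictions = check_sender_access <table>."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    actions = SENDER_ACCESS.get(domain)
    if actions is None:
        return "DUNNO"  # unprotected sender domain: later lists decide
    return run_actions(actions, client_ip)


if __name__ == "__main__":
    # Constructed sessions: (client IP, envelope sender).
    for ip, sender in [("198.51.100.7", "bob@example.com"),
                       ("203.0.113.10", "bob@example.com"),
                       ("198.51.100.7", "alice@elsewhere.test")]:
        print(ip, sender, "->", sender_restrictions(ip, sender))
```

A DUNNO here means the sender stage made no decision, so the message is still subject to smtpd_recipient_restrictions (RBL checks, reject_unauth_destination and so on).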