Antw: Re: From address must match the SMTP client's DNS domain
Gerhard Rappenecker
2016-06-22 13:11:56 UTC
Hi Curtis,

thanks for your suggestion but it seems not to realize my idea. I'll try to describe it better:

When an SMTP client with the IP address 1.2.3.4 and the DNS hostname host1.mydomain delivers messages to my postfix/amavis MTA on tcp/25, all the messages must have From headers and envelope-from addresses of the form ***@host1.mydomain. I want to configure my MTA to apply this policy only to the IP 1.2.3.4 or the subnet 1.2.3.0/24.

Is there any other advice?

Best regards
Gerhard Rappenecker
On my system this is done with postfix.
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_hostname,
    ...
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname
Statistics since Sunday.
104 messages blocked by rbl zen.spamhaus.org
33 messages blocked by rbl bl.spamcop.net
21 messages blocked by rbl b.barracudacentral.org
211 messages quarantined by amavis
210 messages blocked by amavis
3635 blocked by no reverse DNS
Hope this helps,
Curtis
Hi all,
I want to reject mails from some SMTP clients specified by IP or subnet, if
the from address doesn't match the client's DNS domain.
Can anyone help me?
postfix 2.11.6
amavisd-new-2.8.1
I already posted this message yesterday but it seems something went wrong
Regards
Gerhard
--
Curtis Maurand
207-252-7748
Gregory Sloop
2016-06-22 14:48:32 UTC
You do realize that this will cause you a LOT of pain, unless your inbound mail is incredibly unusual, right?

For example - the reverse on my VPS server is, say, mail.xyz.com. But I host mail for many domains - like abc.com, def.com, ghi.com etc. [Not to mention, the mail server will likely identify as mail.xyz.com - but my mail will be from the 2nd level domain, xyz.com - and you'd block that too!]

So, if you implement [at least what I think I understand] what you're trying to do you'll block all mail that isn't from xyz.com coming from my VPS, even though there could be many, many legitimate other domains.

If you don't care about blocking mail in those conditions, or if you don't get mail from most of the real world, then I suppose what you want works. But I suspect that's not the case - and implementing your design will break email for your entire server. [And I'm not aware of any way any MTA would implement this "out-of-the-box" anyway.]

What I think you want is more likely to be accomplished with SPF. SPF certainly isn't universally used, so it's of limited utility. But it's the closest workable concept to what you put forward above that's likely to not break/cripple your mail server.

But to reiterate - what you've described above [at least how I read it] is so completely unworkable, if you accept mail from the rest of the world, it's simply going to block a vast amount of legitimate mail.

-Greg
Gerhard Rappenecker
2016-06-23 10:20:49 UTC
In fact, it's an unusual environment: In our university there are some hosts in our DMZ managed by students and reachable from the internet for testing. I look at those hosts as "untrusted SMTP clients" because sometimes they are compromised and try to deliver spam using my MTA. Instead of blocking all messages I'd like to permit administrative messages coming from some services like cron or www. Those messages have to use from addresses with the client's domain and are forwarded by my MTA only to the postfix mynetworks.

This policy should be used for all IPs in the DMZ except some whitelisted IPs, which should be handled in the normal way. Is there any better idea to manage this?

Regards Gerhard
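The envelope half of the DMZ policy Gerhard describes, written as an added example of a Postfix policy-delegation service in Python (example code, not the poster's configuration and not part of Postfix). It assumes the constructed subnet 1.2.3.0/24, a whitelisted host 1.2.3.250 and the reverse-DNS suffix .mydomain, and would be referenced from smtpd_sender_restrictions as check_policy_service unix:private/dmzpolicy with the service defined in master.cf; clients outside the DMZ get DUNNO so the normal restriction list still decides for them.

```python
import ipaddress
# Constructed site values (not from the thread): DMZ subnet, hosts handled the
# normal way, and the suffix every DMZ host's reverse-DNS name must end with.
DMZ_NETWORKS = [ipaddress.ip_network("1.2.3.0/24")]
WHITELIST = {ipaddress.ip_address("1.2.3.250")}
DMZ_DOMAIN_SUFFIX = ".mydomain"

# Constructed request as Postfix sends it at RCPT time: name=value lines, blank line ends.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=1.2.3.4\nclient_name=host1.mydomain\n"
                  "sender=cron@host1.mydomain\nrecipient=admin@mydomain\n\n")

def parse_policy_request(raw):
    """Parse one policy request into a dict; stop at the terminating blank line."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs):
    """Return the action Postfix should take; DUNNO defers to later restrictions."""
    try:
        client_ip = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "DUNNO"
    if client_ip in WHITELIST or not any(client_ip in net for net in DMZ_NETWORKS):
        return "DUNNO"
    # client_name is the verified reverse-DNS name, or "unknown" if Postfix has none.
    client_name = attrs.get("client_name", "unknown").lower().rstrip(".")
    if client_name == "unknown" or not client_name.endswith(DMZ_DOMAIN_SUFFIX):
        return "REJECT DMZ client without a valid reverse DNS name"
    # Envelope sender must be user@<client hostname>; the null sender (<>) fails too.
    sender_domain = attrs.get("sender", "").lower().rpartition("@")[2]
    if sender_domain == client_name:
        return "DUNNO"
    return "REJECT envelope sender must be @%s" % client_name

def serve(lines_in, out):
    """Answer requests on a stream, as when started from master.cf via spawn(8)."""
    buf = []
    for line in lines_in:
        if line.strip():
            buf.append(line.strip())
        elif buf:  # blank line: request complete, answer it
            out.write("action=%s\n\n" % decide(parse_policy_request("\n".join(buf))))
            out_flush = out.flush()
            buf = []
```

The From: header half of the policy cannot be checked at SMTP envelope time; that part needs header_checks or a milter keyed on the same client address. Run it as a service with serve(sys.stdin, sys.stdout).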