
How to filter emails based on both To: and From:

  • Narancs
    Message 1 of 9 , Jul 26, 2007
      Dear All,

      We are running postfix 2.3.2 as an internet mail gateway like this:

      Internet <-> Mailgw <-> company M$ Exchange SMTP on private network.

      Due to a bug in MS systems, whenever a company local user sends an email to a non-existent other local user (the user exists in the AD but doesn't have a mailbox, for some other reason), MSexch wants to send the email through the relay_host, which is the mailgw. The mailgw decides to send the mail back to the exch, as its transport table says so, and a mail loop is created.
      This caused a heavy performance slowdown and we have to kill these emails by hand, deleting postfix's spools, which is an unacceptable method. The real solution should be done on the MS side, but our exch admins don't seem to ever succeed. To stop this stupid mail loop, I need a solution that does:

      if /^From:.*@.../ and /^To:.*foo.com/ then DISCARD

      With header_checks it's impossible, as the pattern matching works on one line only.
      Is there any solution for such problems around?

      Thank you!
      Narancs

    • Ralf Hildebrandt
      Message 2 of 9 , Jul 26, 2007
        * Narancs <narancs3@...>:
        > Dear All,
        >
        > We are running postfix 2.3.2 as an internet mail gateway like this:
        >
        > Internet <-> Mailgw <-> company M$ Exchange SMTP on private network.
        >
        > Due to a bug in MS systems, whenever a company local user sends an email
        > to a non-existent other local user (user exists in the AD, but doesn't
        > have a mailbox for some other reasons), then MSexch wants to send the
        > email through the relay_host which is the mailgw. Mailgw decides to send
        > back the mail to the exch as its transport table says so and a mail loop
        > is created.

        Simply give the relay a list of recipients and you're done.
        relay_recipient_maps. See my book.

        --
        Ralf Hildebrandt (Ralf.Hildebrandt@...) plonk@...
        Postfix - Einrichtung, Betrieb und Wartung Tel. +49 (0)30-450 570-155
        http://www.arschkrebs.de
        "The danger from computers is not that they will eventually get as smart
        as men, but we will meanwhile agree to meet them halfway."-Bernard Avishai
      • Narancs
        Message 3 of 9 , Jul 26, 2007

          Ralf Hildebrandt wrote:
          > * Narancs <narancs3@...>:
          >> Dear All,
          >>
          >> We are running postfix 2.3.2 as an internet mail gateway like this:
          >>
          >> Internet <-> Mailgw <-> company M$ Exchange SMTP on private network.
          >>
          >> Due to a bug in MS systems, whenever a company local user sends an email
          >> to a non-existent other local user (user exists in the AD, but doesn't
          >> have a mailbox for some other reasons), then MSexch wants to send the
          >> email through the relay_host which is the mailgw. Mailgw decides to send
          >> back the mail to the exch as its transport table says so and a mail loop
          >> is created.
          >
          > Simply give the relay a list of recipients and you're done.
          > relay_recipient_maps. See my book.

          Dear Ralf,

          Well, we've got hundreds of users and the list cannot be maintained, as they change frequently.
          AD/LDAP lookup is not an option either; just as I wrote, the Windows domain user exists but has never used his/her email, so no mailbox is created.
          By default all users/employees are granted company email access due to the company policy, but a lot of technical/field engineers just never log in to the network, although their account is created when they're employed.

          So I need a solution where, if the sender's (From:) and the recipient's domain are the same and it's our domain, the email is discarded.
          It's like header_checks, but with multi-line intelligence.

          Thank you
          N.
        • Jan P. Kessler
          Message 4 of 9 , Jul 26, 2007
            Narancs wrote:
            >
            > Dear Ralf,
            >
            > Well we've got hundreds of users and the list cannot be maintained, as
            > they are changing frequently.
            > AD/LDAP lookup is neither an option, just as I wrote, the win domain
            > user exists, but has never used his/her email so no mailbox is created.
            > By default all users/employers are granted company email access due to
            > the company policy, but a lot of technical/field engineers just never
            > log in to the network, but when they're employed, their account is
            > created.
            >
            > /so I need a solution that if the sender's (from:) and the recipient's
            > domain is the same, and it's our domain, the email is to be discarded./
            > It's like headers_check, but multi-line intelligence.
            >
            > Thank you
            > N.

            Address verification can be done dynamically and is important for not
            becoming a source of backscatter:
            http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
            (read carefully about the caveats)

            A combined filtering can be done with postfix restriction classes:
            http://www.postfix.org/RESTRICTION_CLASS_README.html

            or, in a more enhanced fashion, with Policy Delegation:
            http://www.postfix.org/SMTPD_POLICY_README.html
          • Robert Schetterer
            Message 5 of 9 , Jul 26, 2007

              Narancs wrote:
              >
              > Ralf Hildebrandt wrote:
              >> * Narancs <narancs3@...>:
              >>
              >>> Dear All,
              >>>
              >>> We are running postfix 2.3.2 as an internet mail gateway like this:
              >>>
              >>> Internet <-> Mailgw <-> company M$ Exchange SMTP on private network.
              >>>
              >>> Due to a bug in MS systems, whenever a company local user sends an email
              >>> to a non-existent other local user (user exists in the AD, but doesn't
              >>> have a mailbox for some other reasons), then MSexch wants to send the
              >>> email through the relay_host which is the mailgw. Mailgw decides to send
              >>> back the mail to the exch as its transport table says so and a mail loop
              >>> is created.
              >>>
              >>
              >> Simply give the relay a list of recipients and you're done.
              >> relay_recipient_maps. See my book.
              >>
              >>
              > Dear Ralf,
              >
              > Well we've got hundreds of users and the list cannot be maintained, as
              > they are changing frequently.
              > AD/LDAP lookup is neither an option, just as I wrote, the win domain
              > user exists, but has never used his/her email so no mailbox is created.
              > By default all users/employers are granted company email access due to
              > the company policy, but a lot of technical/field engineers just never
              > log in to the network, but when they're employed, their account is created.
              >
              > /so I need a solution that if the sender's (from:) and the recipient's
              > domain is the same, and it's our domain, the email is to be discarded./
              > It's like headers_check, but multi-line intelligence.
              >
              > Thank you
              > N.

              perhaps this would work, or something similar:

              smtpd_client_restrictions = permit_sasl_authenticated,
                  permit_mynetworks,
                  check_client_access hash:/etc/postfix/client_access,

              /etc/postfix/client_access

              ex.change.server.ip reject_local_users

              smtpd_restriction_classes = reject_local_users

              reject_local_users = check_sender_access
                  hash:/etc/postfix/check_local_sender_access

              /etc/postfix/check_local_sender_access
              mydomain.tld DISCARD

              --
              With kind regards
              Best Regards

              Robert Schetterer

              Germany/Bavaria/Munich
            • Robert Schetterer
              Message 6 of 9 , Jul 26, 2007

                Robert Schetterer wrote:
                > Narancs wrote:
                >> Ralf Hildebrandt wrote:
                >>> * Narancs <narancs3@...>:
                >>>
                >>>> Dear All,
                >>>>
                >>>> We are running postfix 2.3.2 as an internet mail gateway like this:
                >>>>
                >>>> Internet <-> Mailgw <-> company M$ Exchange SMTP on private network.
                >>>>
                >>>> Due to a bug in MS systems, whenever a company local user sends an email
                >>>> to a non-existent other local user (user exists in the AD, but doesn't
                >>>> have a mailbox for some other reasons), then MSexch wants to send the
                >>>> email through the relay_host which is the mailgw. Mailgw decides to send
                >>>> back the mail to the exch as its transport table says so and a mail loop
                >>>> is created.
                >>>>
                >>> Simply give the relay a list of recipients and you're done.
                >>> relay_recipient_maps. See my book.
                >>>
                >>>
                >> Dear Ralf,
                >
                >> Well we've got hundreds of users and the list cannot be maintained, as
                >> they are changing frequently.
                >> AD/LDAP lookup is neither an option, just as I wrote, the win domain
                >> user exists, but has never used his/her email so no mailbox is created.
                >> By default all users/employers are granted company email access due to
                >> the company policy, but a lot of technical/field engineers just never
                >> log in to the network, but when they're employed, their account is created.
                >
                >> /so I need a solution that if the sender's (from:) and the recipient's
                >> domain is the same, and it's our domain, the email is to be discarded./
                >> It's like headers_check, but multi-line intelligence.
                >
                >> Thank you
                >> N.
                >
                > perhaps this would work
                > or equal
                >
                > smtpd_client_restrictions = permit_sasl_authenticated,
                > permit_mynetworks,
                > check_client_access hash:/etc/postfix/client_access,
                >
                >
                > /etc/postfix/client_access
                >
                > ex.change.server.ip reject_local_users
                >
                > smtpd_restriction_classes = reject_local_users
                >
                > reject_local_users = check_sender_access
                > hash:/etc/postfix/check_local_sender_access
                >
                > /etc/postfix/check_local_sender_access
                > mydomain.tld DISCARD
                >

                sorry, this was nonsense, you could never send any mail this way *g
                from your domain, but maybe you could do some matching with a pcre table
                --
                With kind regards
                Best Regards

                Robert Schetterer

                Germany/Bavaria/Munich
              • Robert Schetterer
                Message 7 of 9 , Jul 26, 2007

                  Robert Schetterer wrote:
                  > Robert Schetterer wrote:
                  >> Narancs wrote:
                  >>> Ralf Hildebrandt wrote:
                  >>>> * Narancs <narancs3@...>:
                  >>>>
                  >>>>> Dear All,
                  >>>>>
                  >>>>> We are running postfix 2.3.2 as an internet mail gateway like this:
                  >>>>>
                  >>>>> Internet <-> Mailgw <-> company M$ Exchange SMTP on private network.
                  >>>>>
                  >>>>> Due to a bug in MS systems, whenever a company local user sends an email
                  >>>>> to a non-existent other local user (user exists in the AD, but doesn't
                  >>>>> have a mailbox for some other reasons), then MSexch wants to send the
                  >>>>> email through the relay_host which is the mailgw. Mailgw decides to send
                  >>>>> back the mail to the exch as its transport table says so and a mail loop
                  >>>>> is created.
                  >>>>>
                  >>>> Simply give the relay a list of recipients and you're done.
                  >>>> relay_recipient_maps. See my book.
                  >>>>
                  >>>>
                  >>> Dear Ralf,
                  >>> Well we've got hundreds of users and the list cannot be maintained, as
                  >>> they are changing frequently.
                  >>> AD/LDAP lookup is neither an option, just as I wrote, the win domain
                  >>> user exists, but has never used his/her email so no mailbox is created.
                  >>> By default all users/employers are granted company email access due to
                  >>> the company policy, but a lot of technical/field engineers just never
                  >>> log in to the network, but when they're employed, their account is created.
                  >>> /so I need a solution that if the sender's (from:) and the recipient's
                  >>> domain is the same, and it's our domain, the email is to be discarded./
                  >>> It's like headers_check, but multi-line intelligence.
                  >>> Thank you
                  >>> N.
                  >> perhaps this would work
                  >> or equal
                  >
                  >> smtpd_client_restrictions = permit_sasl_authenticated,
                  >> permit_mynetworks,
                  >> check_client_access hash:/etc/postfix/client_access,
                  >
                  >
                  >> /etc/postfix/client_access
                  >
                  >> ex.change.server.ip reject_local_users
                  >
                  >> smtpd_restriction_classes = reject_local_users
                  >
                  >> reject_local_users = check_sender_access
                  >> hash:/etc/postfix/check_local_sender_access
                  >
                  >> /etc/postfix/check_local_sender_access
                  >> mydomain.tld DISCARD
                  >
                  >
                  > sorry this was nonsense you would never could sen any mail thsi way *g
                  > from yourdomain, but maybe you could some match with a pcre table

                  smtpd_client_restrictions = permit_sasl_authenticated,
                      permit_mynetworks,
                      check_client_access hash:/etc/postfix/client_access,

                  /etc/postfix/client_access

                  ex.change.server.ip reject_local_users

                  smtpd_restriction_classes = reject_local_users

                  reject_local_users = check_recipient_access
                      hash:/etc/postfix/check_local_recipient_access

                  /etc/postfix/check_local_recipient_access
                  mydomain.tld DISCARD

                  this should work

                  --
                  With kind regards
                  Best Regards

                  Robert Schetterer

                  Germany/Bavaria/Munich
                • mouss
                  Message 8 of 9 , Jul 26, 2007
                    Narancs wrote:
                    >
                    > Ralf Hildebrandt wrote:
                    >> * Narancs <narancs3@...>:
                    >>
                    >>> Dear All,
                    >>>
                    >>> We are running postfix 2.3.2 as an internet mail gateway like this:
                    >>>
                    >>> Internet <-> Mailgw <-> company M$ Exchange SMTP on private network.
                    >>>
                    >>> Due to a bug in MS systems, whenever a company local user sends an email
                    >>> to a non-existent other local user (user exists in the AD, but doesn't
                    >>> have a mailbox for some other reasons), then MSexch wants to send the
                    >>> email through the relay_host which is the mailgw. Mailgw decides to send
                    >>> back the mail to the exch as its transport table says so and a mail loop
                    >>> is created.
                    >>>
                    >>
                    >> Simply give the relay a list of recipients and you're done.
                    >> relay_recipient_maps. See my book.
                    >>
                    >>
                    > Dear Ralf,
                    >
                    > Well we've got hundreds of users and the list cannot be maintained, as
                    > they are changing frequently.
                    > AD/LDAP lookup is neither an option, just as I wrote, the win domain
                    > user exists, but has never used his/her email so no mailbox is created.
                    > By default all users/employers are granted company email access due to
                    > the company policy, but a lot of technical/field engineers just never
                    > log in to the network, but when they're employed, their account is
                    > created.
                    >
                    > /so I need a solution that if the sender's (from:) and the recipient's
                    > domain is the same, and it's our domain, the email is to be discarded./
                    > It's like headers_check, but multi-line intelligence.

                    Why headers? Why not use the envelope sender and recipient?

                    In short, the MS Exchange (called msex below :) box should not send mail
                    to the domains it handles, right? So use:

                    smtpd_restriction_classes = catch_broken_msex

                    smtpd_recipient_restrictions =
                        check_client_access hash:/etc/postfix/msex_acl

                    catch_broken_msex =
                        check_recipient_access hash:/etc/postfix/msex_domains

                    == msex_acl
                    10.1.2.3 catch_broken_msex

                    where 10.1.2.3 is the IP of the exchange box. duplicate the line if it
                    uses multiple IPs.

                    == msex_domains
                    mydomain.example REJECT

                    if REJECT causes trouble, try DISCARD, but I don't like discarding mail...
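An added illustration of the rule above (not code from any poster and not Postfix's own code): a small offline model of how Postfix evaluates the msex_acl and msex_domains tables when a restriction class is expanded, using the lookup order documented in access(5). It assumes the check_client_access entry sits ahead of the gateway's usual permit_mynetworks/reject_unauth_destination entries (modelled as "DUNNO"), and that the Postfix default parent_domain_matches_subdomains still lists smtpd_access_maps, so a bare domain key also matches its subdomains; table contents are constructed to mirror the post.

```python
# Added example, not Postfix code and not from any poster: an offline model
# of how Postfix's smtpd_recipient_restrictions evaluate the two access
# tables in mouss's reply, following the lookup order documented in access(5).
# Table contents are constructed to mirror the post.

# /etc/postfix/msex_acl: client IP -> restriction class
MSEX_ACL = {"10.1.2.3": "catch_broken_msex"}
# /etc/postfix/msex_domains: domains Exchange must never relay back to us
MSEX_DOMAINS = {"mydomain.example": "REJECT"}
# catch_broken_msex = check_recipient_access hash:/etc/postfix/msex_domains
RESTRICTION_CLASSES = {
    "catch_broken_msex": [("check_recipient_access", MSEX_DOMAINS)],
}


def client_lookup_keys(ip):
    """access(5) order for an IPv4 client: the full address, then shorter
    prefixes (net.work.addr, net.work, net).  Hostname keys are not modelled."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def address_lookup_keys(addr):
    """access(5) order for a mail address: user@domain, the domain, each
    parent domain (assumed: the Postfix default parent_domain_matches_subdomains
    lists smtpd_access_maps, so 'mydomain.example' also covers subdomains),
    then user@."""
    local, _, domain = addr.rpartition("@")
    labels = domain.split(".")
    return [addr] + [".".join(labels[i:]) for i in range(len(labels))] + [local + "@"]


def lookup(table, keys):
    """First matching key wins, as with a hash: access table."""
    for key in keys:
        if key in table:
            return table[key]
    return None


def evaluate(client_ip, recipient):
    """Result of 'check_client_access hash:msex_acl' for one RCPT TO.

    A restriction class named by the ACL is expanded in place.  "DUNNO" means
    this rule made no decision; the gateway's remaining restrictions
    (permit_mynetworks, reject_unauth_destination, ...) then decide.  Note
    that the envelope sender is never consulted: the client IP plus the
    recipient domain is enough to spot Exchange sending its own mail back."""
    action = lookup(MSEX_ACL, client_lookup_keys(client_ip))
    if action in RESTRICTION_CLASSES:
        for restriction, table in RESTRICTION_CLASSES[action]:
            if restriction != "check_recipient_access":
                raise ValueError("only check_recipient_access is modelled")
            verdict = lookup(table, address_lookup_keys(recipient))
            if verdict is not None:
                return verdict
        return "DUNNO"
    return action or "DUNNO"


if __name__ == "__main__":
    # The loop: Exchange hands the gateway mail for a domain it hosts itself.
    print(evaluate("10.1.2.3", "nobody@mydomain.example"))       # REJECT
    # Ordinary outbound mail from Exchange is left to later restrictions.
    print(evaluate("10.1.2.3", "partner@other.example"))         # DUNNO
    # Inbound Internet mail for local users is not affected by the class.
    print(evaluate("198.51.100.7", "someone@mydomain.example"))  # DUNNO
```

Swapping "REJECT" for "DISCARD" in MSEX_DOMAINS models mouss's fallback; in Postfix the same change is made in the msex_domains file, followed by postmap.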
                  • Narancs
                    Message 9 of 9 , Aug 1, 2007
                      Thank you Mouss!

                      Your solution has proved to be the right one!

                      Regards,
                      N.
