 

Re: Sender verification for all domain *excepted* some domains

  • mouss
    Message 1 of 5 , Apr 28, 2008
      Xavier Beaudouin wrote:
      > Hello,
      >
      > On 28 Apr 08 at 17:43, Charles Marcus wrote:
      >> On 4/28/2008, Xavier Beaudouin (kiwi@...) wrote:
      >>> Seems that some French ISPs don't like sender verification because
      >>> their anti-spam system is treating that as dictionary attacks...
      >>
      >> Do NOT perform SAV on domains that you don't have an agreement in
      >> place ahead of time to do so.
      >>
      >> Blanket SAV WILL get you blacklisted...
      >
      > This is quite new. Now we have to have an agreement with all the world?
      > Mail is an open system.


      new is an ambiguous term. SAV has been decried for some time now. if
      you connect to a server to do SAV, you do a transaction without mail,
      which looks like a dictionary attack, and it can even be a real
      dictionary attack (done by a spammer using your server as a "proxy").

      if you want to do SAV, you need great care:
      - you must eliminate as much spam as possible before doing the SAV.
      - you must ensure that you won't generate too much SAV calls (both per
      target domain and globally). either throttling or a "reactive" log
      parser that disables SAV (and/or updates the ACL that triggers SAV).


      an alternative is to do SAV for specific domains.

      >
      > But this doesn't reply to my question IMHO.

      here are 5 ways to do what you want.

      1) the simplest way is to put your SAV check at the end, so that you can
      whitelist some domains:

      smtpd_recipient_restrictions =
          ...
          reject_unauth_destination
          # eliminate as much spam as possible
          reject_....
          reject_...
          check_sender_access hash:/etc/postfix/sender_no_sav
          reject_unverified_sender

      == sender_no_sav
      netoyen.net OK
      ...


      2) you can use pcre, mysql, ... when you can specify "exceptions".

      3) if this is not desirable, you can use restriction classes:

      smtpd_recipient_restrictions =
          ...
          reject_unauth_destination
          # eliminate as much spam as possible
          reject_....
          reject_...
          check_sender_access hash:/etc/postfix/sender_no_sav
          reject_unverified_sender
          check_recipient_access static:other_restrictions


      # a restriction class must be declared before it can be used
      smtpd_restriction_classes = other_restrictions

      other_restrictions =
          # put your "last" restrictions here
          check_sender_access hash:/etc/postfix/access
          ...


      == sender_no_sav:
      netoyen.net other_restrictions

      4) you can use a policy service.

      5) A convoluted method is to run an smtpd that accepts any address and use
      http://www.postfix.org/postconf.5.html#address_verify_transport_maps
      to direct verification to this "dummy" smtpd for the domains you want to
      exclude from SAV.
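
Option 4 (a policy service) as an added example; it is not code from this thread or from the Postfix project. It skips SAV for exempt sender domains and throttles SAV per domain and globally, as the message recommends. The limits, the function names and the assumption that it is started by spawn(8) and called through `check_policy_service` in place of the `check_sender_access` / `reject_unverified_sender` pair are illustrative.

```python
import sys
import time
from collections import defaultdict, deque

NO_SAV_DOMAINS = {"netoyen.net"}   # domain from the message; limits are assumed
MAX_PER_DOMAIN = 5      # SAV triggers allowed per sender domain per window
MAX_GLOBAL = 50         # SAV triggers allowed overall per window
WINDOW = 60.0           # seconds
_per_domain = defaultdict(deque)   # domain -> times SAV was triggered
_overall = deque()

def parse_request(lines):
    """Read one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def _prune(queue, now):
    while queue and now - queue[0] > WINDOW:
        queue.popleft()

def decide(attrs, now=None):
    """Return an access(5) action: trigger SAV, or DUNNO to skip it."""
    now = time.time() if now is None else now
    _, at, domain = attrs.get("sender", "").lower().rpartition("@")
    if not at or domain in NO_SAV_DOMAINS:
        return "DUNNO"              # null sender or exempt domain: no SAV
    seen = _per_domain[domain]
    _prune(seen, now)
    _prune(_overall, now)
    if len(seen) >= MAX_PER_DOMAIN or len(_overall) >= MAX_GLOBAL:
        return "DUNNO"              # throttled: skip SAV for this mail
    seen.append(now)                # counts triggers; Postfix's verify cache
    _overall.append(now)            # means real probes are at most this many
    return "reject_unverified_sender"

def serve(inp=sys.stdin, out=sys.stdout):
    """Answer requests until EOF, e.g. when started by spawn(8)."""
    for attrs in iter(lambda: parse_request(inp), {}):
        out.write("action=%s\n\n" % decide(attrs))
        out.flush()

if __name__ == "__main__":
    serve()
```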