
Re: spam from valid accounts on our domain / require smtp auth

  • Noel Jones
    Message 1 of 2, Dec 1, 2008
      J.P. Trosclair wrote:
      > For the past couple of weeks we've been getting a lot of spam from valid
      > mail accounts on our domain. The spam gets automatically white listed
      > since it's from our domain. Short of removing our own domain from our
      > white lists, I'm looking for a way to put an end to this. Our server
      > already requires smtp auth for relaying. Is it possible to apply the
      > same idea to local accounts trying to deliver mail back to local
      > accounts? I.E., if the sender claims to be joeuser@... and
      > wants to email joeuser or janedoe on ourdomain.com, require them to
      > authenticate with the server first. Most of the spam is being forged as
      > webmaster or postmaster which are both accounts I need to keep intact.

      Yes, you can reject mail to local domains from
      outside/unauthenticated clients. Note some legit mail arrives
      this way, so be prepared for some false positives.

      # main.cf
      smtpd_recipient_restrictions =
        permit_sasl_authenticated
        permit_mynetworks
        reject_unauth_destination
        reject_unlisted_recipient
        # add this here:
        check_sender_access hash:/etc/postfix/mydomains
        # consider adding:
        reject_unlisted_sender
        reject_rbl_client zen.spamhaus.org

      # mydomains
      example.org REJECT sender not allowed
      ...other local domains... REJECT your message here


      --
      Noel Jones

      >
      > postconf -n:
      >
      > alias_database = hash:/etc/aliases
      > alias_maps = hash:/etc/aliases
      > broken_sasl_auth_clients = yes
      > command_directory = /usr/sbin
      > config_directory = /etc/postfix
      > content_filter = smtp-amavis:[127.0.0.1]:10024
      > daemon_directory = /usr/libexec/postfix
      > debug_peer_level = 2
      > disable_vrfy_command = yes
      > html_directory = no
      > inet_interfaces = all
      > mail_owner = postfix
      > mailbox_size_limit = 0
      > mailq_path = /usr/bin/mailq.postfix
      > manpage_directory = /usr/share/man
      > mydestination = judelawfirm.com, mail1.judelawfirm.com, mail1.jude,
      > localhost, localhost.localdomain, localhost.judelawfirm.com
      > mydomain = judelawfirm.com
      > myhostname = mail1.judelawfirm.com
      > mynetworks = 127.0.0.0/8, 192.168.1.0/24
      > myorigin = mail1.judelawfirm.com
      > newaliases_path = /usr/bin/newaliases.postfix
      > queue_directory = /var/spool/postfix
      > readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
      > sample_directory = /usr/share/doc/postfix-2.4.5/samples
      > sender_bcc_maps = hash:/etc/aliases_bcc
      > sender_canonical_classes = header_sender
      > sendmail_path = /usr/sbin/sendmail.postfix
      > setgid_group = postdrop
      > smtp_tls_note_starttls_offer = yes
      > smtp_use_tls = yes
      > smtpd_banner = $myhostname ESMTP
      > smtpd_data_restrictions = reject_unauth_pipelining
      > smtpd_helo_required = yes
      > smtpd_helo_restrictions = reject_invalid_hostname
      > smtpd_recipient_restrictions = permit_sasl_authenticated
      > permit_mynetworks reject_unauth_destination
      > reject_unlisted_recipient reject_non_fqdn_recipient
      > smtpd_sasl_auth_enable = yes
      > smtpd_sasl_local_domain =
      > smtpd_sasl_security_options = noanonymous
      > smtpd_sender_restrictions = reject_non_fqdn_sender
      > reject_unknown_sender_domain
      > smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
      > smtpd_tls_auth_only = no
      > smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
      > smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
      > smtpd_tls_loglevel = 1
      > smtpd_tls_received_header = yes
      > smtpd_tls_session_cache_timeout = 3600s
      > smtpd_use_tls = yes
      > tls_random_source = dev:/dev/urandom
      > unknown_local_recipient_reject_code = 550
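
Why the position of check_sender_access in the list above matters, as an added example (not code from the thread or from Postfix): a simplified Python model of first-match evaluation of smtpd_recipient_restrictions. The names `Session` and `evaluate` and all sample sessions are constructed; the mynetworks values are those in the quoted postconf output, and only the domain-level lookup of the mydomains map is modeled.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed stand-ins: the mydomains map, the local recipient table, and
# mynetworks as shown in the quoted postconf -n output.
LOCAL_DOMAINS = {"example.org"}
LOCAL_USERS = {"joeuser@example.org", "janedoe@example.org",
               "webmaster@example.org", "postmaster@example.org"}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]

class Session(NamedTuple):
    client_ip: str
    sasl_user: Optional[str]   # None = client did not authenticate
    sender: str                # envelope MAIL FROM
    recipient: str             # envelope RCPT TO

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def evaluate(s: Session, sender_check: bool = True) -> tuple:
    """Walk the restriction list in order; the first decisive result wins."""
    if s.sasl_user:
        return ("PERMIT", "permit_sasl_authenticated")
    if any(ipaddress.ip_address(s.client_ip) in net for net in MYNETWORKS):
        return ("PERMIT", "permit_mynetworks")
    if domain(s.recipient) not in LOCAL_DOMAINS:
        return ("REJECT", "reject_unauth_destination")
    if s.recipient.lower() not in LOCAL_USERS:
        return ("REJECT", "reject_unlisted_recipient")
    # Only unauthenticated clients outside mynetworks get this far.
    if sender_check and domain(s.sender) in LOCAL_DOMAINS:
        return ("REJECT", "check_sender_access")
    return ("PERMIT", "end of list")

# Constructed sessions; client addresses are documentation ranges.
SESSIONS = {
    "forged_outside": Session("203.0.113.25", None, "webmaster@example.org", "joeuser@example.org"),
    "roaming_authed": Session("203.0.113.80", "joeuser", "joeuser@example.org", "janedoe@example.org"),
    "lan_client":     Session("192.168.1.40", None, "postmaster@example.org", "joeuser@example.org"),
    "outside_sender": Session("198.51.100.7", None, "alice@example.net", "joeuser@example.org"),
    # Same shape as the forgery, but legitimate: the false positive the reply warns about.
    "offsite_relay":  Session("198.51.100.9", None, "janedoe@example.org", "joeuser@example.org"),
    "relay_attempt":  Session("203.0.113.25", None, "webmaster@example.org", "bob@example.net"),
}

if __name__ == "__main__":
    for name, s in SESSIONS.items():
        print(f"{name:15} before={evaluate(s, False)} after={evaluate(s)}")
```

The "offsite_relay" case is rejected for the same reason as the forgery: the map sees only the envelope sender domain, so any off-site system that legitimately sends with a local sender address has to authenticate or be listed in mynetworks.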