
Stop spammers sending us spam from users in our domain...

  • Nick Sharp
    Message 1 of 14, Jul 29, 2009
      Hi all,

      I am new to this list, so forgive me if I am not up with your current level
      of etiquette, I do tune in pretty quickly.. so starting with a long email..

      Been trying to stop people sending email to us setting FROM as a user in our
      domains. Seems basic enough spam limitation.

      It seems if I configure reject_unauthenticated_sender_login_mismatch in
      smtp_sender_restrictions all email gets rejected (with my config below)
      (even to $virtual_mailbox_domains) _if_ not in $mynetworks (no auth needed -
      seems ok) or if the client is not sasl auth'd (smtp ok again in this
      situation)

      So email to somevaliduser@... from
      someotheruser@... (external domain) not sasl auth'd gets
      rejected with 'not logged in' - now I know that we shouldn't use
      $mydestination with virtual domains, so should it be looking at
      virtual_mailbox_domains? (which appears to be mysql mapped ok)

      I would presume the default is to always accept email to our domains and the
      reject_unauthenticated_sender_login part just says if FROM matches our
      domain maps, then you must be authenticated to send it? (this is mainly what
      I want to confirm)

      Or am I missing something obvious? (it's not unknown :)


      #some conf stuff..
      mydestination =
      relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
      smtpd_sender_login_maps=mysql:/etc/postfix/mysql_sender_login_maps.cf
      virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
      smtpd_sender_restrictions = permit_sasl_authenticated,
      permit_mynetworks, reject_unauthenticated_sender_login_mismatch,
      reject_non_fqdn_sender,
      reject_unauth_pipelining, permit


      /etc/postfix/mysql_sender_login_maps.cf
      <User/Pass/DB/host/table stuff removed>
      select_field=id #which is the email address in full
      where_field='%s'
      additional_conditions = and enabled = 1

      /etc/postfix/mysql_domains.cf
      <removed connection stuff>
      select_field=domain
      where_field=domain
      additional_conditions = and enabled = 1

      Let me know if you want some more config/info to help you help me?

      TIA

      Nick
    • Brian Evans - Postfix List
      Message 2 of 14, Jul 29, 2009
        Nick Sharp wrote:
        > Hi all,
        >
        > I am new to this list, so forgive me if I am not up with your current level
        > of etiquette, I do tune in pretty quickly.. so starting with a long email..
        >

        Welcome to the list.
        Unfortunately, you seem to have missed the important line in the Welcome
        Message:
        "TO REPORT A PROBLEM SEE: http://www.postfix.org/DEBUG_README.html#mail"

        I'll muddle through, but without 'postconf -n', I can only guess.
        > Been trying to stop people sending email to us setting FROM as a user in our
        > domains. Seems basic enough spam limitation.
        >
        > It seems if I configure reject_unauthenticated_sender_login_mismatch in
        > smtp_sender_restrictions all email gets rejected (with my config below)
        > (even to $virtual_mailbox_domains) _if_ not in $mynetworks (no auth needed -
        > seems ok) or if the client is not sasl auth'd (smtp ok again in this
        > situation)
        >

        Using a jack-hammer won't let you drive a nail.
        A simpler solution is:
        smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated, reject_unauth_destination,
        check_sender_access hash:/path/to/file

        /path/to/file:
        #Using example.com as your domain here
        #This can be a mysql map if you like. It is hash to show simplicity.
        #You may customize the REJECT message as you see fit of course. See 'man 5 access'
        example.com REJECT We do not accept sending from ourselves without authentication
        .example.com REJECT We do not accept sending from ourselves without authentication
        #covering both cases since you did not show postconf -n..

        Please understand that Postfix checks envelope senders this way. Header
        From is a bad measure in many cases to block.

        Brian
      • Clunk Werclick
        Message 3 of 14, Jul 29, 2009
          On Wed, 2009-07-29 at 22:22 +0930, Nick Sharp wrote:
          This is how I block those pesky spoof mail spams;

          EDIT main.cf
          smtpd_recipient_restrictions =
          permit_mynetworks
          permit_sasl_authenticated
          reject_unauth_destination
          ....
          check_sender_access hash:/etc/postfix/spoofprotection


          CREATE /etc/postfix/spoofprotection
          #spoof protection
          domain1.com REJECT we dont mail ourselves
          domain2.com REJECT we dont mail ourselves

          BUILD MAP TO IT
          postmap /etc/postfix/spoofprotection

          RELOAD
          postfix reload

          Caveats:
          Breaks forwarding (where this is relevant)
          Other caveats may exist too and someone else may point out a better way
          or other issues. This has worked for me and I am very happy with it.

          --
          -----------------------------------------------------------
          C Werclick .Lot
          Technical incompetent
          Loyal Order Of The Teapot.

          This e-mail and its attachments is intended only to be used as an e-mail
          and an attachment. Any use of it for other purposes other than as an
          e-mail and an attachment will not be covered by any warranty that may or
          may not form part of this e-mail and attachment.
        • Nick Sharp
          Message 4 of 14, Jul 29, 2009
            Thanks Brian,

            looks like a positive answer.. I will respond to the list to Clunk as his
            caveats may have an effect on my configuration..

            Wanted to thank you directly since it's a good solution (and education on
            postfix etiquette :)

            Cheers
            Nick

          • Nick Sharp
            Message 5 of 14, Jul 29, 2009

              Thanks Clunk,
              This looks like the way to go, both Brian and yourselves concur..

              Just about to test this, but wanted to confirm your 'breaks forwarding'
              caveat, I do have some transports configured, and internal filters (amavis
              and procmail) but it sounds like these should be ok, can you elaborate a
              little? (the mail server is stupid busy at around 15000 mails a day - that's
              delivered mail!! So want to be sure.. 1 min of problems means a lot of mail
              to find/verify :)

              Thanks Again.
              Nick
            • Clunk Werclick
              Message 6 of 14, Jul 29, 2009
                On Wed, 2009-07-29 at 23:26 +0930, Nick Sharp wrote:
                My apologies for the terse caveat. As I understand it, there are some
                external mail services that roaming users may use that forward mail into
                your Postfix claiming to be from your domain. Myself I do not use this.
                Relations in England talk of this with BlackBerry and O2 when using
                iPhone but these are far too modern for me to understand.

                Please hope an expert comes along and soon with a fuller answer, but I
                think you will be mostly safe with that. If there should be a problem
                your sender will know right away in most cases.
              • Nick Sharp
                Message 7 of 14, Jul 29, 2009

                  Ahh I have both an iPhone and users with BlackBerry, and with the current
                  configuration they should have sasl configured or they could only email our
                  own domains.. this will weed out those who don't have the right setup on
                  their client :)

                  Thanks again.

                  Fire in the hole, fire in the hole, fire in the hole!!

                  Nick
                • Brian Evans - Postfix List
                  Message 8 of 14, Jul 29, 2009
                    Clunk Werclick wrote:
                    > My apologies for the terse caveat. As I understand it, there are some
                    > external mail services that roaming users may use that forward mail into
                    > your Postfix claiming to be from your domain. Myself I do not use this.
                    > Relations in England talk of this with Blackberry and O2 when using
                    > IPhone but these are far too modern for me to understand.
                    >
                    > Please hope an expert comes along and soon with a fuller answer, but I
                    > think you will be mostly safe with that. If there should be a problem
                    > your sender will no right away in most cases.
                    >

                    This should only be a real issue with poorly configured clients or
                    poorly written web scripts.
                    Those that use the envelope sender as something besides what is in the
                    From header will work properly.

                    SASL clients will also bypass the check so "forwarding" from such
                    clients will be a non-issue.
                  • Nick Sharp
                    Message 9 of 14, Jul 29, 2009

                      And as mynetworks also covers all our servers which may email, then we
                      should be ok..

                      It's in and running and rejecting some already :) Thanks to all
                    • Matthew D. Fuller
                      Message 10 of 14, Jul 29, 2009
                        On Wed, Jul 29, 2009 at 03:03:43PM +0100 I heard the voice of
                        Clunk Werclick, and lo! it spake thus:
                        >
                        > My apologies for the terse caveat. As I understand it, there are
                        > some external mail services that roaming users may use that forward
                        > mail into your Postfix claiming to be from your domain. Myself I do
                        > not use this.

                        The problem doesn't come from what you use, but from what any of your
                        users may somewhere use.

                        Imagine you are example.com, and have two users, a@..., and
                        b@.... a@... sends mail to b@... (which
                        you don't control, and know nothing about, short of looking up its MX
                        record and sending the mail on its way). But b@... is
                        just a forwarder and forwards the mail on to b@.... That
                        forwarder won't (and quite probably _shouldn't_) change the envelope
                        sender. Suddenly, you have mail from "outside", with an envelope
                        sender that's you, but is perfectly legitimate. And pretty common.

                        If you know all your users and know none of them do any such thing,
                        filtering it works great. But if you're not absolutely sure, you
                        could be setting out landmines.


                        --
                        Matthew Fuller (MF4839) | fullermd@...
                        Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
                        On the Internet, nobody can hear you scream.
                      • Sahil Tandon
                        Message 11 of 14, Jul 29, 2009
                          On Wed, 29 Jul 2009, Matthew D. Fuller wrote:

                          Much less common is a@... sending to a@... which
                          forwards back to a@.... The OP might consider blocking messages
                          where both envelope sender and recipient == foo@... when originating
                          from an untrusted source.

                          --
                          Sahil Tandon <sahil@...>
                        • Charles Sprickman
                          Message 12 of 14, Jul 29, 2009
                            On Wed, 29 Jul 2009, Matthew D. Fuller wrote:

                            Thanks for the real-life example. We see lots of spam like this here, and
                            often they'll set the envelope from to our support address, which is on
                            spamassassin's global whitelist.

                            Is there any good way to block this crap without breaking things? It
                            looks like in our case I could at least restrict it to our support/role
                            addresses which should NEVER be sending from outside our network...

                            Thanks,

                            Charles

                            >
                            > --
                            > Matthew Fuller (MF4839) | fullermd@...
                            > Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
                            > On the Internet, nobody can hear you scream.
                            >
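                            The narrow rule Charles describes (role addresses such as a support mailbox must never arrive from outside the network unauthenticated, while ordinary users are left alone so forwarded mail keeps working) can be expressed as a Postfix policy-delegation service. The following is an added example written for this page, not code from the thread or from the Postfix project; the role addresses, domain and network ranges in it are constructed placeholders, and the handler assumes the standard Postfix `check_policy_service` request format (name=value lines terminated by a blank line, answered with an `action=` line).

```python
"""Postfix policy-delegation handler for role-address sender checks.

Policy: if the envelope sender is one of our role addresses, accept only
when the session is SASL-authenticated or the client is in a trusted
network; otherwise reject. Any other sender gets DUNNO, so mail from
ordinary users that comes back through external forwarders is untouched.

Hypothetical example: addresses and networks below are constructed.
"""
import ipaddress
import socketserver

# Constructed placeholders: replace with the site's own role addresses.
ROLE_ADDRESSES = {"support@example.com", "postmaster@example.com"}
# Constructed placeholders mirroring $mynetworks.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]


def parse_request(raw: str) -> dict:
    """Parse one policy request: 'name=value' lines up to the first blank line."""
    attrs = {}
    for line in raw.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs


def decide(attrs: dict) -> str:
    """Return the Postfix action for a parsed request."""
    sender = attrs.get("sender", "").lower()
    if sender not in ROLE_ADDRESSES:
        # Ordinary users may legitimately arrive via an external forwarder
        # with our domain as envelope sender; leave that decision to other rules.
        return "DUNNO"
    if attrs.get("sasl_username"):
        return "DUNNO"                      # authenticated submission is fine
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "REJECT Role address sender from unknown client"
    if any(client in net for net in MYNETWORKS):
        return "DUNNO"                      # internal relay, e.g. a ticket system
    return "REJECT Role address %s may not be used from outside our network" % sender


def handle_request(raw: str) -> str:
    """Full round trip: request text in, wire-format response out."""
    return "action=%s\n\n" % decide(parse_request(raw))


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serves one request per connection the way Postfix expects."""

    def handle(self):
        lines = []
        while True:
            line = self.rfile.readline().decode("utf-8", "replace")
            if not line or line.strip() == "":
                break
            lines.append(line)
        self.wfile.write(handle_request("".join(lines)).encode("utf-8"))


if __name__ == "__main__":
    # Listen on localhost; hook up in main.cf with
    #   check_policy_service inet:127.0.0.1:10040
    with socketserver.TCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

                            In main.cf the service would sit after the permit rules, for example `smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, check_policy_service inet:127.0.0.1:10040`, so that trusted and authenticated clients never reach it. The DUNNO default is the important design choice: it keeps the landmine case from Matthew's example (a@example.com bouncing back through an outside forwarder) working, and only the addresses that should never originate outside are refused.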
                          • Matthew D. Fuller
                            Message 13 of 14 , Jul 29, 2009
                              On Thu, Jul 30, 2009 at 12:33:17AM -0400 I heard the voice of
                              Charles Sprickman, and lo! it spake thus:
                              >
                              > Is there any good way to block this crap without breaking things?

                              Well, I'd feel pretty safe in saying "absolutely not". You'll
                              probably always break _something_. Just insisting peers actually
                              speak correct SMTP breaks stuff :)

                              Theoretically, a system like DKIM could be used. Even if you can't
                              use it with assurance on random incoming mail, if you know that YOU
                              always sign messages with it, you can use it to verify messages
                              claiming to come from you. However, you still eat all the potential
                              blows from it (see <http://en.wikipedia.org/wiki/DKIM#Weaknesses> for
                              a few).


                              Leaving aside off-the-shelf and wandering more into the theoretical,
                              what you're actually trying to verify is that the incoming mail
                              claiming to be from an address you [believe you] control actually does
                              come from that address. Or, more likely, the slightly weaker
                              assertion that incoming mail claiming to be from a domain you
                              [believe] runs through this server actually came through this server.
                              This is complicated slightly by the fact that there's no persistent
                              reliable identifier for 'this email'.

                              But that aside, there are two basic divisions on that; we can store
                              state on the server describing things, or have the mail entirely
                              self-describe. DKIM (and related systems) are an attempt at the
                              latter, and so have some limitations (as mentioned above) that seem
                              nearly inherent in that sort of attempt. Storing state on the server
                              probably requires also sticking stuff in the message (since otherwise
                              you don't have a reliable id), and requires a fair bit of engineering
                              to handle questions of data retention and blah blah blah. And any
                              system would require a good hunk of thought to avoid things like
                              replay attacks.


                              Or, you could skip to the end of this mail, where I say "It's kinda
                              hard" 8-}


                              --
                              Matthew Fuller (MF4839) | fullermd@...
                              Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
                              On the Internet, nobody can hear you scream.
                            • mouss
                              Message 14 of 14 , Aug 1, 2009
                                Matthew D. Fuller wrote:
                                > On Wed, Jul 29, 2009 at 03:03:43PM +0100 I heard the voice of
                                > Clunk Werclick, and lo! it spake thus:
                                >> My apologies for the terse caveat. As I understand it, there are
                                >> some external mail services that roaming users may use that forward
                                >> mail into your Postfix claiming to be from your domain. Myself I do
                                >> not use this.
                                >
                                > The problem doesn't come from what you use, but from what any of your
                                > users may somewhere use.
                                >
                                > Imagine you are example.com, and have two users, a@..., and
                                > b@.... a@... sends mail to b@... (which
                                > you don't control, and know nothing about, short of looking up its MX
                                > record and sending the mail on its way). But b@... is
                                > just a forwarder and forwards the mail on to b@.... That
                                > forwarder won't (and quite probably _shouldn't_) change the envelope
                                > sender. Suddenly, you have mail from "outside", with an envelope
                                > sender that's you, but is perfectly legitimate. And pretty common.
                                >
                                > If you know all your users and know none of them do any such thing,
                                > filtering it works great. But if you're not absolutely sure, you
                                > could be setting out landmines.
                                >
                                >

                                Most sites should no more care about this "issue", in these days of SASL
                                and/or SPF...