
Rejecting mail based on destination MX records

  • Jon A.
    Message 1 of 6, Aug 28, 2012
      I've seen an increased number of issues with some domains that use fakemx.net to deny mail and am looking for some advice on how to best reject email for domains that only have one MX record that points to fakemx.net servers.

      While I question the effectiveness, I have no problem with someone trying to detect bad mail senders.   Unfortunately, my server finds itself trying to do legit business and being "seen" by fakemx.net and having messages back up in my queue and continually retry doesn't make me happy.

      I'd like to immediately reject mail for all destinations with ONLY a fakemx.net record.  While I could block these as I find them, I'd prefer to detect it if possible.

      One such:

      hitmail.com mail is handled by 0 mx.fakemx.net.

      My thought is to use the transports mechanism and BOUNCE the message... I could scrape the logs and update transports with something like:
      .example.com     error:mail not deliverable (only destination is fakemx.net)
      but as we know, over time systems get fixed.  I'd prefer to do this detection on the fly as part of the delivery attempt.

      Can someone provide a suggestion on how to best accomplish this?

      Thanks
      jon

    • Gábor Lénárt
      Message 2 of 6, Aug 28, 2012
        On Tue, Aug 28, 2012 at 04:33:16PM -0400, Jon A. wrote:
        > I'd like to immediately reject mail for all destinations with ONLY a
        > fakemx.net record. While I could block these as I find them, I'd prefer to
        > detect it if possible.
        > One such:
        >
        > hitmail.com mail is handled by 0 mx.fakemx.net.

        I am not sure what you mean, but probably check_recipient_mx_access can
        help with rejecting mails targeting RCPT addresses where MX is a given host
        (here: fakemx's).

        http://www.postfix.org/postconf.5.html#check_recipient_mx_access
      • Noel Jones
        Message 3 of 6, Aug 28, 2012
          On 8/28/2012 3:38 PM, Gábor Lénárt wrote:
          > On Tue, Aug 28, 2012 at 04:33:16PM -0400, Jon A. wrote:
          >> I'd like to immediately reject mail for all destinations with ONLY a
          >> fakemx.net record. While I could block these as I find them, I'd prefer to
          >> detect it if possible.
          >> One such:
          >>
          >> hitmail.com mail is handled by 0 mx.fakemx.net.
          >
          > I am not sure what you mean, but probably check_recipient_mx_access can
          > help with rejecting mails targeting RCPT addresses where MX is a given host
          > (here: fakemx's).
          >
          > http://www.postfix.org/postconf.5.html#check_recipient_mx_access
          >

          Be aware the postfix built-in check_*_mx_access will match if ANY of
          the MX records match.

          To reject domains with ONLY fakemx MX records, you'll need to use an
          external policy service.
          http://www.postfix.org/SMTPD_POLICY_README.html



          -- Noel Jones
        • Ralf Hildebrandt
          Message 4 of 6, Aug 28, 2012
            * Jon A. <continualuse2u@...>:
            > I've seen an increased number of issues with some domains that use
            > fakemx.net to deny mail and am looking for some advice on how to best
            > reject email for domains that only have one MX record that points to
            > fakemx.net servers.

            You'd have to use a policy daemon like postfwd for that.

            --
            Ralf Hildebrandt
            Geschäftsbereich IT | Abteilung Netzwerk
            Charité - Universitätsmedizin Berlin
            Campus Benjamin Franklin
            Hindenburgdamm 30 | D-12203 Berlin
            Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
            ralf.hildebrandt@... | http://www.charite.de
          • Robert Schetterer
            Message 5 of 6, Aug 29, 2012
              Am 28.08.2012 22:33, schrieb Jon A.:
              > I've seen an increased number of issues with some domains that use
              > fakemx.net to deny mail and am looking for some
              > advice on how to best reject email for domains that only have one MX
              > record that points to fakemx.net servers.
              >
              > While I question the effectiveness, I have no problem with someone
              > trying to detect bad mail senders. Unfortunately, my server finds
              > itself trying to do legit business and being "seen" by fakemx.net
              > and having messages back up in my queue and
              > continually retry doesn't make me happy.
              >
              > I'd like to immediately reject mail for all destinations with ONLY a
              > fakemx.net record. While I could block these as I
              > find them, I'd prefer to detect it if possible.
              >
              > One such:
              >
              > hitmail.com mail is handled by 0 mx.fakemx.net.
              >
              > My thought is to use the transports mechanism and BOUNCE the message...
              > I could scrape the logs and update transports with something like:
              >
              > .example.com error:mail not deliverable (only destination is fakemx.net)
              >
              > but as we know, over time systems get fixed. I'd prefer to do this
              > detection on the fly as part of the delivery attempt.
              >
              > Can someone provide a suggestion on how to best accomplish this?
              >
              > Thanks
              > jon
              >

              you might use

              check_recipient_mx_access type:table
              Search the specified access(5) database for the MX hosts for the
              RCPT TO domain, and execute the corresponding action. Note: a result of
              "OK" is not allowed for safety reasons. Instead, use DUNNO in order to
              exclude specific hosts from blacklists. This feature is available in
              Postfix 2.1 and later

              as alternative to error, but there is nothing you can do about changing
              mx record in dns, you might want to monitor them, or/and perhaps better,
              give a support mail address in the reject reason, for postmasters
              contact you which have changed from fakemx to real mailservers

              there may be some policy services which may handle this better, but at
              recent I don't know some

              --
              Best Regards
              MfG Robert Schetterer
            • Sahil Tandon
              Message 6 of 6, Sep 2, 2012
                On Tue, 2012-08-28 at 15:53:28 -0500, Noel Jones wrote:

                > On 8/28/2012 3:38 PM, Gábor Lénárt wrote:
                > > On Tue, Aug 28, 2012 at 04:33:16PM -0400, Jon A. wrote:
                > >> I'd like to immediately reject mail for all destinations with ONLY a
                > >> fakemx.net record. While I could block these as I find them, I'd prefer to
                > >> detect it if possible.
                > >> One such:
                > >>
                > >> hitmail.com mail is handled by 0 mx.fakemx.net.
                > ...
                > Be aware the postfix built-in check_*_mx_access will match if ANY of
                > the MX records match.
                >
                > To reject domains with ONLY fakemx MX records, you'll need to use an
                > external policy service.

                The OP could also query, via check_recipient_access, a spawn(8)-managed
                TCP table; I do not know how well that would scale. An untested code
                snippet that requires the external dnspython module is below. Please do
                not use it in production; it is just to illustrate the approach.

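                #!/usr/bin/env python3

                import sys
                import dns.resolver  # external dnspython module (2.0 or later)

                # initialize a resolver with 2s timeout
                resolver = dns.resolver.Resolver()
                resolver.lifetime = 2

                # one tcp_table(5) request per line: "get <key>"; stop at end of input
                for line in sys.stdin:
                    try:
                        fakemx = 0
                        # drop the "get " prefix, then keep the domain part of the address
                        key = line.strip()
                        if key.startswith('get '):
                            key = key[4:]
                        domain = key.lower().rsplit('@', 1)[1]
                        answer = resolver.resolve(domain, 'MX')
                        for mx in answer:
                            if 'mx.fakemx.net' in mx.to_text():
                                fakemx += 1
                        if fakemx == len(answer):
                            reply = '200 REJECT mail not deliverable (only destination is fakemx.net)'
                        else:
                            reply = '200 DUNNO'
                    except Exception:
                        # key without a domain, or DNS lookup failure: do not reject
                        reply = '200 DUNNO'
                    # flush each reply so Postfix sees it immediately
                    print(reply, flush=True)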

                --
                Sahil Tandon
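
Added example, not code from any poster in this thread: the external policy service route that Noel Jones and Ralf Hildebrandt point to, speaking the name=value protocol from SMTPD_POLICY_README and rejecting only when every MX is under fakemx.net. The function names, `SAMPLE_MX` data and the `mixed.example` domain are constructed for illustration; `dns_mx` assumes dnspython 2.0 or later is installed.

```python
import sys

FAKE_SUFFIX = "fakemx.net"   # MX hosts at or under this name count as fake
# Constructed MX data for offline runs; hitmail.com is the thread's example.
SAMPLE_MX = {"hitmail.com": ["mx.fakemx.net."],
             "mixed.example": ["mx.fakemx.net.", "mail.mixed.example."]}

def only_fakemx(mx_hosts):
    """True only if there is at least one MX and every one is under fakemx.net."""
    hosts = [h.rstrip(".").lower() for h in mx_hosts]
    return bool(hosts) and all(
        h == FAKE_SUFFIX or h.endswith("." + FAKE_SUFFIX) for h in hosts)

def dns_mx(domain):
    """Live lookup of MX exchange names; needs dnspython (assumed installed)."""
    import dns.resolver
    resolver = dns.resolver.Resolver()
    resolver.lifetime = 2
    return [r.exchange.to_text() for r in resolver.resolve(domain, "MX")]

def decide(request, lookup_mx=dns_mx):
    """Map one policy request (dict of attributes) to a Postfix action."""
    recipient = request.get("recipient", "")
    if request.get("request") != "smtpd_access_policy" or "@" not in recipient:
        return "DUNNO"
    try:
        hosts = lookup_mx(recipient.rsplit("@", 1)[1].lower())
    except Exception:
        return "DUNNO"      # DNS trouble: fail open, normal delivery decides
    if only_fakemx(hosts):
        return "REJECT mail not deliverable (only destination is fakemx.net)"
    return "DUNNO"

def serve(stream_in, stream_out, lookup_mx=dns_mx):
    """Read name=value requests ended by a blank line; answer action=... each."""
    request = {}
    for line in stream_in:
        line = line.rstrip("\n")
        if line:
            name, _, value = line.partition("=")
            request[name] = value
        else:
            stream_out.write("action=%s\n\n" % decide(request, lookup_mx))
            stream_out.flush()
            request = {}

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Run it under spawn(8) and reference it with check_policy_service in the recipient restrictions, as SMTPD_POLICY_README describes. A domain with a mix of fakemx.net and real MX hosts gets DUNNO, which is the ANY versus ONLY distinction raised for check_recipient_mx_access.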