
Re: dictionary-attack

  • Matthew Hall
    Message 1 of 48 , Mar 27, 2013
      I altered the restrictions according to the new advice:

      relay_restrictions - removed

      smtpd_recipient_restrictions =
          permit_mynetworks,
          permit_sasl_authenticated,
          reject_unauth_destination,
          reject_invalid_hostname,
          reject_non_fqdn_hostname,
          reject_non_fqdn_sender,
          reject_non_fqdn_recipient,
          check_client_access hash:/etc/postfix/client_checks,
          check_client_access pcre:/etc/postfix/client_checks.pcre,
          check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
          check_helo_access hash:/etc/postfix/helo_checks,
          check_sender_access hash:/etc/postfix/sender_checks,
          check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
          reject_unknown_sender_domain,
          reject_rbl_client zen.spamhaus.org,
          # reject_rbl_client cbl.abuseat.org,
          # reject_rbl_client list.dsbl.org,
          # reject_rbl_client sbl.spamhaus.org,
          # reject_rbl_client pbl.spamhaus.org
          permit

      Now, with everything in one list, all of the trivial RFC-ish checks
      come first, then client access (to allow whitelisting), then
      fqrdns.pcre, then special HELO, From, and To checks, then we go to the
      more expensive ones that use DNS.

      Does this make more sense than what I did before? Or am I still off base?

      Thanks for your help.

      Matthew.
    • Benny Pedersen
      Message 48 of 48 , Apr 7, 2013
        On 2013-03-27 23:11, Matthew Hall wrote:

        > I ran into a bit of an issue trying out fqrdns.pcre as recommended
        > here in this thread. The header in the file recommended adding it
        > into
        > smtpd_client_restrictions. However if I place it there, I end up
        > rejecting mail even from SASL authenticated client devices, if they
        > also match a rule in fqrdns.pcre.

        add permit_sasl_authenticated before fqrdns.pcre testing

        --
        senders that put my email into body content will deliver it to my own
        trashcan, so if you like to get a reply, don't do it
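
The ordering issue discussed in this thread, as an added example that is not part of either message or of Postfix itself: a small Python check that reads a restriction list from main.cf text and reports which check_/reject_ entries are evaluated before permit_sasl_authenticated. The sample main.cf text is constructed and the function names are hypothetical; it assumes the usual main.cf rules (leading whitespace continues a line, comment lines are skipped, the last setting of a parameter wins).

```python
import re

# Constructed main.cf text (not from the thread): fqrdns.pcre placed in
# smtpd_client_restrictions with no SASL permit ahead of it.
SAMPLE_BAD = """\
smtpd_client_restrictions =
    check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
"""

# Constructed: the same list with the permits placed first.
SAMPLE_GOOD = """\
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    # comment lines inside a value are skipped
    check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
"""

TABLE_CHECK = re.compile(r"^check_\w+_access$")  # restrictions followed by a table


def parse_restrictions(text, param):
    """Return the ordered restriction names set for `param` in main.cf text."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                # blank and comment lines
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()       # continuation line
        else:
            logical.append(line.strip())
    found = []
    for entry in logical:                           # last definition wins
        name, _, value = entry.partition("=")
        if name.strip() == param:
            tokens = re.split(r"[,\s]+", value.strip())
            # drop table arguments (e.g. pcre:/path) that follow check_*_access
            found = [t for i, t in enumerate(tokens)
                     if t and not (i and TABLE_CHECK.match(tokens[i - 1]))]
    return found


def checks_before_sasl_permit(restrictions):
    """Entries that can reject before permit_sasl_authenticated is reached."""
    if "permit_sasl_authenticated" in restrictions:
        restrictions = restrictions[:restrictions.index("permit_sasl_authenticated")]
    return [r for r in restrictions if r.startswith(("check_", "reject_"))]
```

A non-empty result means authenticated clients can be rejected by those entries, which is the behaviour reported in the quoted message.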