
Accept external SMTP traffic only from MX hosts

  • James B. Byrne
    Message 1 of 7, Apr 23, 2014
      I am in the process of debugging an application to Postfix error and thus have
      occasion to have the maillog tailed in a session window. The vast, vast
      majority of the traffic I see is spam and attempted spam most of which is
      being handled by amavis-new and spamassassin.

      Does the idea of configuring Postfix so that external (to our network) smtp
      connections are only accepted from servers identified with MX records for the
      connecting IP address make any sense? Is it possible?


      --
      *** E-Mail is NOT a SECURE channel ***
      James B. Byrne mailto:ByrneJB@...
      Harte & Lyne Limited http://www.harte-lyne.ca
      9 Brockley Drive vox: +1 905 561 1241
      Hamilton, Ontario fax: +1 905 561 0757
      Canada L8E 3C3
    • Larry Stone
      Message 2 of 7, Apr 23, 2014
        On Wed, 23 Apr 2014, James B. Byrne wrote:

        > Does the idea of configuring Postfix so that external (to our network) smtp
        > connections are only accepted from servers identified with MX records for the
        > connecting IP address make any sense? Is it possible?

        No, it makes no sense at all. MX records define what hosts RECEIVE mail
        for a domain. They say nothing about what hosts should be SENDING mail for
        a domain. Many large ISPs use separate systems for receiving and sending
        mail. What you want to do will reject large quantities of legitimate mail.

        -- Larry Stone
        lstone19@...
      • Ron Wheeler
        Message 3 of 7, Apr 23, 2014
          Another approach to reduce SPAM would be to use fail2ban for a
          "reasonable" period to shut out IP addresses for a "reasonable" period
          that are sending a "lot" of SPAM in a "short" period.

          Ron

          On 23/04/2014 3:56 PM, Larry Stone wrote:
          > On Wed, 23 Apr 2014, James B. Byrne wrote:
          >
          >> Does the idea of configuring Postfix so that external (to our
          >> network) smtp
          >> connections are only accepted from servers identified with MX records
          >> for the
          >> connecting IP address make any sense? Is it possible?
          >
          > No, it makes no sense at all. MX records define what hosts RECEIVE
          > mail for a domain. They say nothing about what hosts should be SENDING
          > mail for a domain. Many large ISPs use separate systems for receiving
          > and sending mail. What you want to do will reject large quantities of
          > legitimate mail.
          >
          > -- Larry Stone
          > lstone19@...
          >


          --
          Ron Wheeler
          President
          Artifact Software Inc
          email: rwheeler@...
          skype: ronaldmwheeler
          phone: 866-970-2435, ext 102
        • Ron Wheeler
          Message 4 of 7, Apr 23, 2014
            1) I am blocking sites that:
            a) send SPAM to addresses in our domain
            b) have broken one of our e-mail passwords and try to send bulk mail
            through our server by faking an Artifact Software user.
            If postfix or spamassassin detects this behaviour, it blocks it as best
            as it can (without making legitimate e-mail hard to send) and creates
            log events which fail2ban picks up and blocks the offending IP for a while.


            2) We block relaying of mail by unauthenticated users. Any employee who
            is not on a local network must use a username and password to send a
            mail. Postfix supports this easily and is the way to close an open
            relay. I am often out of the office as are most of the employees and
            this works fine.

            If you are using Postfix, you will find the recipes in "The Book of
            Postfix" which is worth buying.
            What e-mail client are you using? I use Thunderbird but others use
            Outlook and it all works with a simple set up.

            I hope that this helps.

            Ron

            On 23/04/2014 7:43 PM, John Griessen wrote:
            > On 04/23/2014 04:07 PM, Ron Wheeler wrote:
            >> Another approach to reduce SPAM would be to use fail2ban for a
            >> "reasonable" period to shut out IP addresses for a "reasonable"
            >> period that are sending a "lot" of SPAM in a "short" period.
            >
            >
            > Hi,
            >
            > Are you meaning to allow relaying that way, or just for mail that has
            > a destination
            > at your server?
            >
            > I've been trying to figure how to get my mail server to do TLS, but
            > then found my idea
            > of do TLS was about sealing off any but a whitelist of senders, and
            > the list folk think differently,
            > but then my wife wanted it on a trip, and it became too complicated to
            > do with my old setup.
            >
            > So now, I'm planning to switch to dovecot for IMAP mail, and not sure
            > what security for
            > on the road uses, and not sure at all what is practical for
            > smart-phone uses,
            > and the list folk seem to hate OT anything, and howto a complete
            > server setup
            > they definitely put in OT category.
            >
            > So, if you've found a limiting way that doesn't get you blacklisted,
            > I'm all ears.
            >
            > John Griessen
            >
            > Already blacklisted for no discernible reason by yahoo.com for bounces
            > from a mailman list
            > I run...
            >


            --
            Ron Wheeler
            President
            Artifact Software Inc
            email: rwheeler@...
            skype: ronaldmwheeler
            phone: 866-970-2435, ext 102
          • Joey J
            Message 5 of 7, Apr 23, 2014
              You cannot try to start figuring out who is legit or not; it's a never-ending task and will cause you nothing but a headache.
              Use SPF, DKIM and other traditional methods, and utilize some RBLs.

              I do block them using fail2ban for long periods of time; if someone is identified as sending spam, there is no reason to allow them to continue.
              I have done extreme types of things like this to slow spam down, and really haven't been burned by it.
              I created my own set of rules to match different types of rejections and made the fail2ban filter's postfix policy include the types of rejections like RBL, bad user (dictionary attack) and other such rejections, so they can be blocked at the firewall level and not in Postfix, which has a higher resource cost.

              How many users do you have?
              How much spam are you rejecting daily?




              On Wed, Apr 23, 2014 at 5:07 PM, Ron Wheeler <rwheeler@...> wrote:
              > Another approach to reduce SPAM would be to use fail2ban for a "reasonable" period to shut out IP addresses for a "reasonable" period that are sending a "lot" of SPAM in a "short" period.
              >
              > Ron
              >
              > On 23/04/2014 3:56 PM, Larry Stone wrote:
              >> On Wed, 23 Apr 2014, James B. Byrne wrote:
              >>
              >>> Does the idea of configuring Postfix so that external (to our network) smtp
              >>> connections are only accepted from servers identified with MX records for the
              >>> connecting IP address make any sense?  Is it possible?
              >>
              >> No, it makes no sense at all. MX records define what hosts RECEIVE mail for a domain. They say nothing about what hosts should be SENDING mail for a domain. Many large ISPs use separate systems for receiving and sending mail. What you want to do will reject large quantities of legitimate mail.
              >>
              >> -- Larry Stone
              >>    lstone19@...
              >
              > --
              > Ron Wheeler
              > President
              > Artifact Software Inc
              > email: rwheeler@...
              > skype: ronaldmwheeler
              > phone: 866-970-2435, ext 102




              --
              Thanks!
              Joey
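The fail2ban approach Ron and Joey describe above (count Postfix rejections of a given kind per client IP, then block the IP at the firewall rather than in Postfix), as an added example that is not from the thread and not fail2ban's own code: a Python model of the fail2ban counting rule (failregex lines with a <HOST> placeholder, maxretry hits within findtime seconds) run over constructed /var/log/maillog lines. The log lines, hostnames and IPs below are invented for the example; the rejection strings follow the formats Postfix and Dovecot actually write, but the regexes, thresholds and the iptables command are this example's choices, not fail2ban's shipped postfix filter.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of what `tail -f /var/log/maillog` shows on a busy MX.
# Hosts, addresses and IPs are invented (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges); the message formats are Postfix's and Dovecot's.
SAMPLE_MAILLOG = """\
Apr 23 15:40:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<a@example.net> to=<jbb@example.com> proto=ESMTP helo=<example.net>
Apr 23 15:40:09 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<b@example.net> to=<jbb@example.com> proto=ESMTP helo=<example.net>
Apr 23 15:41:30 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[198.51.100.21]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.org> to=<aaron@example.com> proto=ESMTP helo=<x>
Apr 23 15:41:31 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[198.51.100.21]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.org> to=<abby@example.com> proto=ESMTP helo=<x>
Apr 23 15:41:32 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[198.51.100.21]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.org> to=<adam@example.com> proto=ESMTP helo=<x>
Apr 23 15:42:10 mx postfix/smtpd[2105]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 23 15:42:11 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ron>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.10, TLS
Apr 23 15:42:12 mx postfix/smtpd[2105]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 23 15:43:00 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from mail.example.org[203.0.113.99]: 450 4.1.8 <bounce@nxdomain.example>: Sender address rejected: Domain not found; from=<bounce@nxdomain.example> to=<jbb@example.com> proto=ESMTP helo=<mail.example.org>
Apr 23 16:10:00 mx postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<c@example.net> to=<jbb@example.com> proto=ESMTP helo=<example.net>
Apr 23 16:10:05 mx postfix/smtpd[2111]: connect from mail.example.org[203.0.113.99]
"""

HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Rejection types worth banning on, written like fail2ban failregex lines.
# Only hard (5xx) rejections and authentication failures are listed: a 4xx such
# as "450 Domain not found" can be a transient DNS problem on the sender's side
# and must never earn a ban.
FAILREGEX = {
    "rbl": r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*blocked using",
    "unknown_user": r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5\.1\.1 .*User unknown in local recipient table",
    "relay_denied": r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*Relay access denied",
    "sasl_failed": r"warning: \S+\[<HOST>\]: SASL \S+ authentication failed",
    "dovecot_auth": r"dovecot: (?:imap|pop3)-login: .*\(auth failed, .*rip=<HOST>",
}
PATTERNS = {name: re.compile(rx.replace("<HOST>", HOST)) for name, rx in FAILREGEX.items()}
TIMESTAMP = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")


def parse_failures(log_text):
    """Yield (timestamp, client_ip, category) for every line matching one failregex."""
    for line in log_text.splitlines():
        ts_match = TIMESTAMP.match(line)
        if not ts_match:
            continue
        # syslog stamps carry no year; only differences between stamps are used below
        ts = datetime.strptime(ts_match.group(1), "%b %d %H:%M:%S")
        for name, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                yield ts, m.group("host"), name
                break


def ban_candidates(log_text, maxretry=3, findtime=600):
    """fail2ban's rule: ban an IP once it has maxretry failures within findtime seconds."""
    events = defaultdict(list)
    for ts, ip, category in parse_failures(log_text):
        events[ip].append((ts, category))
    banned = {}
    for ip, hits in events.items():
        hits.sort()
        for i in range(maxretry - 1, len(hits)):
            window = (hits[i][0] - hits[i - maxretry + 1][0]).total_seconds()
            if window <= findtime:
                banned[ip] = {
                    "banned_at": hits[i][0].strftime("%b %d %H:%M:%S"),
                    "reasons": dict(Counter(c for _, c in hits[: i + 1])),
                }
                break
    return banned


def firewall_commands(banned):
    """Illustrative host-firewall rules; fail2ban's own actions keep a dedicated chain instead."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    result = ban_candidates(SAMPLE_MAILLOG)
    for ip, info in result.items():
        print(ip, info)
    print("\n".join(firewall_commands(result)))
```

Two lines in the sample deliberately do not lead to a ban: the 450 "Domain not found" rejection, because a temporary failure may be the sender's DNS trouble rather than spam, and the third RBL hit from 203.0.113.7, because it falls outside the findtime window (lower maxretry to 2 and it is banned). Those two knobs, plus bantime, are the "reasonable" values Ron refers to; in a real deployment the Postfix and Dovecot patterns would live in separate fail2ban filters and jails, but the counting logic is the same.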

            • Lewin Bormann
              Message 6 of 7, Apr 24, 2014
                It sounds as if you want something like SPF and a policy daemon. Just
                google it.
              • Ron Wheeler
                Message 7 of 7, Apr 24, 2014
                  On 23/04/2014 7:43 PM, John Griessen wrote:
                  > On 04/23/2014 04:07 PM, Ron Wheeler wrote:
                  >> Another approach to reduce SPAM would be to use fail2ban for a
                  >> "reasonable" period to shut out IP addresses for a "reasonable"
                  >> period that are sending a "lot" of SPAM in a "short" period.
                  >
                  >
                  > Hi,
                  >
                  > Are you meaning to allow relaying that way, or just for mail that has
                  > a destination
                  > at your server?

                  We do not allow relaying from any unauthenticated user.

                  I want to prevent legitimate users (our staff) from sending SPAM.
                  This prevents a hacked account from being used.

                  We use Spamassassin to detect and kill incoming SPAM.
                  We could block the source of these but are too small to differentiate
                  between legitimate e-mail addressed to most of the staff
                  and spam to everyone.
                  >
                  > I've been trying to figure how to get my mail server to do TLS, but
                  > then found my idea
                  > of do TLS was about sealing off any but a whitelist of senders, and
                  > the list folk think differently,
                  > but then my wife wanted it on a trip, and it became too complicated to
                  > do with my old setup.
                  >

                  You need clients that can authenticate which is pretty common and you
                  need to set up Postfix to authenticate a user before accepting SMTP
                  messages that need to be relayed out of your network.

                  > So now, I'm planning to switch to dovecot for IMAP mail, and not sure
                  > what security for
                  > on the road uses, and not sure at all what is practical for
                  > smart-phone uses,
                  > and the list folk seem to hate OT anything, and howto a complete
                  > server setup
                  > they definitely put in OT category.
                  >
                  We use dovecot. You need to use fail2ban to protect dovecot from
                  dictionary attacks or other probing to break passwords.

                  > So, if you've found a limiting way that doesn't get you blacklisted,
                  > I'm all ears.
                  >

                  There is no guarantee since hackers are always finding new things to try.
                  I have tried to stop anyone from mounting attacks or sneaking into our
                  Postfix but I still monitor the message queue for evidence that someone
                  has got in.


                  > John Griessen
                  >
                  > Already blacklisted for no discernible reason by yahoo.com for bounces
                  > from a mailman list
                  > I run...
                  >
                  Getting off blacklists is possible but takes time.


                  Ron

                  --
                  Ron Wheeler
                  President
                  Artifact Software Inc
                  email: rwheeler@...
                  skype: ronaldmwheeler
                  phone: 866-970-2435, ext 102
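Ron's point in messages 4 and 7, relay only for the local network or for a client that has authenticated, as an added example that is not from the thread: two constructed main.cf fragments, a weak one and a hardened one, plus a small Python lint that reads the relay policy the way Postfix evaluates it (the first matching restriction decides). The fragments, the check names and the findings text are this example's own; the parameter and restriction names are Postfix's. The lint treats an empty or missing smtpd_relay_restrictions conservatively by reading smtpd_recipient_restrictions instead, which is pessimistic on Postfix 2.10 and later, where the built-in default for smtpd_relay_restrictions already ends in defer_unauth_destination.

```python
import re

# Constructed main.cf fragments for the example; neither comes from the thread.
WEAK_MAIN_CF = """\
# Looks right at a glance, but permit_mynetworks now matches every client.
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

HARDENED_MAIN_CF = """\
mynetworks = 127.0.0.0/8, 192.0.2.0/24
# Staff off the local network must authenticate (here against Dovecot's
# SASL socket), and may only do so inside TLS.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org
"""


def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value', '#' comments, continuation lines start with whitespace."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return {k: v.strip() for k, v in params.items()}


def restriction_list(value):
    """Split a Postfix list parameter on commas and whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def relay_findings(text):
    """Problems with the relay policy; an empty list means unauthenticated relaying is closed."""
    p = parse_main_cf(text)
    findings = []
    if any(net.endswith("/0") for net in restriction_list(p.get("mynetworks", ""))):
        findings.append("mynetworks contains a /0 network: permit_mynetworks trusts the whole Internet")
    # Postfix 2.10+ decides relaying in smtpd_relay_restrictions; when that is empty,
    # and on older releases, smtpd_recipient_restrictions carries the decision.
    policy = restriction_list(p.get("smtpd_relay_restrictions") or p.get("smtpd_recipient_restrictions", ""))
    stop = ("reject_unauth_destination", "defer_unauth_destination")
    idx = next((i for i, r in enumerate(policy) if r in stop), None)
    if idx is None:
        findings.append("open relay: no reject_unauth_destination or defer_unauth_destination in the relay policy")
    elif "permit" in policy[:idx]:
        findings.append("open relay: an unconditional 'permit' is evaluated before reject_unauth_destination")
    if "permit_sasl_authenticated" in policy and p.get("smtpd_sasl_auth_enable", "no") != "yes":
        findings.append("permit_sasl_authenticated is listed but smtpd_sasl_auth_enable is not yes, so nobody can authenticate")
    if p.get("smtpd_sasl_auth_enable") == "yes" and p.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("smtpd_tls_auth_only is not yes: passwords can be sent over an unencrypted session")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(label, relay_findings(cfg) or ["no findings"])
```

The weak fragment is the trap Ron's approach avoids: the restriction list is textbook, but mynetworks has been widened to the whole Internet so permit_mynetworks fires for every client, and SASL is never switched on, so the staff who are supposed to authenticate cannot. On a live server, `postconf -n` prints the effective non-default settings in the same name = value form this reader expects.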