rejecting UCE to postmaster (was: HELO/rDNS Checking Policy)

John Peach

Jan 6, 2004, 3:43:25 PM
On Tue, 06 Jan 2004 11:07:17 -0500 pos...@johnpeach.com (John Peach)
said:
> On Sat, 3 Jan 2004 11:02:26 -0500 (EST) jsey...@LinxNet.com (Jim
> Seymour)
> said:
> [snip]
> > One might argue that desperate times call for desperate measures. I
> > just this morning finally, reluctantly, made two changes to my mail
> > server at home. I added dul.dnsbl.sorbs.net to my DNSbl list and I
> > removed the anti-UCE bypass for "postmaster," "abuse" and several other
> > admin role accounts. This was prompted by the fact that 66% of the
> > spam that made it past my already-Draconian anti-UCE checks in the last
> > two days was from dynamic IP addresses (probably 0wn3d 'doze PeeCees)
> > and that a goodly amount of it was addressed to "postmaster."
> >
> I *thought* I had done the same thing - I was just seeing too much spam
> for postmaster and abuse.
> HOWEVER, while I can verify that spam to abuse is being rejected, the
> same is not happening for postmaster, even when I can see quite clearly
> that it's a dialup and that it's in the sorbs dialup list....
> I have always had a recipient access map allowing mail to postmaster@
> and abuse@; I just moved some of my RBL lists above it in main.cf.
> Is mail to postmaster@ automatically accepted somehow or am I missing
> something else fundamental?
>
> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient
>     reject_unknown_recipient_domain
>     reject_non_fqdn_sender
>     reject_unauth_pipelining
>     permit_mynetworks
>     reject_unauth_destination
>     reject_unknown_sender_domain
>     reject_rbl_client list.dsbl.org
>     reject_rbl_client dul.dnsbl.sorbs.net
>     reject_rbl_client xbl.spamhaus.org
>     check_recipient_access dbm:/usr/local/postfix/etc/access_recipient
>
> ...and in access_recipient:
>
> abuse@ OK
> postmaster@ OK
> etc.

To follow up to my own posting. A bit more investigation shows that the
above only seems to hold true for postmaster@$mydomain. Any other
domains in $mydestination exhibit the behaviour I'm looking for - the
mail is rejected whether or not it is to postmaster@.....


Wietse Venema

Jan 6, 2004, 4:07:06 PM
John Peach:

Postfix 2.x makes an exception for the "bare" postmaster address
only, that is, postmaster without domain, because that form is
explicitly allowed by RFC 2821. For everything else, RFC 2821
requires user@fully-qualified-domain-name.

Because of this inconsistency, the bare postmaster is excluded from
all the UCE junk so that people don't have to jump hoops to avoid
rejecting it by accident.

Otherwise, the SMTP server does nothing special with postmasters.

Wietse

John Peach

Jan 6, 2004, 4:35:21 PM
On Tue, 6 Jan 2004 16:06:50 -0500 (EST) wie...@porcupine.org (Wietse
Venema)
said:

> >
> > To follow up to my own posting. A bit more investigation shows that the
> > above only seems to hold true for postmaster@$mydomain. Any other
> > domains in $mydestination exhibit the behaviour I'm looking for - the
> > mail is rejected whether or not it is to postmaster@.....
>
> Postfix 2.x makes an exception for the "bare" postmaster address
> only, that is, postmaster without domain, because that form is
> explicitly allowed by RFC 2821. For everything else, RFC 2821
> requires user@fully-qualified-domain-name.
>
> Because of this inconsistency, the bare postmaster is excluded from
> all the UCE junk so that people don't have to jump hoops to avoid
> rejecting it by accident.
>
> Otherwise, the SMTP server does nothing special with postmasters.

That's what I had thought. I was sure I had originally had to
explicitly allow postmaster mail through.

However what I see now (testing this from home before I go anyplace
close to implementing it at work.....):

Jan 6 16:16:19 homer postfix/smtpd[1239]: input attribute name: (end)
Jan 6 16:16:19 homer postfix/smtpd[1239]: resolve_clnt: `postm...@peachfamily.net' -> transp=`local' host=`mail.peachfamily.net' rcpt=`postm...@peachfamily.net' flags= class=local
Jan 6 16:16:19 homer postfix/smtpd[1239]: ctable_locate: install entry key postm...@peachfamily.net
Jan 6 16:16:19 homer postfix/smtpd[1239]: extract_addr: result: postm...@peachfamily.net
Jan 6 16:16:19 homer postfix/smtpd[1239]: send attr request = rewrite
Jan 6 16:16:19 homer postfix/smtpd[1239]: send attr rule = canonicalize
Jan 6 16:16:19 homer postfix/smtpd[1239]: send attr address = postmaster
Jan 6 16:16:19 homer postfix/smtpd[1239]: private/rewrite socket: wanted attribute: address


Jan 6 16:16:39 homer postfix/smtpd[1239]: input attribute name: (end)
Jan 6 16:16:39 homer postfix/smtpd[1239]: resolve_clnt: `postmaster@johnpeach.com' -> transp=`local' host=`mail.peachfamily.net' rcpt=`postmaster@johnpeach.com' flags= class=local
Jan 6 16:16:39 homer postfix/smtpd[1239]: ctable_locate: install entry key postmas...@johnpeach.com
Jan 6 16:16:39 homer postfix/smtpd[1239]: extract_addr: result: postmaster@johnpeach.com
Jan 6 16:16:39 homer postfix/smtpd[1239]: >>> START Recipient address RESTRICTIONS <<<
Jan 6 16:16:39 homer postfix/smtpd[1239]: generic_checks: name=reject_non_fqdn_sender

For some reason, postm...@peachfamily.net is bypassing the
restrictions.

$mydomain = peachfamily.net
and johnpeach.com being in $mydestination.

mail_version = 2.0.16-20031231
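
The restriction ordering and the bare-postmaster exemption discussed in this thread, as a simplified first-match model. This is an added example, not Postfix source code and not part of any poster's message; the function names, client IPs and DNSBL contents are constructed, and only three of the thread's restrictions are modelled.

```python
# Simplified model of how smtpd_recipient_restrictions is walked: each
# restriction answers REJECT, OK or DUNNO, and the first REJECT or OK ends
# the walk. All sample data is constructed for illustration.

LISTED = {"dul.dnsbl.sorbs.net": {"192.0.2.10"}}          # constructed DNSBL contents
ACCESS_RECIPIENT = {"abuse@": "OK", "postmaster@": "OK"}  # the thread's access map
MY_DESTINATIONS = {"peachfamily.net", "johnpeach.com"}

def rbl(zone):
    return lambda client, rcpt: "REJECT" if client in LISTED.get(zone, ()) else "DUNNO"

def recipient_access(client, rcpt):
    # A "user@" key in an access map matches that localpart in any domain.
    local = rcpt.split("@", 1)[0].lower() + "@"
    return ACCESS_RECIPIENT.get(local, "DUNNO")

def unauth_destination(client, rcpt):
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in MY_DESTINATIONS else "REJECT"

# Order as posted: the DNSBL lookup sits above the role-account whitelist.
RBL_FIRST = [("reject_unauth_destination", unauth_destination),
             ("reject_rbl_client dul.dnsbl.sorbs.net", rbl("dul.dnsbl.sorbs.net")),
             ("check_recipient_access", recipient_access)]
# Earlier order: the whitelist is consulted before any DNSBL.
ACCESS_FIRST = [RBL_FIRST[0], RBL_FIRST[2], RBL_FIRST[1]]

def evaluate(restrictions, client, rcpt):
    """Return (verdict, name of the restriction that decided it)."""
    # Per the reply in this thread: "postmaster" with no domain part is
    # excluded from the UCE checks (modelled here as an early return).
    if rcpt.lower() == "postmaster":
        return ("OK", "bare postmaster exemption")
    for name, check in restrictions:
        verdict = check(client, rcpt)
        if verdict != "DUNNO":
            return (verdict, name)
    return ("OK", "end of list")

if __name__ == "__main__":
    for order, label in ((RBL_FIRST, "rbl first"), (ACCESS_FIRST, "access first")):
        for rcpt in ("postmaster@johnpeach.com", "postmaster"):
            print(label, rcpt, evaluate(order, "192.0.2.10", rcpt))
```

The model does not reproduce the postmaster@$mydomain bypass reported in the last message; it only shows the two behaviours the thread states outright.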
