
From address must match the SMTP client's DNS domain


Gerhard Rappenecker

Jun 16, 2016, 8:19:08 AM
Hi all,

I want to reject mails from some SMTP clients specified by IP or subnet if the from address doesn't match the client's DNS domain.
Can anyone help me?

My environment:
postfix 2.11.6
amavisd-new-2.8.1

I already posted this message yesterday but it seems something went wrong.

Regards
Gerhard

Robert Schetterer

Jun 16, 2016, 2:48:03 PM
I don't know if amavis has options for that.

you may have a look at

https://github.com/croessner/vrfydmn

to use it with postfix/submission

perhaps ask the author to integrate ip/subnet matches or combine it
in milter-manager with a ip/subnet filter

http://milter-manager.sourceforge.net/reference/configuration.html

never tested...

Best Regards
Kind regards, Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

Gerhard Rappenecker

Jun 20, 2016, 10:07:44 AM
Hi Robert,

thanks a lot for your answer. Unfortunately I'm not familiar with
milters, so I would prefer an amavis option to achieve this objective. I
seem to remember seeing such a solution a few months ago somewhere.

Appreciating any further idea

Regards
Gerhard


>>> Robert Schetterer <r...@sys4.de> wrote on Thursday, 16 June 2016
at 20:46 in
message <5762F3FE...@sys4.de>:

Curtis Maurand

Jun 21, 2016, 7:24:19 AM
On my system this is done with postfix.

smtpd_recipient_restrictions = permit_sasl_authenticated,
                               permit_mynetworks,
                               reject_unauth_destination,
                               reject_invalid_hostname,
                               ...


smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
                          reject_invalid_helo_hostname,
                          reject_non_fqdn_helo_hostname,
                          reject_unknown_helo_hostname


Statistics since Sunday.

104 messages blocked by rbl zen.spamhaus.org

33 messages blocked by rbl  bl.spamcop.net

21 messages blocked by rbl  b.barracudacentral.org

211 messages quarantined by amavis

210 messages blocked by amavis

3635 blocked by no reverse DNS


Hope this helps,
Curtis


On 6/16/2016 8:18 AM, Gerhard Rappenecker wrote:
> Hi all,
>
> I want to reject mails from some SMTP clients specified by IP or subnet if the from address doesn't match the client's DNS domain.
> Can anyone help me?
>
> My environment:
> postfix 2.11.6
> amavisd-new-2.8.1
>
> I already posted this message yesterday but it seems something went wrong.
>
> Regards
> Gerhard




Gerhard Rappenecker

Jun 22, 2016, 9:12:23 AM
Hi Curtis,

thanks for your suggestion, but it doesn't seem to realize my idea. I'll try to describe it better:

When an SMTP client with the IP address 1.2.3.4 and the DNS hostname host1.mydomain delivers messages to my postfix/amavis MTA on tcp/25, all the messages must have from headers and envelope-from addresses of the form any_...@host1.mydomain. I want to configure my MTA to apply this policy only to the IP 1.2.3.4 or the subnet 1.2.3.0/24.

Is there any other advice?

Best regards
Gerhard Rappenecker



>>> Curtis Maurand <cur...@maurand.com> wrote on Tuesday, 21 June 2016 at 13:16
in message <2e13bd11-2637-8415...@maurand.com>:

Gregory Sloop

Jun 22, 2016, 11:13:32 AM
GR> Hi Curtis,

GR> thanks for your suggestion, but it doesn't seem to realize my idea. I'll try to describe it better:

GR> When an SMTP client with the IP address 1.2.3.4 and the DNS
GR> hostname host1.mydomain delivers messages to my postfix/amavis MTA
GR> on tcp/25, all the messages must have from headers and
GR> envelope-from addresses of the form any_...@host1.mydomain. I
GR> want to configure my MTA to apply this policy only to the IP 1.2.3.4 or the subnet 1.2.3.0/24.

GR> Is there any other advice?

GR> Best regards
GR> Gerhard Rappenecker

You do realize that this will cause you a LOT of pain, unless your inbound mail is incredibly unusual, right?

For example - the reverse on my VPS server is, say, mail.xyz.com. But I host mail for many domains - like abc.com, def.com, ghi.com etc. [Not to mention, the mail server will likely identify as mail.xyz.com - but my mail will be from the 2nd level domain, xyz.com - and you'd block that too!]

So, if you implement [at least what I think I understand] what you're trying to do you'll block all mail that isn't from xyz.com coming from my VPS, even though there could be many, many legitimate other domains.

If you don't care about blocking mail in those conditions, or if you don't get mail from most of the real world, then I suppose what you want works. But I suspect that's not the case - and implementing your design will break email for your entire server. [And I'm not aware of any way any MTA would implement this "out-of-the-box" anyway.]

What I think you want is more likely to be accomplished with SPF. SPF certainly isn't universally used, so it's of limited utility. But it's the closest workable concept to what you put forward above that's likely to not break/cripple your mail server.

But to reiterate - what you've described above [at least how I read it] is so completely unworkable, if you accept mail from the rest of the world, it's simply going to block a vast amount of legitimate mail.

-Greg

Gerhard Rappenecker

Jun 23, 2016, 6:21:15 AM
In fact, it's an unusual environment: in our university there are some hosts in our DMZ managed by students and reachable from the internet for testing. I look at those hosts as "untrusted SMTP clients" because sometimes they are compromised and try to deliver spam using my MTA. Instead of blocking all messages I'd like to permit administrative messages coming from some services like cron or www. Those messages have to use from addresses with the client's domain and are forwarded by my MTA only to the postfix mynetworks.

This policy should be used for all IPs in the DMZ except some whitelisted IPs, which should be handled in the normal way. Is there any better idea to manage this?

Regards Gerhard


>>> Gregory Sloop <gr...@sloop.net> wrote on Wednesday, 22 June 2016 at 16:48 in
message <218269559.20...@sloop.net>:
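The DMZ policy described above (sender domain must equal the client's reverse DNS name, applied only to untrusted DMZ ranges minus a whitelist) fits Postfix's check_policy_service protocol rather than amavis. The following is an added example, not code from the thread or from Postfix: a decision function for such a policy daemon. The subnet, whitelist and sample requests are constructed values; attribute names (client_address, reverse_client_name, sender) are the ones Postfix sends to a policy server.

```python
import ipaddress

# Constructed configuration, not from the thread: the untrusted DMZ range
# and the hosts inside it that should be handled the normal way.
DMZ_NETS = [ipaddress.ip_network("1.2.3.0/24")]
WHITELIST = {ipaddress.ip_address("1.2.3.10")}


def parse_policy_request(raw):
    """Parse one Postfix policy request: name=value lines ended by a blank line."""
    attrs = {}
    for line in raw.strip().splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            attrs[name] = value
    return attrs


def sender_domain(sender):
    """Lower-cased domain of the envelope sender; None for the null sender."""
    if "@" not in sender:
        return None
    return sender.rsplit("@", 1)[1].lower().rstrip(".")


def decide(attrs):
    """Return the Postfix action for one request.

    Clients outside the DMZ ranges, or on the whitelist, get DUNNO so the
    remaining smtpd restrictions decide. DMZ clients must use an envelope
    sender whose domain equals their reverse DNS name. The null sender
    (bounces) has no domain and is rejected here too; exempt it if needed.
    """
    client = ipaddress.ip_address(attrs.get("client_address", "0.0.0.0"))
    if client in WHITELIST or not any(client in net for net in DMZ_NETS):
        return "DUNNO"
    rdns = attrs.get("reverse_client_name", "unknown").lower().rstrip(".")
    if rdns == "unknown":
        # Postfix reports "unknown" when the PTR lookup fails: nothing to match.
        return "REJECT untrusted client without reverse DNS"
    if sender_domain(attrs.get("sender", "")) == rdns:
        return "DUNNO"
    return "REJECT sender domain must match client hostname %s" % rdns


def format_policy_response(action):
    """Wire format the policy server writes back to smtpd."""
    return "action=%s\n\n" % action
```

Hook it into Postfix with check_policy_service in smtpd_sender_restrictions; it only sees the envelope sender, so the From header check Gerhard also mentioned would still need a separate header check or milter.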

Jari Fredriksson

Jun 28, 2016, 12:42:22 PM

Gerhard Rappenecker wrote on 16.6.2016 15:18:
> Hi all,
>
> I want to reject mails from some SMTP clients specified by IP or
> subnet if the from address doesn't match the client's DNS domain.
> Can anyone help me?
>
> My environment:
> postfix 2.11.6
> amavisd-new-2.8.1
>
> I already posted this message yesterday but it seems something went wrong.
>
> Regards
> Gerhard

You might want to take a look on mail security solutions like DKIM, SPF
and DMARC. These are de facto standards for this kind of stuff, and all
can be implemented into Postfix with FOSS components.

--
ja...@iki.fi
https://www.bitwell.biz - cost effective hosting and security for
ecommerce
