12-22-2009, 12:19 PM
Carlos Acedo

Avoid not authenticated forged mail

Hi,

Once in a while I receive spam "from my own" mail address, many users
send mails to themselves, so what I would like is to allow only
authenticated mail to be able to send mails to themselves. Is that possible?


Thank you in advance.

--
Carlos.


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
12-22-2009, 12:39 PM
Yves Junqueira

Avoid not authenticated forged mail

2009/12/22 Carlos Acedo <carlos@pangea.org>
>
> Hi,
>
> Once in a while I receive spam "from my own" mail address, many users send mails to themselves, so what I would like is to allow only authenticated mail to be able to send mails to themselves. Is that possible?

Yes. You probably need a mix of strict SPF records in your domain,
employ SPF checking in your MTA and accept authenticated only SMTP
deliveries.

This has the positive side effect of other mail systems being able to
use these SPF records to check if people are pretending to be
you.

When using SPF, it's also a good idea to use DKIM too.

> Thank you in advance.
>
> --
> Carlos.



--
Yves Junqueira <http://cetico.org/about>


 
12-22-2009, 12:45 PM
Adrian Minta

Avoid not authenticated forged mail

Carlos Acedo wrote:
> Hi,
>
> Once in a while I receive spam "from my own" mail address, many users
> send mails to themselves, so what I would like is to allow only
> authenticated mail to be able to send mails to themselves. Is that
> possible?
>
> Thank you in advance.


Create a file /etc/postfix/filters/sender_checks.pcre like this:
# check the envelope sender address (MAIL FROM)
# dots escaped; [@.] anchors the match at a domain boundary
/[@.]pangea\.org$/ 550 please login first
/[@.]smothersrealty\.com$/ 554 known spammer domain

Edit smtpd_recipient_restrictions from /etc/postfix/main.cf like this:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unauth_destination,
    reject_unauth_pipelining,
    # this is the LINE
    check_sender_access regexp:/etc/postfix/filters/sender_checks.pcre,
    # RBL blacklists
    reject_rbl_client zen.spamhaus.org

Also make sure that mynetworks is more restrictive.

--
Best regards,
Adrian Minta MA3173-RIPE, MA314-ROTLD
tel. 0212.022.660 0726.110.369
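
An added example, not part of Adrian's post: a Python sketch of how the restriction list above is walked for one message, using constructed sender addresses. It assumes a cut-down list (permit_mynetworks, permit_sasl_authenticated, check_sender_access) and compares a loose sender pattern with one anchored at the domain boundary; `evaluate` and the table names are hypothetical.

```python
import re

# Constructed tables: a loose pattern (unescaped dots, no boundary anchor)
# and one anchored on "@" or "." so only the domain and its subdomains match.
TABLE_LOOSE = [(r"^(.*)pangea.org$", "550 please login first")]
TABLE_ANCHORED = [(r"[@.]pangea\.org$", "550 please login first")]


def check_sender_access(table, sender):
    """Return the action of the first matching pattern, or None (DUNNO)."""
    for pattern, action in table:
        # Postfix regexp tables match case-insensitively by default.
        if re.search(pattern, sender, re.IGNORECASE):
            return action
    return None


def evaluate(table, sender, in_mynetworks=False, sasl_authenticated=False):
    """Walk a cut-down restriction list in order; the first verdict wins."""
    if in_mynetworks:        # permit_mynetworks
        return "OK"
    if sasl_authenticated:   # permit_sasl_authenticated
        return "OK"
    verdict = check_sender_access(table, sender)
    return verdict if verdict is not None else "OK"


if __name__ == "__main__":
    cases = [  # constructed sessions: (sender, in_mynetworks, authenticated)
        ("carlos@pangea.org", False, False),     # forged, outside client
        ("carlos@pangea.org", False, True),      # real user, logged in
        ("carlos@pangea.org", True, False),      # any host inside mynetworks
        ("bob@notpangea.org", False, False),     # unrelated domain
    ]
    for sender, net, auth in cases:
        print(sender, net, auth,
              evaluate(TABLE_LOOSE, sender, net, auth),
              evaluate(TABLE_ANCHORED, sender, net, auth))
```

The third case is why mynetworks has to stay narrow: any host inside it skips the sender check. The rule only sees the envelope sender (MAIL FROM), so a message with a forged From: header and an unrelated envelope sender is not caught by it.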




 
12-22-2009, 02:14 PM
Thomas Goirand

Avoid not authenticated forged mail

Yves Junqueira wrote:
> 2009/12/22 Carlos Acedo <carlos@pangea.org>
>> Hi,
>>
>> Once in a while I receive spam "from my own" mail address, many users send mails to themselves, so what I would like is to allow only authenticated mail to be able to send mails to themselves. Is that possible?
>
> Yes. You probably need a mix of strict SPF records in your domain,
> employ SPF checking in your MTA and accept authenticated only SMTP
> deliveries.
>
> This has the positive side effect of other mail systems being able to
> use these SPF records to check if people are pretending to be
> you.
>
> When using SPF, it's also a good idea to use DKIM too.

I do agree that DKIM would solve this issue nicely. Since we implemented
it, this kind of issue is gone. If I may suggest you, you can use
dkimproxy 1.2 that I maintain and that has just been uploaded to SID (it
also works for Lenny out of the box without the need to backport as it's
arch indep.).

Thomas


 
12-23-2009, 08:47 AM
Carlos Acedo

Avoid not authenticated forged mail

On 22/12/09 16:14, Thomas Goirand wrote:
> Yves Junqueira wrote:
>> 2009/12/22 Carlos Acedo <carlos@pangea.org>
>>> Hi,
>>>
>>> Once in a while I receive spam "from my own" mail address, many users send mails to themselves, so what I would like is to allow only authenticated mail to be able to send mails to themselves. Is that possible?
>>
>> Yes. You probably need a mix of strict SPF records in your domain,
>> employ SPF checking in your MTA and accept authenticated only SMTP
>> deliveries.
>>
>> This has the positive side effect of other mail systems being able to
>> use these SPF records to check if people are pretending to be
>> you.
>>
>> When using SPF, it's also a good idea to use DKIM too.
>
> I do agree that DKIM would solve this issue nicely. Since we implemented
> it, this kind of issue is gone. If I may suggest you, you can use
> dkimproxy 1.2 that I maintain and that has just been uploaded to SID (it
> also works for Lenny out of the box without the need to backport as it's
> arch indep.).
>
> Thomas



Thank you for your replies, I was considering DKIM, but I was afraid of
the overhead, but I think it's worth it after all. I will also take a look
at the SPF records as well.


Regards.



--
Carlos.


 
12-23-2009, 08:56 AM
Carlos Acedo

Avoid not authenticated forged mail

On 22/12/09 14:45, Adrian Minta wrote:
> Carlos Acedo wrote:
>> Hi,
>>
>> Once in a while I receive spam "from my own" mail address, many users
>> send mails to themselves, so what I would like is to allow only
>> authenticated mail to be able to send mails to themselves. Is that
>> possible?
>>
>> Thank you in advance.
>
> Create a file /etc/postfix/filters/sender_checks.pcre like this:
> # check the envelope sender address (MAIL FROM)
> # dots escaped; [@.] anchors the match at a domain boundary
> /[@.]pangea\.org$/ 550 please login first
> /[@.]smothersrealty\.com$/ 554 known spammer domain
>
> Edit smtpd_recipient_restrictions from /etc/postfix/main.cf like this:
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_invalid_hostname,
>     reject_non_fqdn_hostname,
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     reject_unknown_sender_domain,
>     reject_unauth_destination,
>     reject_unauth_pipelining,
>     # this is the LINE
>     check_sender_access regexp:/etc/postfix/filters/sender_checks.pcre,
>     # RBL blacklists
>     reject_rbl_client zen.spamhaus.org
>
> Also make sure that mynetworks is more restrictive.

This is a good solution; combined with DKIM as Thomas suggested it would be
perfect. Gmail is using it, so I could discard forged Gmail addresses.


--
Carlos.


 
12-23-2009, 11:47 AM
Thomas Goirand

Avoid not authenticated forged mail

Carlos Acedo wrote:
> Thank you for your replies, I was considering DKIM, but I was afraid of
> the overhead, but I think it's worth it after all. I will also take a look
> at the SPF records as well.
>
> Regards.

In my experience, even with EXTREMELY busy email servers (with like one
incoming per second or more), dkimproxy is performing pretty well.
Others have reported the same, and everyone is happy with it. I never
heard any complaint, unlike with tumgreyspf that is having issues with
its file system based greylisting db that has created issues.

Thomas


 
12-26-2009, 01:27 AM

Avoid not authenticated forged mail

On 12/23/2009 10:47 AM, Carlos Acedo wrote:
> Once in a while I receive spam "from my own" mail address, many
> users send mails to themselves, so what I would like is to allow only
> authenticated mail to be able to send mails to themselves. Is that
> possible?
>
> --- cut ---
>
> Thank you for your replies, I was considering DKIM, but I was afraid of
> the overhead, but I think it's worth it after all. I will also take a look
> at the SPF records as well.


I would like to recommend ASSP.

Apart from ASSP being perhaps the best open-source anti-spam solution on
the planet, it can block or score "spoofing" for non-authenticating users.


It does however have a bit of a learning curve in configuring it for the
first time.


http://assp.sf.net/


 
12-28-2009, 09:18 AM
Carlos Acedo

Avoid not authenticated forged mail

On 26/12/09 03:27, aja-lists@tni.org wrote:
> On 12/23/2009 10:47 AM, Carlos Acedo wrote:
>> Once in a while I receive spam "from my own" mail address, many
>> users send mails to themselves, so what I would like is to allow only
>> authenticated mail to be able to send mails to themselves. Is that
>> possible?
>>
>> --- cut ---
>>
>> Thank you for your replies, I was considering DKIM, but I was afraid of
>> the overhead, but I think it's worth it after all. I will also take a look
>> at the SPF records as well.
>
> I would like to recommend ASSP.
>
> Apart from ASSP being perhaps the best open-source anti-spam solution
> on the planet, it can block or score "spoofing" for non-authenticating
> users.
>
> It does however have a bit of a learning curve in configuring it for the
> first time.
>
> http://assp.sf.net/


At the moment I am going to try dkimproxy, ASSP seems a good solution, but
I need something quicker to set up on our systems, I'll give it a try in
a VM though.


--
Carlos.


All times are GMT.