Block A Sender in Postfix
Carlos Mennens
2010-11-19 14:02:04 UTC
So I have a company that I've regretfully registered my email address
with and they won't stop sending me messages. I've tried over and over and they
tell me they don't recognize my email address but clearly they're
sending me promotional messages daily. I'm running Postfix 2.7.1 and
would like to know what's the best recommended way to block them?
Should I block them by IP or should I block them via domain name?
Obviously the domain is easily forged in mail headers so I am guessing
an IP range or specific IP would be the best, no?

Below are headers:

Return-Path: <***@returnpath.bluehornet.com>
X-Original-To: ***@iamghost.com
Delivered-To: ***@iamghost.com
Received: from smtp.burketown.bluehornet.com
(smtp.burketown.bluehornet.com [67.216.225.254])
by mail.iamghost.com (Postfix) with ESMTP id 5CDF81405D7
for <***@iamghost.com>; Thu, 18 Nov 2010 17:39:26 -0500 (EST)
X-MSFBL: Y2FybG9zQGlhbXVuaXguY29tQGJ1cmtldG93bkJpbmRpbmdAbmV3dG9uQmluZGlu
Z0Bib3VuY2UtdXNlPU09MjUwNDQ0OTU2Nj1lY2hvMj1ERTNDRTZDN0VCQkU4RkQy
MkE2N0Y0NDc1MzJEMUYyMA==
DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
s=bluehornet-1.bh; d=mailer.chemistry.com;
h=From:X-Outgoing;
b=XB079zenpkN7EkeIbHZNEUhoxgE33hSy0GN1+Ww2IqeJN3XdbxSSx9Uz40v5/HCn
oHJR5hmgchQ0OPgMT+r6IjboHfMJhaV32qxDXXWIJnyJNOPlX7AFbvypR/eoExUR
DKIM-Signature: v=1; a=rsa-sha1; d=mailer.chemistry.com;
s=bluehornet-1.bh; c=simple/simple;
q=dns/txt; i=@mailer.chemistry.com; t=1290119966;
h=From:Subject:Date:To:Mime-Version:Content-Type;
bh=Yq4YUDkjwBwEe9Qzfe8Cc7T0DFQ=;
b=GLIlDMP7Zd1THzZ9WDmxNF5BOZQev2lIVo1LzcbtcHG4M6M2FzcYhDlAndLnP6Ji
r6vLdcVa4wUKnFDGc1Q9Od/Ia7y9HQTf7vfxP7gtABrdqi/Nk2wLzjHhmwSB3ikU;
DKIM-Signature: v=1; a=rsa-sha1; d=bluehornet.com; s=bluehornet-1.bh;
c=simple/simple;
q=dns/txt; i=@bluehornet.com; t=1290119966;
h=From:Subject:Date:To:Mime-Version:Content-Type;
bh=Yq4YUDkjwBwEe9Qzfe8Cc7T0DFQ=;
b=O890TqwDj8ttlGoTsEV+D0QEi0Xdx2dtotG6cTY0rYdUipReJuzX9rOyqK9UuUjq
A3EXqGLgH1uKBJb5exiHWXycGC0mt0OAtgxZ6QG2i4+MSpQNG5bbgoA3cpGEhp6u;
Received: from [10.64.22.22] ([10.64.22.22:44409] helo=localhost.localdomain)
by dc1bhmta02 (envelope-from
<bounce-use=M=2504449566=echo2=***@returnpath.bluehornet.com>)
(ecelerity 3.0.22.35831 r(35835)) with ESMTP
id 1C/9C-29605-E1BA5EC4; Thu, 18 Nov 2010 14:39:26 -0800
Message-ID: <***@dc1bhmta02>

Now above in the headers there are two 'Received' sections with what I
think are called 'Client IPs', right? There are two different IPs
and I would like to know if it is recommended I block via IP, which
one and how would I configure Postfix to do this via some kind of
check so it can deny messages from this sender.

Thanks for any assistance!
Carlos Mennens
2010-11-19 14:36:29 UTC
On Fri, Nov 19, 2010 at 9:27 AM, Jacqui Caren-home
Post by Carlos Mennens
(smtp.burketown.bluehornet.com [67.216.225.254])
     by mail.iamghost.com (Postfix) with ESMTP id 5CDF81405D7
Is the important line.
They are "snowshoeing" across the 67.216.224.0/23 range - nasty!
What is "snowshoeing" and can I simply just block the range of IPs?
Also try contacting
OrgAbuseHandle: ABUSE358-ARIN
OrgAbuseName:   ABUSE
OrgAbusePhone:  +1-952-540-3023
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE358-ARIN
If you are in the US then the CAN-SPAM act is your friend :-)
I am in the U.S. & I can try contacting that number but is that a
number affiliated with the spammer or is this an independent
organization of sorts? Sorry but I'm trying to understand.
Carlos Mennens
2010-11-20 15:57:58 UTC
On Fri, Nov 19, 2010 at 5:46 PM, Jacqui Caren-home
However I took a peek at the digitalriver.com website and from the content
it does not look promising. From their product literature, I suspect they
have provided the facilities (and technology) to allow bluehornet to keep
spamming you.
Not sure if this makes them at least partially liable for the spam though.
Nice thing is digitalriver is a multinational so have a lot to lose :-)
So I'm done trying to ask nicely and it doesn't seem like I'm going to
get any results so now I'd like to get back to my original question,
what's the best way via Postfix to stop them from sending mail to my
Postfix server? How can I block them so their mail is rejected? I'd
like to have a method in '/etc/postfix/' that I can block specific
clients (I'm assuming "clients" is the proper name for servers that
try and communicate with my SMTP server) based on IP(s).

Can someone please tell me the recommended way to do this in Postfix?
I'm sure most of you veterans have had a time where you had to stop a
specific server from sending your Postfix server email. How do I go
about this?
Pete
2010-11-20 17:35:11 UTC
On Sat, Nov 20, 2010 at 10:57:58AM -0500, Carlos Mennens wrote:

[snip]
Post by Carlos Mennens
So I'm done trying to ask nicely and it doesn't seem like I'm going to
get any results so now I'd like to get back to my original question,
what's the best way via Postfix to stop them from sending mail to my
Postfix server? How can I block them so their mail is rejected? I'd
like to have a method in '/etc/postfix/' that I can block specific
clients (I'm assuming "clients" is the proper name for servers that
try and communicate with my SMTP server) based on IP(s).
Can someone please tell me the recommended way to do this in Postfix?
I'm sure most of you veterans have had a time where you had to stop a
specific server from sending your Postfix server email. How do I go
about this?
Hello,

Apologies if I've missed the point of your question but here's how I
successfully do what I *think* you're trying to do :

Here's my /etc/postfix/main.cf :

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
check_client_access hash:/etc/postfix/smtp_client_access,
check_sender_access hash:/etc/postfix/smtp_sender_access,
reject_unknown_sender_domain,
reject_rbl_client zen.spamhaus.org,
reject_invalid_hostname


For the 'smtp_client_access' and 'smtp_sender_access' references to work you
first need to create them using a text editor (mine's Vim) and then run as
root :

postmap hash:smtp_client_access

With the same applying for the 'smtp_sender_access' file. That command
assumes you're in the /etc/postfix directory. Restart Postfix after applying
the command/s.

The format of my smtp_client_access file is like so :

.dodgyhost.tld REJECT Spam sewer.
.evilspammer.tld REJECT Spam sewer.

The format of my smtp_sender_access file is like so :

barrelshoot.tld REJECT No thanks.
***@example.tld OK
example.tld REJECT No thanks.
freespam.tld REJECT Go away.
interesting101@ OK


HTH.

Regards,

Pete.
Noel Jones
2010-11-20 23:53:40 UTC
Post by Pete
[snip]
Post by Carlos Mennens
So I'm done trying to ask nicely and it doesn't seem like I'm going to
get any results so now I'd like to get back to my original question,
what's the best way via Postfix to stop them from sending mail to my
Postfix server? How can I block them so their mail is rejected? I'd
like to have a method in '/etc/postfix/' that I can block specific
clients (I'm assuming "clients" is the proper name for servers that
try and communicate with my SMTP server) based on IP(s).
Can someone please tell me the recommended way to do this in Postfix?
I'm sure most of you veterans have had a time where you had to stop a
specific server from sending your Postfix server email. How do I go
about this?
Hello,
Apologies if I've missed the point of your question but here's how I
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
check_client_access hash:/etc/postfix/smtp_client_access,
check_sender_access hash:/etc/postfix/smtp_sender_access,
reject_unknown_sender_domain,
reject_rbl_client zen.spamhaus.org,
reject_invalid_hostname
For the 'smtp_client_access' and 'smtp_sender_access' references to work you
first need to create them using a text editor (mine's Vim) and then run as
postmap hash:smtp_client_access
With the same applying for the 'smtp_sender_access' file. That command
assumes you're in the /etc/postfix directory.
OK so far...
Post by Pete
Restart Postfix after applying
the command/s.
It is not necessary to restart postfix after rebuilding a
hash: file; postfix will notice the changes and reload the
modified file.

http://www.postfix.org/DATABASE_README.html#detect

Postfix should be restarted after editing main.cf or master.cf.
Post by Pete
.dodgyhost.tld REJECT Spam sewer.
.evilspammer.tld REJECT Spam sewer.
The default setting of parent_domain_matches_subdomains
includes smtpd_access_maps.

That means the above must not have a leading dot unless you've
changed the defaults. (your entries won't break anything, but
they will never match)

See the table search order documented in:
http://www.postfix.org/access.5.html
Post by Pete
barrelshoot.tld REJECT No thanks.
example.tld REJECT No thanks.
freespam.tld REJECT Go away.
OK.


-- Noel Jones
Pete
2010-11-21 00:14:58 UTC
Post by Noel Jones
Post by Pete
Post by Carlos Mennens
Can someone please tell me the recommended way to do this in Postfix?
I'm sure most of you veterans have had a time where you had to stop a
specific server from sending your Postfix server email. How do I go
about this?
[snip]
Post by Noel Jones
Post by Pete
.dodgyhost.tld REJECT Spam sewer.
.evilspammer.tld REJECT Spam sewer.
The default setting of parent_domain_matches_subdomains
includes smtpd_access_maps.
That means the above must not have a leading dot unless you've
changed the defaults. (your entries won't break anything, but
they will never match)
http://www.postfix.org/access.5.html
Noel,

Thanks very much for that. I've rebuilt my smtp_client_access file, without
restarting Postfix.


Regards,

Pete.
Carlos Mennens
2010-11-22 17:51:36 UTC
.dodgyhost.tld                         REJECT Spam sewer.
.evilspammer.tld                       REJECT Spam sewer.
barrelshoot.tld                         REJECT No thanks.
example.tld                             REJECT No thanks.
freespam.tld                            REJECT Go away.
Just so I'm clear as I tried to search "The Book of Postfix" for this
answer and it was clearly specified:

smtp_sender_access = restrictions on what domains I can send mail to?

smtp_client_access = restrictions on what domains can send mail to my
Postfix server?

Both client_access & sender_access appear to have the same formatting:

some.domain.tld REJECT
another.domain.tld REJECT

Am I correct or have I missed something?
Rich Shepard
2010-11-22 18:00:19 UTC
Post by Carlos Mennens
some.domain.tld REJECT
another.domain.tld REJECT
Am I correct or have I missed something?
Carlos,

I use a badaddr file that lists domains from whom I will not accept
messages. The content looks like these:

hostforreal.com 550 Rejected domain D23
nasty-mailings.com 550 Rejected domain D24

In the UCE section of /etc/postfix/main.cf I have this line:

check_client_access hash:/etc/postfix/badaddr,

and it kicks back messages from the listed domains.

Also, I use a badip file for specific IP addresses and address blocks.

HTH,

Rich
Carlos Mennens
2010-11-22 19:04:32 UTC
Post by Rich Shepard
Carlos,
 I use a badaddr file that lists domains from whom I will not accept
hostforreal.com                         550 Rejected domain D23
nasty-mailings.com                      550 Rejected domain D24
I've done the same and mine looks similar:

[***@mail postfix]# cat client_access
bluehornet.com REJECT Rejected Domain

But my confusion with Postfix has always been where to add then map
check under which specific smtpd_*_restriction(s). According to "The
Book of Postfix" I am still very confused:

- smtpd_client_restrictions = applies to the client's IP address or
its hostname or both.
- smtpd_recipient_restrictions = applies to the envelope recipient(s),
the envelope sender, the HELO/EHLO argument, and client IP / hostname
or both.
- smtpd_sender_restrictions = This is the 1st trigger set that
restricts parts of the envelope. Postfix applies to the envelope
sender, the HELO/EHLO argument, and the client.

So with that defined above, how am I to understand or determine where
I would add my 'client_access' check in my main.cf? According to the
definitions above, the 'smtpd_recipient_restrictions' looks like it
runs the specific map against every aspect of the sender rather than
the other two. It seems like the logical choice, no? I apologize if
I'm just dumb when it comes to Postfix but I'm really putting time and
effort into trying to understand this so I won't have to annoy most
with my ignorance.
Post by Rich Shepard
       check_client_access hash:/etc/postfix/badaddr,
and it kicks back messages from the listed domains.
 Also, I use a badip file for specific IP addresses and address blocks.
Where do you have those listed under in your main.cf?

smtpd_recipient_restrictions = check_badaddr hash:/etc/postfix/badaddr ?
mouss
2010-11-23 15:45:38 UTC
Post by Carlos Mennens
Post by Rich Shepard
Carlos,
I use a badaddr file that lists domains from whom I will not accept
hostforreal.com 550 Rejected domain D23
nasty-mailings.com 550 Rejected domain D24
bluehornet.com REJECT Rejected Domain
But my confusion with Postfix has always been where to add then map
check under which specific smtpd_*_restriction(s). According to "The
- smtpd_client_restrictions = applies to the client's IP address or
its hostname or both.
- smtpd_recipient_restrictions = applies to the envelope recipient(s),
the envelope sender, the HELO/EHLO argument, and client IP / hostname
or both.
- smtpd_sender_restrictions = This is the 1st trigger set that
restricts parts of the envelope. Postfix applies to the envelope
sender, the HELO/EHLO argument, and the client.
So with that defined above, how am I to understand or determine where
I would add my 'client_access' check in my main.cf? According to the
definitions above, the 'smtpd_recipient_restrictions' looks like it
runs the specific map against every aspect of the sender rather than
the other two. It seems like the logical choice, no? I apologize if
I'm just dumb when it comes to Postfix but I'm really putting time and
effort into trying to understand this so I won't have to annoy most
with my ignorance.
Post by Rich Shepard
check_client_access hash:/etc/postfix/badaddr,
and it kicks back messages from the listed domains.
Also, I use a badip file for specific IP addresses and address blocks.
Where do you have those listed under in your main.cf?
smtpd_recipient_restrictions = check_badaddr hash:/etc/postfix/badaddr ?
Put all your anti-spam checks under smtpd_recipient_restrictions, but be
careful not to become an open relay: for safety, put check_*_access after
reject_unauth_destination.

here is an example to get you started.
Note 1: you need to understand before use. anything you do is under your
own responsibility!

Note 2: order is important. order your checks as needed.


#db = hash:/etc/postfix/maps/hash
db = cdb:/etc/postfix/maps/cdb
pcre = pcre:/etc/postfix/maps/pcre
cidr = cidr:/etc/postfix/maps/cidr
sql = proxy:mysql:/etc/postfix/maps/mysql

smtpd_recipient_restrictions =
#reject_non_fqdn_sender
#reject_non_fqdn_recipient
#
#permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
#
reject_unlisted_recipient
reject_unlisted_sender
#
#reject_invalid_helo_hostname
#reject_non_fqdn_helo_hostname
#
#check_recipient_access ${db}/access_recipient
#
#check_client_access ${cidr}/access_client
#check_client_access ${db}/access_client
#
#check_sender_access ${db}/access_sender
#check_sender_access ${pcre}/access_sender
#
#check_helo_access ${db}/access_helo
#check_helo_access ${db}/access_host
#check_reverse_client_hostname_access ${db}/access_host
# DNSBL checks
#reject_rbl_client zen.spamhaus.org
#reject_rbl_client bl.spamcop.net
#reject_rbl_client psbl.surriel.com
#reject_rbl_client korea.services.net
#reject_rbl_client bb.barracudacentral.org


== access_recipient
***@example.com OK
***@example.com OK
#opt-out from checks
***@example.com
#reject extension
joe+***@example.com
#use a specific restriction class
example.net policy_dothat
.example.net policy_dothat


== access_sender
# reject a specific user
***@gooddomain.example REJECT blah blah
# reject a full domain
evil.example REJECT spammy domain
.evil.example REJECT spammy domain



== ${cidr}/access_client
#whitelist
192.0.2.0/24 OK
192.168.1.2/32 OK
#blacklist
10.1.0.0/16 REJECT blah blah


== ${db}/access_client
# whitelist
good.example OK
.good.example OK
# block
bad.example REJECT blah blah
.bad.example REJECT blah blah
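To make two points in this thread concrete, Noel's leading-dot rule for hash: tables and mouss's cidr: table, here is an added Python model of the check_client_access lookup order described in access(5). It is example code written for this thread, not Postfix's own; it assumes IPv4 clients and uses constructed tables modelled on the entries posted above.

```python
import ipaddress

def hostname_keys(hostname, parent_matches_subdomains=True):
    """Keys Postfix tries for a client hostname: the name itself, then each
    parent domain. When smtpd_access_maps is in parent_domain_matches_subdomains
    (the default), parents are tried without a leading dot; otherwise with one."""
    labels = hostname.lower().rstrip(".").split(".")
    keys = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys

def address_keys(ip):
    """IPv4 only (assumption): the full address, then octet-aligned prefixes."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]

def hash_client_lookup(table, hostname, ip, parent_matches_subdomains=True):
    """First match for check_client_access in a hash: table, or None.
    Hostname keys are tried before address keys, as access(5) documents."""
    for key in hostname_keys(hostname, parent_matches_subdomains) + address_keys(ip):
        if key in table:
            return key, table[key]
    return None

def cidr_client_lookup(rules, ip):
    """A cidr: table is scanned top to bottom; the first matching network wins."""
    addr = ipaddress.ip_address(ip)
    for net, action in rules:
        if addr in ipaddress.ip_network(net):
            return net, action
    return None

# Constructed tables modelled on the thread's entries.
DOTTED = {".dodgyhost.tld": "REJECT Spam sewer."}    # Pete's original, leading dot
UNDOTTED = {"dodgyhost.tld": "REJECT Spam sewer."}   # Noel's correction
BY_PREFIX = {"67.216.225": "REJECT"}                 # hash: prefix covers one /24 only
CIDR = [("67.216.224.0/23", "REJECT snowshoe range")]  # the /23 Jacqui mentioned

if __name__ == "__main__":
    host, ip = "smtp.burketown.bluehornet.com", "67.216.225.254"
    print(hash_client_lookup(DOTTED, "mx.dodgyhost.tld", "192.0.2.1"))    # None: never matches
    print(hash_client_lookup(UNDOTTED, "mx.dodgyhost.tld", "192.0.2.1"))  # ('dodgyhost.tld', ...)
    print(hash_client_lookup(BY_PREFIX, host, ip))                        # ('67.216.225', 'REJECT')
    print(hash_client_lookup(BY_PREFIX, host, "67.216.224.10"))           # None: other /24 of the /23
    print(cidr_client_lookup(CIDR, "67.216.224.10"))                      # whole /23 matches
```

The last two lines show why a /23 is easier to express in a cidr: table than with octet-stripped hash: prefixes; on a real server, `postmap -q KEY hash:/etc/postfix/TABLE` answers the same question against the live map.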
