mail server on a local network

Peter Mann Peter.Mann at tuke.sk
Tue Sep 23 07:21:07 CEST 2003


On Fri, Sep 19, 2003 at 09:51:02AM +0200, Lubos Kaspar wrote:
> > > >>> <Kostel.J at seznam.cz> 18.09.03 08:33 >>>
> > > I don't want a situation to arise where a user with the account
> > > xy at nas_lokalni_server.nic, who does not have a real address
> > > xy at firma.cz, will be able to send an email out that nobody will
> > > be able to reply to, because the address will not exist.
> > 
> > but that is the user's problem, isn't it??? he needs to be informed of this
> > fact and he won't send anything
> 
> Such a user could be an ideal spammer. :-) I don't know about postfix
> or exim, but in sendmail a list of spammers can easily be put into a file.
> If the list were instead to contain the "chosen ones" (who are allowed to send),
> it would be enough to logically invert the corresponding rule in Scheck_mail.

in postfix it is simple ... the file can contain e.g. the following
lines:

user1@domena.sk		OK
user2@domena.sk		REJECT
user3@domena.sk		554 Neposielajte nam SPAMy!!!
@domena2.sk		REJECT
etc. etc.

some time ago it was deliberately not possible to list a top
level domain in such access lists (I don't know how it is now)

> > on the other hand, e.g. our mail server checks the DNS records for the domains
> > of both the recipient and the sender, so such a mail would have no chance with us
> 
> I would be interested in how and what exactly gets sniffed at in DNS: what if the
> domain does exist, but as such has neither MX nor A (and is therefore unusable
> for mail)?

http://www.postfix.org/uce.html#smtpd_sender_restrictions

 reject_unknown_sender_domain
     Reject the request when the sender mail address has no DNS A or MX
     record.

> And what if a DNS outage occurs? That should be evaluated as a temporary error,
> otherwise it would be wrong.

The unknown_address_reject_code  parameter specifies the response code
for rejected requests (default: 450). The response is always 450 in case
of a temporary DNS error.

> > > I don't want that, because it is unnecessary and we don't need it. Local mail should of course reach everyone.
> > > Do you know whether exim allows this at all and how I should do it?
> > 
> > in postfix I would use e.g. header_checks for this - I would list the
> > allowed e-mail addresses - OK, the rest would be REJECT
> 
> Does "header_checks" work with SMTP envelope addresses? The name
> rather gives the impression that it deals with header addresses, which
> however are not used for delivery (nor for sending DSNs).

http://www.postfix.org/uce.html#header_checks

it does not work with envelope addresses; those are what the [helo|client|sender|recipient]
restrictions are for

BTW - a fresh piece of news in postfix is Postfix blacklist by MX or NS host

ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.0-ns-mx-acl-patch.gz

New check_{helo,sender,recipient}_{ns,mx}_access maptype:mapname
restriction that applies the specified access table to the NS or
MX hosts of the host/domain given in HELO, EHLO, MAIL FROM or RCPT
TO commands.

This can be used to block mail from so-called spammer havens, or
from sender addresses that resolve to Verisign's wild-card mail
responder, currently at IP address 64.94.110.11.

    /etc/postfix/main.cf:
        smtpd_mumble_restrictions =
            ...
            reject_unknown_sender_domain
            check_sender_mx_access hash:/etc/postfix/mx_access
            ...

    /etc/postfix/mx_access:
        spammer.haven.tld reject spammer mx host
        64.94.110.11 reject verisign wild-card domain

Note: OK actions are not allowed for security reasons. Instead of
OK, use DUNNO in order to exclude specific hosts from blacklists.
If an OK result is found for an NS or MX host, Postfix rejects the
SMTP command with "451 Server configuration error".

-- 

5o   Peter.Mann at tuke.sk
     KLFMANiK ICQ 12491471
         PM2185-RIPE

