[ale] Monitoring outgoing emails on Postfix, filtering incoming bounce back messages

Jeremy T. Bouse jeremy.bouse at undergrid.net
Tue Jun 26 01:12:01 EDT 2007


Jim Popovitch wrote:
>> It's frustrating because I don't know what else I can do short of
>> filtering the messages by content. I wish there was a way to set it up
>> so that bounce messages are only delivered if you actually sent a
>> corresponding email in the first place. Stupid forged headers!
> 
> There are some ways to stem the tide.  Are you accepting inbound email
> from everywhere, or just from valid systems that have matching PTR and A
> records?  100% of blow-back that comes into my systems is dropped due to
> not accepting email from unknown hosts (a ton of Corp mail scanners
> thankfully don't have PTR records), or from rejection due to unknown
> recipient.  YMMV.
> 

	From my own server I've actually seen a noticeable drop in spam with
only a greylist daemon and a couple of good DNS blacklists. Other than
that I require SASL authentication to send messages through my server.
Your server should accept email addresses for your domain, but it
should only accept them if they are valid, otherwise send failures when
the message is attempted to be sent. I require valid HELO/EHLO, have it
follow RFC821 strictly, and disable VRFY.

	Since you're using postfix I'll include the respective lines I've added
to my main.cf:

smtpd_helo_restrictions =
        permit_sasl_authenticated,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        reject_unauth_pipelining,
        permit
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        permit_mynetworks,
        reject_unauth_destination,
        check_policy_service inet:127.0.0.1:2525,
        reject_rbl_client ...
smtpd_sasl_authenticated_header = yes
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
show_user_unknown_table_name = no
smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes

	I push the permit_sasl_authenticated to the top of the restrictions as
I've found it is needed to use my Treo to send email as it uses invalid
and non-fqdn hostnames when sending but since I use SASL to authenticate
I figure this is a fair relaxing of the security.

	Regards,
	Jeremy


