
Re: How to prevent being a 'bouncer' of evil mail? (RESOLVED?)



Hi all,

(Chris Covington, thanks for the tool!  Please read a few notes about
getadsmtp.pl below)

I've done some deep research after I wrote that e-mail to this
debian-isp list asking how I could stop bouncing all those fake
messages to "innocent" other servers. With the help of Google and the
community, I've found at least two possible solutions, and I'd like to
share them with you, as others could be interested.

First, the problem could be resolved if the mail gateway, in this case
a Postfix server, were aware of the accounts available in the domains
whose final server it is relaying to. I could happily make that
possible in cases where Exchange is the final MTA, with a dumb NAV
in-between, using a nice tool I've read about in the postfix user
list. It is developed by Chris Covington, and uses LDAP queries to
generate a database of available accounts, and then uses that as
relay_recipient_maps. You can find it at:

http://www.plusone.com/gaptuning/postfix/

To share my experience, I should say that, to ease your life, when
specifying the $user value in the script, you could use

$user="user\@example.com"; # notice the escaped @

instead of the complicated full object name in AD (for example,
"cn=user,cn=Users,dc=example,dc=com"). In this case, example.com is
the Active Directory domain we are querying (not necessarily the
domain we are relaying to!).

Another piece of information that I think is interesting to share, since
it's not available in the source, is to use a filter for the LDAP
query that ignores disabled accounts. I used:

          filter  => "(&(sAMAccountName=*)(mail=*)(!(msExchUserAccountControl=2)))",
          control => [ $page ],
          attrs   => "proxyAddresses");

as my filter.

getadsmtp is a really clever and useful piece of software. Thanks Chris.

The second technique is a bit drastic, and has some obvious drawbacks.
Also, it doesn't need to be used when the first technique - or a
similar one - is used.

I've followed the instructions specified in
http://mail.teamdelsol.com/popauth3/#Installpopauth3 (look for
"freemail").

The idea is to block all mails whose sender e-mail is @freemail.com
and whose client IP does not resolve back to *.freemail.com.
"freemail" should be substituted with a list of big servers of free mail
hosts, like Yahoo, Hotmail, etc.  See the popauth3 page for a suggestion
of a few.

It is clear that you could lose e-mail here, but it's up to the admin
to decide that. I've seen at least three big threads about rejecting
valid mails here and at bugtraq this weekend, but I don't want to
start another war.

popauth3 presents a solution for Postfix, but I'm sure people already
use it with other MTAs.

popauth3 is a very powerful tool. I invite other readers to take a
look at it, especially those looking for a way to automatically block
insistent abusers in the firewall. (RFC guardians: I don't like this
either, but some really need it).

Compared to most people here, I am a mail server newbie, so please
forgive me if I said something stupid. Also please notice that I've
not tested the "freemail" check technique, so I am not sure if one
would block too many valid mails. From my personal experience, reading
my logs, I think most blocked ones would be spam.

Despite my excessive talk, the bad English and lack of deeper
experience, I hope this could be of use to somebody. Does anybody have any
notes about it?

- Yves Junqueira
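As an added illustration (not part of the post above, and not code from getadsmtp.pl), the following Python shows what the relay_recipient_maps generation boils down to once the LDAP results are in hand: apply the same filter the post uses (sAMAccountName and mail present, msExchUserAccountControl=2 excluded), pull the SMTP entries out of proxyAddresses, and emit "address OK" lines restricted to the domains the gateway actually relays for. The directory entries are constructed sample data; the function names are my own.

```python
"""Build Postfix relay_recipient_maps lines from AD/Exchange-style entries.

Constructed sample data stands in for the LDAP search results; nothing
here talks to a directory.
"""

SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "mail": "alice@example.com",
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com",
                        "X400:c=US;a= ;p=Example;o=Exchange;s=Smith;g=Alice;"]},
    {"sAMAccountName": "bob", "mail": "bob@example.com",
     "msExchUserAccountControl": 2,                 # disabled mailbox: skipped
     "proxyAddresses": ["SMTP:bob@example.com"]},
    {"sAMAccountName": "svc-backup",                # no mail attribute: skipped
     "proxyAddresses": ["SMTP:svc-backup@example.com"]},
    {"sAMAccountName": "carol", "mail": "carol@example.com",
     "proxyAddresses": ["SMTP:Carol@Example.COM", "smtp:carol@example.com"]},
]


def matches_filter(entry):
    """Equivalent of (&(sAMAccountName=*)(mail=*)(!(msExchUserAccountControl=2)))."""
    return ("sAMAccountName" in entry and "mail" in entry
            and entry.get("msExchUserAccountControl") != 2)


def smtp_addresses(entry):
    """Return the SMTP addresses from proxyAddresses (primary 'SMTP:' and
    secondary 'smtp:'), ignoring X400 and other address types. Addresses are
    lowercased so the generated table is stable and free of case duplicates."""
    found = []
    for value in entry.get("proxyAddresses", []):
        kind, sep, addr = value.partition(":")
        if sep and kind.lower() == "smtp":
            found.append(addr.lower())
    return found


def relay_recipient_lines(entries, relay_domains):
    """Sorted, de-duplicated 'address OK' lines for the relayed domains only,
    so addresses from other AD domains never end up accepted by the gateway."""
    lines = set()
    for entry in entries:
        if not matches_filter(entry):
            continue
        for addr in smtp_addresses(entry):
            if addr.rsplit("@", 1)[-1] in relay_domains:
                lines.add(f"{addr} OK")
    return sorted(lines)


if __name__ == "__main__":
    print("\n".join(relay_recipient_lines(SAMPLE_ENTRIES, {"example.com"})))
```

The printed lines are what you would feed to postmap to build the relay_recipient_maps table; bob (disabled) and svc-backup (no mail attribute) are absent, so mail to them is rejected at the gateway instead of bounced later.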
