Re: MX accept policy: problem
> Hi all,
>
> I use ZMailer 2.99.50-s5 on Sparc Solaris 2.6 and I maintain an smtp policy
> to prevent SPAM. I currently maintain my smtp-policy.mx table, but this table
> has grown *huge* and I need to give up maintaining it; I would like to
> use the smtp-policy.src boilerplate to allow some friendly network(s) to use my
> zmailer servers as MX backup.
>
> I have been testing something like this in my smtp-policy.src:
>
> # this is for protection
> . relaycustomer - acceptifmx - senderokwithdns +
> [0.0.0.0]/0 relaycustomer - acceptifmx - senderokwithdns +
Yes, this is what for example nic.funet.fi runs with.
This is all that is needed for inbound MX processing to be accepted.
(Recipient MX processing means testing for *domains*,
e.g. the last resort key will be '.')
> # this is my 'friendly' network
> [161.132.5.0/24] rejectnet - relaycustnet - relaycustomer + relaytarget + acceptifmx +
No, that is WRONG syntax:
[161.132.5.0]/24
All messages coming from that address space will be treated friendly.
The use of those attributes ...
"rejectnet -"     - Connection and EHLO/HELO parameter analysis only;
                    '+' causes rejection of the session.
"relaycustnet -"  - A '+' would accept all traffic in from that IP
                    address space without doing any policy checks at it.
"relaycustomer +" - Eh, DON'T USE THAT! Anybody giving a MAIL FROM
                    which yields this token will get everything
                    sent thru your server without further checks.
                    (Whoops, my boiler-plate still has it used..)
"relaytarget +"   - This is a RCPT TO domain tested attribute, and does
                    not work for IP addresses..
"acceptifmx +"    - This is a RCPT TO domain tested attribute.
My current smtp-policy.mx file usage rule is such that you would just
list the domain suffixes for which you allow the inbound smtp relaying,
e.g.:
.friendly.domain
You don't need to list *every* machine under that suffix!
I have, slightly dangerously, at nic.funet.fi:
.bitnet
.csc.fi
.funet.fi
.minedu.fi
.uucp
These in addition to the general rule of MX relay acceptance.
For the smtp-policy.relay the rules are a bit different.
It would be best if you could just use IP addresses there:
#vger.rutgers.edu - high-speed injection
[128.6.190.2]/32 fulltrustnet +
#.funet.fi
[127.0.0.0]/8 fulltrustnet +
[128.214.248.6]/32 fulltrustnet +
[193.166.3.23]/32 fulltrustnet +
[128.214.0.0]/16
These allow emails from those address spaces to be injected into
nic.funet.fi for outbound relaying.
> After execution of policy-builder and restarting my server I try to send mail
> from some untrusted network thru my zmailer server to one email address in
> that friendly network and I get this after RCPT TO: <someone@friendly.domain>
>
> 553-5.7.1 This target address is not our MX service
> 553-5.7.1 client, nor you are connecting from address
> 553-5.7.1 that is allowed to openly use us to relay
> 553-5.7.1 to any arbitary address thru us.
> 553 5.7.1 We don't accept this recipient.
>
> What should I do? I have tried some other combinations and I have failed to
> send mail to such a friendly network, or I have been able to send mail to
> ANYONE, and then my spam protection was disabled..
Seeing what the smtpserver log file contains with these
examples (it prints some comments there which it does not
show out) would help a bit more.
> Any suggestions?
> Enrique-
> RCP - Internet Peru Tel: +51 1 422-4848
> Dpto de Operaciones Fax: +51 1 421-8086
/Matti Aarnio <mea@nic.funet.fi>
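The relay decision discussed in this thread (IP-keyed attributes such as
fulltrustnet/relaycustnet, the domain-suffix rule of smtp-policy.mx with '.'
as the last resort, and why a MAIL FROM keyed "relaycustomer +" is dangerous)
can be modelled in a few dozen lines. The following is an added example, not
ZMailer's own policy code: it assumes a simplified attribute semantics (most
specific CIDR wins for the client address, longest suffix wins for a domain),
and every table entry, address and reply text in it is constructed sample data.

```python
import ipaddress

# Constructed sample tables, keyed the way the thread's smtp-policy files are.
# Attribute meanings are simplified assumptions for this model, not ZMailer's.
IP_POLICY = {
    "0.0.0.0/0":      {"relaycustnet": "-", "rejectnet": "-"},  # everyone else
    "161.132.5.0/24": {"fulltrustnet": "+"},   # friendly net, corrected key syntax;
                                                # only needed if they inject outbound mail
    "127.0.0.0/8":    {"fulltrustnet": "+"},   # local injection
    "128.6.190.2/32": {"fulltrustnet": "+"},   # high-speed injection host
}

# smtp-policy.mx style: domain suffixes we accept inbound relay for.
# '.' is the last-resort key; a suffix covers every host under it.
MX_POLICY = {
    ".":                {"acceptifmx": "-", "relaytarget": "-"},
    ".friendly.domain": {"acceptifmx": "+"},
    ".funet.fi":        {"acceptifmx": "+"},
}

LOCAL_DOMAINS = ("mail.example.net",)   # constructed: domains we deliver locally

# Constructed reply texts (the 553 one paraphrases the thread's log excerpt).
REJECT_553 = ("553 5.7.1 This target address is not our MX service client, "
              "nor are you connecting from an address that is allowed to "
              "openly use us to relay to any arbitrary address thru us.")
REJECT_NET = "550 5.7.1 connections from this network are not accepted"


def lookup_ip(client_ip, table=IP_POLICY):
    """Attributes of the most specific CIDR containing client_ip.
    [0.0.0.0]/0 is the catch-all because its prefix length is 0."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for key, attrs in table.items():
        net = ipaddress.ip_network(key)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attrs)
    return best[1] if best else {}


def lookup_domain(domain, table):
    """Attributes of the longest matching suffix key for domain.
    '.friendly.domain' matches friendly.domain and any host under it;
    '.' matches everything and therefore only wins when nothing else does."""
    domain = domain.lower().rstrip(".")
    best = None
    for key, attrs in table.items():
        k = key.lower()
        hit = k == "." or domain.endswith(k) or domain == k.lstrip(".")
        if hit and (best is None or len(k) > len(best[0])):
            best = (k, attrs)
    return best[1] if best else {}


def decide(client_ip, mail_from, rcpt_to, sender_policy=None):
    """Return ("accept", reason) or ("reject", reply) for one RCPT TO.
    sender_policy is an optional MAIL FROM keyed table, used only to show
    the relaycustomer pitfall the thread warns about."""
    ip_attrs = lookup_ip(client_ip)
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1]
    sender_domain = mail_from.rsplit("@", 1)[-1]

    # rejectnet '+' : the connection is refused before any mail is looked at.
    if ip_attrs.get("rejectnet") == "+":
        return "reject", REJECT_NET

    # fulltrustnet/relaycustnet '+' : relay anything from this address space.
    if ip_attrs.get("fulltrustnet") == "+" or ip_attrs.get("relaycustnet") == "+":
        return "accept", "trusted client network"

    # relaycustomer '+' keyed on MAIL FROM: the sender address is chosen by the
    # client, so this opens relaying to anyone who claims that domain.
    if sender_policy:
        if lookup_domain(sender_domain, sender_policy).get("relaycustomer") == "+":
            return "accept", "relaycustomer + (sender-keyed, client-chosen)"

    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return "accept", "local delivery"

    # Inbound MX backup: accept only for domains listed in the MX table.
    if lookup_domain(rcpt_domain, MX_POLICY).get("acceptifmx") == "+":
        return "accept", "inbound MX relay"

    return "reject", REJECT_553


if __name__ == "__main__":
    for args in [("200.1.2.3", "x@example.org", "a@host.friendly.domain"),
                 ("200.1.2.3", "x@example.org", "a@elsewhere.org"),
                 ("161.132.5.7", "x@friendly.domain", "a@elsewhere.org")]:
        print(args, "->", decide(*args))
```

The decisive point for the question in the thread is the order of checks: an
untrusted client is accepted only when the RCPT TO domain hits an MX suffix,
and the friendly network needs no per-host entries because the suffix key
already covers them. Passing a sender-keyed table with "relaycustomer +" to
`decide` shows why Matti says not to use it: the same untrusted client is then
relayed to any destination simply by naming that domain in MAIL FROM.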