
Re: MX accept policy: problem



> Hi all,
> 
> I use ZMailer 2.99.50-s5 on Sparc Solaris 2.6 and I maintain smtp policy
> to prevent SPAM. I currently maintain my smtp-policy.mx table but this table
> has grown *huge* and I need to give up maintaining it; I would like to
> use the smtp-policy.src boilerplate to allow some friendly network(s) to use my
> zmailer servers as MX backup.
> 
> I have been testing something like this in my smtp-policy.src:
> 
> # this is for protection
> .                       relaycustomer - acceptifmx - senderokwithdns +
> [0.0.0.0]/0             relaycustomer - acceptifmx - senderokwithdns +

	Yes, this is what for example  nic.funet.fi  runs with.
	This is all that an inbound MX processing is accepted.
	(recipient MX processing means testing for *domains*,
	 e.g. the last resort key will be '.')

> # this is my 'friendly' network
> [161.132.5.0/24]	rejectnet - relaycustnet - relaycustomer + relaytarget + acceptifmx +

No, that is WRONG syntax:
   [161.132.5.0]/24

All messages coming from that address space will be treated friendly.

The use of those attributes ...
	"rejectnet -"     - Connection and EHLO/HELO parameter analysis only,
	                    '+' causes rejection of the session
	"relaycustnet -"  - A '+' would accept all traffic in from that IP-address
	                    space without doing any policy checks at it.
	"relaycustomer +" - Eh, DON'T USE THAT!  Anybody giving a MAIL FROM
	                    which yields this token will get everything
	                    sent thru your server without further checks
	                    (Whoops, my boiler-plate still has it used..)
	"relaytarget +"   - This is RCPT TO domain tested attribute, and does
	                    not work for IP addresses..
	"acceptifmx +"    - This is RCPT TO domain tested attribute

My current  smtp-policy.mx  file usage rule is such that you would just
list the domain suffixes for which you allow the inbound smtp relaying,
e.g.:
	.friendly.domain

you don't need to list *every* machine under that suffix!
I have, slightly dangerously, at nic.funet.fi:

	.bitnet
	.csc.fi
	.funet.fi
	.minedu.fi
	.uucp

These in addition to the general rule of MX relay acceptance.
For the  smtp-policy.relay  the rules are a bit different.
It would be the best if you could just use IP addresses there:

	#vger.rutgers.edu - high-speed injection
	[128.6.190.2]/32 fulltrustnet +
	#.funet.fi
	[127.0.0.0]/8 fulltrustnet +
	[128.214.248.6]/32 fulltrustnet +
	[193.166.3.23]/32 fulltrustnet +
	[128.214.0.0]/16

These allow emails from those address spaces to be injected into
nic.funet.fi for outbound relaying.

> After execution of policy-builder and restarting my server I try to send mail
> from some untrusted network thru my zmailer server to one email address in
> that friendly network and I get this after RCPT TO: <someone@friendly.domain>
> 
> 553-5.7.1 This target address is not our MX service
> 553-5.7.1 client, nor you are connecting from address
> 553-5.7.1 that is allowed to openly use us to relay
> 553-5.7.1 to any arbitary address thru us.
> 553 5.7.1 We don't accept this recipient.
> 
> What should I do? I have tried some other combinations and I have failed to
> send mail to such friendly network, or, I have been able to send mail to
> ANYONE, and then my spam protection was disabled..

	Seeing what the smtpserver log file contains with these
	examples (it prints some comments there which it does not
	show out) would help a bit more.

> Any suggestions?
> Enrique-
>  RCP - Internet Peru      Tel: +51 1 422-4848 
>  Dpto de Operaciones      Fax: +51 1 421-8086

/Matti Aarnio <mea@nic.funet.fi>
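As an added example, not part of this thread and not ZMailer's own policy parser: a small Python lint that checks smtp-policy.src lines for the two mistakes pointed out in the reply, the `[addr/prefix]` key syntax that should be `[addr]/prefix`, and `relaycustomer +` (open relay for any matching MAIL FROM) or `relaytarget` on an IP-address key. The line format assumed here (one key followed by attribute/value pairs) is simplified, and the sample policy is constructed from the lines quoted in the thread.

```python
import ipaddress
import re

# Constructed sample: the poster's 'friendly network' line as posted (wrong
# key syntax, dangerous attributes) next to the corrected key form.
SAMPLE_POLICY = """\
# this is for protection
.                relaycustomer - acceptifmx - senderokwithdns +
[0.0.0.0]/0      relaycustomer - acceptifmx - senderokwithdns +
# this is my 'friendly' network (as posted)
[161.132.5.0/24] rejectnet - relaycustnet - relaycustomer + relaytarget + acceptifmx +
# corrected key syntax, without the open-relay attributes
[161.132.5.0]/24 rejectnet - relaycustnet -
"""

# Network key must be [dotted-quad] optionally followed by /prefix outside the brackets.
NET_KEY = re.compile(r"^\[([0-9.]+)\](?:/(\d{1,2}))?$")


def lint_line(line):
    """Return a list of findings (strings) for one smtp-policy line."""
    line = line.split("#", 1)[0].strip()     # drop comments and blank lines
    if not line:
        return []
    fields = line.split()
    key, attrs = fields[0], fields[1:]
    findings = []
    is_net = key.startswith("[")
    if is_net:
        m = NET_KEY.match(key)
        if not m:
            findings.append("bad network key syntax, use [addr]/prefix")
        else:
            try:  # strict: also rejects host bits set under the prefix
                ipaddress.ip_network(f"{m.group(1)}/{m.group(2) or 32}")
            except ValueError:
                findings.append("invalid address/prefix (host bits set?)")
    if len(attrs) % 2:
        findings.append("attribute without +/- value")
    for name, val in zip(attrs[::2], attrs[1::2]):
        if val not in ("+", "-"):
            findings.append(f"{name}: value must be + or -")
        if name == "relaycustomer" and val == "+":
            findings.append("relaycustomer +: open relay for any matching MAIL FROM")
        if is_net and name == "relaytarget":
            findings.append("relaytarget: RCPT TO domain attribute, no effect on IP key")
    return findings


def lint_policy(text):
    """Map 1-based line number -> findings, only for lines with problems."""
    return {n: f for n, l in enumerate(text.splitlines(), 1) if (f := lint_line(l))}
```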