From: Peter Evans on

I have an experiment I would like to perform but I am uncertain
how to do it without breaking everything else.

I would like to direct all mail from places with no reverse dns into
a big bit-bucket. Obviously something like 95% of those mails would be
going to a bogus address.


Would:

header_checks = regexp:/etc/postfix/unknown_catcher


/^Received: unknown/
REDIRECT bitbucket@domain.com


Be the most effective way to catch these? I have a sneaking feeling it
would trip up on multiple Received: lines as legitimate mail comes out
of corpulent networks.


P

From: Ralf Hildebrandt on
* Peter Evans <peter(a)ixp.jp>:

> I would like to direct all mail from places with no reverse dns into
> a big bit-bucket. Obviously something like 95% of those mails would be
> going to a bogus address.

reject_unknown_reverse_client_hostname

> Would:
>
> header_checks = regexp:/etc/postfix/unknown_catcher

Why header_checks?

> /^Received: unknown/
> REDIRECT bitbucket@domain.com
>
>
> Be the most effective way to catch these? I have a sneaking feeling it
> would trip up on multiple Received: lines as legitimate mail comes out
> of corpulent networks.

These headers may also be inserted by other systems.

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt(a)charite.de | http://www.charite.de


From: Noel Jones on
On 8/4/2010 9:33 PM, Peter Evans wrote:
>
> I have an experiment I would like to perform but I am uncertain
> how to do it without breaking everything else.
>
> I would like to direct all mail from places with no reverse dns into
> a big bit-bucket. Obviously something like 95% of those mails would be
> going to a bogus address.
>
>
> Would:
>
> header_checks = regexp:/etc/postfix/unknown_catcher
>
>
> /^Received: unknown/
> REDIRECT bitbucket@domain.com
>
>
> Be the most effective way to catch these? I have a sneaking feeling it
> would trip up on multiple Received: lines as legitimate mail comes out
> of corpulent networks.

Well, as written above it wouldn't match anything... but the
concept is broken. It could trigger on headers from other
systems, machines from your local network, or from SASL
authenticated users. I can't think of a way to reliably
account for all the exceptions; header_checks is not a good
tool for this.

You could use a policy service that returns "REDIRECT
bitbucket@example.com" when rDNS == unknown. I expect postfwd
could do this pretty easily. The policy service would need to
be after any authorized relay tests so it wouldn't catch local
machines, something like:
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_policy_service ...rdns_bitbucket
    ... other restrictions ...


If you want the bitbucket to accept mail to invalid users, you
can use
    check_policy_service ...rdns_bitbucket
    reject_unlisted_recipient
    ... other restrictions ...

and set main.cf:
    smtpd_reject_unlisted_recipient = no

have fun!



-- Noel Jones
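
The policy-service approach described in the message above, as an added example that is not part of the thread, Postfix or postfwd. It speaks the Postfix policy delegation protocol on stdin/stdout (as a service run via spawn(8) would) and answers REDIRECT when the client has no reverse DNS. The bitbucket address, the sample request and the choice of the reverse_client_name attribute as the test for "rDNS == unknown" are assumptions.

```python
"""Added example: Postfix policy service that redirects mail from
clients without reverse DNS to a spamtrap address."""
import sys

# Assumption: placeholder spamtrap address, replace with your own.
BITBUCKET = "bitbucket@example.com"

# Constructed sample request (192.0.2.10 is a documentation address).
SAMPLE = ["request=smtpd_access_policy\n", "client_address=192.0.2.10\n",
          "client_name=unknown\n", "reverse_client_name=unknown\n"]


def parse_request(lines):
    """Turn the name=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.rstrip("\r\n").partition("=")
        if sep:  # skip malformed lines that have no '='
            attrs[name] = value
    return attrs


def decide(attrs):
    """Return the access(5) action for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    # reverse_client_name is "unknown" when the address->name lookup
    # returned no hostname; a missing attribute means no opinion.
    if attrs.get("reverse_client_name", "").lower() == "unknown":
        return "REDIRECT " + BITBUCKET
    return "DUNNO"


def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests until EOF; an empty line ends each request."""
    pending = []
    for line in stream_in:
        if line.strip():
            pending.append(line)
            continue
        if pending:
            reply = decide(parse_request(pending))
            stream_out.write("action=%s\n\n" % reply)
            stream_out.flush()
            pending = []


if __name__ == "__main__":
    serve()
```

Because the check keys on what the connecting client's address resolves to rather than on message headers, Received: lines added by other systems cannot trigger it.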

From: Peter Evans on
On Thu, Aug 05, 2010 at 09:46:44AM +0200, Ralf Hildebrandt wrote:
> * Peter Evans <peter(a)ixp.jp>:
> > I would like to direct all mail from places with no reverse dns into
> > a big bit-bucket. Obviously something like 95% of those mails would be
> > going to a bogus address.

> reject_unknown_reverse_client_hostname

Ah, but I don't want reject_foo_bar_baz
I want redirect_unknown_reverse_client_hostname_to_spamtrap

Point about the header_checks noted. The moment after I sent that
I thought "I bet it munches them all and trips up over private networks."


Someone suggested a milter in email, thanks for that, I will
give it a try next week.


P