[HowTo] Block bogus sender mx in postfix...
rbtux
Some spam servers use MX records pointing to IANA reserved address ranges or wildcard addresses.
These servers can be blocked by Postfix with the following steps:
1. Create /etc/postfix/bogus_mx.cidr with the following content:
# Reserved Ranges
0.0.0.0/8 REJECT IP address of MX is IANA reserved range
10.0.0.0/8 REJECT IP address of MX is a RFC1918 address
127.0.0.0/8 REJECT IP address of MX is IANA reserved range
169.254.0.0/16 REJECT IP address of MX is a APIPA address
172.16.0.0/12 REJECT IP address of MX is a RFC1918 address
192.0.2.0/24 REJECT IP address of MX is IANA reserved range
192.168.0.0/16 REJECT IP address of MX is a RFC1918 address
198.18.0.0/15 REJECT IP address of MX is IANA reserved range
224.0.0.0/3 REJECT IP address of MX is IANA reserved range
240.0.0.0/12 REJECT IP address of MX is IANA reserved range
# WILDCARDS
62.4.64.119 REJECT IP address of MX host is a wild-card NU.
64.18.138.88 REJECT IP address of MX host is a wild-card CG.&RW.
64.70.19.33 REJECT IP address of MX host is a wild-card WS.
69.25.75.72 REJECT IP address of MX host is a wild-card NU.
72.20.110.8 REJECT IP address of MX host is a wild-card pjn.qsrch.net.
72.249.38.50 REJECT IP address of MX host is a wild-card MP.
72.51.36.133 REJECT IP address of MX host is a wild-card PH.
81.29.204.106 REJECT IP address of MX host is a wild-card TK.
89.255.3.140 REJECT IP address of MX host is a wild-card TK.
193.33.61.2 REJECT IP address of MX host is a wild-card TK.
193.33.61.9 REJECT IP address of MX host is a wild-card TK.
195.178.186.40 REJECT IP address of MX host is a wild-card ST.
195.7.77.20 REJECT IP address of MX host is a wild-card MUSEUM.
198.32.6.80 REJECT IP address of MX host is a wild-card UM.
202.30.50.177 REJECT IP address of MX host is a wild-card KR.
209.172.59.193 REJECT IP address of MX host is a wild-card TK.
209.85.51.245 REJECT IP address of MX host is a wild-card ET.
212.181.91.6 REJECT IP address of MX host is a wild-card NU.
213.146.149.143 REJECT IP address of MX host is a wild-card LA.
217.119.57.19 REJECT IP address of MX host is a wild-card TK.
2. Configure Postfix:
Add the following before permit_mynetworks to smtpd_sender_restrictions of your /etc/postfix/main.cf:
check_sender_mx_access cidr:/etc/postfix/bogus_mx.cidr
3. Reload Postfix:
postfix reload
4. Keep your wildcard section up to date (I do it once a week)
This can be done with the following script (it takes a while to run...):
Thx to Uwe Driessen, Jan P. Kessler, Ralph Hildebrandt and Andreas Winkelmann from the German Postfixbuch mailing list for creating this script... I hope I did not miss somebody!
#!/bin/bash
# Build one probe name ("_.<tld>") for every TLD delegated in the root zone.
# The record type is matched as a field, so tab-separated zone files work too.
curl -s ftp://ftp.internic.net/domain/root.zone.gz |
gunzip -c |
awk ' $4 == "NS" {if (length($1) > 1) print "_."$1}' |
sort -u |
# About the sort:
sort -b -t. -k1,1n -k2,2n -k3,3n -k4,4n |
# sorts IPv4 addresses numerically by the 1st, 2nd, 3rd and 4th number
# Resolve every probe name; a TLD that answers with an address is a wild-card.
dig -f - +noall +answer |
awk ' $5 ~ /[0-9]+\.[0-9]+\./ {
    sub(/^_\./,"",$1);
    print $5" REJECT IP address of MX host is a wild-card "$1
}' |
sort -g |
# Merge lines that share an IP address: further TLDs are appended with "&".
awk ' BEGIN{
    oline=""; }
{
    if (NR>1) {
        if( length(oline) > 0) {
            split(oline,arr);
            if ($1==arr[1]) {
                oline=oline"&"$11;
            }
            else {
                print oline;
                oline=$0;
            }
        }
        else {
            oline=$0;
        }
    }
    else {
        oline=$0;
    }
}
END{ print oline;}'
Noticed? This was a oneliner :-)
5. That's it
OS: Debian Lenny
ispCP Version: Trunk r1033
Activated: AWStats dynamic, Dovecot, Avelsieve, Selective Greylisting, Bogus MX Filter,
No Webtools, Roundcube, Some own modifications
This post was last modified: 12-19-2007 08:02 PM by rbtux.
| 11-13-2007 06:47 AM |
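A way to check a table like the one in step 1 before reloading Postfix, as an added example that is not part of the original post: it parses the pattern/result lines, flags patterns that do not parse as a network and entries that can never match because an earlier, wider range already covers them, and performs the first-match lookup. The function names and the sample table (including its deliberate mistake on line 5) are constructed for this example.

```python
import ipaddress

# Constructed sample in the format of the post's bogus_mx.cidr; line 5 is a
# deliberate mistake (host bits set) added for this example.
SAMPLE = """\
# Reserved Ranges
10.0.0.0/8 REJECT IP address of MX is a RFC1918 address
224.0.0.0/3 REJECT IP address of MX is IANA reserved range
240.0.0.0/12 REJECT IP address of MX is IANA reserved range
192.168.1.0/16 REJECT IP address of MX is a RFC1918 address
# WILDCARDS
64.70.19.33 REJECT IP address of MX host is a wild-card WS.
"""

def parse_table(text):
    """Return (rules, problems). Rules keep file order: the first match wins."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2:
            problems.append((lineno, "pattern without a result"))
            continue
        try:
            net = ipaddress.ip_network(fields[0])  # strict: host bits must be 0
        except ValueError as exc:
            problems.append((lineno, f"bad pattern: {exc}"))
            continue
        for prev, _, prev_line in rules:
            if prev.version == net.version and net.subnet_of(prev):
                problems.append((lineno, f"shadowed by line {prev_line}"))
                break
        rules.append((net, fields[1].strip(), lineno))
    return rules, problems

def lookup(rules, address):
    """Return the action of the first rule containing address, else None."""
    ip = ipaddress.ip_address(address)
    for net, action, _ in rules:
        if net.version == ip.version and ip in net:
            return action
    return None

if __name__ == "__main__":
    rules, problems = parse_table(SAMPLE)
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
    for probe in ("10.1.2.3", "64.70.19.33", "198.51.100.7"):
        print(probe, "->", lookup(rules, probe))
```

On the mail server itself, `postmap -q 10.1.2.3 cidr:/etc/postfix/bogus_mx.cidr` queries the installed table directly.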
BeNe
| 11-13-2007 06:50 AM |
pasichnyk
You have a small typo.
In one place you call the file bogus_mx.cider, and in the other you call it bogus_mx.cidr.
Not a big issue, just figured I'd let you know.
-
Jesse
| 12-02-2007 09:28 AM |
rbtux
| 12-02-2007 09:32 AM |
rbtux
updated bogus wildcard mx list...
| 12-02-2007 09:48 AM |
raphael
| 12-05-2007 10:44 AM |
rbtux
Well, the two methods do not serve the same purpose...
The sender-MX way blocks addresses that must not be used as MX hosts, or addresses that are wildcards and therefore could be used by every domain...
The method you mentioned depends on third-party listings, which at least I would not use unscored... That purpose is served well by policyd-weight...
But every admin should know for himself how to stay spam-free (or at least nearly spam-free)
This post was last modified: 12-05-2007 05:08 PM by rbtux.
| 12-05-2007 05:07 PM |
rbtux
| 12-19-2007 08:03 PM |