
Mailing List Archive: Qmail: users

Block Incoming from my Domain that is not local

 

 



marria at redcoyote

Feb 5, 2010, 3:51 PM

Post #1 of 6 (1931 views)
Permalink
Block Incoming from my Domain that is not local

Hey All,
It seems I should be able to dump, not accept or some way
eliminate mail from "mydomain.com" that is not originated from my server.

Thus, email to my clients from support [at] mydomain should actually be
from me, my server and I.

Is there any easy way to divert this?

Michael


root at letinet

Feb 6, 2010, 12:53 AM

Post #2 of 6 (1835 views)
Permalink
Re: Block Incoming from my Domain that is not local [In reply to]

Michael R Marria wrote:
> Hey All,
> It seems I should be able to dump, not accept or some way
> eliminate mail from "mydomain.com" that is not originated from my server.

Hi Michael!

Please have a look at qmail-smtpd man page:

badmailfrom
     Unacceptable envelope sender addresses. qmail-smtpd will reject
     every recipient address for a message if the envelope sender
     address is listed in badmailfrom. A line in badmailfrom may be of
     the form @host, meaning every address at host.


--
Best, Roman.


marria at redcoyote

Feb 6, 2010, 9:45 AM

Post #3 of 6 (1840 views)
Permalink
Re: Block Incoming from my Domain that is not local [In reply to]

Roman Levitsky wrote:
> Michael R Marria wrote:
>> Hey All,
>> It seems I should be able to dump, not accept or some way
>> eliminate mail from "mydomain.com" that is not originated from my
>> server.
>
> Hi Michael!
>
> Please have a look at qmail-smtpd man page:
>
> badmailfrom
>      Unacceptable envelope sender addresses. qmail-smtpd will reject
>      every recipient address for a message if the envelope sender
>      address is listed in badmailfrom. A line in badmailfrom may be of
>      the form @host, meaning every address at host.
>
>
> --
> Best, Roman.
>
Thanks but I still need to send email between local "@mydomain.com"
users. This blocks everything.
I want to allow private IP email from mydomain.com and block public IP
from my domain.com.

Michael


hugo.monteiro at fct

Feb 6, 2010, 10:22 AM

Post #4 of 6 (1828 views)
Permalink
Re: Block Incoming from my Domain that is not local [In reply to]

On 02/06/2010 05:45 PM, Michael R Marria wrote:
> Roman Levitsky wrote:
>> Michael R Marria wrote:
>>> Hey All,
>>> It seems I should be able to dump, not accept or some way
>>> eliminate mail from "mydomain.com" that is not originated from my
>>> server.
>>
>> Hi Michael!
>>
>> Please have a look at qmail-smtpd man page:
>>
>> badmailfrom
>>      Unacceptable envelope sender addresses. qmail-smtpd will reject
>>      every recipient address for a message if the envelope sender
>>      address is listed in badmailfrom. A line in badmailfrom may be of
>>      the form @host, meaning every address at host.
>>
>>
>> --
>> Best, Roman.
>>
> Thanks but I still need to send email between local "@mydomain.com"
> users. This blocks everything.
> I want to allow private IP email from mydomain.com and block public IP
> from my domain.com.
>
> Michael
>
>


Hello Michael,

from what i know, what you propose is not possible with stock qmail.

I do know that qmail-ldap implements senderchecking, but i'm not aware
of any patches that implement that in stock qmail. If there are, it
would be fairly easy to change the code to provide what you want.

It would basically be something like this:
- Senderchecking would have to be enabled.
- If sender didn't match an existing user, message gets rejected.
- If sender matched an existing user but relayclient was not set,
message still gets rejected.
- If sender matched and relayclient was set, message gets accepted.

Anyone knows of any qmail patch that implements senderchecking, besides
the qmail-ldap one?

R's,

Hugo Monteiro.


--
fct.unl.pt:~# cat .signature

Hugo Monteiro
Email : hugo.monteiro [at] fct
Telefone : +351 212948300 Ext.15307
Web : http://hmonteiro.net

Divisão de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.ci.fct.unl.pt apoio [at] fct

fct.unl.pt:~# _


mbhangui at gmail

Feb 6, 2010, 10:42 AM

Post #5 of 6 (1833 views)
Permalink
Re: Block Incoming from my Domain that is not local [In reply to]

On Sat, Feb 6, 2010 at 11:15 PM, Michael R Marria <marria [at] redcoyote> wrote:
>>
> Thanks but I still need to send email between local "@mydomain.com" users.
> This blocks everything.
> I want to allow private IP email from mydomain.com and block public IP from
> my domain.com.
>
If you are ok with patching, there is a patch which allows a different
badmailfrom for the outside network and a different badmailfrom for
internal network. The patch uses RELAYCLIENT environment variable to
use a different badmailfrom.
The patch by Joerg Backschues has this

http://www.backschues.net/backschues.net/know-how/qmail/aio-patch-usage.htm


jms1 at jms1

Feb 11, 2010, 7:58 AM

Post #6 of 6 (1602 views)
Permalink
Re: Block Incoming from my Domain that is not local [In reply to]

On 2010-02-05, at 1851, Michael R Marria wrote:
>
> It seems I should be able to dump, not accept or some way
> eliminate mail from "mydomain.com" that is not originated from my server.
>
> Thus, email to my clients from support [at] mydomain should actually be from me, my server and I.
>
> Is there any easy way to divert this?

this sounds like the problem that SPF tries to solve. i say "tries" to solve, because it's not a perfect solution... although it's a lot better than nothing.

(1) make sure all of your users are using your server, with AUTH, in order to send their outbound mail.

(2) make sure your qmail is patched with something which includes SPF functionality, so you can do SPF checks on the incoming messages.

(3) set up an SPF record (which is a TXT record in your DNS data) which lists your server's IP as the only place from which your domain's mail should originate (i.e. make sure it ends with "-all".)

(4) configure your qmail-smtpd service with "SPFBEHAVIOR=3", so any messages with "fail" results (i.e. the DNS record contains "-all" and the sending IP isn't listed in the record) will be rejected.

if your users will always be coming from a specific IP range, you can also set up a tcpserver access control rule for that IP range which sets SPFBEHAVIOR="2" for that range, and the users won't need to do AUTH. this still does the SPF checks and adds the headers to the messages, but it won't actually reject any messages, regardless of the result of the test.

this is how i've been doing email for my own domain for several years, with good results (i no longer get spam with my own domain forged in the sender address, and anybody else in the world who does SPF checking and rejects messages with "fail" will also reject spam which claims to be from my domain.) of course it means i have to use my own server (or another machine listed in the SPF record) for my outbound mail, but to be honest i was doing that anyway, so it's not any great inconvenience for me.

----------------------------------------------------------------
| John M. Simpson --- KG4ZOW --- Programmer At Large |
| http://www.jms1.net/ <jms1 [at] jms1> |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-1656880303867390173 |
----------------------------------------------------------------
Attachments: PGP.sig (0.19 KB)
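
The setup described in the last post, modelled as an added example (not code from the thread or from any qmail patch): a per-client SPFBEHAVIOR chosen by tcpserver-style rule, then an SPF check on the envelope sender. The domain, addresses, rule table and function names are constructed assumptions; only the ip4/ip6/all mechanisms are evaluated and no DNS lookup is made.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not from the thread).
SPF_RECORDS = {"example.com": "v=spf1 ip4:192.0.2.25 -all"}
# tcpserver-style rules: address prefix -> SPFBEHAVIOR; "" is the default rule.
TCP_RULES = {"10.1.2.": 2, "": 3}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, client_ip):
    """Evaluate the ip4/ip6/all subset of SPF; other mechanisms are skipped."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"

def spf_behavior(client_ip):
    """Most specific (longest) matching prefix wins; "" always matches."""
    best = max((p for p in TCP_RULES if client_ip.startswith(p)), key=len)
    return TCP_RULES[best]

def smtp_decision(client_ip, envelope_sender):
    """Return (action, spf_result) for one incoming envelope sender."""
    domain = envelope_sender.rpartition("@")[2].lower()
    record = SPF_RECORDS.get(domain)
    result = spf_result(record, client_ip) if record else "none"
    # Only the two levels named in the post: 3 rejects "fail", 2 never rejects.
    if result == "fail" and spf_behavior(client_ip) == 3:
        return "reject", result
    return "accept", result
```

A forged support@example.com from an outside address is rejected, while the same sender from the listed server or from the trusted range is accepted, which is the split the original question asked for.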
