On 09.06.23 00:36, Richard Troy wrote:
> OH, sure, I got it down to a trickle, but these few Russian sites always managed to get their spam through and
(FWIW, if you can characterize the offenders by country, trying a GeoIP filter as a stop-gap measure sounds rather promising.)
> Give me a white-list of the ONLY accounts that can relay; NOTHING ELSE can relay. ... THAT would do it! But no! Neither in Postfix nor dovecot is there such a thing!
I'm afraid that that's not *entirely* true ... :
/etc/postfix# grep senderauth main.cf
smtpd_sender_login_maps = hash:/etc/postfix/senderauth
/etc/postfix# head -2 senderauth ; grep bern senderauth | sed -e 's/[-a-z\.]*'"$DOMAIN/DOMAIN/g"
# Envelope Sender: Requires SMTP AUTH as one of:
# actual.address@dom.ain user.1@dom.ain, another@else.where
jochen.bern@DOMAIN.pawisda.de jochen.bern@DOMAIN.de
(Also works with unspecified local part, i.e., "@some.dom.ain" for the left-hand side.)
> Combine that with a greylist type function where the usual IP addresses for particular users were let through, and new ones delayed, THAT would be awesome, too!
Please define "delayed". The kind where you tell the client to retry later and then close the connection is available for postfix under the name of postgrey, but is probably quite disruptive when used with an M*S*A port; same caveat for mechanisms that prevent the connection altogether, like one could build with iptables. The search keyword for the kind where "the server is just deeaaaaaaadddd slllooooowwwww" would be "Teergrube".
[Yes, I'm German, so I capitalize German nouns like German does. :-> ]
None of those are *built right into* postfix or dovecot, likely because it's too much complexity to maintain for a huge user base that doesn't use the functionality all too often.
> And if someone tells me I'm wrong and points me at how to do these things, I'll fall out of my damned chair!
[promptly invents the sport of Comfy Cushion Curling]
> IF we had an IMAP supported password CHANGING scheme, we'd gladly run encrypted passwords, but there isn't, and we haven't invented (finished inventing!) our own web-way to change 'em and so we're stuck with plain text until one of these things changes.
Your server is Linux and SSH client software has become quite available (PuTTY on Windows). For OS-based users who don't need *shell* access to the server, I've had some success just setting the "passwd" command as their login "shell" (in /etc/passwd, plus adding it to /etc/shells if necessary). Dunno how readily you could find an equivalent for the *virtual* accounts' password backend ...
(Yes, it'd be better to have it seamlessly integrated into the IMAP protocol, but don't forget that you'd need the *MUAs* to start supporting it as well before the general public will ever even learn about the new feature ...)
Kind regards,
Jochen Bern
Systems Engineer
Binect GmbH
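As an added example that is not part of the thread above, the following Python script models how Postfix's smtpd_sender_login_maps table (in the same format as the quoted senderauth file) works together with the reject_sender_login_mismatch restriction to decide whether a MAIL FROM address is accepted. The sample map, the placeholder addresses and the simplified lookup order (full address first, then "@domain") are assumptions made for this example; the decision rules follow the documented behaviour of reject_sender_login_mismatch (authenticated clients must own the sender address, unauthenticated clients may not use an owned address). The main.cf/master.cf fragment in the comments is a minimal assumed configuration, not the poster's.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample map, same layout as the quoted senderauth file:
#   <envelope sender or @domain>   <SASL login>[, <SASL login> ...]
# Addresses are placeholders, not real accounts.
SENDERAUTH = """\
# Envelope Sender: Requires SMTP AUTH as one of:
# actual.address@dom.ain user.1@dom.ain, another@else.where
alice@example.net          alice@example.org
@sales.example.net         sales-bot@example.org, sales-lead@example.org
"""

# Assumed minimal Postfix wiring for the submission service (master.cf):
#   submission inet n - n - - smtpd
#     -o smtpd_sasl_auth_enable=yes
#     -o smtpd_sender_restrictions=reject_sender_login_mismatch
#     -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# with main.cf: smtpd_sender_login_maps = hash:/etc/postfix/senderauth
# Remember to run "postmap /etc/postfix/senderauth" after editing the file.


def parse_senderauth(text: str) -> Dict[str, Set[str]]:
    """Parse a Postfix-style text lookup table into {key: set(owner logins)}.
    Blank lines and '#' comments are skipped; keys and values are case-folded,
    as Postfix address lookups are case-insensitive."""
    table: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # key without a value: ignore rather than guess
        key, rest = parts
        owners = {o.lower() for o in re.split(r"[,\s]+", rest.strip()) if o}
        table.setdefault(key.lower(), set()).update(owners)
    return table


def lookup_owners(table: Dict[str, Set[str]], sender: str) -> Optional[Set[str]]:
    """Return the logins that own an envelope sender, or None if unlisted.
    Assumed (simplified) lookup order: full address, then '@domain'."""
    sender = sender.lower()
    if sender in table:
        return table[sender]
    _local, sep, domain = sender.rpartition("@")
    if sep and "@" + domain in table:
        return table["@" + domain]
    return None


def check_mail_from(table: Dict[str, Set[str]], sender: str,
                    sasl_login: Optional[str]) -> Tuple[bool, str]:
    """Model of reject_sender_login_mismatch:
    - SASL-authenticated client: accept only if its login owns the sender;
    - unauthenticated client: reject if the sender has any owner on record."""
    owners = lookup_owners(table, sender)
    if sasl_login is not None:
        if owners and sasl_login.lower() in owners:
            return True, f"{sasl_login} owns {sender}"
        return False, f"Sender address rejected: not owned by user {sasl_login}"
    if owners:
        return False, "Sender address rejected: not logged in"
    return True, "sender has no owner on record; restriction does not apply"


if __name__ == "__main__":
    table = parse_senderauth(SENDERAUTH)
    cases = [
        ("alice@example.net", "alice@example.org"),        # legitimate
        ("alice@example.net", "mallory@example.org"),      # wrong login
        ("anyone@sales.example.net", "sales-bot@example.org"),  # @domain key
        ("alice@example.net", None),                       # owned, no AUTH
        ("stranger@elsewhere.example", None),              # unlisted, no AUTH
        ("stranger@elsewhere.example", "alice@example.org"),  # AUTH, unlisted
    ]
    for sender, login in cases:
        ok, why = check_mail_from(table, sender, login)
        print(f"{'ACCEPT' if ok else 'REJECT'}  {sender!r} as {login!r}: {why}")
```

The last two cases show the part that matters for a "whitelist only" policy: an authenticated user is rejected for any sender address not assigned to them in the map, while an unauthenticated client is only stopped by this restriction for addresses the map knows about; relaying by unauthenticated clients is what smtpd_relay_restrictions (permit_sasl_authenticated, reject) has to deny.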