[Dovecot] Using Dovecot-auth to return error code 450 (or other 4xx) to Postfix when user is on vacation

IVO GELOV (CRM) ivo at crm.walltopia.com
Mon Jan 16 11:48:11 EET 2012


On Sun, 15 Jan 2012 14:33:24 +0200, Charles Marcus <CMarcus at media-brokers.com> wrote:

> On 2012-01-14 12:23 PM, IVO GELOV (CRM) <ivo at crm.walltopia.com> wrote:
>> I have downloaded the latest version 4.0 - but it seems there is no
>> way to prevent spammers from using forged email addresses. I decided to
>> remove the vacation feature from our corporate mail server, because
>> it actually opens a backdoor (even though only when someone decides
>> to activate his vacation auto-reply) for spammers and puts a risk on
>> the company (our server can be blacklisted).
>
> Sorry, I misread your message...
>
> However, (I *think*) there *is* a simple solution to your problem, if I
> now understand it correctly...
>
> Simply disallow anyone sending from an email address in your domain from
> sending without SASL_AUTHing...
>
> The way I do this is:
>
> in main.cf (I put all of my restrictions in
> smtpd_recipient_restrictions) add:
>
> check_sender_access ${hash}/nospoof,
>
> somewhere after reject_unauth_destination (but before any RBL checks)
>
> where nospoof contains:
>
> # Prevent spoofing from domains that we own
> allowed_address1@example.com OK
> allowed_address2@example.com OK
> example.com  REJECT You must use sasl_auth to send from one of our example.com email addresses...
>
> and of course be sure to postmap the nospoof database after making any
> changes...
>

These are the restrictions I apply (or had been applying for some time). Anyway, for now I simply disabled the vacation plugin.

smtpd_client_restrictions = permit_mynetworks, check_client_access mysql:/etc/postfix/sender_ip, permit_sasl_authenticated, reject_unknown_client
#reject_rhsbl_client blackhole.securitysage.com, reject_rbl_client opm.blitzed.org,
#smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, check_client_access mysql:/etc/postfix/client_sql, reject_rbl_client sbl.spamhaus.org, reject_rbl_client list.dsbl.org,reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client dnsbl.ahbl.org, permit
#smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, check_client_access mysql:/etc/postfix/client_ok, reject_rbl_client sbl.spamhaus.org, reject_rbl_client list.dsbl.org,reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client dnsbl.ahbl.org, reject_unknown_client
###, check_policy_service inet:127.0.0.1:10040, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client dnsbl.ahbl.org
#,reject_rbl_client opm.blitzed.org,  reject_rbl_client relays.ordb.org, reject_rbl_client dun.dnsrbl.net

#REJECT_NON_FQDN_HOSTNAME - checks whether the HELO is a full domain name (with suffix)
#smtpd_helo_restrictions =  check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname
smtpd_helo_restrictions =  reject_invalid_hostname

smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rhsbl_sender rhsbl.ahbl.org, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender multi.surbl.org
#reject_rhsbl_sender blackhole.securitysage.com, reject_rhsbl_sender opm.blitzed.org,
#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, check_sender_access mysql:/etc/postfix/sender_sql, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rhsbl_sender rhsbl.ahbl.org, reject_rhsbl_sender block.rhs.mailpolice.com, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender multi.surbl.org, reject_rhsbl_sender dsn.rfc-ignorant.org, permit
#, reject_rhsbl_sender dsn.rfc-ignorant.org, reject_rhsbl_sender relays.ordb.org, reject_rhsbl_sender dun.dnsrbl.net

#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, check_recipient_access regexp:/etc/postfix/dspam_incoming
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining
smtpd_data_restrictions =  reject_unauth_pipelining
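
Added example, not part of the original message and not Postfix code: a simplified Python model of how smtpd_recipient_restrictions is walked left to right, comparing the list posted above with the same list after the quoted nospoof check is inserted after reject_unauth_destination. The client address 203.0.113.9, the mailbox names, LOCAL_DOMAINS and MYNETWORKS are assumptions, and the lookup covers only the full-address and domain keys of access(5).

```python
# Simplified model: restrictions run left to right; the first PERMIT or
# REJECT ends the list, and reaching the end of the list is a PERMIT.

# Constructed copy of the nospoof table from the quoted reply.
NOSPOOF = {
    "allowed_address1@example.com": "OK",
    "allowed_address2@example.com": "OK",
    "example.com": "REJECT You must use sasl_auth to send from one of our "
                   "example.com email addresses...",
}
LOCAL_DOMAINS = {"example.com"}  # assumption: domains we accept mail for
MYNETWORKS = {"127.0.0.1"}       # assumption: trusted client addresses


def sender_access(sender):
    """Simplified access(5) lookup: full address first, then the domain."""
    sender = sender.lower()
    return NOSPOOF.get(sender) or NOSPOOF.get(sender.rpartition("@")[2])


def evaluate(restrictions, client_ip, sasl_user, sender, recipient):
    """Return (verdict, deciding restriction) for one RCPT TO command."""
    for name in restrictions:
        if name == "permit_sasl_authenticated" and sasl_user:
            return "PERMIT", name
        if name == "permit_mynetworks" and client_ip in MYNETWORKS:
            return "PERMIT", name
        if name == "reject_unauth_destination":
            if recipient.lower().rpartition("@")[2] not in LOCAL_DOMAINS:
                return "REJECT", name
        if name == "check_sender_access nospoof":
            action = sender_access(sender) or ""
            if action == "OK":
                return "PERMIT", name
            if action.startswith("REJECT"):
                return "REJECT", name
        # reject_unauth_pipelining is not modelled; it never matches here.
    return "PERMIT", "end of list"


# The recipient restrictions from the post, then with the nospoof check added.
POSTED = ["permit_sasl_authenticated", "permit_mynetworks",
          "reject_unauth_destination", "reject_unauth_pipelining"]
WITH_NOSPOOF = POSTED[:3] + ["check_sender_access nospoof"] + POSTED[3:]

if __name__ == "__main__":
    outside = ("203.0.113.9", None)  # constructed: unauthenticated remote client
    for sender in ("user@example.com", "allowed_address1@example.com",
                   "user@example.net"):
        for label, rules in (("posted", POSTED), ("nospoof", WITH_NOSPOOF)):
            print(label, sender, evaluate(rules, *outside, sender, "user@example.com"))
```

In this model a forged sender at a domain that is not in the table still reaches the end of the list, and an OK entry ends the list before any restriction placed after it is evaluated.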


