Postfix: Rejecting emails based on envelope sender requires "check_sender_access"

Submitted by Locutus on Fri, 03/07/2014 - 09:20

Webmin uses the Postfix directive "check_client_access" in "smtpd_client_restrictions" in the "SMTP Client Restrictions" dialog.

Problem is: To block incoming mail based on envelope sender address, you need "check_sender_access" in "smtpd_sender_restrictions". In "client_access", only rejection based on IP address and hostnames is possible.

The Webmin help text says though that I can also put email addresses in the client_access hash map, which does not work -- I just tested that.

So Webmin should have an option to edit a sender_access map, and the proper map should be used for IP addresses, hostnames and email addresses.

Status: 
Active

Comments

Submitted by JamieCameron on Fri, 03/07/2014 - 19:25

That sounds do-able. But just to make sure I am on the right track, can you post the specific Postfix directives you would use to set this up?

Submitted by Locutus on Sat, 03/08/2014 - 01:32

Yes certainly, will post them as soon as I'm on my PC! I set up a proper map for that and added it to Postfix manually, I'll post the directives shortly.

Submitted by Locutus on Sat, 03/08/2014 - 10:30

Okay here's what I did.

I created a file /etc/postfix/sender-reject with the contents

user@domain.tld REJECT Blacklisted - UCE sender address

I ran postmap hash:sender-reject and added this to main.cf:

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender-reject

Submitted by JamieCameron on Sun, 03/09/2014 - 00:59

Ok .. and so presumably you add known spammer addresses to that blacklist map?

Submitted by Locutus on Sun, 03/09/2014 - 05:15

Yes that's right... on the rather rare occasion when a "mild spammer" always uses the same sender address, I'd like to be able to block them this way.

And of course I reported this because the present information In Webmin is incorrect, since it says I can put addresses in check_client_access.

Submitted by JamieCameron on Sun, 03/09/2014 - 19:08

Where exactly are you seeing that incorrect doc in Webmin?

Submitted by Locutus on Mon, 03/10/2014 - 07:33

The help text reachable via the link "SMTP Client Restrictions: Click on any mapping to edit its properties: What format should I use?" says that I can add "Email address mappings" to that map.

Since that map is added as check_client_access though, that does not work. You need check_sender_access to do email address mapping.

In check_client_access, the "user@domain" and "user@" formats are ignored, and "domain.tld" is interpreted as the delivering host, as opposed to the domain of the envelope sender.

Coming to think of it, this makes perfect sense. How should Postfix know if by "domain.tld" in that map you mean a hostname, or an envelope sender domain? :) That's why you need different maps for that.