block connections from dial in accounts

Hi everybody,

how to block connections from dial-in accounts?

When I read the documentation I only find the following:


---snipp---

"It is relatively safe to turn on sender address verification for specific
domains that often appear in forged email.

/etc/postfix/main.cf:
smtpd_sender_restrictions = hash:/etc/postfix/sender_access
unverified_sender_reject_code = 550
# Note 1: Be sure to read the "Caching" section below!
# Note 2: Avoid hash files here. Use btree instead.
address_verify_map = btree:/var/mta/verify

/etc/postfix/sender_access:
aol.com reject_unverified_sender
hotmail.com reject_unverified_sender
bigfoot.com reject_unverified_sender
... etcetera ..."

--- snapp ---

My interpretaion is that the above mentioned mechanism "only" works for the
MAIL FROM directive.

This is usefull of course but I want to deny all mails from dial-in accounts
(when they are not allready verified users) to stop incoming worms, viruses
etc.
OK, this wouldn't prevent me from all the rubbish sent by "real" mail
servers but it would help a lot.

--
with kind regards

Sven Putze
http://my-bluetooth.de
-------------------------------------------------------------------
If liberty means anything at all, it means the right to tell people
what they do not want to hear. (George Orwell)
Who controls the past controls the future. Who controls the present
controls the past. (George Orwell)
-------------------------------------------------------------------

Sven Putze ha scritto:
[cut...]
> I want to deny all mails from dial-in accounts

....and I don't know how...

> (when they are not allready verified users) to stop incoming worms, viruses...

OK, if you want to avoid viruses infections on windows clients, you can
use procmail;
You have to write this recepie in your .procmailrc to delete immediately
every message with .exe .com .pif .bat .scr .vbs attachments, often
infected by viruses.

:0 HB
* ^Content-Type:.*(application|multipart)
* name=.*\.(exe|com|bat|pif|scr|vbs)
/dev/null

bye,
Manuel

> OK, if you want to avoid viruses infections on windows clients, you can
> use procmail;
> You have to write this recepie in your .procmailrc to delete immediately
> every message with .exe .com .pif .bat .scr .vbs attachments, often
> infected by viruses.

Thanx, but I allready knew that one. My intention is to close the door
before the mail gets queued.



Regards
Sven

Hi Sven!

Sven Putze wrote:
> how to block connections from dial-in accounts?

There are several lines in my config that avoids me from many UBEs, see
below.

You may like to check wether the RBLs are suitable for your needs, many RBLs
are very restrictive.

Two links:
http://www.bez.tedesca.net/homeoff/a...tml#Spamfilter (German)
http://www.stahl.bau.tu-bs.de/~hildeb/postfix/

Greetings, Michael.


#delivery controls - UCE blocking
unknown_local_recipient_reject_code = 550
unknown_hostname_reject_code = 550
unknown_address_reject_code = 550
unverified_sender_reject_code = 550
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
reject_invalid_hostname,
reject_non_fqdn_hostname,
permit
smtpd_sender_restrictions =
permit_mynetworks,
reject_unknown_sender_domain,
reject_rhsbl_sender rhsbl.sorbs.net,
permit
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_invalid_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
permit
smtpd_client_restrictions =
reject_invalid_hostname,
reject_rbl_client xbl.spamhaus.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client relays.ordb.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client dul.dnsbl.sorbs.net,
permit