This is a discussion on Reject reception from unknown SMTP servers within the alt.comp.mail.postfix forums, part of the Mail Servers and Related category.
I have this setup:

1) INET -> MX-other -> mailserver-own
2) INET -> MX-own -> mailserver-own

For the 1) setup, I have this domain, 1.xyz
For the 2) setup, I have this domain, 2.xyz

How do I set up Postfix 2.3.3 (on RHEL5), so it will only allow mail to 1.xyz to come from MX-other?
Mails to 1.xyz that are not coming from the MX-other servers must be rejected.
Mails to 2.xyz must still accept mail from any SMTP servers.

The 1) MX scans my email for spam and viruses but I handle my own domain, 2.xyz, but it is the same recipient mailserver.
> I have this setup:
>
> 1) INET -> MX-other -> mailserver-own
> 2) INET -> MX-own -> mailserver-own
>
> For the 1) setup, I have this domain, 1.xyz
> For the 2) setup, I have this domain, 2.xyz
>
> How do I set up Postfix 2.3.3 (on RHEL5), so it will only allow mail to
> 1.xyz to come from MX-other?
> Mails to 1.xyz that are not coming from the MX-other servers must be
> rejected.
> Mails to 2.xyz must still accept mail from any SMTP servers.
>
> The 1) MX scans my email for spam and viruses but I handle my own domain,
> 2.xyz but it is the same recipient mailserver.

Does no one really have any help to set this up?
Hans J wrote:
>> I have this setup:
>>
>> 1) INET -> MX-other -> mailserver-own
>> 2) INET -> MX-own -> mailserver-own
>>
>> For the 1) setup, I have this domain, 1.xyz
>> For the 2) setup, I have this domain, 2.xyz
>>
>> How do I set up Postfix 2.3.3 (on RHEL5), so it will only allow mail to
>> 1.xyz to come from MX-other?
>> Mails to 1.xyz that are not coming from the MX-other servers must be
>> rejected.
>> Mails to 2.xyz must still accept mail from any SMTP servers.
>>
>> The 1) MX scans my email for spam and viruses but I handle my own domain,
>> 2.xyz but it is the same recipient mailserver.
>
> Does no one really have any help to set this up?
>
>
Do both MX records point directly at your Postfix server or does one or
both route mail to you via a third party MTA?

--
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |
>>> I have this setup:
>>>
>>> 1) INET -> MX-other -> mailserver-own
>>> 2) INET -> MX-own -> mailserver-own
>>>
>>> For the 1) setup, I have this domain, 1.xyz
>>> For the 2) setup, I have this domain, 2.xyz
>>>
>>> How do I set up Postfix 2.3.3 (on RHEL5), so it will only allow mail to
>>> 1.xyz to come from MX-other?
>>> Mails to 1.xyz that are not coming from the MX-other servers must be
>>> rejected.
>>> Mails to 2.xyz must still accept mail from any SMTP servers.
>>>
>>> The 1) MX scans my email for spam and viruses but I handle my own
>>> domain, 2.xyz but it is the same recipient mailserver.
>>
>> Does no one really have any help to set this up?
>>
>>
> Do both MX records point directly at your Postfix server or does one or
> both route mail to you via a third party MTA?

1.xyz MX points to MX-other (spam relay)
2.xyz MX points to MX-own (my own server)

I do get a lot of emails to 1.xyz users sent directly to my own mailserver (not passing through MX-other). This is because the spammers use every single IP address they can find and see if it accepts email, or they look up the A-record for 1.xyz and deliver directly to this IP address.
Hans J wrote:
>>>> I have this setup:
>>>>
>>>> 1) INET -> MX-other -> mailserver-own
>>>> 2) INET -> MX-own -> mailserver-own
>>>>
>>>> For the 1) setup, I have this domain, 1.xyz
>>>> For the 2) setup, I have this domain, 2.xyz
>>>>
>>>> How do I set up Postfix 2.3.3 (on RHEL5), so it will only allow mail to
>>>> 1.xyz to come from MX-other?
>>>> Mails to 1.xyz that are not coming from the MX-other servers must be
>>>> rejected.
>>>> Mails to 2.xyz must still accept mail from any SMTP servers.
>>>>
>>>> The 1) MX scans my email for spam and viruses but I handle my own
>>>> domain, 2.xyz but it is the same recipient mailserver.
>>> Does no one really have any help to set this up?
>>>
>>>
>> Do both MX records point directly at your Postfix server or does one or
>> both route mail to you via a third party MTA?
>
> 1.xyz MX points to MX-other (spam relay)
> 2.xyz MX points to MX-own (my own server)
>
> I do get a lot of emails to 1.xyz users sent directly to my own mailserver
> (not passing through MX-other). This is because the spammers use every
> single IP address they can find and see if it accepts email, or they look up
> the A-record for 1.xyz and deliver directly to this IP address.
>
If 1.xyz is really a separate domain as you said, then why does it contain an A record for your postfix server? That just tells the world that the two domains are related.

Remove all references to the 2.xyz domain from the 1.xyz zone file so DNS queries can't see any connection between the two.

Then configure the 1.xyz mail server to deliver mail to your 2.xyz Postfix server by using its fully qualified domain name: that will force the 1.xyz to do a DNS lookup for the 2.xyz MX record and will keep the relationship between the two invisible to the outside world because the only place it appears is in the MTA configuration file, which is private.

--
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |
>> 1.xyz MX points to MX-other (spam relay)
>> 2.xyz MX points to MX-own (my own server)
>>
>> I do get a lot of emails to 1.xyz users sent directly to my own
>> mailserver (not passing through MX-other). This is because the spammers
>> use every single IP address they can find and see if it accepts email, or
>> they look up the A-record for 1.xyz and deliver directly to this IP
>> address.
>>
> If 1.xyz is really a separate domain as you said, then why does it contain
> an A record for your postfix server? That just tells the world that the
> two domains are related.

Because its A-records are identical - they have the same webserver.

> Remove all references to the 2.xyz domain from the 1.xyz zone file so DNS
> queries can't see any connection between the two.

Not possible as they share the same webserver.

> Then configure the 1.xyz mail server to deliver mail to your 2.xyz Postfix
> server by using its fully qualified domain name: that will force the 1.xyz
> to do a DNS lookup for the 2.xyz MX record and will keep the relationship
> between the two invisible to the outside world because the only place it
> appears is in the MTA configuration file, which is private.

The problem is not the 1.xyz domain. The problem is my Postfix configuration, on my own mailserver, as it accepts mail from everyone to 1.xyz. I need my Postfix to reject all emails to 1.xyz that don't come from MX-other (my spam relay).
Hans J wrote:
>>> 1.xyz MX points to MX-other (spam relay)
>>> 2.xyz MX points to MX-own (my own server)
>>>
>>> I do get a lot of emails to 1.xyz users sent directly to my own
>>> mailserver (not passing through MX-other). This is because the spammers
>>> use every single IP address they can find and see if it accepts email, or
>>> they look up the A-record for 1.xyz and deliver directly to this IP
>>> address.
>>>
>> If 1.xyz is really a separate domain as you said, then why does it contain
>> an A record for your postfix server? That just tells the world that the
>> two domains are related.
>
> Because its A-records are identical - they have the same webserver.
>
>> Remove all references to the 2.xyz domain from the 1.xyz zone file so DNS
>> queries can't see any connection between the two.
>
> Not possible as they share the same webserver.
>
>> Then configure the 1.xyz mail server to deliver mail to your 2.xyz Postfix
>> server by using its fully qualified domain name: that will force the 1.xyz
>> to do a DNS lookup for the 2.xyz MX record and will keep the relationship
>> between the two invisible to the outside world because the only place it
>> appears is in the MTA configuration file, which is private.
>
> The problem is not the 1.xyz domain. The problem is my Postfix
> configuration, on my own mailserver, as it accepts mail from everyone to
> 1.xyz. I need my Postfix to reject all emails to 1.xyz that don't come
> from MX-other (my spam relay).
>
Try setting the MX records up so that all externally originated mail is routed through your spam relay. Remove all references to your postfix server from externally visible DNS entries.

Configure Postfix so it:
1) only accepts mail from your local network and from the spam relay (mynetworks controls this)
2) only sends outbound mail via your spam relay (relayhost sets this)
3) set up an SPF record for the spam relay

(2) is there to keep foreign hosts happy that they can find and talk to your only externally visible mail server and (3) is to reduce backscatter.

--
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |
Hans J wrote:
> Because its A-records are identical - they have the same webserver.
>
So? What's that got to do with the price of fish? Unless the web server is the same as the mail server that's utterly irrelevant. If they are the same you should have said so.

--
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |
In article <46f37b1f$0$90262$14726298@news.sunsite.dk>, Hans J wrote:
>>> 1.xyz MX points to MX-other (spam relay)
>>> 2.xyz MX points to MX-own (my own server)
>
> The problem is not the 1.xyz domain. The problem is my Postfix
> configuration, on my own mailserver, as it accepts mail from everyone to
> 1.xyz. I need my Postfix to reject all emails to 1.xyz that don't come
> from MX-other (my spam relay).

It seems to me you are getting sidetracked into a confused discussion of DNS records. It got even more confused by your unfortunate choice of hostnames. These examples get *really* confusing if you don't give everything a clear, descriptive name.

So I have to guess what you are actually asking; perhaps it's "how do I combine a client restriction and a recipient restriction?" See http://www.postfix.org/RESTRICTION_CLASS_README.html

Let's say MX-other sends from 192.168.1.123. On the unfortunately named machine, MX-own, in /etc/postfix/main.cf:

    smtpd_restriction_classes = spam_protected
    spam_protected = check_client_access hash:/etc/postfix/righteous_sender, reject

    smtpd_recipient_restrictions =
        ...
        reject_unauth_destination,
        check_client_access hash:/etc/postfix/my_draconian_private_blocklist,
        reject_rbl_client zen.spamhaus.org,
        check_recipient_access hash:/etc/postfix/recipient_domains_we_protect,
        ...
        reject

In /etc/postfix/recipient_domains_we_protect:

    neverused.example.net   REJECT Go away we dont use that domain any more
    1.xyz                   spam_protected
    wideopen.example.net    OK

In /etc/postfix/righteous_sender:

    192.168.1.123   OK

All this says is that only messages to the 1.xyz domain are checked against the client restriction righteous_sender. But messages to any domain are checked for unauthorized relaying and against Spamhaus.

Personally I think this particular setup is a really bad idea. The problem is when MX-own rejects (refuses) a message that MX-other wanted to relay to it, MX-other needs to send a delivery status notice ("bounce") to the sender, and all he has is the envelope-sender address. If it's spam, that address is probably 1) fake and 2) deliverable. (The latter is an unfortunate social consequence of Sender Address Verification.) So MX-other is going to be sending backscatter, a type of spam. If it happens for very long, MX-other will be listed in various block lists.

You should be doing this test on MX-other, not on MX-own. That way MX-other can reject the spam instead of becoming responsible for bouncing it.

Cameron
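As an added illustration (not Postfix code and not from the post), the Python model below reproduces how Postfix walks smtpd_recipient_restrictions with Cameron's tables: the recipient table dispatches 1.xyz into the spam_protected class, which consults righteous_sender and otherwise rejects, while other domains never reach that client check. The 2.xyz OK entry, the mydestination set and the RBL/private-blocklist omission are assumptions made for the model.

```python
# Constructed copies of the lookup tables from Cameron's post (hash: tables).
RECIPIENT_DOMAINS_WE_PROTECT = {
    "neverused.example.net": "REJECT Go away we dont use that domain any more",
    "1.xyz": "spam_protected",          # result names a restriction class
    "wideopen.example.net": "OK",
    "2.xyz": "OK",                      # assumed: OP's own domain, open to all
}
RIGHTEOUS_SENDER = {"192.168.1.123": "OK"}   # MX-other's address, as assumed
# Assumed mydestination: domains MX-own is final destination for.
MYDESTINATION = {"1.xyz", "2.xyz", "neverused.example.net", "wideopen.example.net"}
SMTPD_RESTRICTION_CLASSES = {
    "spam_protected": [("check_client_access", RIGHTEOUS_SENDER), ("reject",)],
}
# The RBL and private-blocklist checks of the post are left out of this model.
SMTPD_RECIPIENT_RESTRICTIONS = [
    ("reject_unauth_destination",),
    ("check_recipient_access", RECIPIENT_DOMAINS_WE_PROTECT),
    ("reject",),
]

def lookup_client(table, client_ip):
    # Postfix tries the full IPv4 address, then each shorter dotted prefix.
    parts = client_ip.split(".")
    keys = [".".join(parts[:n]) for n in range(len(parts), 0, -1)]
    return next((table[k] for k in keys if k in table), None)

def lookup_recipient(table, rcpt):
    # Postfix tries user@domain, then the domain (parent domains not modelled).
    return table.get(rcpt) or table.get(rcpt.rpartition("@")[2])

def evaluate(restrictions, client_ip, rcpt):
    """Return 'OK', 'REJECT ...' or None (DUNNO); the first OK/REJECT wins."""
    for rule in restrictions:
        if rule[0] == "reject":
            return "REJECT"
        if rule[0] == "reject_unauth_destination":
            if rcpt.rpartition("@")[2] not in MYDESTINATION:
                return "REJECT Relay access denied"
            continue
        if rule[0] == "check_client_access":
            result = lookup_client(rule[1], client_ip)
        else:  # check_recipient_access
            result = lookup_recipient(rule[1], rcpt)
        if result in SMTPD_RESTRICTION_CLASSES:   # e.g. "spam_protected"
            result = evaluate(SMTPD_RESTRICTION_CLASSES[result], client_ip, rcpt)
        if result is not None:                    # None means DUNNO: keep going
            return result
    return None
```

Note that the trailing reject means any local domain missing from the recipient table is refused, which is why the model needs an explicit OK for 2.xyz.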