NorthernNetGuy
Advisor

MTA block mail from top domain

We've been receiving a lot of spam mail from the .icu domain. The MTA is only catching some of the spam, while 100% of the mail received from them is spam.

I know I can block "@domain.icu" but is it possible to block "@*.icu"

We've identified several thousand unique .icu subdomains that are hitting us, and would like to just block all of .icu.

Accepted Solutions
HeikoAnkenbrand
Champion

Hi @NorthernNetGuy,

Use the postfix config files to block domains:-) 

Postfix generally accepts all sender addresses. It might be needed in some rare cases to reject a sender address for some reason.

With postfix, there is the possibility to use the “check_sender_access” to set individual actions per sender address. For the list of recipients and their action, a mapping needs to be created in the form of a hash database file. First you need to create a text file. The name here is chosen based on the name of the setting but can also be named differently.

$ vi $FWDIR/conf/sender_access

Inside the file, the senders and actions are configured. The mapping table will match the “address pattern” to an “action”. The address pattern can be a full email address like user@example.com, a domain like “example.com” or even just the user part like “user@”. The second column in the file is the action.

# ADDRESS PATTERNS         # ACTION
sender@example.com         550 Blacklisted
domain.com                 REJECT
user@                      REJECT

The action can simply be REJECT or an SMTP error code followed by the text delivered back with the error code. More details about the possible actions can be found in the postfix man page under the section “REJECT ACTIONS”.

$ postmap $FWDIR/conf/sender_access

To create the database file from the text file, the postmap command is used. The command above creates a database file with the same name and a .db extension from the text file with the given name.

$ ls -1 $FWDIR/conf/sender_access*
$FWDIR/conf/sender_access
$FWDIR/conf/sender_access.db

With the access table in place, the sender check needs to be enabled in the smtpd part of postfix. This is done in the $FWDIR/conf/mta_postfix_options.cf configuration file.

smtpd_recipient_restrictions = check_sender_access hash:$FWDIR/conf/sender_access,..

The configuration item “smtpd_recipient_restrictions” defines the incoming restrictions for smtpd, which is the daemon listening for incoming connections. The “check_sender_access” option should be defined followed by the filename chosen for the database (without the .db extension). The above configuration example shows only the config required for blocking of sender addresses. In the real “smtpd_recipient_restrictions” configuration line there are very likely a lot of other options as well.

Create the $FWDIR/conf/mta_postfix_options.cf file:

# touch $FWDIR/conf/mta_postfix_options.cf

Edit the $FWDIR/conf/mta_postfix_options.cf file:

# vi $FWDIR/conf/mta_postfix_options.cf

Add the desired parameters and refer to the official Postfix Configuration Parameters page.

smtpd_recipient_restrictions = check_sender_access hash:$FWDIR/conf/sender_access

In SmartConsole install the Threat Prevention policy.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips


3 Replies
NorthernNetGuy
Advisor

First of all, thank you for the super in-depth response @HeikoAnkenbrand, this is great!

I'll regurgitate some of what you've said as it helps me understand better.

Sounds like I'll be creating a text file, with vi, and adding an address pattern of:

.icu      REJECT

I will then run postmap, referencing the newly edited/created file to create a db version of it.

After that, I will then need to edit/create the mta_postfix_options.cf file, and add in:

smtpd_recipient_restrictions = check_sender_access hash:$FWDIR/conf/sender_access

with the rest of the smtpd_recipient_restrictions items. I've not used 'touch' before, but looks like it allows modifying of files, differently than just using vi.

After that, install the threat prevention policy, and keep my fingers crossed.

Is that the gist of it?
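As an added illustration (not code from this thread, from Check Point or from Postfix), the script below models the access(5) lookup that check_sender_access performs on a sender address, using the same text-file format the accepted answer feeds to postmap; the table entries and the sender addresses are constructed. It covers the one point the recap above leaves open: whether ".icu REJECT" or "icu REJECT" is the entry that catches every *.icu sender. In Postfix, a bare "domain.tld" entry matches subdomains only when smtpd_access_maps is listed in parent_domain_matches_subdomains, which is the default, while a leading-dot ".domain.tld" entry matches subdomains only when smtpd_access_maps is not listed there; the parent_matches_subdomains flag in the script switches between those two behaviours so both forms can be tried against the same table.

```python
from typing import Dict, Optional, Tuple

# Constructed sender_access text file in the same format the thread feeds to
# postmap: whole-line '#' comments, then "pattern  action" per line. The
# "icu" and ".biz" entries are added here to show the two subdomain forms.
ACCESS_FILE_TEXT = """\
# ADDRESS PATTERNS         # ACTION
sender@example.com         550 Blacklisted
domain.com                 REJECT
user@                      REJECT
icu                        REJECT
.biz                       REJECT
"""


def parse_access_file(text: str) -> Dict[str, str]:
    """Turn the text file into the key -> action mapping postmap would build.

    Keys are folded to lower case, as postmap does by default; the action is
    everything after the first run of whitespace, so "550 Blacklisted" survives.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed access line: {raw!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table


ACCESS_TABLE = parse_access_file(ACCESS_FILE_TEXT)


def sender_access_lookup(sender: str, table: Dict[str, str],
                         parent_matches_subdomains: bool = True) -> Optional[Tuple[str, str]]:
    """Return (matched_pattern, action) or None for a sender address.

    Follows the access(5) lookup order: full address, then the domain and its
    parent domains, then the local part. parent_matches_subdomains=True models
    the Postfix default (smtpd_access_maps listed in
    parent_domain_matches_subdomains), where a bare "icu" entry matches every
    *.icu sender; with it False only ".icu"-style entries reach subdomains.
    """
    sender = sender.lower()
    if "@" not in sender:
        return None  # null sender or malformed address; not modelled here
    localpart, domain = sender.rsplit("@", 1)

    # 1. exact address
    if sender in table:
        return sender, table[sender]

    # 2. domain, then each parent domain
    labels = domain.split(".")
    if parent_matches_subdomains:
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])          # sub.example.icu, example.icu, icu
            if candidate in table:
                return candidate, table[candidate]
    else:
        if domain in table:
            return domain, table[domain]
        for i in range(1, len(labels)):
            candidate = "." + ".".join(labels[i:])    # .example.icu, .icu
            if candidate in table:
                return candidate, table[candidate]

    # 3. local part only
    key = localpart + "@"
    if key in table:
        return key, table[key]
    return None


def check_senders(senders, table=ACCESS_TABLE, parent_matches_subdomains=True):
    """Classify a batch of constructed sender addresses: a dry run of the table
    before it goes live on the gateway."""
    return {s: sender_access_lookup(s, table, parent_matches_subdomains) for s in senders}


if __name__ == "__main__":
    samples = ["promo@offers.deals.icu", "promo@shop.biz", "sender@example.com",
               "bob@mail.domain.com", "user@anywhere.org", "alice@example.org"]
    for setting in (True, False):
        print(f"smtpd_access_maps in parent_domain_matches_subdomains: {setting}")
        for sender, hit in check_senders(samples, parent_matches_subdomains=setting).items():
            print(f"  {sender:28} -> {hit}")
```

Run as-is, the script prints the verdict for each constructed sender under both settings, which is the quickest way to see that "icu" and ".icu" are not interchangeable. Note that postmap -q only checks one exact key in the .db file; the walk up through the parent domains is done by smtpd at delivery time, so the decisive check is still a test message against the gateway after the policy has been installed.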

Cem_Yilmaz
Explorer

Nice solution🍾.
