MTA block mail from top domain
We've been receiving a lot of spam mail from the .icu domain. The MTA is only catching some of the spam while 100% of the mail received from them is spam.
I know I can block "@domain.icu" but is it possible to block "@*.icu"?
We've identified several thousand unique icu subdomains that are hitting us, and would like to just block all of .icu.
Accepted Solutions
Hi @NorthernNetGuy,
Use the postfix config files to block domains :-)
Postfix generally accepts all sender addresses. It might be needed in some rare cases to reject one sender address for some reason.
With postfix, there is the possibility to use the “check_sender_access” to set individual actions per sender address. For the list of recipients and their action, a mapping needs to be created in the form of a hash database file. First you need to create a text file. The name here is chosen based on the name of the setting but can also be named differently.
$ vi $FWDIR/conf/sender_access
Inside the file, the senders and actions are configured. The mapping table will match the “address pattern” to an “action”. The address pattern can be a full email address like user@example.com, a domain like “example.com” or even just the user part like “user@”. The second column in the file is the action.
# ADDRESS PATTERNS     # ACTION
sender@example.com     550 Blacklisted
domain.com             REJECT
user@                  REJECT
The action can simply be REJECT or an SMTP error code followed by the text delivered back with the error code. More details about the possible actions can be found in the postfix man page under the section “REJECT ACTIONS”.
$ postmap $FWDIR/conf/sender_access
To create the database file from the text file, the postmap command is used. The command above creates a database file with the same name and a .db extension from the text file with the given name.
$ ls -1 $FWDIR/conf/sender_access*
$FWDIR/conf/sender_access
$FWDIR/conf/sender_access.db
With the access table in place, the sender check needs to be enabled in the smtpd part of postfix. This is done in the $FWDIR/conf/mta_postfix_options.cf configuration file.
smtpd_recipient_restrictions = check_sender_access hash:$FWDIR/conf/sender_access,..
The configuration item “smtpd_recipient_restrictions” defines the incoming restrictions for smtpd, which is the daemon listening for incoming connections. The “check_sender_access” option should be defined followed by the filename chosen for the database (without the .db extension). The above configuration example shows only the config required for blocking of sender addresses. In the real “smtpd_recipient_restrictions” configuration line there are very likely a lot of other options as well.
Create the $FWDIR/conf/mta_postfix_options.cf file:
# touch $FWDIR/conf/mta_postfix_options.cf
Edit the $FWDIR/conf/mta_postfix_options.cf file:
# vi $FWDIR/conf/mta_postfix_options.cf
Add the desired parameters and refer to the official Postfix Configuration Parameters page.
smtpd_recipient_restrictions = check_sender_access hash:$FWDIR/conf/sender_access
In SmartConsole, install the Threat Prevention policy.
First of all, thank you for the super in-depth response @HeikoAnkenbrand, this is great!
I'll regurgitate some of what you've said as it helps me understand better.
Sounds like I'll be creating a text file, with vi, and adding an address pattern of:
.icu REJECT
I will then run postmap, referencing the newly edited/created file to create a db version of it.
After that, I will then need to edit/create the mta_postfix_options.cf file, and add in:
smtpd_recipient_restrictions = check_sender_access hash:$FWDIR/conf/sender_access
with the rest of the smtpd_recipient_restrictions items. I've not used 'touch' before, but looks like it allows modifying of files, differently than just using vi.
After that, install the threat prevention policy, and keep my fingers crossed.
Is that the gist of it?
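Added example, not part of the thread and not Postfix or Check Point code: a simplified shell model of the lookup order that access(5) documents for indexed (hash:) tables, showing which keys are tried for a sender address and whether a top-level-domain entry written as `.icu` or as `icu` is hit. Which form matches depends on whether smtpd_access_maps is listed in parent_domain_matches_subdomains (it is in the stock Postfix default); the function names, sample tables and sender address are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of the access(5) lookup order for a hash: table.
# Added illustration, not Postfix code; address extensions are ignored.

# candidate_keys ADDRESS STYLE : print the keys tried, in order.
#   parent = smtpd_access_maps is in parent_domain_matches_subdomains (default)
#   dot    = it is not, so parent domains are tried with a leading dot
candidate_keys() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    user=${addr%@*}
    dom=${addr##*@}
    printf '%s\n%s\n' "$addr" "$dom"
    while [ "${dom#*.}" != "$dom" ]; do
        dom=${dom#*.}
        if [ "$2" = dot ]; then printf '.%s\n' "$dom"; else printf '%s\n' "$dom"; fi
    done
    printf '%s@\n' "$user"
}

# first_action TABLE ADDRESS STYLE : action of the first key found, or "no match".
first_action() {
    hit=$(candidate_keys "$2" "$3" | while IFS= read -r key; do
        if awk -v k="$key" '!/^[ \t]*(#|$)/ && tolower($1) == k {
                $1 = ""; sub(/^ +/, ""); print; found = 1; exit }
            END { exit !found }' "$1"; then break; fi
    done)
    printf '%s\n' "${hit:-no match}"
}

# Constructed sample tables: the dotted form from the thread and the bare TLD.
tmp=$(mktemp -d)
printf '.icu REJECT\n' > "$tmp/dotted"
printf 'icu REJECT\n'  > "$tmp/bare"
for t in dotted bare; do
    for s in parent dot; do
        printf '%-6s %-6s -> %s\n' "$t" "$s" \
            "$(first_action "$tmp/$t" 'x@mail.spam.icu' "$s")"
    done
done
```

On the gateway, `postconf parent_domain_matches_subdomains` shows which style applies; listing both `icu` and `.icu` in the table covers either setting.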
Nice solution🍾.
