0

We run a small courier mail server (courier-esmtpd). It is configured to accept mail from authenticated clients without recipient restrictions and mail from everywhere to local addresses: *(at)mydomain.tld. Now we get some spam mails where the from-address is set to something like info(at)mydomain.tld and another local mail address as recipient. I'd like to block those mails. Yes, most of the time SpamAssassin marks them as spam but I think the better way would be to directly reject mails with spoofed sender addresses.

Is it possible to configure courier-esmtpd to block mails sent by an unauthenticated client from an external IP address and a local from-address?

It is important that authenticated (legitimate) users are able to send mail using any from-address like user(at)mydomain.tld even from an external IP address (PC at home, etc.).

Edit: I tried to set the configuration option badfrom (at)mydomain.tld in file /etc/courier/bofh, but then all mails with corresponding return addresses are blocked, authenticated user or not...

  • Can't you just ignore authentication (or lack thereof) and block any Internet-sourced mail with your domain in the "from" field? – RainyRat Jun 24 '09 at 22:41
  • 1
    You'll need to be careful with this, as it has the possibility to block legitimate mail. For example, many of our users have separate email accounts with their home ISPs, but they often use our email domain as the from/reply-to address on both accounts. – Josh Steadmon Jun 24 '09 at 22:48

2 Answers

1

The short answer is yes. The way to do it is to enable esmtpd-msa.

Courier supports a Mail Submission Agent (MSA) which is just like a Mail Transport Agent but is intended for non-local mail injection. MSA servers not only listen on different ports (587), but are capable of correcting minor errors in the SMTP data from the client's mailer. The other main benefit is that you can easily and simply disable relaying from external hosts on the MTA and enable authorisation on the MSA. This neatly gets around trying to authenticate from particular domains which is almost impossible because the authentication request happens before the from domain is provided.

The biggest downside is that you have to change all your clients to send mail to port 587 instead of port 25.

staticsan
  • Thanks, that sounds good. I configured esmtpd-msa for authenticated users only and added `badfrom (at)mydomain.tld` to `/etc/courier/bofh`. Incoming mail with a local return-address is blocked as expected for port 25, but also on port 587: "517 Sender rejected: `authenticated_user(at)mydomain.tld`". How can I tell courier-msa to ignore bofh-checks for authenticated users? – Jens Berger Jul 20 '09 at 19:57
  • I've finally realized I've not used that bofh option to do that. I'd try tinkering with the options in the esmtpd-msa file, specifically BOFHCHECKDNS. Also, look at how smtpaccess is set up for each of them, as the local relay rules can do some of that filtering, too. – staticsan Jul 23 '09 at 00:14
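
The policy asked for in the question, combined with the port 25 / port 587 split from this answer, as an added example that is not part of the original posts and is not Courier configuration: a Python model that replays a constructed SMTP command list and returns the verdict at MAIL FROM time. The function names, the trusted-network list and the 530 reply for unauthenticated submission are assumptions; 517 is the reply code quoted in the comment above.

```python
import ipaddress

LOCAL_DOMAINS = {"mydomain.tld"}                       # domain used in the question
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8")]   # assumption: only loopback relays freely

def sender_domain(mail_from_line):
    """Domain of the envelope sender in 'MAIL FROM:<addr> [params]'; '' for the null sender <>."""
    start, end = mail_from_line.find("<"), mail_from_line.find(">")
    if start == -1 or end < start:
        raise ValueError("malformed MAIL FROM line")
    addr = mail_from_line[start + 1:end]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def check_session(client_ip, port, commands):
    """Replay a client's commands and return (code, text) for its MAIL FROM."""
    trusted = any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS)
    authenticated = False
    for line in commands:
        upper = line.upper()
        if upper.startswith("AUTH "):
            authenticated = True   # assumption: the constructed AUTH exchange succeeded
        elif upper.startswith("MAIL FROM:"):
            if port == 587 and not authenticated:
                return 530, "Authentication required"   # submission port: no anonymous mail
            if authenticated or trusted:
                return 250, "Ok"                        # identified client may use any sender
            if sender_domain(line) in LOCAL_DOMAINS:
                return 517, "Sender rejected"           # outsider claiming a local address
            return 250, "Ok"                            # ordinary inbound mail
    return 503, "MAIL FROM expected"

# Constructed sessions (documentation IP range, placeholder credentials).
SESSIONS = {
    "spoofed": ("203.0.113.7", 25, ["EHLO h.example", "MAIL FROM:<info@MyDomain.TLD>"]),
    "home_user": ("203.0.113.7", 587,
                  ["EHLO pc.example", "AUTH PLAIN placeholder", "MAIL FROM:<user@mydomain.tld>"]),
    "inbound": ("203.0.113.7", 25, ["EHLO mx.example", "MAIL FROM:<bob@example.org> SIZE=100"]),
    "bounce": ("203.0.113.7", 25, ["EHLO mx.example", "MAIL FROM:<>"]),
    "anon_587": ("203.0.113.7", 587, ["EHLO h.example", "MAIL FROM:<bob@example.org>"]),
}

if __name__ == "__main__":
    for name, args in SESSIONS.items():
        print(name, check_session(*args))
```

Because the verdict is computed when MAIL FROM arrives, both the session's authentication state and the claimed sender domain are available to the check; the null sender `<>` used by bounces is never treated as local.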
-1

The SMTP protocol was basically designed before the internet was connected and used the way it is today. Specifying networks where you could potentially 'relay' without authorization. Unfortunately, many mail servers that are Linux-based still have settings in them that don't require pre-authentication to send mail when from an internal IP source or private IPs.

Most Linux mail servers use a service called 'postfix' which determines these settings. Security settings such as TLS and SSL are set up and made requirements in a master.cf file. In this file you uncomment settings like

' -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes'

to require authentication

or

'465 inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes'

to send secure mail.

Although it really depends on what is being used on that system.

Jason B Shrout