1

Topic: Blacklisting all mail servers on sub-domains of example.com

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Deployed with iRedMail Easy or the downloadable installer?: Installer
- Linux/BSD distribution name and version: CentOS 7.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL (MariaDB)
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?: Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi Zhang,

I can use iRedAPD (through System -> Anti Spam -> Greylisting) to remove greylisting for all mail servers on certain domains that are listed in the SPF or MX records for that domain.

Is there an equivalent ability to blacklist all mail servers identifying themselves as (for example) mailserver1.example.com, mailserver2.example.com, etc.?

In other words, the "received" header on an email might look like this:

Received: from mailserver1.example.com (mailserver1.example.com [1.2.3.4])
    by myserver.net (Postfix) with ESMTPS id 1BGB124C1A2
    for <me@mydomain.com>; Tue,  3 Mar 2020 18:17:08 +0000 (UTC)

So seeing that header, is there a way for me to block mail from all servers that are named as sub-domains of example.com?

Thanks.


Craig


2

Re: Blacklisting all mail servers on sub-domains of example.com

Blacklist "@.example.com" then.
Note: there's a dot after @, which means all sub-domains of example.com.

3

Re: Blacklisting all mail servers on sub-domains of example.com

Thanks, but I think you misunderstood my question. I am looking for a way to block server names, not email addresses. Blocking "@.example.com" will block an email from someone@mailserver1.example.com, but spammer@spammer.com also sends email through mailserver1.example.com, but his email address is not on example.com or any sub-domain of example.com.

Thanks.

4

Re: Blacklisting all mail servers on sub-domains of example.com

Where does this sub-domain name appear? is it a rDNS name?
Please show me related Postfix log lines.

5

Re: Blacklisting all mail servers on sub-domains of example.com

I gave a sample header in my original post. The sample header closely resembles the lines I would see in the Postfix logs, which I would say would look like this:

Mar 19 09:34:26 victim postfix/postscreen[2135]: CONNECT from [1.2.3.4]:57118 to [99.88.77.66]:25
Mar 19 09:34:26 victim postfix/postscreen[2135]: PASS OLD [1.2.3.4]:57118
Mar 19 09:34:26 victim postfix/smtpd[18586]: connect from mailserver1.example.com[1.2.3.4]
Mar 19 09:34:26 victim postfix/smtpd[18586]: Anonymous TLS connection established from mailserver1.example.com[1.2.3.4]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 19 09:34:27 victim postfix/smtpd[18586]: 0E36DC582AF: client=mailserver1.example.com[1.2.3.4]
Mar 19 09:34:27 victim postfix/cleanup[30062]: 0E36DC582AF: message-id=<1584610455.9060.13.camel@wrathall>
Mar 19 09:34:27 victim postfix/qmgr[2020]: 0E36DC582AF: from=<spammer@spammer.com>, size=2260, nrcpt=1 (queue active)
Mar 19 09:34:27 victim postfix/10025/smtpd[26542]: 57B07C582B1: client=victim.mailserver.com[127.0.0.1]
Mar 19 09:34:27 victim postfix/cleanup[26265]: 57B07C582B1: message-id=<1584610455.9060.13.camel@wrathall>
Mar 19 09:34:27 victim postfix/qmgr[2020]: 57B07C582B1: from=<spammer@spammer.com>, size=2810, nrcpt=1 (queue active)
Mar 19 09:34:27 victim amavis[28546]: (28546-19) Passed CLEAN {RelayedInbound}, [1.2.3.4]:57118 [24.85.25.245] <spammer@spammer.com> -> <victim@victim.com>, Queue-ID: 0E36DC582AF, Message-ID: <1584610455.9060.13.camel@wrathall>, mail_id: W0hORtXVZTGW, Hits: -, size: 2260, queued_as: 57B07C582B1, dkim_sd=dkim:mailserver1.example.com, 126 ms
Mar 19 09:34:27 victim amavis[28546]: (28546-19) Passed CLEAN, <spammer@spammer.com> -> <victim@victim.com>, Hits: -, tag=-100, tag2=3.5, kill=3.5, queued_as: 57B07C582B1, L/Y/0/0
Mar 19 09:34:27 victim postfix/amavis/smtp[29650]: 0E36DC582AF: to=<victim@victim.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.34, delays=0.21/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 57B07C582B1)
Mar 19 09:34:27 victim postfix/qmgr[2020]: 0E36DC582AF: removed
Mar 19 09:34:27 victim postfix/smtpd[18586]: disconnect from mailserver1.example.com[1.2.3.4]
Mar 19 09:34:27 victim postfix/pipe[26103]: 57B07C582B1: to=<victim@victim.com>, relay=dovecot, delay=0.12, delays=0.01/0/0/0.11, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 19 09:34:27 victim postfix/qmgr[2020]: 57B07C582B1: removed

However, these are made up log lines based on sending an email from one server to another and then replacing email addresses and server names with examples:

* spammer@spammer.com: The spammer, of course.
* victim@victim.com: The target of the spam.
* mailserver1.example.com: The mail server that the spammer is using. This is what I want to block, but I also want to block *.example.com ... if it's possible to do so in this way.
* victim.mailserver.com: My iRedAdmin-Pro server.
* The IP addresses are all fake, of course.

Hope that makes it clearer.

6

Re: Blacklisting all mail servers on sub-domains of example.com

If you're talking about the hostname in the 3rd line of the pasted log, that's rDNS; you can block it with the iRedAPD plugin "wblist_rdns", and it's managed with iRedAdmin-Pro.

If you're aiming at the hostname in a mail header, please use the Postfix header_checks parameter to match it.

7 (edited by craig 2020-03-19 20:05:32)

Re: Blacklisting all mail servers on sub-domains of example.com

Hi Zhang,

OK, I do understand that I can block mailserver1.example.com, but I don't know how I can block all mail servers on sub-domains of example.com (i.e., *.example.com) from connecting to my server or delivering email to it.

I do have "wblist_rdns.py" on my server (and various other "wblist_rdns" files), but I don't know where I would configure this in Pro.

Holy crap! For the first time in seven years I've seen the "Reverse DNS Name" button at System -> Whitelists & Blacklists! (I searched the page for "reverse".) So I just add ".example.com" (without the quotes, of course) to the "Blacklists" box?

Is command line usage of "wblist_rdns.py" documented somewhere? Or do I just follow the "sample usages" documented in the file and directly modify the database? (This question is about the GPL version, of course.)


Craig

8

Re: Blacklisting all mail servers on sub-domains of example.com

craig wrote:

So I just add ".example.com" (without the quotes, of course) to the "Blacklists" box?

Yes.

craig wrote:

Is command line usage of "wblist_rdns.py" documented somewhere? Or do I just follow the "sample usages" documented in the file and directly modify the database? (This question about the GPL version of course.)

- Better use iRedAdmin-Pro to manage it.
- You can check sample SQL commands used to add new whitelist or blacklist in file /opt/iredapd/SQL/wblist_rdns.sql.
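To make the matching rule concrete, here is an added example (not iRedAPD's code, and not part of this thread) that pulls the rDNS name out of Postfix smtpd log lines like the ones pasted above and applies a blacklist in the form discussed here: "host.example.com" matches that exact host, while a leading-dot entry such as ".example.com" matches every sub-domain. The leading-dot semantics and the "whitelist wins" order are assumptions taken from the replies in this thread, not verified against the plugin; the extra log lines are constructed.

```python
import re

# Postfix smtpd logs the remote host's rDNS name followed by its IP in
# square brackets, e.g. "connect from mailserver1.example.com[1.2.3.4]".
# The \b keeps "disconnect from" lines from being mistaken for connects.
CLIENT_RE = re.compile(
    r"(?:\bconnect from|client=)\s*(?P<rdns>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
)

# Constructed samples: the first is the thread's own line, the rest are added.
LOG_LINES = [
    "Mar 19 09:34:26 victim postfix/smtpd[18586]: connect from mailserver1.example.com[1.2.3.4]",
    "Mar 19 09:35:01 victim postfix/smtpd[18586]: connect from unknown[9.9.9.9]",
    "Mar 19 09:35:07 victim postfix/smtpd[18586]: 0E36DC582AF: client=mx.example.org[5.6.7.8]",
]


def parse_client(log_line):
    """Return (rdns, ip) from a Postfix smtpd connect/client line, else None."""
    m = CLIENT_RE.search(log_line)
    if not m:
        return None
    return m.group("rdns").lower().rstrip("."), m.group("ip")


def rdns_matches(rdns, entry):
    """Assumed entry semantics: 'host.example.com' matches that exact name;
    '.example.com' matches every sub-domain of example.com, but not the
    bare example.com itself (mirrors Postfix access-map convention)."""
    rdns, entry = rdns.lower().rstrip("."), entry.lower().rstrip(".")
    if entry.startswith("."):
        return rdns.endswith(entry) and rdns != entry[1:]
    return rdns == entry


def decide(log_line, blacklist, whitelist=()):
    """Policy-style verdict: OK (whitelisted), REJECT (blacklisted) or DUNNO.
    A client logged as 'unknown' has no verified rDNS name, so no name-based
    entry can match it; such hosts need an IP-based rule instead."""
    parsed = parse_client(log_line)
    if parsed is None:
        return "DUNNO"
    rdns, _ip = parsed
    if rdns == "unknown":
        return "DUNNO"
    if any(rdns_matches(rdns, e) for e in whitelist):
        return "OK"
    if any(rdns_matches(rdns, e) for e in blacklist):
        return "REJECT"
    return "DUNNO"
```

Running `decide(line, [".example.com"])` over LOG_LINES gives REJECT for the example.com host and DUNNO for the other two, which is the behaviour the ".example.com" blacklist entry is meant to produce.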

9

Re: Blacklisting all mail servers on sub-domains of example.com

Thanks Zhang. I can't believe I never noticed that setting before. That will help.