OpenSMTPd: Block sender based on “Received” domain


For OpenSMTPd, I would like to block a server from sending me mail based on the domain name of that server. It has a large number of IP addresses all over the place and blocking each individual one is far too much work especially with the massive amount of spam it sends. I would like to just outright block the server, is there a way to just silently reject all mail coming in from the mail servers at "example.com" (the "Received" contains this) for example?

Thank you!

Best Answer

The Received headers should not be used for determining the origin of the email as they can be easily spoofed. Instead, you should only trust the information your mail server can obtain by itself, such as source address, HELO hostname and MAIL FROM (tested against the SPF record of the sender domain). The last, i.e. the topmost, Received: header is added by your server, and this information comes from the HELO SMTP command (combined with IP address & reverse PTR).

Header content inspection would be possible with e.g. Postfix header_checks (action REJECT), but it seems OpenSMTPd has not implemented anything similar. Also, OpenSMTPd can only relay mail to external filters, making connection-stage rejection for failed SPF or DNS-based block list (DNSBL) impossible.

What OpenSMTPd can do that may help is described in smtpd.conf(5), match options reject:

  • You say there is a large number of IP addresses all over the place, but they may all actually be in the same network block. Use e.g. whois IP.ADD.RE.SS to determine the subnet in CIDR notation, as OpenSMTPd is able to read subnets expressed in CIDR notation, e.g. block 192.0.2.0/24 with:

    match from src 192.0.2.0/24 reject
    
  • If you want to reject all mail coming in from the mail servers at example.com and this domain is really used in the HELO hostname, it's possible to use that information for rejection. Similarly, the match has an option for that, and you can use a list table(5) file:

    # the table must be declared before the match rule that references it
    table rejectHeloDomains file:/etc/mail/rejectHeloDomains
    match helo <rejectHeloDomains> reject
    

    The list file containing the domains, wildcards allowed:

    example.com
    *.example.com
    

Do not silently discard definite spam, but use the connection-stage rejection, as these examples do.
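To check such rules before deploying them, the following Python, an added example that is not part of the original answer or of OpenSMTPd itself, emulates the two match rules above (source address against a CIDR block, HELO hostname against a list table with wildcard entries) over constructed sample connections, and collapses a list of observed source addresses into the tightest CIDR block to see whether they really share one network. Wildcard entries are assumed here to match any name ending in the part after the `*`, case-insensitively; all addresses and hostnames are constructed from documentation ranges.

```python
import ipaddress

# Constructed rule set mirroring the answer's smtpd.conf snippets.
BLOCKED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
REJECT_HELO_DOMAINS = ["example.com", "*.example.com"]  # contents of the list table


def smallest_covering_net(ips):
    """Return the tightest CIDR block that contains every given address.

    Useful for deciding whether 'scattered' spam sources are really one
    network block that a single 'match from src' rule would cover."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(addrs[0])  # start at a single-host prefix
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen by one bit until all addresses fit
    return net


def helo_matches(helo, entries=REJECT_HELO_DOMAINS):
    """Emulate a HELO lookup in a list table: exact names match as-is,
    '*.domain' entries match any subdomain of domain (not domain itself)."""
    name = helo.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("*"):
            if name.endswith(entry[1:]):
                return entry
        elif name == entry:
            return entry
    return None


def decide(src_ip, helo):
    """Apply the rules in smtpd.conf order; return (verdict, matched rule)."""
    src = ipaddress.ip_address(src_ip)
    for net in BLOCKED_NETS:
        if src in net:
            return "reject", f"src {net}"
    entry = helo_matches(helo)
    if entry is not None:
        return "reject", f"helo {entry}"
    return "accept", None


if __name__ == "__main__":
    # Constructed sample connections: (source address, HELO hostname).
    samples = [("192.0.2.55", "mail.other.test"), ("203.0.113.9", "MX1.Example.com"),
               ("203.0.113.9", "mail.other.test"), ("203.0.113.9", "example.com.evil.test")]
    for ip, helo in samples:
        print(ip, helo, "->", decide(ip, helo))
    print("covering block:", smallest_covering_net(["192.0.2.17", "192.0.2.200", "192.0.2.99"]))
```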
