1

Topic: How to block e-mail with "from=<>" ?

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6
- Linux/BSD distribution name and version: Debian 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

Hi all,

How to block e-mails with "from=<>" ? I tried configuring header_checks and body_checks.pcre but it did not work.

My header_checks:
================

if /^Received:/
/^Received: +from +(mydomain\.com\.br) +/
    reject forged client name in Received: header: $1
#/^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(mydomain\.com\.br)\)/
#    reject forged client name in Received: header: $2
/^Received:.* +by +(mydomain\.com\.br)\b/
    reject forged mail server name in Received: header: $1
endif
/^Message-ID:.* <!&!/ DUNNO
/^Message-ID:.*@(mail\.mydomain\.com\.br)/
    reject forged domain name in Message-ID: header: $1

My body_checks.pcre:
===================

# Do not indent the patterns between "if" and "endif".
if /^[> ]*Received:/
/^[> ]*Received: +from +(mydomain\.com\.br) /
    reject forged client name in Received: header: $1
#/^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(mydomain\.com\.br)\)/
#    reject forged client name in Received: header: $2
/^[> ]*Received:.* +by +(mydomain\.com\.br)\b/
    reject forged mail server name in Received: header: $1
endif
/^[> ]*Message-ID:.* <!&!/ DUNNO
/^[> ]*Message-ID:.*@(mail\.mydomain\.com\.br)/
    reject forged domain name in Message-ID: header: $1

My mail.log example:
==================

Feb 17 15:37:30 mail postfix/10025/smtpd[83066]: 9D41438E5E7C: client=mail.mydomain.com.br[127.0.0.1]
Feb 17 15:37:30 mail postfix/cleanup[83401]: 9D41438E5E7C: message-id=<dovecot-1487353049-710484-0@mail.mydomain.com.br>
Feb 17 15:37:30 mail postfix/qmgr[174408]: 9D41438E5E7C: from=<>, size=3901, nrcpt=1 (queue active)
Feb 17 15:37:31 mail amavis[82814]: (82814-07) Passed CLEAN {RelayedInbound}, [127.0.0.1] <> -> <igorfelipeporto_9291767709@gellon.com.br>, Message-ID: <dovecot-1487353049-710484-0@mail.mydomain.com.br>, mail_id: pb9Aif5x3nhk, Hits: -0.001, size: 3372, queued_as: 9D41438E5E7C, 1007 ms, Tests: [NO_RELAYS=-0.001]
Feb 17 15:37:31 mail postfix/smtp-amavis/smtp[83046]: EADFF38E5E78: to=<igorfelipeporto_9291767709@gellon.com.br>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.8, delays=0.24/0/0/1.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9D41438E5E7C)
Feb 17 15:37:38 mail postfix/smtp[81946]: 9D41438E5E7C: to=<igorfelipeporto_9291767709@gellon.com.br>, relay=none, delay=7.3, delays=0.27/0/7/0, dsn=4.4.1, status=deferred (connect to mx-cloud.gellon.com.br[78.46.252.77]:25: Connection timed out)
Feb 17 15:46:48 mail postfix/qmgr[84228]: 9D41438E5E7C: from=<>, size=3901, nrcpt=1 (queue active)
Feb 17 15:47:00 mail postfix/smtp[84838]: 9D41438E5E7C: to=<igorfelipeporto_9291767709@gellon.com.br>, relay=none, delay=569, delays=557/0.02/12/0, dsn=4.4.1, status=deferred (connect to mx-cloud.gellon.com.br[78.46.252.77]:25: Connection timed out)
Feb 17 15:47:00 mail postfix/qmgr[84228]: 9D41438E5E7C: from=<>, status=expired, returned to sender
Feb 17 15:47:00 mail postfix/qmgr[84228]: 9D41438E5E7C: removed


2

Re: How to block e-mail with "from=<>" ?

If this email was generated by an SMTP-authenticated user, the iRedAPD plugin 'reject_null_sender' can correctly reject it.

You need to figure out who (or which program) generated this/similar email first.
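
Added example, not part of the original thread and not iRedMail code: one way to approach the "figure out who generated it" step is to group Postfix log lines by queue ID and list, for every message with envelope sender `<>`, the submitting client, Message-ID and recipients. The function name is hypothetical; the first four sample lines are copied from the log in the first post and the last one is constructed.

```python
import re
from collections import defaultdict

# Postfix log line: "<date> <host> postfix/<service>[pid]: <QUEUEID>: key=value, ..."
LINE = re.compile(r"postfix/\S+\[\d+\]: ([0-9A-F]{6,}): (.*)$")
FIELD = re.compile(r"\b(client|message-id|from|to)=(<[^>]*>|[^,\s]+)")

def null_sender_origins(lines):
    """Group lines by queue ID; return the messages whose envelope sender is <>."""
    msgs = defaultdict(lambda: {"client": None, "message-id": None,
                                "from": None, "to": set()})
    for line in lines:
        hit = LINE.search(line)
        if not hit:
            continue  # not a Postfix queue line (e.g. amavis output)
        qid, rest = hit.groups()
        for key, value in FIELD.findall(rest):
            value = value.strip("<>")
            if key == "to":
                msgs[qid]["to"].add(value)
            else:
                msgs[qid][key] = value
    # from == "" means the log said from=<>; None means no from= line was seen.
    return {qid: info for qid, info in msgs.items() if info["from"] == ""}

SAMPLE = [
    # Copied from the mail.log excerpt in the first post.
    "Feb 17 15:37:30 mail postfix/10025/smtpd[83066]: 9D41438E5E7C: client=mail.mydomain.com.br[127.0.0.1]",
    "Feb 17 15:37:30 mail postfix/cleanup[83401]: 9D41438E5E7C: message-id=<dovecot-1487353049-710484-0@mail.mydomain.com.br>",
    "Feb 17 15:37:30 mail postfix/qmgr[174408]: 9D41438E5E7C: from=<>, size=3901, nrcpt=1 (queue active)",
    "Feb 17 15:37:38 mail postfix/smtp[81946]: 9D41438E5E7C: to=<igorfelipeporto_9291767709@gellon.com.br>, relay=none, delay=7.3, delays=0.27/0/7/0, dsn=4.4.1, status=deferred (connect to mx-cloud.gellon.com.br[78.46.252.77]:25: Connection timed out)",
    # Constructed line: a message with a normal sender, which must be filtered out.
    "Feb 17 15:40:00 mail postfix/qmgr[174408]: AAAA11112222: from=<user@example.com>, size=100, nrcpt=1 (queue active)",
]

if __name__ == "__main__":
    for qid, info in null_sender_origins(SAMPLE).items():
        print(qid, info["client"], info["message-id"], sorted(info["to"]))
```

For the logged message this reports a client of 127.0.0.1 and a Message-ID beginning with `dovecot-`, which are the two fields to follow up when identifying the generating program.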