
smtpd_client_restrictions

  • Rod G
    Message 1 of 19 , Mar 24 7:48 AM
      Hello,

      If I'm using "check_client_access hash:/etc/postfix/access" in
      smtpd_client_restrictions should I add a "permit" line after the
      access map statement?

      Thanks!
    • Victor Duchovni
      Message 2 of 19 , Mar 24 8:00 AM
        On Fri, Mar 24, 2006 at 10:48:27AM -0500, Rod G wrote:

        > If I'm using "check_client_access hash:/etc/postfix/access" in
        > smtpd_client_restrictions should I add a "permit" line after the
        > access map statement?

        No, but don't take my word for it, read some good descriptions of how
        restriction processing works, and understand why this is or is not the
        right answer.

        --
        Viktor.

        Disclaimer: off-list followups get on-list replies or get ignored.
        Please do not ignore the "Reply-To" header.

        To unsubscribe from the postfix-users list, visit
        http://www.postfix.org/lists.html or click the link below:
        <mailto:majordomo@...?body=unsubscribe%20postfix-users>

        If my response solves your problem, the best way to thank me is to not
        send an "it worked, thanks" follow-up. If you must respond, please put
        "It worked, thanks" in the "Subject" so I can delete these quickly.
      • Rod G
        Message 3 of 19 , Mar 24 8:15 AM
          On 3/24/06, Victor Duchovni <Victor.Duchovni@...> wrote:
          > On Fri, Mar 24, 2006 at 10:48:27AM -0500, Rod G wrote:
          >
          > > If I'm using "check_client_access hash:/etc/postfix/access" in
          > > smtpd_client_restrictions should I add a "permit" line after the
          > > access map statement?
          >
          > No, but don't take my word for it, read some good descriptions of how
          > restriction processing works, and understand why this is or is not the
          > right answer.

          Would you place "check_client_access hash:/etc/postfix/access" in
          maybe smtpd_recipient_restrictions instead?
        • Victor Duchovni
          Message 4 of 19 , Mar 24 8:33 AM
            On Fri, Mar 24, 2006 at 11:15:35AM -0500, Rod G wrote:

            > On 3/24/06, Victor Duchovni <Victor.Duchovni@...> wrote:
            > > On Fri, Mar 24, 2006 at 10:48:27AM -0500, Rod G wrote:
            > >
            > > > If I'm using "check_client_access hash:/etc/postfix/access" in
            > > > smtpd_client_restrictions should I add a "permit" line after the
            > > > access map statement?
            > >
            > > No, but don't take my word for it, read some good descriptions of how
            > > restriction processing works, and understand why this is or is not the
            > > right answer.
            >
            > Would you place "check_client_access hash:/etc/postfix/access" in
            > maybe smtpd_recipient_restrictions instead?

            Up to you, but don't take my word for it, read some good descriptions
            of how restriction processing works, and understand why this is or is
            not the right answer.

            --
            Viktor.

          • vtzan
            Message 5 of 19 , Dec 11, 2009
              Hello all,

              I need to reject smtp connection from certain ip inside my network
              (SPAMMER).
              I have configured the following according
              http://www.postfix.org/access.5.html
              and it doesn't work.

              I just want to deny an ip address to send mails to the outside world!


              smtpd_client_restrictions =
              check_client_access
              hash:/etc/postfix/access,
              permit_mynetworks,
              permit_sasl_authenticated


              access
              ===========
              ipaddress REJECT


              Thanks in advance
              Bill
            • Stan Hoeppner
              Message 6 of 19 , Dec 11, 2009
                vtzan put forth on 12/11/2009 5:26 AM:
                > Hello all,
                >
                > I need to reject smtp connection from certain ip inside my network
                > (SPAMMER).

                If this is the case, it may be more effective and expedient to drop
                _all_ his traffic inbound to your Postfix host.

                iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

                That works for Linux, not sure about *BSD.

                This is what I would do if someone in my network was spamming. Cut him
                off at the knees, and prevent him from attacking your system's other
                service ports.

                --
                Stan
              • Eero Volotinen
                Message 7 of 19 , Dec 11, 2009
                  Quoting Stan Hoeppner <stan@...>:

                  > vtzan put forth on 12/11/2009 5:26 AM:
                  >> Hello all,
                  >>
                  >> I need to reject smtp connection from certain ip inside my network
                  >> (SPAMMER).
                  >
                  > If this is the case, it may be more effective and expedient to drop
                  > _all_ his traffic inbound to your Postfix host.
                  >
                  > iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
                  >
                  > That works for Linux, not sure about *BSD.
                  >
                  > This is what I would do if someone in my network was spamming. Cut him
                  > off at the knees, and prevent him from attacking your system's other
                  > service ports.

                  Well, why not just drop that user out of the network due to ToS
                  violations? He might also abuse other services too?


                  --
                  Eero
                • Stan Hoeppner
                  Message 8 of 19 , Dec 11, 2009
                    vtzan put forth on 12/11/2009 5:46 AM:

                    > thanks for your fast reply. But that was my PLAN B ;-)
                    > any idea for PLAN A?
                    >
                    > thanks alot
                    > Bill

                    Hey Bill,

                    First off, please keep all replies on the postfix-users list. 2nd, send
                    your 'postconf -n' output and the relevant contents of
                    /etc/postfix/access. 3rd, it might be tricky doing what you are asking
                    because, if I understand you correctly, the IP you want to block with
                    smtpd is within mynetworks.

                    --
                    Stan
                  • Noel Jones
                    Message 9 of 19 , Dec 11, 2009
                      On 12/11/2009 7:02 AM, Stan Hoeppner wrote:
                      > vtzan put forth on 12/11/2009 5:46 AM:
                      >
                      >> thanks for your fast reply. But that was my PLAN B ;-)
                      >> any idea for PLAN A?
                      >>
                      >> thanks alot
                      >> Bill
                      >
                      > Hey Bill,
                      >
                      > First off, please keep all replies on the postfix-users list. 2nd, send
                      > your 'postconf -n' output and the relevant contents of
                      > /etc/postfix/access. 3rd, it might be tricky doing what you are asking
                      > because, if I understand you correctly, the IP you want to block with
                      > smtpd is within mynetworks.
                      >
                      > --
                      > Stan
                      >

                      http://www.postfix.org/postconf.5.html#mynetworks
                      It's easy enough to exclude the IP from mynetworks, just use
                      something like:
                      mynetworks =
                      !192.168.1.not-this-host
                      192.168.1.0/24

                      Although if there is a machine in mynetworks sending out spam
                      (virus zombie?) I think I would just firewall it until I could
                      identify it and either 2x4 the user or fix the PC (or maybe
                      both if I'm in a mood).

                      -- Noel Jones
                    • mouss
                      Message 10 of 19 , Dec 11, 2009
                        Stan Hoeppner wrote:
                        > vtzan put forth on 12/11/2009 5:26 AM:
                        >> Hello all,
                        >>
                        >> I need to reject smtp connection from certain ip inside my network
                        >> (SPAMMER).
                        >
                        > If this is the case, it may be more effective and expedient to drop
                        > _all_ his traffic inbound to your Postfix host.
                        >
                        > iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
                        >
                        > That works for Linux, not sure about *BSD.
                        >

                        # cat /etc/pf.conf
                        ...
                        discard="block drop quick"
                        int_if="re0"
                        ...
                        table <banned> persist file "/etc/pf/banned.net"
                        ...
                        $discard on $int_if from <banned> to any label "banned"


                        isn't it nice?


                        > This is what I would do if someone in my network was spamming. Cut him
                        > off at the knees, and prevent him from attacking your system's other
                        > service ports.

                        agreed.

                        Now, the OP's configuration should work. But he didn't show logs and he didn't
                        show the actual configuration (at least, we can doubt his config matches
                        his claim).
                      • vtzan
                        Message 11 of 19 , Dec 13, 2009
                          Stan Hoeppner wrote:
                          > vtzan put forth on 12/11/2009 5:46 AM:
                          >
                          >> thanks for your fast reply. But that was my PLAN B ;-)
                          >> any idea for PLAN A?
                          >>
                          >> thanks alot
                          >> Bill
                          >
                          > Hey Bill,
                          >
                          > First off, please keep all replies on the postfix-users list.  2nd, send
                          > your 'postconf -n' output and the relevant contents of
                          > /etc/postfix/access.  3rd, it might be tricky doing what you are asking
                          > because, if I understand you correctly, the IP you want to block with
                          > smtpd is within mynetworks.
                          >
                          > --
                          > Stan

                          Hello Stan,

                          1. Sorry, forgot to "reply-all".
                          Yes, that is true, the IP I want to block is within $mynetworks. ;-)

                          Here is the postconf -n output (XXXX was substituted for obvious reasons).

                          alias_maps = hash:/etc/aliases
                          broken_sasl_auth_clients = yes
                          command_directory = /usr/sbin
                          config_directory = /etc/postfix
                          daemon_directory = /usr/libexec/postfix
                          data_directory = /var/lib/postfix
                          default_destination_concurrency_limit = 50
                          default_process_limit = 200
                          disable_vrfy_command = no
                          html_directory = /usr/share/doc/postfix-2.5.4-documentation/html
                          inet_interfaces = all
                          local_destination_concurrency_limit = 50
                          local_recipient_maps = $alias_maps unix:passwd.byname $virtual_mailbox_maps
                          mail_owner = postfix
                          mailbox_size_limit = 0
                          mailq_path = /usr/bin/mailq.postfix
                          manpage_directory = /usr/share/man
                          mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, $transport_maps
                          mydomain = XXXX.gr
                          myhostname = mail.XXXX.gr
                          mynetworks = 1X0.1X0.0.0/16, 127.0.0.0/8
                          myorigin = $mydomain
                          newaliases_path = /usr/bin/newaliases.postfix
                          queue_directory = /var/spool/postfix
                          readme_directory = /usr/share/doc/postfix-2.5.4-documentation/readme
                          recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
                          recipient_delimiter = +
                          relayhost = [XXXX.XXXX.gr]
                          relocated_maps = hash:/etc/postfix/relocated
                          sample_directory = /usr/share/doc/postfix-2.3.3/samples
                          sendmail_path = /usr/sbin/sendmail.postfix
                          setgid_group = postdrop
                          smtpd_banner = $myhostname mail.XXXX.gr
                          smtpd_client_connection_count_limit = 50
                          smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
                          smtpd_delay_reject = yes
                          smtpd_hard_error_limit = ${stress?1}${stress:20}
                          smtpd_helo_required = no
                          smtpd_helo_restrictions = warn_if_reject, reject_invalid_helo_hostname, warn_if_reject, reject_non_fqdn_helo_hostname, warn_if_reject, reject_unknown_helo_hostname
                          smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains
                          smtpd_sasl_auth_enable = yes
                          smtpd_sasl_local_domain = $myhostname
                          smtpd_sasl_path = smtpd
                          smtpd_sasl_security_options = noanonymous
                          smtpd_sasl_type = cyrus
                          smtpd_sender_login_maps = $virtual_alias_maps
                          smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, warn_if_reject, reject_sender_login_mismatch, warn_if_reject, reject_unauthenticated_sender_login_mismatch
                          smtpd_timeout = ${stress?10}${stress:300}
                          smtpd_tls_CAfile = /etc/postfix/certs/ipsCA.pem
                          smtpd_tls_cert_file = /etc/postfix/certs/mail.pem
                          smtpd_tls_key_file = /etc/postfix/certs/mail.key
                          smtpd_tls_loglevel = 1
                          smtpd_tls_security_level = may
                          smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
                          transport_maps = hash:/etc/postfix/transport
                          virtual_alias_maps = hash:/etc/postfix/virtual, proxy:ldap:/etc/postfix/ldap/ldapmailfwonly.cf, proxy:ldap:/etc/postfix/ldap/ldapalias.cf
                          virtual_gid_maps = static:102
                          virtual_mailbox_base = /
                          virtual_mailbox_limit = 0
                          virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap/ldapaccounts.cf
                          virtual_minimum_uid = 100
                          virtual_uid_maps = static:103


                          thanks in advance
                          for your help.

                          Bill
                        • vtzan
                          Message 12 of 19 , Dec 13, 2009
                            Hello noel,

                            thanks for your response but it didn't work!

                            thanks
                            Bill

                            Noel Jones wrote:
                            > On 12/11/2009 7:02 AM, Stan Hoeppner wrote:
                            >> vtzan put forth on 12/11/2009 5:46 AM:
                            >>
                            >>> thanks for your fast reply. But that was my PLAN B ;-)
                            >>> any idea for PLAN A?
                            >>>
                            >>> thanks alot
                            >>> Bill
                            >>
                            >> Hey Bill,
                            >>
                            >> First off, please keep all replies on the postfix-users list. 2nd, send
                            >> your 'postconf -n' output and the relevant contents of
                            >> /etc/postfix/access. 3rd, it might be tricky doing what you are asking
                            >> because, if I understand you correctly, the IP you want to block with
                            >> smtpd is within mynetworks.
                            >>
                            >> --
                            >> Stan
                            >>
                            >
                            > http://www.postfix.org/postconf.5.html#mynetworks
                            > It's easy enough to exclude the IP from mynetworks, just use something
                            > like:
                            > mynetworks =
                            > !192.168.1.not-this-host
                            > 192.168.1.0/24
                            >
                            > Although if there is a machine in mynetworks sending out spam (virus
                            > zombie?) I think I would just firewall it until I could identify it
                            > and either 2x4 the user or fix the PC (or maybe both if I'm in a mood).
                            >
                            > -- Noel Jones
                            >
                          • Stan Hoeppner
                            Message 13 of 19 , Dec 13, 2009
                              vtzan put forth on 12/14/2009 1:17 AM:
                              > Hello noel,
                              >
                              > thanks for your response but it didn't work!

                              First, did you reload postfix after editing main.cf? If not, the change
                              won't take effect until you reload or restart postfix. And, how do you
                              know it didn't work? Is he still sending spam? If so use iptables
                              _NOW_ to put a stop to it!

                              I cannot understand for the life of me why you're dicking around with
                              this instead of dropping the hammer instantly on this situation...

                              From the book of Sysadmin
                              Rule #1: Use whatever _functional_ tool you have available _right now_
                              to stop network abuse. Learn to use other tools/methods for the same
                              job _when you are not in crisis mode_.

                              There is a bear knocking down your front door intent on eating you. Are
                              you going to grab fork, then knife, then rolling pin, and realize none
                              of them work, before grabbing the gun and shooting the bear? Taking
                              this route makes you bear food...

                              --
                              Stan
                            • vtzan
                              Message 14 of 19 , Dec 14, 2009
                                Stan Hoeppner wrote:
                                > vtzan put forth on 12/14/2009 1:17 AM:
                                >
                                >> Hello noel,
                                >>
                                >> thanks for your response but it didn't work!
                                >
                                > First, did you reload postfix after editing main.cf?  If not, the change
                                > won't take effect until you reload or restart postfix.  And, how do you
                                > know it didn't work?  Is he still sending spam?  If so use iptables
                                > _NOW_ to put a stop to it!

                                Yes, I reloaded, and I just put my IP in and tested! ;-)

                                > I cannot understand for the life of me why you're dicking around with
                                > this instead of dropping the hammer instantly on this situation...
                                >
                                > From the book of Sysadmin
                                > Rule #1:  Use whatever _functional_ tool you have available _right now_
                                > to stop network abuse.  Learn to use other tools/methods for the same
                                > job _when you are not in crisis mode_.
                                >
                                > There is a bear knocking down your front door intent on eating you.  Are
                                > you going to grab fork, then knife, then rolling pin, and realize none
                                > of them work, before grabbing the gun and shooting the bear?  Taking
                                > this route makes you bear food...
                                >
                                > --
                                > Stan

                                Thanks a lot for your reply, Stan.
                                No, the problem has stopped, but I am just trying to figure out a quick way in Postfix to prevent abuse of my server if this happens again.
                                I know how to use iptables but want to know a Postfix way.
                                thanks

                                Bill

                              • Noel Jones
                                Message 15 of 19 , Dec 14, 2009
                                  On 12/14/2009 1:17 AM, vtzan wrote:
                                  > Hello noel,
                                  >
                                  > thanks for your response but it didn't work!


                                  Please don't top post.

                                  If a suggestion didn't do what you expect, you'll need to show
                                  evidence including "postconf -n" output and logging
                                  demonstrating the unwanted behavior, and what you expected to
                                  happen.

                                  http://www.postfix.org/DEBUG_README.html#mail

                                  -- Noel Jones
                                • Roman Gelfand
                                  Message 16 of 19 , Feb 13, 2014
                                    I am using this parameter to send message to be filtered by dspam.
                                    However, I want local email to bypass dspam and go directly to mail
                                    box server over lmtp.

                                    I am not sure why the pcre code below doesn't work for local email.



                                    /^192\.168\.0.\d{1,3}$/ lmtp:[192.168.0.246]:24
                                    /./ FILTER dspam:dspam

                                    Thanks in advance
                                  • lists@rhsoft.net
                                    Message 17 of 19 , Feb 13, 2014
                                      On 13.02.2014 18:03, Roman Gelfand wrote:
                                      > I am using this parameter to send message to be filtered by dspam.
                                      > However, I want local email to bypass dspam and go directly to mail
                                      > box server over lmtp.
                                      >
                                      > I am not sure why the pcre code below doesn't work for local email.
                                      >
                                      > /^192\.168\.0.\d{1,3}$/ lmtp:[192.168.0.246]:24
                                      > /./ FILTER dspam:dspam

                                      why play around with such hacks instead of putting "permit_mynetworks" before the filter?
                                    • Noel Jones
                                      Message 18 of 19 , Feb 13, 2014
                                        On 2/13/2014 11:03 AM, Roman Gelfand wrote:
                                        > I am using this parameter to send message to be filtered by dspam.
                                        > However, I want local email to bypass dspam and go directly to mail
                                        > box server over lmtp.
                                        >
                                        > I am not sure why the pcre code below doesn't work for local email.
                                        >
                                        >
                                        >
                                        > /^192\.168\.0.\d{1,3}$/ lmtp:[192.168.0.246]:24
                                        > /./ FILTER dspam:dspam
                                        >
                                        > Thanks in advance
                                        >

                                        That doesn't work because the check_client_access table is checked
                                        first by client hostname, then by the IP. So the hostname always
                                        matches /./, even if it's "unknown".

                                        Instead of /./ you could use a pattern that only matches an IP address.
                                        /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/ FILTER dspam:dspam

                                        But it's probably easier to just put permit_mynetworks before the
                                        check_client_access table.



                                        -- Noel Jones
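The three points this thread turns on (Viktor's "no trailing permit needed" in message 2, Noel's "!" exclusion in mynetworks in message 9, and the hostname-then-address lookup order of check_client_access in message 18) as an added Python model of Postfix's restriction processing. This is example code written for this page, not Postfix source or anything posted in the thread; the addresses, hostnames and table rows are constructed, Roman's first row is replaced by a plain OK since only the lookup order is being shown, and hash-table parent-domain and network-prefix lookups are not modelled.

```python
import ipaddress
import re

PERMIT, REJECT = "PERMIT", "REJECT"   # a restriction with no opinion returns None

def parse_mynetworks(spec):
    """'!192.0.2.10 192.0.2.0/24' -> [(negate, network), ...] in list order."""
    rules = []
    for tok in spec.replace(",", " ").split():
        negate = tok.startswith("!")
        rules.append((negate, ipaddress.ip_network(tok.lstrip("!"), strict=False)))
    return rules

def in_mynetworks(ip, rules):
    """First match decides, so a '!' exclusion must precede the network it carves out."""
    addr = ipaddress.ip_address(ip)
    for negate, net in rules:
        if addr in net:
            return not negate
    return False

def parse_regexp_table(text):
    """Rows look like '/pattern/ ACTION' and are tried in file order."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*/(.*)/\s+(\S.*)$", line)
        if m is not None:                 # blank lines are skipped
            rows.append((re.compile(m.group(1)), m.group(2).strip()))
    return rows

def lookup_client(rows, hostname, ip):
    """check_client_access tries the whole table for the hostname, then for the
    address; a catch-all like /./ fires on the hostname (even 'unknown')."""
    for key in (hostname, ip):
        for pattern, action in rows:
            if pattern.search(key):
                return action
    return None

def evaluate(restrictions, hostname, ip, mynetworks):
    """Walk a restriction list left to right; return (verdict, content_filter).
    Entries are 'permit_mynetworks' or ('check_client_access', rows)."""
    content_filter = None
    for r in restrictions:
        if r == "permit_mynetworks":
            if in_mynetworks(ip, mynetworks):
                return PERMIT, content_filter
        elif isinstance(r, tuple) and r[0] == "check_client_access":
            action = lookup_client(r[1], hostname, ip)
            if action is None:
                continue
            word = action.split()[0].upper()
            if word == "FILTER":
                # FILTER only records a content filter; evaluation continues.
                content_filter = action.split(None, 1)[1]
            elif word == "REJECT":
                return REJECT, content_filter
            elif word == "OK":
                return PERMIT, content_filter
            # DUNNO and actions not modelled here give no verdict.
    # Running off the end of smtpd_client_restrictions is an implicit permit,
    # which is why no trailing "permit" is needed after the access map.
    return PERMIT, content_filter

# Constructed sample data (RFC 5737 addresses).  Roman's first row is replaced
# by a plain OK because only the lookup order is being demonstrated.
MYNETWORKS = parse_mynetworks("192.0.2.0/24, 127.0.0.0/8")
MYNETWORKS_EXCLUDED = parse_mynetworks("!192.0.2.10 192.0.2.0/24, 127.0.0.0/8")
BLOCK = ("check_client_access", parse_regexp_table(r"/^192\.0\.2\.10$/ REJECT"))
ORIGINAL = ("check_client_access", parse_regexp_table(r"""
/^192\.168\.0.\d{1,3}$/ OK
/./ FILTER dspam:dspam
"""))
FIXED = ("check_client_access", parse_regexp_table(r"""
/^192\.168\.0.\d{1,3}$/ OK
/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/ FILTER dspam:dspam
"""))

def demo():
    """Outcomes the thread argues about, keyed by scenario."""
    spammer = ("unknown", "192.0.2.10")          # inside mynetworks, no rDNS
    local = ("unknown", "192.168.0.50")
    remote = ("mx.example.net", "203.0.113.7")
    return {
        # access map first: an address inside mynetworks can still be rejected
        "check_then_permit": evaluate([BLOCK, "permit_mynetworks"], *spammer, MYNETWORKS),
        # permit_mynetworks first: the access map is never reached for it
        "permit_then_check": evaluate(["permit_mynetworks", BLOCK], *spammer, MYNETWORKS),
        # Noel's alternative: carve the address out of mynetworks instead
        "excluded_from_mynetworks": evaluate(["permit_mynetworks", BLOCK], *spammer, MYNETWORKS_EXCLUDED),
        # /./ matches the hostname 'unknown' before the 192.168.0.x row sees the IP
        "catch_all_on_local_client": evaluate([ORIGINAL], *local, MYNETWORKS),
        # an IP-only pattern lets the hostname pass fall through to the address
        "ip_only_on_local_client": evaluate([FIXED], *local, MYNETWORKS),
        # a remote client still gets the filter plus the implicit permit at the end
        "ip_only_on_remote_client": evaluate([FIXED], *remote, MYNETWORKS),
    }
```

Calling demo() returns each scenario's (verdict, content_filter) pair, so the same table can be re-run with a restriction list in either order to see which rule actually decided.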
                                      • Roman Gelfand
                                        Message 19 of 19 , Feb 13, 2014
                                          Ah... excellent.

                                          Thanks

                                          On Thu, Feb 13, 2014 at 12:12 PM, Noel Jones <njones@...> wrote:
                                          > On 2/13/2014 11:03 AM, Roman Gelfand wrote:
                                          >> I am using this parameter to send message to be filtered by dspam.
                                          >> However, I want local email to bypass dspam and go directly to mail
                                          >> box server over lmtp.
                                          >>
                                          >> I am not sure why the pcre code below doesn't work for local email.
                                          >>
                                          >>
                                          >>
                                          >> /^192\.168\.0.\d{1,3}$/ lmtp:[192.168.0.246]:24
                                          >> /./ FILTER dspam:dspam
                                          >>
                                          >> Thanks in advance
                                          >>
                                          >
                                          > That doesn't work because the check_client_access table is checked
                                          > first by client hostname, then by the IP. So the hostname always
                                          > matches /./, even if it's "unknown".
                                          >
                                          > Instead of /./ you could use a pattern that only matches an IP address.
                                          > /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/ FILTER dspam:dspam
                                          >
                                          > But it's probably easier to just put permit_mynetworks before the
                                          > check_client_access table.
                                          >
                                          >
                                          >
                                          > -- Noel Jones