
Re: Postfix Restriction class not working properly

  • Magnus Bäck
    Message 1 of 8 , Aug 1, 2006
      On Tuesday, August 01, 2006 at 13:51 CEST,
      ankush grover <grover.pix@...> wrote:

      [...]

      > Aug 1 16:48:58 mail postfix/smtpd[4863]: disconnect from
      > localhost.localdomain[127.0.0.1]

      You missed a couple of log entries from smtpd(8) at the start of the
      log, but this line shows anyway that the client was localhost. The
      loopback interface is listed in mynetworks, so your permit_mynetworks
      bypasses your restrictions.

      [...]

      --
      Magnus Bäck
      magnus@...
    • ankush grover
      Message 2 of 8 , Aug 1, 2006
        On 8/2/06, Magnus Bäck <magnus@...> wrote:

        >
        > You missed a couple of log entries from smtpd(8) at the start of the
        > log, but this line shows anyway that the client was localhost. The
        > loopback interface is listed in mynetworks, so your permit_mynetworks
        > bypasses your restrictions.
        >

        Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
        Received: from localhost (localhost.localdomain [127.0.0.1])??by
        mail.sun.net (Postfix) with ESMTP id 0E3766FFE5??for
        <testing@...>; Tue, 1 Aug 2006 16:48:57 +0530 (IST) from
        localhost.localdomain[127.0.0.1]; from=<grover.pix@...>
        to=<testing@...> proto=ESMTP helo=<localhost>


        You can see the mail is coming from grover.pix@... and this
        address is not listed in sender_access.

        recipient_access file
        testing@... insiders_only

        sender_access file

        example.com OK
        ankush@... OK
        ankush@... OK
        john@... OK

        grover.pix@... is not listed in the users who are authorized to
        send the mail to testing@...

        I am downloading the mails through fetchmail from my ISP account and
        redistributing to my internal users.


        Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
        Received: from mail.isp.com??by localhost with IMAP
        (fetchmail-6.2.5.5)??for testing@... (multi-drop); Tue, 01 Aug
        2006 16:48:57 +0530 (IST) from localhost.localdomain[127.0.0.1];
        from=<grover.pix@...> to=<testing@...> proto=ESMTP
        helo=<localhost>

        You can see fetchmail has downloaded the mail, and the mail is from
        grover.pix@... and is for testing@..., and it is a
        multidrop (catchall) account.


        Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
        Received: from ug-out-1314.google.com (ug-out-1314.google.com
        [66.249.92.174])??by mail252.megamailservers.com
        (8.13.6.20060614/8.13.1) with ESMTP id k71Bb1aL003459??for
        <testing@... from localhost.localdomain[127.0.0.1];
        from=<grover.pix@...> to=<testing@...> proto=ESMTP
        helo=<localhost>


        Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
        Received: by ug-out-1314.google.com with SMTP id m3so1254036ugc?
        for <testing@...>; Tue, 01 Aug 2006 04:36:59 -0700 (PDT) from
        localhost.localdomain[127.0.0.1]; from=<grover.pix@...>
        to=<testing@...> proto=ESMTP helo=<localhost>
        Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
        Received: by 10.66.221.19 with SMTP id t19mr749382ugg;?
        Tue, 01 Aug 2006 04:36:58 -0700 (PDT) from localhost.localdomain[127.0.0.1];
        from=<grover.pix@...> to=<testing@...> proto=ESMTP
        helo=<localhost>
        Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
        Received: by 10.66.225.3 with HTTP; Tue, 1 Aug 2006 04:36:58 -0700
        (PDT) from localhost.localdomain[127.0.0.1];
        from=<grover.pix@...> to=<testing@...> proto=ESMTP
        helo=<localhost>
        Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5:
        message-id=<cf4061610608010436o28366aeaob24407c9f95eb3bb@...>
        Aug 1 16:48:57 mail MailScanner[30558]: New Batch: Scanning 1
        messages, 2194 bytes
        Aug 1 16:48:58 mail postfix/smtpd[4863]: disconnect from
        localhost.localdomain[127.0.0.1]
        Aug 1 16:49:04 mail MailScanner[30558]: Virus and Content Scanning: Starting
        Aug 1 16:49:04 mail MailScanner[30558]: Requeue: 0E3766FFE5.381FC to 647537000E
        Aug 1 16:49:04 mail MailScanner[30558I hope I am clear this time ]:
        Uninfected: Delivered 1 messages
        Aug 1 16:49:04 mail MailScanner[30558]: Logging message 0E3766FFE5.381FC to SQL
        Aug 1 16:49:04 mail postfix/qmgr[30525]: 647537000E:
        from=<grover.pix@...>, size=1927, nrcpt=2 (queue active)
        Aug 1 16:49:04 mail MailScanner[30517]: 0E3766FFE5.381FC: Logged to
        MailWatch SQL
        Aug 1 16:49:04 mail postfix/local[4871]: 647537000E:
        to=<ankush@...>, orig_to=<testing@...>, relay=local,
        delay=7, status=sent (delivered to maildir)
        Aug 1 16:49:04 mail postfix/local[4870]: 647537000E:
        to=<agrover@...>, orig_to=<testing@...>, relay=local,
        delay=7, status=sent (delivered to maildir)
        Aug 1 16:49:04 mail postfix/qmgr[30525]: 647537000E: removed

        The mail for testing@... is redirected to 2 users

        Entries for these users are defined in the virtual file (/etc/postfix/virtual)

        testing@... ankush agrover (local users)

        What else should I post?

        Thanks & Regards

        Ankush Grover
      • Magnus Bäck
        Message 3 of 8 , Aug 2, 2006
          On Wednesday, August 02, 2006 at 07:05 CEST,
          ankush grover <grover.pix@...> wrote:

          > On 8/2/06, Magnus Bäck <magnus@...> wrote:
          >
          > > You missed a couple of log entries from smtpd(8) at the start
          > > of the log, but this line shows anyway that the client was
          > > localhost. The loopback interface is listed in mynetworks,
          > > so your permit_mynetworks bypasses your restrictions.
          >
          > Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
          > Received: from localhost (localhost.localdomain [127.0.0.1])??by
          > mail.sun.net (Postfix) with ESMTP id 0E3766FFE5??for
          > <testing@...>; Tue, 1 Aug 2006 16:48:57 +0530 (IST) from
          > localhost.localdomain[127.0.0.1]; from=<grover.pix@...>
          > to=<testing@...> proto=ESMTP helo=<localhost>
          >
          > You can see the mail is coming from grover.pix@... and this
          > address is not listed in sender_access.

          I repeat: The messages are coming from a host in mynetworks, and your
          permit_mynetworks restriction will bypass your check_recipient_access
          restriction. Move check_recipient_access above permit_mynetworks and
          your problem will be solved.

          (You are still not posting all log entries for the message, but never
          mind.)

          [...]

          --
          Magnus Bäck
          magnus@...
        • ankush grover
          Message 4 of 8 , Aug 2, 2006
            > > You can see the mail is coming from grover.pix@... and this
            > > address is not listed in sender_access.

            Okay I got it.

            > I repeat: The messages are coming from a host in mynetworks, and your
            > permit_mynetworks restriction will bypass your check_recipient_access
            > restriction. Move check_recipient_access above permit_mynetworks and
            > your problem will be solved.

            I moved the check_recipient_access above the permit_mynetworks and it worked.


            > (You are still not posting all log entries for the message, but never
            > mind.)

            I posted all the logs generated by the mail (/var/log/maillog).

            You earlier mentioned this
            But anyway, wouldn't it be a better idea to rely on the client address
            and authentication rather than the easily spoofed sender address, like
            in the example in RESTRICTION_CLASS_README?

            I agree, but if the sender is not from my domain, for example an email
            ID from Gmail or from Yahoo, these people are not going to authenticate
            to my server. Still, I am interested in the above; can you guide me a
            little?

            Thanks & Regards

            Ankush Grover
          • Magnus Bäck
            Message 5 of 8 , Aug 2, 2006
              On Wednesday, August 02, 2006 at 13:16 CEST,
              ankush grover <grover.pix@...> wrote:

              [...]

              > I posted all the logs generated by the mail (/var/log/maillog) .

              No, you did not. You will have entries like these:

              Aug 2 13:23:38 jeeves postfix/smtpd[12813]: connect from localhost[127.0.0.1]
              Aug 2 13:23:38 jeeves postfix/smtpd[12813]: EBCF23C2C: client=localhost[127.0.0.1]

              > You earlier mentioned this
              > But anyway, wouldn't it be a better idea to rely on the client address
              > and authentication rather than the easily spoofed sender address, like
              > in the example in RESTRICTION_CLASS_README?
              >
              > I agree but if the sender is not from my domain for example an email
              > id from gmail or from yahoo these people are not going to authenticate
              > to my server but still I am interested in the above can you guide me a
              > little.

              They can connect directly to your server, assuming they are using an
              SMTP-capable client. This may or may not be feasible, but as I said
              sender addresses can easily be spoofed so your solution is by no means
              secure.

              --
              Magnus Bäck
              magnus@...
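
The ordering problem described in the replies above, and the point about spoofable sender addresses, as a small Python model added here for illustration; it is not Postfix code and not configuration from the thread. The two restriction lists, the 127.0.0.0/8 mynetworks value and the example.com / example.net addresses are assumptions, since the poster's main.cf is not shown.

```python
# Simplified model of Postfix first-match restriction evaluation (not Postfix code).
import ipaddress

MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]           # assumed value
RECIPIENT_ACCESS = {"testing@example.com": "insiders_only"}   # constructed address
SENDER_ACCESS = {"example.com": "OK"}                         # entry shown in the thread
CLASSES = {"insiders_only": ["check_sender_access", "reject"]}

def lookup(table, address):
    """Access-map lookup: full address first, then the domain part."""
    return table.get(address) or table.get(address.rpartition("@")[2])

def evaluate(restrictions, client_ip, sender, recipient):
    """Walk the list in order; the first decisive result ends evaluation."""
    for r in restrictions:
        if r == "permit_mynetworks":
            if any(ipaddress.ip_address(client_ip) in n for n in MYNETWORKS):
                return "permit", r
        elif r == "reject":
            return "reject", r
        elif r in ("check_recipient_access", "check_sender_access"):
            recip = r == "check_recipient_access"
            result = lookup(RECIPIENT_ACCESS, recipient) if recip else lookup(SENDER_ACCESS, sender)
            if result == "OK":
                return "permit", r
            if result in CLASSES:  # right-hand side names a restriction class
                action, by = evaluate(CLASSES[result], client_ip, sender, recipient)
                if action != "dunno":
                    return action, f"{result}/{by}"
    return "dunno", None

def decide(restrictions, client_ip, sender, recipient):
    """End of list without a decision is modelled as permit (local recipient;
    reject_unauth_destination is left out of this model)."""
    action, by = evaluate(restrictions, client_ip, sender, recipient)
    return ("permit", "end of list") if action == "dunno" else (action, by)

# Assumed orderings: before and after moving check_recipient_access up.
BROKEN = ["permit_mynetworks", "check_recipient_access"]
FIXED = ["check_recipient_access", "permit_mynetworks"]

if __name__ == "__main__":
    msg = ("127.0.0.1", "outsider@example.net", "testing@example.com")
    print("broken:", decide(BROKEN, *msg))   # fetchmail re-injects via localhost
    print("fixed: ", decide(FIXED, *msg))
    # The sender check trusts whatever envelope sender the client claims.
    print("claimed sender:", decide(FIXED, "192.0.2.10", "anyone@example.com", msg[2]))
```

The last case shows why the replies recommend keying the class on client address or authentication: with the fixed ordering, the decision for a protected recipient rests entirely on an envelope sender the client supplies.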