Re: Whitelisting Redux

  • Jorey Bump
    Message 1 of 17, May 1, 2007
      Dennis Putnam wrote:
      > On May 1, 2007, at 8:44 AM, Jorey Bump wrote:
      >>
      >> And simply delete or comment out this line:
      >>
      >>> smtpd_recipient_restrictions =
      >>> permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
      >>>
      >
      > This creates new problems. I thought I understood what these parameters
      > did from the documentation but clearly I am not understanding the docs
      > at all. If I remove 'permit_mynetworks' then all outgoing mail gets a
      > relay denied error. If I remove 'reject_unauth_destination' I get this:
      >
      > May 1 08:58:20 xserveoda postfix/smtpd[4921]: fatal: parameter
      > "smtpd_recipient_restrictions": specify at least one working instance
      > of: check_relay_domains, reject_unauth_destination, reject, defer or
      > defer_if_permit

      Then don't do that. :)

      > I guess removing the sasl statement is the only one that doesn't seem to
      > cause a problem. However, my problem user is still a problem.

      I'm not sure why you're removing permit_sasl_authenticated, but if you
      don't need it, no harm done.

      > May 1 08:54:35 xserveoda postfix/smtpd[4785]: NOQUEUE: reject: RCPT
      > from imf24aec.mail.bellsouth.net[205.152.59.72]: 554 Service
      > unavailable; Client host [205.152.59.72] blocked using dnsbl.sorbs.net;
      > Spam Received Recently See:
      > http://www.sorbs.net/lookup.shtml?205.152.59.72 / Escalated Listing
      > (Spam or Spam Support) See:
      > http://www.sorbs.net/lookup.shtml?205.152.59.72;
      > from=<dap@...> to=<dennis.putnam@...>
      > proto=ESMTP helo=<imf24aec.mail.bellsouth.net>

      It appears your whitelist is not being consulted. Be sure to issue a
      'postfix reload' after editing main.cf.

      > Here's a new 'postconf -n':
      > smtpd_recipient_restrictions = reject_non_fqdn_sender
      > reject_unknown_sender_domain check_sender_access
      > hash:/etc/postfix/sender_whitelist permit_mynetworks
      > reject_unauth_destination reject_rbl_client bl.spamcop.net
      > reject_rbl_client dnsbl.sorbs.net reject_rbl_client
      > cbl.abuseat.org reject_rbl_client dnsbl.njabl.org
      > check_client_access hash:/etc/postfix/smtpdreject

      Okay, looks good.

      > smtpd_sasl_auth_enable = yes
      > smtpd_tls_key_file =
      > smtpd_use_pw_server = yes

      Put permit_sasl_authenticated back before permit_mynetworks in
      smtpd_recipient_restrictions, if you are using authentication for
      submission via port 25.

      >> You might still have a bit of tweaking to do, but this should give you
      >> a working configuration. Be especially careful with what you put in
      >> your whitelist. Rejections are easy to manage, but whitelisting can
      >> allow unauthorized relaying if done improperly.
      >
      > Could you elaborate a little on this? As long as I don't use wildcards
      > in my white list, am I not safe? Also, just as a refresher, once again
      > here is my current sender_whitelist file:
      >
      > # This is a list of senders that will be accepted even if the server has
      > # been blacklisted.
      > #
      > # REMEMBER to run 'make' after changes
      > #
      > dap1@... permit_auth_destination

      This looks fine. Be sure to run 'postmap sender_whitelist' in
      /etc/postfix, and check your log to be sure there are no associated errors.

      I've duplicated your configuration (easy, since you've nearly duplicated
      mine), and it works for me (my residential IP is in one of the RBLs, and
      I can now send from my home computer using the same format you're
      using). At this point, you'll need to check your logs for clues, but
      I'll save you some searching:

      dap@... != dap1@...

      If you want to keep things simple, use this in sender_whitelist:

      bellsouth.net permit_auth_destination

      That's safe enough, but it means that anyone can bypass the RBL check by
      forging the envelope sender address as being from bellsouth.net. Not a
      big deal, here, but an example why I avoid whitelists for lower
      maintenance solutions. If you're trying to send mail to your server from
      a dynamic residential IP *without authentication*, then this is as
      appropriate a solution as any other.

      Note that you'll have to put your map *after* reject_unauth_destination
      if you use the bellsouth.net address for outgoing mail (in which case,
      you should really use their mail server, instead).
    • Dennis Putnam
      Message 2 of 17, May 1, 2007
        On May 1, 2007, at 10:06 AM, Jorey Bump wrote:
        >
        >
        > Then don't do that. :)

        :-)


        >
        > I'm not sure why you're removing permit_sasl_authenticated, but if
        > you don't need it, no harm done.

        I thought that was what you suggested I do.


        >
        > It appears your whitelist is not being consulted. Be sure to issue
        > a 'postfix reload' after editing main.cf.

        I do/did. Why would the white list not be consulted?

        >
        > Okay, looks good.

        Except it doesn't work. :-)

        >
        > Put permit_sasl_authenticated back before permit_mynetworks in
        > smtpd_recipient_restrictions, if you are using authentication for
        > submission via port 25.

        It seems to be working without it but I will. In any case this is not
        affecting the white list is it?

        >
        > This looks fine. Be sure to run 'postmap sender_whitelist' in /etc/
        > postfix, and check your log to be sure there are no associated errors.

        Done.

        >
        > I've duplicated your configuration (easy, since you've nearly
        > duplicated mine), and it works for me (my residential IP is in one
        > of the RBLs, and I can now send from my home computer using the
        > same format you're using). At this point, you'll need to check your
        > logs for clues, but I'll save you some searching:
        >
        > dap@... != dap1@...

        I missed that detail. I didn't think it used the FROM field since
        that is easily spoofed. The difference is whether the mail originated
        on a Linux box or Windows box. The bad news is that when I add that
        to my white list it still doesn't work.

        >
        > If you want to keep things simple, use this in sender_whitelist:
        >
        > bellsouth.net permit_auth_destination
        >
        > That's safe enough, but it means that anyone can bypass the RBL
        > check by forging the envelope sender address as being from
        > bellsouth.net. Not a big deal, here, but an example why I avoid
        > whitelists for lower maintenance solutions. If you're trying to
        > send mail to your server from a dynamic residential IP *without
        > authentication*, then this is as appropriate a solution as any other.

        I don't really want to open it to all but I might have to try that
        just to see if anything can get through. Will that also work if the
        hostname is home.bellsouth.net? Actually I need to get this working
        not just for this user but for others as well. I want to make sure it
        all works and I understand it before adding more users. These
        otherwise legitimate ISPs that refuse to take responsibility for spam
        originating on their networks drive me nuts. I have things pretty
        tight so we get very little spam leaking through but there are a few
        legitimate sources that don't.

        >
        > Note that you'll have to put your map *after*
        > reject_unauth_destination if you use the bellsouth.net address for
        > outgoing mail (in which case, you should really use their mail
        > server, instead).
        >

        Now I'm confused (as usual). If I send something to
        dap1@... it will be rejected? Outgoing mail cannot go to
        'bellsouth.net' as that does not resolve to an smtp server. I thought
        postfix looked up the MX record for that address instead.
      • Jorey Bump
        Message 3 of 17, May 1, 2007
          Dennis Putnam wrote:
          >
          > On May 1, 2007, at 10:06 AM, Jorey Bump wrote:
          >>
          >> I'm not sure why you're removing permit_sasl_authenticated, but if you
          >> don't need it, no harm done.
          >
          > I thought that was what you suggested I do.

          No, I meant for you to change the "smtpd_client_restrictions" entry that
          you provided to "smtpd_recipient_restrictions" and remove the redundant
          smtpd_recipient_restrictions from your configuration.

          >> It appears your whitelist is not being consulted. Be sure to issue a
          >> 'postfix reload' after editing main.cf.
          >
          > I do/did. Why would the white list not be consulted?

          It was. The address was wrong.

          >> Put permit_sasl_authenticated back before permit_mynetworks in
          >> smtpd_recipient_restrictions, if you are using authentication for
          >> submission via port 25.
          >
          > It seems to be working without it but I will. In any case this is not
          > affecting the white list is it?

          No.

          >> dap@... != dap1@...
          >
          > I missed that detail. I didn't think it used the FROM field since that
          > is easily spoofed. The difference is whether the mail originated on a
          > Linux box or Windows box. The bad news is that when I add that to my
          > white list it still doesn't work.

          To be clear, it's using the address provided during MAIL FROM (not the
          From: header), and you're right, that's easily spoofed. But if you want
          to use check_sender_access, that's what we're talking about, the
          envelope sender.

          >> If you want to keep things simple, use this in sender_whitelist:
          >>
          >> bellsouth.net permit_auth_destination

          > I don't really want to open it to all but I might have to try that just
          > to see if anything can get through. Will that also work if the hostname
          > is home.bellsouth.net?

          Refer to Email Address Patterns in:

          man 5 access

          or:

          http://www.postfix.org/access.5.html

          > Actually I need to get this working not just for
          > this user but for others as well. I want to make sure it all works and I
          > understand it before adding more users. These otherwise legitimate ISPs
          > that refuse to take responsibility for spam originating on their
          > networks drive me nuts. I have things pretty tight so we get very little
          > spam leaking through but there are a few legitimate sources that don't.

          Well, I sympathize, but this may be a user issue. They need to complain
          to the ISP or switch. Kudos for trying to solve their problem, but you
          may be taking on a maintenance headache. Of course, you could move your
          RBLs to a scoring system via a policy server or SpamAssassin if they are
          causing you too many problems. Using RBLs isn't required, so I guess you
          do bear some of the responsibility here.

          >> Note that you'll have to put your map *after*
          >> reject_unauth_destination if you use the bellsouth.net address for
          >> outgoing mail (in which case, you should really use their mail server,
          >> instead).
          >>
          >
          > Now I'm confused (as usual). If I send something to dap1@...
          > it will be rejected? Outgoing mail cannot go to 'bellsouth.net' as that
          > does not resolve to an smtp server. I thought postfix looked up the MX
          > record for that address instead.

          I meant you must do this if you plan to use the bellsouth.net address as
          your sender address for outgoing mail. Outgoing mail *to* bellsouth.net
          is not affected by this configuration.
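
A worked model of the points made in this reply and in the earlier whitelist advice: how smtpd_recipient_restrictions walks its list in order, how an access(5) domain entry matches a subdomain like home.bellsouth.net, and why a permit_auth_destination entry lets a forged envelope sender skip the RBL check without opening a relay. This is an added example, not code from the thread or from Postfix; the domains, addresses and local-domain set are constructed stand-ins, and the listed IP is the one from the quoted log.

```python
# Added example, not code from the thread or from Postfix: a model of how
# smtpd_recipient_restrictions walks its list and how check_sender_access matches
# an access(5) table. Assumes smtpd_access_maps is in parent_domain_matches_subdomains
# (the Postfix default), so a bare "domain.tld" entry also matches its subdomains.

LOCAL_DOMAINS = {"example.org"}                 # constructed mydestination
RBL_LISTED = {"205.152.59.72"}                  # the IP the thread's log shows listed
SENDER_WHITELIST = {"bellsouth.net": "permit_auth_destination"}

def access_lookup(table, address):
    """access(5) order: user@domain, then domain.tld and each parent domain
    (this model stops before the bare TLD), then user@ alone."""
    user, _, domain = address.rpartition("@")
    if address in table:
        return table[address]
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    return table.get(user + "@")

def evaluate(client_ip, sender, recipient, restrictions):
    """First restriction that permits or rejects decides; others fall through."""
    rcpt_domain = recipient.rpartition("@")[2]
    for r in restrictions:
        if r == "check_sender_access":
            action = access_lookup(SENDER_WHITELIST, sender)
            # permit_auth_destination permits only for our own domains; for any
            # other recipient it is skipped, so the whitelist cannot open a relay
            if action == "permit_auth_destination" and rcpt_domain in LOCAL_DOMAINS:
                return "PERMIT sender whitelist"
        elif r == "reject_unauth_destination" and rcpt_domain not in LOCAL_DOMAINS:
            return "REJECT relay denied"
        elif r == "reject_rbl_client" and client_ip in RBL_LISTED:
            return "REJECT blocked using dnsbl"
    return "PERMIT end of list"

# The thread's order, reduced to the three restrictions that matter here.
RESTRICTIONS = ["check_sender_access", "reject_unauth_destination", "reject_rbl_client"]

def demo(ip="205.152.59.72"):
    """Constructed sessions from a listed client IP (see the log quoted above)."""
    return {
        "subdomain sender": evaluate(ip, "u@home.bellsouth.net", "d@example.org", RESTRICTIONS),
        "forged sender": evaluate(ip, "forged@bellsouth.net", "d@example.org", RESTRICTIONS),
        "outside recipient": evaluate(ip, "u@bellsouth.net", "f@example.com", RESTRICTIONS),
        "other sender": evaluate(ip, "u@otherisp.net", "d@example.org", RESTRICTIONS),
    }
```

The first two cases show the bypass the earlier reply warns about (a forged bellsouth.net sender gets the same pass as a real one); the third shows that permit_auth_destination still falls through to reject_unauth_destination for outside recipients.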