Re: Whitelist a host using check_client_access before the rbl check?

  • Charles Marcus
    Message 1 of 12, Aug 4, 2008
      Let me give this one a try... I *think* i see the problem...

      On 8/4/2008, Nicolas KOWALSKI (niko@...) wrote:
      > Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
      > from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
      > unavailable; Client host [86.68.96.225] blocked using
      > zen.spamhaus.org;

      THAT was the client...

      http://www.spamhaus.org/query/bl?ip=86.68.96.225;
      > from=<nicolas.kowalski@...> to=<niko@...>
      > proto=ESMTP helo=<demisel.dyndns.org>

      THAT was the helo...

      So, you're trying to whitelist a client using its helo...

      Either use a helo access check, or use the right client, but only if you
      are sure the client won't change (it is, after all, on a dynamic block)...

      --

      Best regards,

      Charles
    • Stan Hoeppner
      Message 2 of 12, Aug 4, 2008
        Hello Nicolas,

        Try this:

        Remove 'check_client_access hash:/etc/postfix/client_access' from
        smtpd_recipient_restrictions. Add the following line in main.cf
        somewhere before/above smtpd_recipient_restrictions:

        smtpd_client_restrictions = hash:/etc/postfix/client_access

        And make sure you 'postmap /etc/postfix/client_access' any time you make
        changes to the file. And obviously, 'postfix reload' whenever you make
        changes to main.cf.

        Hope this helps.

        Stan




        Nicolas KOWALSKI wrote:
        > Hello,
        >
        > I would like to whitelist a specific host, because it is currently
        > listed in the zen rbl, but I am unable to do so.
        >
        > Here is a sample log of the rejected host connecting to my postfix:
        >
        > Aug 4 14:17:17 petole postfix/smtpd[23545]: connect from 225.96.68-86.rev.gaoland.net[86.68.96.225]
        > Aug 4 14:17:17 petole postfix/smtpd[23545]: setting up TLS connection from 225.96.68-86.rev.gaoland.net[86.68.96.225]
        > Aug 4 14:17:17 petole postfix/smtpd[23545]: TLS connection established from 225.96.68-86.rev.gaoland.net[86.68.96.225]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
        > Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service unavailable; Client host [86.68.96.225] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.68.96.225; from=<nicolas.kowalski@...> to=<niko@...> proto=ESMTP helo=<demisel.dyndns.org>
        > Aug 4 14:17:18 petole postfix/smtpd[23545]: disconnect from 225.96.68-86.rev.gaoland.net[86.68.96.225]
        >
        >
        > - I added the following line (full postconf -n below) to the
        > smtpd_recipient_restrictions, before the rbl check:
        >
        > check_client_access hash:/etc/postfix/client_access
        >
        >
        > - /etc/postfix/client_access contains:
        > demisel.dyndns.org OK
        >
        >
        > - the full configuration:
        >
        > petole:~# postconf -n
        > alias_maps = hash:/etc/aliases
        > append_dot_mydomain = no
        > config_directory = /etc/postfix
        > disable_mime_output_conversion = yes
        > header_checks = regexp:/etc/postfix/header_checks
        > inet_protocols = all
        > local_recipient_maps = hash:/etc/postfix/local_recipients, $alias_maps
        > mailbox_size_limit = 0
        > mailbox_transport = cyrus
        > maximal_queue_lifetime = 60d
        > message_size_limit = 0
        > mydestination = localhost, localhost.localdomain, petole, petole.lan, petole.dyndns.org, petole.demisel.net
        > mydomain = $myhostname
        > myhostname = petole.dyndns.org
        > relay_domains = demisel.dyndns.org
        > relay_recipient_maps = hash:/etc/postfix/relay_recipients
        > relayhost = [mail.club-internet.fr]
        > smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
        > smtp_tls_loglevel = 1
        > smtp_tls_security_level = may
        > smtpd_helo_required = yes
        > smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access hash:/etc/postfix/client_access, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname, reject_unknown_hostname, reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org, permit
        > smtpd_tls_cert_file = /etc/postfix/ssl/petole-crt.pem
        > smtpd_tls_key_file = /etc/postfix/ssl/petole-key.pem
        > smtpd_tls_loglevel = 1
        > smtpd_tls_received_header = yes
        > smtpd_tls_security_level = may
        > smtpd_tls_session_cache_timeout = 3600s
        >
        >
        >
        > Any help would be appreciated,
        >
        > Thanks,
      • Brian Evans - Postfix List
          Message 3 of 12, Aug 4, 2008
          Stan Hoeppner wrote:
          > Hello Nicolas,
          >
          > Try this:
          >
          > Remove 'check_client_access hash:/etc/postfix/client_access' from
          > smtpd_recipient_restrictions. Add the following line in main.cf
          > somewhere before/above smtpd_recipient_restrictions:
          >
          > smtpd_client_restrictions = hash:/etc/postfix/client_access
          >
          > And make sure you 'postmap /etc/postfix/client_access' any time you
          > make changes to the file. And obviously, 'postfix reload' whenever
          > you make changes to main.cf.

          This will not fix the OP's issue because client_restrictions occur
          before recipient_restrictions.
          This also does not deny any hosts with the line you posted above, so it's
          really worthless, due to the implied permit at the end of the
          client_restrictions.

          Since the check fails in recipient_restrictions, an exception must be
          placed before the rbl_check there.

          As Charles already pointed out, he was simply using the wrong check,
          even though a HELO whitelist is somewhat dangerous to trust (easily forged).

          Brian
          >
          > Hope this helps.
          >
          > Stan
          >
          >
          >
          >
          > Nicolas KOWALSKI wrote:
          >> Hello,
          >>
          >> I would like to whitelist a specific host, because it is currently
          >> listed in the zen rbl, but I am unable to do so.
          >>
          >> Here is a sample log of the rejected host connecting to my postfix:
          >>
          >> Aug 4 14:17:17 petole postfix/smtpd[23545]: connect from
          >> 225.96.68-86.rev.gaoland.net[86.68.96.225]
          >> Aug 4 14:17:17 petole postfix/smtpd[23545]: setting up TLS
          >> connection from 225.96.68-86.rev.gaoland.net[86.68.96.225]
          >> Aug 4 14:17:17 petole postfix/smtpd[23545]: TLS connection
          >> established from 225.96.68-86.rev.gaoland.net[86.68.96.225]: TLSv1
          >> with cipher ADH-AES256-SHA (256/256 bits)
          >> Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
          >> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
          >> unavailable; Client host [86.68.96.225] blocked using
          >> zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.68.96.225;
          >> from=<nicolas.kowalski@...> to=<niko@...>
          >> proto=ESMTP helo=<demisel.dyndns.org>
          >> Aug 4 14:17:18 petole postfix/smtpd[23545]: disconnect from
          >> 225.96.68-86.rev.gaoland.net[86.68.96.225]
          >>
          >>
          >> - I added the following line (full postconf -n below) to the
          >> smtpd_recipient_restrictions, before the rbl check:
          >>
          >> check_client_access hash:/etc/postfix/client_access
          >>
          >>
          >> - /etc/postfix/client_access contains:
          >> demisel.dyndns.org OK
          >>
          >>
          >> - the full configuration:
          >>
          >>
        • Nicolas KOWALSKI
            Message 4 of 12, Aug 4, 2008
            On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote:
            > Let me give this one a try... I *think* i see the problem...
            >
            > On 8/4/2008, Nicolas KOWALSKI (niko@...) wrote:
            >> Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
            >> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
            >> unavailable; Client host [86.68.96.225] blocked using
            >> zen.spamhaus.org;
            >
            > THAT was the client...
            >
            > http://www.spamhaus.org/query/bl?ip=86.68.96.225;
            >> from=<nicolas.kowalski@...> to=<niko@...>
            >> proto=ESMTP helo=<demisel.dyndns.org>
            >
            > THAT was the helo...
            >
            > So, you're trying to whitelist a client using its helo...

            But demisel.dyndns.org (currently) resolves to the above address
            (86.68.96.225); why doesn't postfix get it?

            --
            Nicolas
          • Brian Evans - Postfix List
              Message 5 of 12, Aug 4, 2008
              Nicolas KOWALSKI wrote:
              > On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote:
              >
              >> Let me give this one a try... I *think* i see the problem...
              >>
              >> On 8/4/2008, Nicolas KOWALSKI (niko@...) wrote:
              >>
              >>> Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
              >>> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
              >>> unavailable; Client host [86.68.96.225] blocked using
              >>> zen.spamhaus.org;
              >>>
              >> THAT was the client...
              >>
              >> http://www.spamhaus.org/query/bl?ip=86.68.96.225;
              >>
              >>> from=<nicolas.kowalski@...> to=<niko@...>
              >>> proto=ESMTP helo=<demisel.dyndns.org>
              >>>
              >> THAT was the helo...
              >>
              >> So, you're trying to whitelist a client using its helo...
              >>
              >
              > But demisel.dyndns.org (currently) resolves to the above address
              > (86.68.96.225); why doesn't postfix get it?
              >
              This is how it works:
              Postfix receives a connect from an IP and does a lookup on that IP.
              See what it returns yourself with 'host 86.68.96.225'

              In your case, the client address was 225.96.68-86.rev.gaoland.net (which
              is an unqualified RDNS entry for a dynamic pool).
              This is the value that check_client_access can find (either name or IP).

              The client said 'EHLO demisel.dyndns.org'.
              This is the value that check_helo_access can find, though somewhat
              unreliable to whitelist.

              Brian
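As an added illustration of the lookup rules Brian describes in this message and of the evaluation order he pointed out in message 3, the following Python script is constructed for this page; it is not code from the thread or from Postfix. It models the access-table keys Postfix tries for check_client_access (the client's rDNS name and its parent domains, then the IP address and its shorter prefixes, as documented in access(5)) and for check_helo_access (the HELO name and its parent domains), and walks a restriction list in order the way smtpd does: the first OK or REJECT ends evaluation, DUNNO moves on. The client name, IP, HELO and the table entry are the values from the thread; the RBL hit is a local stand-in set (no DNS is queried), and the `unknown` client-name and HELO address-literal cases are not modelled.

```python
"""Constructed simulation of Postfix smtpd access lookups (not Postfix code).

Shows which keys check_client_access and check_helo_access look up and
why the thread's client_access entry, keyed on the HELO name, never fires
before reject_rbl_client rejects the session.
"""

# Stand-in for a zen.spamhaus.org listing; constructed, no DNS is done here.
RBL_LISTED = {"86.68.96.225"}

# Values taken from the rejected session logged in the thread.
CLIENT = {
    "name": "225.96.68-86.rev.gaoland.net",   # what rDNS returned for the IP
    "ip": "86.68.96.225",
    "helo": "demisel.dyndns.org",             # what the client said in EHLO
}


def domain_keys(name):
    """Keys tried for a hostname: the name itself, then each parent domain.
    (Postfix default: parent_domain_matches_subdomains includes smtpd_access_maps,
    so parents are looked up without a leading dot.)"""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def address_keys(ip):
    """Keys tried for an IPv4 client address: full address, then 3-, 2-, 1-octet prefixes."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def _lookup(table, keys):
    """First matching key wins; no match means DUNNO (keep evaluating)."""
    for key in keys:
        if key in table:
            return table[key], key
    return "DUNNO", None


def check_client_access(table):
    """check_client_access: keyed on the client's rDNS name or its IP address."""
    def restriction(client):
        return _lookup(table, domain_keys(client["name"]) + address_keys(client["ip"]))
    return restriction


def check_helo_access(table):
    """check_helo_access: keyed on the HELO/EHLO name the client announced."""
    def restriction(client):
        return _lookup(table, domain_keys(client["helo"]))
    return restriction


def reject_rbl_client(client):
    """Stand-in for 'reject_rbl_client zen.spamhaus.org' using the local set above."""
    if client["ip"] in RBL_LISTED:
        return "REJECT", client["ip"]
    return "DUNNO", None


def evaluate(restrictions, client):
    """Walk a restriction list in order; the first OK or REJECT decides.
    Returns (action, name of the deciding restriction, matched key)."""
    for name, fn in restrictions:
        action, key = fn(client)
        if action in ("OK", "REJECT"):
            return action, name, key
    return "DUNNO", None, None


# The poster's table: keyed on the HELO name but used with check_client_access.
CLIENT_ACCESS_AS_POSTED = {"demisel.dyndns.org": "OK"}


def as_posted(client=CLIENT):
    """check_client_access before the RBL check, exactly as in the thread."""
    return evaluate([
        ("check_client_access", check_client_access(CLIENT_ACCESS_AS_POSTED)),
        ("reject_rbl_client", reject_rbl_client),
    ], client)


def with_helo_check(client=CLIENT):
    """Charles's first option: the same entry used with check_helo_access."""
    return evaluate([
        ("check_helo_access", check_helo_access({"demisel.dyndns.org": "OK"})),
        ("reject_rbl_client", reject_rbl_client),
    ], client)


def with_client_ip(client=CLIENT):
    """Charles's second option: key the client table on the IP (only stable while the dynamic address holds)."""
    return evaluate([
        ("check_client_access", check_client_access({"86.68.96.225": "OK"})),
        ("reject_rbl_client", reject_rbl_client),
    ], client)


if __name__ == "__main__":
    print("client keys:", domain_keys(CLIENT["name"]) + address_keys(CLIENT["ip"]))
    print("helo keys:  ", domain_keys(CLIENT["helo"]))
    for label, fn in (("as posted", as_posted), ("helo check", with_helo_check), ("client IP", with_client_ip)):
        print(f"{label:>11}: {fn()}")
```

Run stand-alone, the script prints the two key lists side by side, which makes the mismatch visible at a glance: `demisel.dyndns.org` is among the HELO keys but not among the client keys, so `as_posted` ends in a REJECT from the RBL stand-in while the other two variants return OK before the RBL check is reached. The HELO variant inherits the weakness Brian notes (any client can announce that name), and the IP variant only holds while the dynamic address stays the same, which is why the thread ends up at SASL instead.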
            • Nicolas KOWALSKI
                Message 6 of 12, Aug 4, 2008
                On Mon, Aug 04, 2008 at 10:56:36AM -0400, Brian Evans - Postfix List wrote:
                > Nicolas KOWALSKI wrote:
                >> On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote:
                >>
                >>> On 8/4/2008, Nicolas KOWALSKI (niko@...) wrote:
                >>>
                >>>> Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
                >>>> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
                >>>> unavailable; Client host [86.68.96.225] blocked using
                >>>> zen.spamhaus.org;
                >>>>
                >>> THAT was the client...
                >>>
                >>> http://www.spamhaus.org/query/bl?ip=86.68.96.225;
                >>>
                >>>> from=<nicolas.kowalski@...> to=<niko@...>
                >>>> proto=ESMTP helo=<demisel.dyndns.org>
                >>>>
                >>> THAT was the helo...
                >>>
                >>> So, you're trying to whitelist a client using its helo...
                >>>
                >> But demisel.dyndns.org (currently) resolves to the above address
                >> (86.68.96.225); why doesn't postfix get it?
                > This is how it works:
                > Postfix receives a connect from an IP and does a lookup on that IP.
                > See what it returns yourself with 'host 86.68.96.225'
                >
                > In your case, the client address was 225.96.68-86.rev.gaoland.net (which
                > is an unqualified RDNS entry for a dynamic pool).
                > This is the value that check_client_access can find (either name or IP)

                Ok, I think I get it now.

                > The client said 'EHLO demisel.dyndns.org'.
                > This is the value that check_helo_access can find, though somewhat
                > unreliable to whitelist.

                I apparently have no other choice to whitelist-before-rbl such a
                dynamic pool's host.

                Thanks to all,
                --
                Nicolas
              • Brian Evans - Postfix List
                  Message 7 of 12, Aug 4, 2008
                  Nicolas KOWALSKI wrote:
                  >> The client said 'EHLO demisel.dyndns.org'.
                  >> This is the value that check_helo_access can find, though somewhat
                  >> unreliable to whitelist.
                  >>
                  >
                  > I apparently have no other choice to whitelist-before-rbl such a
                  > dynamic pool's host.
                  >
                  > Thanks to all,
                  >
                  A *better* way is to force them to authenticate using SASL.

                  See http://www.postfix.org/SASL_README.html
                  Postfix supports either Cyrus or Dovecot SASL.

                  Brian
                • Brian Evans - Postfix List
                    Message 8 of 12, Aug 4, 2008
                    Brian Evans - Postfix List wrote:
                    > Nicolas KOWALSKI wrote:
                    >>> The client said 'EHLO demisel.dyndns.org'.
                    >>> This is the value that check_helo_access can find, though somewhat
                    >>> unreliable to whitelist.
                    >>>
                    >>
                    >> I apparently have no other choice to whitelist-before-rbl such a
                    >> dynamic pool's host.
                    >>
                    >> Thanks to all,
                    >>
                    > A *better* way is to force them to authenticate using SASL.
                    >
                    > See http://www.postfix.org/SASL_README.html
                    > Postfix supports either Cyrus or Dovecot SASL.
                    >
                    > Brian
                    >
                    >
                    P.S. This is if you fully trust and know this host.
                  • Nicolas KOWALSKI
                      Message 9 of 12, Aug 4, 2008
                      On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote:
                      > Brian Evans - Postfix List wrote:
                      >> Nicolas KOWALSKI wrote:
                      >>>> The client said 'EHLO demisel.dyndns.org'.
                      >>>> This is the value that check_helo_access can find, though somewhat
                      >>>> unreliable to whitelist.
                      >>>
                      >>> I apparently have no other choice to whitelist-before-rbl such a
                      >>> dynamic pool's host.
                      >>>
                      >> A *better* way is to force them to authenticate using SASL.
                      >>
                      >> See http://www.postfix.org/SASL_README.html
                      >> Postfix supports either Cyrus or Dovecot SASL.
                      >>
                      > P.S. This is if you fully trust and know this host.

                      Yes, I fully trust this host. Actually, it is the mx backup for my home
                      server:

                      $ host petole.dyndns.org
                      petole.dyndns.org has address 87.90.240.206
                      petole.dyndns.org mail is handled by 10 demisel.dyndns.org.
                      petole.dyndns.org mail is handled by 5 petole.dyndns.org.

                      Can I use authentication for MX?

                      --
                      Nicolas
                    • Brian Evans - Postfix List
                        Message 10 of 12, Aug 4, 2008
                        Nicolas KOWALSKI wrote:
                        > On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote:
                        >
                        >>> A *better* way is to force them to authenticate using SASL.
                        >>> See http://www.postfix.org/SASL_README.html
                        >>> Postfix supports either Cyrus or Dovecot SASL.
                        >>>
                        >>>
                        >> P.S. This is if you fully trust and know this host.
                        >>
                        >
                        > Yes, I fully trust this host. Actually, it is the mx backup for my home
                        > server:
                        >
                        > $ host petole.dyndns.org
                        > petole.dyndns.org has address 87.90.240.206
                        > petole.dyndns.org mail is handled by 10 demisel.dyndns.org.
                        > petole.dyndns.org mail is handled by 5 petole.dyndns.org.
                        >
                        > Can I use authentication for MX?
                        >
                        >
                        I would highly recommend setting SASL up on both ends in this case. This
                        is much more secure and reliable than whitelisting a dynamic host.
                        See the above link for details.

                        If you implement this and have problems, please post logs and new
                        'postconf -n' to this list.

                        Brian
                      • Nicolas KOWALSKI
                          Message 11 of 12, Aug 5, 2008
                          On Mon, Aug 04, 2008 at 02:40:54PM -0400, Brian Evans - Postfix List wrote:
                          > Nicolas KOWALSKI wrote:
                          >> On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote:
                          >>
                          >>>> A *better* way is to force them to authenticate using SASL.
                          >>>> See http://www.postfix.org/SASL_README.html
                          >>>> Postfix supports either Cyrus or Dovecot SASL.
                          >>>>
                          >>> P.S. This is if you fully trust and know this host.
                          >>
                          >> Yes, I fully trust this host. Actually, it is the mx backup for my home
                          >> server:
                          >>
                          >> $ host petole.dyndns.org
                          >> petole.dyndns.org has address 87.90.240.206
                          >> petole.dyndns.org mail is handled by 10 demisel.dyndns.org.
                          >> petole.dyndns.org mail is handled by 5 petole.dyndns.org.
                          >>
                          >> Can I use authentication for MX?
                          >>
                          > I would highly recommend setting SASL up on both ends in this case. This
                          > is much more secure and reliable than whitelisting a dynamic host.
                          > See the above link for details.

                          Just to close this thread, we implemented SMTP AUTH over TLS between my
                          server and its secondary MX, and it works perfectly.

                          Thanks for your suggestions,
                          --
                          Nicolas