Loading ...
Sorry, an error occurred while loading the content.
 

Re: Whitelist a host using check_client_access before the rbl check?

Expand Messages
  • Stan Hoeppner
    Hello Nicolas, Try this: Remove check_client_access hash:/etc/postfix/client_access from smtpd_recipient_restrictions. Add the following line in main.cf
    Message 1 of 12 , Aug 4, 2008
      Hello Nicolas,

      Try this:

      Remove 'check_client_access hash:/etc/postfix/client_access' from
      smtpd_recipient_restrictions. Add the following line in main.cf
      somewhere before/above smtpd_recipient_restrictions:

      smtpd_client_restrictions = hash:/etc/postfix/client_access

      And make sure you 'postmap /etc/postfix/client_access' any time you make
      changes to the file. And obviously, 'postfix reload' whenever you make
      changes to main.cf.

      Hope this helps.

      Stan




      Nicolas KOWALSKI wrote:
      > Hello,
      >
      > I would like to whitelist a specific host, because it is currently
      > listed in the zen rbl, but I am unable to do so.
      >
      > Here is a sample log of the rejected host connecting to my postfix:
      >
      > Aug 4 14:17:17 petole postfix/smtpd[23545]: connect from 225.96.68-86.rev.gaoland.net[86.68.96.225]
      > Aug 4 14:17:17 petole postfix/smtpd[23545]: setting up TLS connection from 225.96.68-86.rev.gaoland.net[86.68.96.225]
      > Aug 4 14:17:17 petole postfix/smtpd[23545]: TLS connection established from 225.96.68-86.rev.gaoland.net[86.68.96.225]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
      > Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service unavailable; Client host [86.68.96.225] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.68.96.225; from=<nicolas.kowalski@...> to=<niko@...> proto=ESMTP helo=<demisel.dyndns.org>
      > Aug 4 14:17:18 petole postfix/smtpd[23545]: disconnect from 225.96.68-86.rev.gaoland.net[86.68.96.225]
      >
      >
      > - I added the following line (full postconf -n below) to the
      > smtpd_recipient_restrictions, before the rbl check:
      >
      > check_client_access hash:/etc/postfix/client_access
      >
      >
      > - /etc/postfix/client_access contains:
      > demisel.dyndns.org OK
      >
      >
      > - the full configuration:
      >
      > petole:~# postconf -n
      > alias_maps = hash:/etc/aliases
      > append_dot_mydomain = no
      > config_directory = /etc/postfix
      > disable_mime_output_conversion = yes
      > header_checks = regexp:/etc/postfix/header_checks
      > inet_protocols = all
      > local_recipient_maps = hash:/etc/postfix/local_recipients, $alias_maps
      > mailbox_size_limit = 0
      > mailbox_transport = cyrus
      > maximal_queue_lifetime = 60d
      > message_size_limit = 0
      > mydestination = localhost, localhost.localdomain, petole, petole.lan, petole.dyndns.org, petole.demisel.net
      > mydomain = $myhostname
      > myhostname = petole.dyndns.org
      > relay_domains = demisel.dyndns.org
      > relay_recipient_maps = hash:/etc/postfix/relay_recipients
      > relayhost = [mail.club-internet.fr]
      > smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
      > smtp_tls_loglevel = 1
      > smtp_tls_security_level = may
      > smtpd_helo_required = yes
      > smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access hash:/etc/postfix/client_access, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname, reject_unknown_hostname, reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org, permit
      > smtpd_tls_cert_file = /etc/postfix/ssl/petole-crt.pem
      > smtpd_tls_key_file = /etc/postfix/ssl/petole-key.pem
      > smtpd_tls_loglevel = 1
      > smtpd_tls_received_header = yes
      > smtpd_tls_security_level = may
      > smtpd_tls_session_cache_timeout = 3600s
      >
      >
      >
      > Any help would be appreciated,
      >
      > Thanks,
    • Brian Evans - Postfix List
      ... This will not fix the OP s issue because client_restrictions occur before recipient_restrictions. This also does not deny any hosts with the line you
      Message 2 of 12 , Aug 4, 2008
        Stan Hoeppner wrote:
        > Hello Nicolas,
        >
        > Try this:
        >
        > Remove 'check_client_access hash:/etc/postfix/client_access' from
        > smtpd_recipient_restrictions. Add the following line in main.cf
        > somewhere before/above smtpd_recipient_restrictions:
        >
        > smtpd_client_restrictions = hash:/etc/postfix/client_access
        >
        > And make sure you 'postmap /etc/postfix/client_access' any time you
        > make changes to the file. And obviously, 'postfix reload' whenever
        > you make changes to main.cf.

        This will not fix the OP's issue because client_restrictions occur
        before recipient_restrictions.
        This also does not deny any hosts with the line you posted above so it's
        really worthless, due to the implied permit at the end of the
        client_restrictions.

        Since the check fails in recipient_restrictions, an exception must be
        placed before the rbl_check there.

        As Charles already pointed out, he was simply using the wrong check,
        even though a HELO whitelist is somewhat dangerous to trust (easily forged).

        Brian
        >
        > Hope this helps.
        >
        > Stan
        >
        >
        >
        >
        > Nicolas KOWALSKI wrote:
        >> Hello,
        >>
        >> I would like to whitelist a specific host, because it is currently
        >> listed in the zen rbl, but I am unable to do so.
        >>
        >> Here is a sample log of the rejected host connecting to my postfix:
        >>
        >> Aug 4 14:17:17 petole postfix/smtpd[23545]: connect from
        >> 225.96.68-86.rev.gaoland.net[86.68.96.225]
        >> Aug 4 14:17:17 petole postfix/smtpd[23545]: setting up TLS
        >> connection from 225.96.68-86.rev.gaoland.net[86.68.96.225]
        >> Aug 4 14:17:17 petole postfix/smtpd[23545]: TLS connection
        >> established from 225.96.68-86.rev.gaoland.net[86.68.96.225]: TLSv1
        >> with cipher ADH-AES256-SHA (256/256 bits)
        >> Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
        >> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
        >> unavailable; Client host [86.68.96.225] blocked using
        >> zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.68.96.225;
        >> from=<nicolas.kowalski@...> to=<niko@...>
        >> proto=ESMTP helo=<demisel.dyndns.org>
        >> Aug 4 14:17:18 petole postfix/smtpd[23545]: disconnect from
        >> 225.96.68-86.rev.gaoland.net[86.68.96.225]
        >>
        >>
        >> - I added the following line (full postconf -n below) to the
        >> smtpd_recipient_restrictions, before the rbl check:
        >>
        >> check_client_access hash:/etc/postfix/client_access
        >>
        >>
        >> - /etc/postfix/client_access contains:
        >> demisel.dyndns.org OK
        >>
        >>
        >> - the full configuration:
        >>
        >>
      • Nicolas KOWALSKI
        ... But demisel.dyndns.org (currently) resolves to the above address (86.68.96.225) ; why doesn t postfix get it? -- Nicolas
        Message 3 of 12 , Aug 4, 2008
          On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote:
          > Let me give this one a try... I *think* i see the problem...
          >
          > On 8/4/2008, Nicolas KOWALSKI (niko@...) wrote:
          >> Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
          >> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
          >> unavailable; Client host [86.68.96.225] blocked using
          >> zen.spamhaus.org;
          >
          > THAT was the client...
          >
          > http://www.spamhaus.org/query/bl?ip=86.68.96.225;
          >> from=<nicolas.kowalski@...> to=<niko@...>
          >> proto=ESMTP helo=<demisel.dyndns.org>
          >
          > THAT was the helo...
          >
          > So, you're trying to whitelist a client using its helo...

          But demisel.dyndns.org (currently) resolves to the above address
          (86.68.96.225) ; why doesn't postfix get it?

          --
          Nicolas
        • Brian Evans - Postfix List
          ... This is how it works: Postfix receives a connect from an IP and does a lookup on that IP. See what it returns yourself with host 86.68.96.225 In your
          Message 4 of 12 , Aug 4, 2008
            Nicolas KOWALSKI wrote:
            > On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote:
            >
            >> Let me give this one a try... I *think* i see the problem...
            >>
            >> On 8/4/2008, Nicolas KOWALSKI (niko@...) wrote:
            >>
            >>> Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
            >>> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
            >>> unavailable; Client host [86.68.96.225] blocked using
            >>> zen.spamhaus.org;
            >>>
            >> THAT was the client...
            >>
            >> http://www.spamhaus.org/query/bl?ip=86.68.96.225;
            >>
            >>> from=<nicolas.kowalski@...> to=<niko@...>
            >>> proto=ESMTP helo=<demisel.dyndns.org>
            >>>
            >> THAT was the helo...
            >>
            >> So, you're trying to whitelist a client using its helo...
            >>
            >
            > But demisel.dyndns.org (currently) resolves to the above address
            > (86.68.96.225) ; why doesn't postfix get it?
            >
            This is how it works:
            Postfix receives a connect from an IP and does a lookup on that IP.
            See what it returns yourself with 'host 86.68.96.225'

            In your case, the client address was 225.96.68-86.rev.gaoland.net (which
            is a unqualified RDNS entry for a dynamic pool).
            This is the value that check_client_access can find (either name or IP)

            The client said 'EHLO demisel.dyndns.org'.
            This is the value that check_helo_access can find, though somewhat
            unreliable to whitelist.

            Brian
          • Nicolas KOWALSKI
            ... Ok, I think I get it now. ... I apparently have no other choices to whitelist-before-rbl such a dynamic pool s host. Thanks to all, -- Nicolas
            Message 5 of 12 , Aug 4, 2008
              On Mon, Aug 04, 2008 at 10:56:36AM -0400, Brian Evans - Postfix List wrote:
              > Nicolas KOWALSKI wrote:
              >> On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote:
              >>
              >>> On 8/4/2008, Nicolas KOWALSKI (niko@...) wrote:
              >>>
              >>>> Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
              >>>> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
              >>>> unavailable; Client host [86.68.96.225] blocked using
              >>>> zen.spamhaus.org;
              >>>>
              >>> THAT was the client...
              >>>
              >>> http://www.spamhaus.org/query/bl?ip=86.68.96.225;
              >>>
              >>>> from=<nicolas.kowalski@...> to=<niko@...>
              >>>> proto=ESMTP helo=<demisel.dyndns.org>
              >>>>
              >>> THAT was the helo...
              >>>
              >>> So, you're trying to whitelist a client using its helo...
              >>>
              >> But demisel.dyndns.org (currently) resolves to the above address
              >> (86.68.96.225) ; why doesn't postfix get it?
              > This is how it works:
              > Postfix receives a connect from an IP and does a lookup on that IP.
              > See what it returns yourself with 'host 86.68.96.225'
              >
              > In your case, the client address was 225.96.68-86.rev.gaoland.net (which
              > is a unqualified RDNS entry for a dynamic pool).
              > This is the value that check_client_access can find (either name or IP)

              Ok, I think I get it now.

              > The client said 'EHLO demisel.dyndns.org'.
              > This is the value that check_helo_access can find, though somewhat
              > unreliable to whitelist.

              I apparently have no other choices to whitelist-before-rbl such a
              dynamic pool's host.

              Thanks to all,
              --
              Nicolas
            • Brian Evans - Postfix List
              ... A *better* way is force them to Authenticate using SASL. See http://www.postfix.org/SASL_README.html Postfix supports either Cyrus or Dovecot SASL. Brian
              Message 6 of 12 , Aug 4, 2008
                Nicolas KOWALSKI wrote:
                >> The client said 'EHLO demisel.dyndns.org'.
                >> This is the value that check_helo_access can find, though somewhat
                >> unreliable to whitelist.
                >>
                >
                > I apparently have no other choices to whitelist-before-rbl such a
                > dynamic pool's host.
                >
                > Thanks to all,
                >
                A *better* way is force them to Authenticate using SASL.

                See http://www.postfix.org/SASL_README.html
                Postfix supports either Cyrus or Dovecot SASL.

                Brian
              • Brian Evans - Postfix List
                ... P.S. This is if you fully trust and know this host
                Message 7 of 12 , Aug 4, 2008
                  Brian Evans - Postfix List wrote:
                  > Nicolas KOWALSKI wrote:
                  >>> The client said 'EHLO demisel.dyndns.org'.
                  >>> This is the value that check_helo_access can find, though somewhat
                  >>> unreliable to whitelist.
                  >>>
                  >>
                  >> I apparently have no other choices to whitelist-before-rbl such a
                  >> dynamic pool's host.
                  >>
                  >> Thanks to all,
                  >>
                  > A *better* way is force them to Authenticate using SASL.
                  >
                  > See http://www.postfix.org/SASL_README.html
                  > Postfix supports either Cyrus or Dovecot SASL.
                  >
                  > Brian
                  >
                  >
                  P.S. This is if you fully trust and know this host
                • Nicolas KOWALSKI
                  ... Yes, I fully trust this host. Actually, it is the mx backup for my home server: $ host petole.dyndns.org petole.dyndns.org has address 87.90.240.206
                  Message 8 of 12 , Aug 4, 2008
                    On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote:
                    > Brian Evans - Postfix List wrote:
                    >> Nicolas KOWALSKI wrote:
                    >>>> The client said 'EHLO demisel.dyndns.org'.
                    >>>> This is the value that check_helo_access can find, though somewhat
                    >>>> unreliable to whitelist.
                    >>>
                    >>> I apparently have no other choices to whitelist-before-rbl such a
                    >>> dynamic pool's host.
                    >>>
                    >> A *better* way is force them to Authenticate using SASL.
                    >>
                    >> See http://www.postfix.org/SASL_README.html
                    >> Postfix supports either Cyrus or Dovecot SASL.
                    >>
                    > P.S. This is if you fully trust and know this host

                    Yes, I fully trust this host. Actually, it is the mx backup for my home
                    server:

                    $ host petole.dyndns.org
                    petole.dyndns.org has address 87.90.240.206
                    petole.dyndns.org mail is handled by 10 demisel.dyndns.org.
                    petole.dyndns.org mail is handled by 5 petole.dyndns.org.

                    Can I use authentication for MX?

                    --
                    Nicolas
                  • Brian Evans - Postfix List
                    ... I would highly recommend setting SASL up on both ends in this case. This is much more secure and reliable than whitelisting a dynamic host. See the above
                    Message 9 of 12 , Aug 4, 2008
                      Nicolas KOWALSKI wrote:
                      > On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote:
                      >
                      >>> A *better* way is force them to Authenticate using SASL.
                      >>> See http://www.postfix.org/SASL_README.html
                      >>> Postfix supports either Cyrus or Dovecot SASL.
                      >>>
                      >>>
                      >> P.S. This is if you fully trust and know this host
                      >>
                      >
                      > Yes, I fully trust this host. Actually, it is the mx backup for my home
                      > server:
                      >
                      > $ host petole.dyndns.org
                      > petole.dyndns.org has address 87.90.240.206
                      > petole.dyndns.org mail is handled by 10 demisel.dyndns.org.
                      > petole.dyndns.org mail is handled by 5 petole.dyndns.org.
                      >
                      > Can I use authentication for MX?
                      >
                      >
                      I would highly recommend setting SASL up on both ends in this case. This
                      is much more secure and reliable than whitelisting a dynamic host.
                      See the above link for details.

                      If you implement this and have problems, please post logs and new
                      'postconf -n' to this list.

                      Brian
                    • Nicolas KOWALSKI
                      ... Just to close this thread, we implemented SMTP AUTH over TLS between my server and its secondary MX, and it works perfectly. Thanks for your suggestions,
                      Message 10 of 12 , Aug 5, 2008
                        On Mon, Aug 04, 2008 at 02:40:54PM -0400, Brian Evans - Postfix List wrote:
                        > Nicolas KOWALSKI wrote:
                        >> On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote:
                        >>
                        >>>> A *better* way is force them to Authenticate using SASL.
                        >>>> See http://www.postfix.org/SASL_README.html
                        >>>> Postfix supports either Cyrus or Dovecot SASL.
                        >>>>
                        >>> P.S. This is if you fully trust and know this host
                        >>
                        >> Yes, I fully trust this host. Actually, it is the mx backup for my home
                        >> server:
                        >>
                        >> $ host petole.dyndns.org
                        >> petole.dyndns.org has address 87.90.240.206
                        >> petole.dyndns.org mail is handled by 10 demisel.dyndns.org.
                        >> petole.dyndns.org mail is handled by 5 petole.dyndns.org.
                        >>
                        >> Can I use authentication for MX?
                        >>
                        > I would highly recommend setting SASL up on both ends in this case. This
                        > is much more secure and reliable than whitelisting a dynamic host.
                        > See the above link for details.

                        Just to close this thread, we implemented SMTP AUTH over TLS between my
                        server and its secondary MX, and it works perfectly.

                        Thanks for your suggestions,
                        --
                        Nicolas
                      Your message has been successfully submitted and would be delivered to recipients shortly.