Loading ...
Sorry, an error occurred while loading the content.

Re: Whitelist a host using check_client_access before the rbl check?

Expand Messages
  • Brian Evans - Postfix List
    ... This will not fix the OP s issue because client_restrictions occur before recipient_restrictions. This also does not deny any hosts with the line you
    Message 1 of 12 , Aug 4, 2008
    • 0 Attachment
      Stan Hoeppner wrote:
      > Hello Nicolas,
      >
      > Try this:
      >
      > Remove 'check_client_access hash:/etc/postfix/client_access' from
      > smtpd_recipient_restrictions. Add the following line in main.cf
      > somewhere before/above smtpd_recipient_restrictions:
      >
      > smtpd_client_restrictions = hash:/etc/postfix/client_access
      >
      > And make sure you 'postmap /etc/postfix/client_access' any time you
      > make changes to the file. And obviously, 'postfix reload' whenever
      > you make changes to main.cf.

      This will not fix the OP's issue because client_restrictions occur
      before recipient_restrictions.
      This also does not deny any hosts with the line you posted above so it's
      really worthless, due to the implied permit at the end of the
      client_restrictions.

      Since the check fails in recipient_restrictions, an exception must be
      placed before the rbl_check there.

      As Charles already pointed out, he was simply using the wrong check,
      even though a HELO whitelist is somewhat dangerous to trust (easily forged).

      Brian
      >
      > Hope this helps.
      >
      > Stan
      >
      >
      >
      >
      > Nicolas KOWALSKI wrote:
      >> Hello,
      >>
      >> I would like to whitelist a specific host, because it is currently
      >> listed in the zen rbl, but I am unable to do so.
      >>
      >> Here is a sample log of the rejected host connecting to my postfix:
      >>
      >> Aug 4 14:17:17 petole postfix/smtpd[23545]: connect from
      >> 225.96.68-86.rev.gaoland.net[86.68.96.225]
      >> Aug 4 14:17:17 petole postfix/smtpd[23545]: setting up TLS
      >> connection from 225.96.68-86.rev.gaoland.net[86.68.96.225]
      >> Aug 4 14:17:17 petole postfix/smtpd[23545]: TLS connection
      >> established from 225.96.68-86.rev.gaoland.net[86.68.96.225]: TLSv1
      >> with cipher ADH-AES256-SHA (256/256 bits)
      >> Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
      >> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
      >> unavailable; Client host [86.68.96.225] blocked using
      >> zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.68.96.225;
      >> from=<nicolas.kowalski@...> to=<niko@...>
      >> proto=ESMTP helo=<demisel.dyndns.org>
      >> Aug 4 14:17:18 petole postfix/smtpd[23545]: disconnect from
      >> 225.96.68-86.rev.gaoland.net[86.68.96.225]
      >>
      >>
      >> - I added the following line (full postconf -n below) to the
      >> smtpd_recipient_restrictions, before the rbl check:
      >>
      >> check_client_access hash:/etc/postfix/client_access
      >>
      >>
      >> - /etc/postfix/client_access contains:
      >> demisel.dyndns.org OK
      >>
      >>
      >> - the full configuration:
      >>
      >>
    • Nicolas KOWALSKI
      ... But demisel.dyndns.org (currently) resolves to the above address (86.68.96.225) ; why doesn t postfix get it? -- Nicolas
      Message 2 of 12 , Aug 4, 2008
      • 0 Attachment
        On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote:
        > Let me give this one a try... I *think* i see the problem...
        >
        > On 8/4/2008, Nicolas KOWALSKI (niko@...) wrote:
        >> Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
        >> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
        >> unavailable; Client host [86.68.96.225] blocked using
        >> zen.spamhaus.org;
        >
        > THAT was the client...
        >
        > http://www.spamhaus.org/query/bl?ip=86.68.96.225;
        >> from=<nicolas.kowalski@...> to=<niko@...>
        >> proto=ESMTP helo=<demisel.dyndns.org>
        >
        > THAT was the helo...
        >
        > So, you're trying to whitelist a client using its helo...

        But demisel.dyndns.org (currently) resolves to the above address
        (86.68.96.225) ; why doesn't postfix get it?

        --
        Nicolas
      • Brian Evans - Postfix List
        ... This is how it works: Postfix receives a connect from an IP and does a lookup on that IP. See what it returns yourself with host 86.68.96.225 In your
        Message 3 of 12 , Aug 4, 2008
        • 0 Attachment
          Nicolas KOWALSKI wrote:
          > On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote:
          >
          >> Let me give this one a try... I *think* i see the problem...
          >>
          >> On 8/4/2008, Nicolas KOWALSKI (niko@...) wrote:
          >>
          >>> Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
          >>> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
          >>> unavailable; Client host [86.68.96.225] blocked using
          >>> zen.spamhaus.org;
          >>>
          >> THAT was the client...
          >>
          >> http://www.spamhaus.org/query/bl?ip=86.68.96.225;
          >>
          >>> from=<nicolas.kowalski@...> to=<niko@...>
          >>> proto=ESMTP helo=<demisel.dyndns.org>
          >>>
          >> THAT was the helo...
          >>
          >> So, you're trying to whitelist a client using its helo...
          >>
          >
          > But demisel.dyndns.org (currently) resolves to the above address
          > (86.68.96.225) ; why doesn't postfix get it?
          >
          This is how it works:
          Postfix receives a connect from an IP and does a lookup on that IP.
          See what it returns yourself with 'host 86.68.96.225'

          In your case, the client address was 225.96.68-86.rev.gaoland.net (which
          is a unqualified RDNS entry for a dynamic pool).
          This is the value that check_client_access can find (either name or IP)

          The client said 'EHLO demisel.dyndns.org'.
          This is the value that check_helo_access can find, though somewhat
          unreliable to whitelist.

          Brian
        • Nicolas KOWALSKI
          ... Ok, I think I get it now. ... I apparently have no other choices to whitelist-before-rbl such a dynamic pool s host. Thanks to all, -- Nicolas
          Message 4 of 12 , Aug 4, 2008
          • 0 Attachment
            On Mon, Aug 04, 2008 at 10:56:36AM -0400, Brian Evans - Postfix List wrote:
            > Nicolas KOWALSKI wrote:
            >> On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote:
            >>
            >>> On 8/4/2008, Nicolas KOWALSKI (niko@...) wrote:
            >>>
            >>>> Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
            >>>> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
            >>>> unavailable; Client host [86.68.96.225] blocked using
            >>>> zen.spamhaus.org;
            >>>>
            >>> THAT was the client...
            >>>
            >>> http://www.spamhaus.org/query/bl?ip=86.68.96.225;
            >>>
            >>>> from=<nicolas.kowalski@...> to=<niko@...>
            >>>> proto=ESMTP helo=<demisel.dyndns.org>
            >>>>
            >>> THAT was the helo...
            >>>
            >>> So, you're trying to whitelist a client using its helo...
            >>>
            >> But demisel.dyndns.org (currently) resolves to the above address
            >> (86.68.96.225) ; why doesn't postfix get it?
            > This is how it works:
            > Postfix receives a connect from an IP and does a lookup on that IP.
            > See what it returns yourself with 'host 86.68.96.225'
            >
            > In your case, the client address was 225.96.68-86.rev.gaoland.net (which
            > is a unqualified RDNS entry for a dynamic pool).
            > This is the value that check_client_access can find (either name or IP)

            Ok, I think I get it now.

            > The client said 'EHLO demisel.dyndns.org'.
            > This is the value that check_helo_access can find, though somewhat
            > unreliable to whitelist.

            I apparently have no other choices to whitelist-before-rbl such a
            dynamic pool's host.

            Thanks to all,
            --
            Nicolas
          • Brian Evans - Postfix List
            ... A *better* way is force them to Authenticate using SASL. See http://www.postfix.org/SASL_README.html Postfix supports either Cyrus or Dovecot SASL. Brian
            Message 5 of 12 , Aug 4, 2008
            • 0 Attachment
              Nicolas KOWALSKI wrote:
              >> The client said 'EHLO demisel.dyndns.org'.
              >> This is the value that check_helo_access can find, though somewhat
              >> unreliable to whitelist.
              >>
              >
              > I apparently have no other choices to whitelist-before-rbl such a
              > dynamic pool's host.
              >
              > Thanks to all,
              >
              A *better* way is force them to Authenticate using SASL.

              See http://www.postfix.org/SASL_README.html
              Postfix supports either Cyrus or Dovecot SASL.

              Brian
            • Brian Evans - Postfix List
              ... P.S. This is if you fully trust and know this host
              Message 6 of 12 , Aug 4, 2008
              • 0 Attachment
                Brian Evans - Postfix List wrote:
                > Nicolas KOWALSKI wrote:
                >>> The client said 'EHLO demisel.dyndns.org'.
                >>> This is the value that check_helo_access can find, though somewhat
                >>> unreliable to whitelist.
                >>>
                >>
                >> I apparently have no other choices to whitelist-before-rbl such a
                >> dynamic pool's host.
                >>
                >> Thanks to all,
                >>
                > A *better* way is force them to Authenticate using SASL.
                >
                > See http://www.postfix.org/SASL_README.html
                > Postfix supports either Cyrus or Dovecot SASL.
                >
                > Brian
                >
                >
                P.S. This is if you fully trust and know this host
              • Nicolas KOWALSKI
                ... Yes, I fully trust this host. Actually, it is the mx backup for my home server: $ host petole.dyndns.org petole.dyndns.org has address 87.90.240.206
                Message 7 of 12 , Aug 4, 2008
                • 0 Attachment
                  On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote:
                  > Brian Evans - Postfix List wrote:
                  >> Nicolas KOWALSKI wrote:
                  >>>> The client said 'EHLO demisel.dyndns.org'.
                  >>>> This is the value that check_helo_access can find, though somewhat
                  >>>> unreliable to whitelist.
                  >>>
                  >>> I apparently have no other choices to whitelist-before-rbl such a
                  >>> dynamic pool's host.
                  >>>
                  >> A *better* way is force them to Authenticate using SASL.
                  >>
                  >> See http://www.postfix.org/SASL_README.html
                  >> Postfix supports either Cyrus or Dovecot SASL.
                  >>
                  > P.S. This is if you fully trust and know this host

                  Yes, I fully trust this host. Actually, it is the mx backup for my home
                  server:

                  $ host petole.dyndns.org
                  petole.dyndns.org has address 87.90.240.206
                  petole.dyndns.org mail is handled by 10 demisel.dyndns.org.
                  petole.dyndns.org mail is handled by 5 petole.dyndns.org.

                  Can I use authentication for MX?

                  --
                  Nicolas
                • Brian Evans - Postfix List
                  ... I would highly recommend setting SASL up on both ends in this case. This is much more secure and reliable than whitelisting a dynamic host. See the above
                  Message 8 of 12 , Aug 4, 2008
                  • 0 Attachment
                    Nicolas KOWALSKI wrote:
                    > On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote:
                    >
                    >>> A *better* way is force them to Authenticate using SASL.
                    >>> See http://www.postfix.org/SASL_README.html
                    >>> Postfix supports either Cyrus or Dovecot SASL.
                    >>>
                    >>>
                    >> P.S. This is if you fully trust and know this host
                    >>
                    >
                    > Yes, I fully trust this host. Actually, it is the mx backup for my home
                    > server:
                    >
                    > $ host petole.dyndns.org
                    > petole.dyndns.org has address 87.90.240.206
                    > petole.dyndns.org mail is handled by 10 demisel.dyndns.org.
                    > petole.dyndns.org mail is handled by 5 petole.dyndns.org.
                    >
                    > Can I use authentication for MX?
                    >
                    >
                    I would highly recommend setting SASL up on both ends in this case. This
                    is much more secure and reliable than whitelisting a dynamic host.
                    See the above link for details.

                    If you implement this and have problems, please post logs and new
                    'postconf -n' to this list.

                    Brian
                  • Nicolas KOWALSKI
                    ... Just to close this thread, we implemented SMTP AUTH over TLS between my server and its secondary MX, and it works perfectly. Thanks for your suggestions,
                    Message 9 of 12 , Aug 5, 2008
                    • 0 Attachment
                      On Mon, Aug 04, 2008 at 02:40:54PM -0400, Brian Evans - Postfix List wrote:
                      > Nicolas KOWALSKI wrote:
                      >> On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote:
                      >>
                      >>>> A *better* way is force them to Authenticate using SASL.
                      >>>> See http://www.postfix.org/SASL_README.html
                      >>>> Postfix supports either Cyrus or Dovecot SASL.
                      >>>>
                      >>> P.S. This is if you fully trust and know this host
                      >>
                      >> Yes, I fully trust this host. Actually, it is the mx backup for my home
                      >> server:
                      >>
                      >> $ host petole.dyndns.org
                      >> petole.dyndns.org has address 87.90.240.206
                      >> petole.dyndns.org mail is handled by 10 demisel.dyndns.org.
                      >> petole.dyndns.org mail is handled by 5 petole.dyndns.org.
                      >>
                      >> Can I use authentication for MX?
                      >>
                      > I would highly recommend setting SASL up on both ends in this case. This
                      > is much more secure and reliable than whitelisting a dynamic host.
                      > See the above link for details.

                      Just to close this thread, we implemented SMTP AUTH over TLS between my
                      server and its secondary MX, and it works perfectly.

                      Thanks for your suggestions,
                      --
                      Nicolas
                    Your message has been successfully submitted and would be delivered to recipients shortly.