
Re: check_client_access

  • Rocco Scappatura
    Message 1 of 17 , Feb 1, 2009
      Mouss,

      >>> and your explanation was about a "receiver". That's 3 different
      >>> things...
      >>
      >> So.. What I have to do to block a message based on the receiver?
      >>
      >
      > check_recipient_access.
      >
      >>> PS. it would be safer to put your check_sender_access in
      >>> smtpd_sender_restrictions so that an error in your sql query doesn't
      >>> make you an open relay.
      >>
      >> Why is it safer? Could it have any side effect in my configuration? Thanks.
      >>
      >
      > it's ok if you don't return "OK" in your map (Annie, are you OK?). but
      > one day, you'll be tired and you'll add an entry to your map...
      >
      > this is why it is generally safer to put check_*_access after
      > reject_unauth_destination in smtpd_recipient_restrictions, or to put
      > them in other restrictions (latter if you want them to apply to both
      > inbound and outbound mail).

      These are the restrictions in my main.cf file:

      smtpd_client_restrictions =
      check_client_access
      proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf

      smtpd_helo_restrictions =
      smtpd_sender_restrictions =

      smtpd_recipient_restrictions =
      check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      check_recipient_access
      proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
      check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
      permit_mynetworks
      permit_sasl_authenticated
      check_policy_service inet:127.0.0.1:54000
      reject_unauth_destination
      .
      .
      .

      How do I have to modify it so that I could block an email address either
      if it is the sender or one of the recipients, AND either if the message is
      incoming or outgoing?

      Maybe so (assuming that the action will never be "OK")...

      smtpd_client_restrictions =
      check_client_access
      proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf

      smtpd_helo_restrictions =
      smtpd_sender_restrictions =
      check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      check_recipient_access
      proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

      smtpd_recipient_restrictions =
      check_recipient_access
      proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
      check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
      permit_mynetworks
      permit_sasl_authenticated
      check_policy_service inet:127.0.0.1:54000
      reject_unauth_destination
      .
      .
      .

      Or do you have another configuration to propose that is safer?

      rocsca
    • mouss
      Message 2 of 17 , Feb 1, 2009
        Rocco Scappatura wrote:
        >
        >
        > Mouss,
        >
        >>>> and your explanation was about a "receiver". That's 3 different
        >>>> things...
        >>> So.. What I have to do to block a message based on the receiver?
        >>>
        >> check_recipient_access.
        >>
        >>>> PS. it would be safer to put your check_sender_access in
        >>>> smtpd_sender_restrictions so that an error in your sql query doesn't
        >>>> make you an open relay.
        >>> Why is it safer? Could it have any side effect in my configuration? Thanks.
        >>>
        >> it's ok if you don't return "OK" in your map (Annie, are you OK?). but
        >> one day, you'll be tired and you'll add an entry to your map...
        >>
        >> this is why it is generally safer to put check_*_access after
        >> reject_unauth_destination in smtpd_recipient_restrictions, or to put
        >> them in other restrictions (latter if you want them to apply to both
        >> inbound and outbound mail).
        >
        > These are the restrictions in my main.cf file:
        >
        > smtpd_client_restrictions =
        > check_client_access
        > proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
        >
        > smtpd_helo_restrictions =
        > smtpd_sender_restrictions =
        >
        > smtpd_recipient_restrictions =
        > check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
        > check_recipient_access
        > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
        > check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
        > permit_mynetworks
        > permit_sasl_authenticated
        > check_policy_service inet:127.0.0.1:54000
        > reject_unauth_destination
        > .
        > .
        > .
        >
        > How do I have to modify it so that I could block an email address either
        > if it is the sender or one of the recipients, AND either if the message is
        > incoming or outgoing?
        >
        > Maybe so (assuming that the action will never be "OK")...
        >
        > smtpd_client_restrictions =
        > check_client_access
        > proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
        >
        > smtpd_helo_restrictions =
        > smtpd_sender_restrictions =
        > check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
        > check_recipient_access
        > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
        >
        > smtpd_recipient_restrictions =
        > check_recipient_access
        > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

        this one is already in smtpd_sender_restrictions, so just remove it

        > check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf

        what's this for? it's already in smtpd_client_restrictions, so you may
        or may not need it here.


        > permit_mynetworks
        > permit_sasl_authenticated
        > check_policy_service inet:127.0.0.1:54000

        what's this for? you probably want to put this after
        reject_unauth_destination.

        remember: reject_unauth_destination is what prevents open relay. so
        avoid putting a lot of stuff before it, because you increase the risks.

        and reject_unauth_destination is a very safe and very cheap check, so it's
        good to have it as soon as possible.

        > reject_unauth_destination
        > .
        > .
        > .
        >
        > Or do you have another configuration to propose that is safer?
        >

        see above.

        as a general "rule of thumb", put anti-spam checks (I'm talking about
        inbound spam. outbound spam is a different subject) after
        reject_unauth_destination, and put "general restrictions" (that also
        apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
      • Rocco Scappatura
        Message 3 of 17 , Feb 1, 2009
          >> How do I have to modify it so that I could block an email address either
          >> if it is the sender or one of the recipients, AND either if the message is
          >> incoming or outgoing?
          >>
          >> Maybe so (assuming that the action will never be "OK")...
          >>
          >> smtpd_client_restrictions =
          >> check_client_access
          >> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
          >>
          >> smtpd_helo_restrictions =
          >> smtpd_sender_restrictions =
          >> check_sender_access
          >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
          >> check_recipient_access
          >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
          >>
          >> smtpd_recipient_restrictions =
          >> check_recipient_access
          >> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
          >
          > this one is already in smtpd_sender_restrictions, so just remove it
          >

          I can't remove it because this lookup returns "reject_unverified_address"
          for the domains that I maintain but for which I have no list of valid
          recipients:

          query = select restriction from domain where domain='%s'

          maybe could I put both lookups in smtpd_sender_restrictions?

          check_recipient_access
          proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
          proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

          is it ok?

          >> check_client_access
          >> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
          >
          > what's this for? it's already in smtpd_client_restrictions, so you may
          > or may not need it here.

          It integrates mynetworks (i.e.: returns "OK" if an IP is enabled to relay
          through my SMTP gateway). I need it.

          >
          >> permit_mynetworks
          >> permit_sasl_authenticated
          >> check_policy_service inet:127.0.0.1:54000
          >
          > what's this for? you probably want to put this after
          > reject_unauth_destination.

          postgrey

          >
          > remember: reject_unauth_destination is what prevents open relay. so
          > avoid putting a lot of stuff before it, because you increase the risks.
          >
          > and reject_unauth_destination is a very safe and very cheap check, so it's
          > good to have it as soon as possible.
          >
          >> reject_unauth_destination
          >> .
          >> .
          >> .
          >>
          >> Or do you have another configuration to propose that is safer?
          >>
          >
          > see above.
          >
          > as a general "rule of thumb", put anti-spam checks (I'm talking about
          > inbound spam. outbound spam is a different subject) after
          > reject_unauth_destination, and put "general restrictions" (that also
          > apply to your users) in one of smtpd_(client|helo|sender)_restrictions.

          thanks,

          rocsca
        • Rocco Scappatura
          Message 4 of 17 , Feb 1, 2009
            Sorry,

            >>> How do I have to modify it so that I could block an email address
            >>> either
            >>> if it is the sender or one of the recipients, AND either if the message is
            >>> incoming or outgoing?
            >>>
            >>> Maybe so (assuming that the action will never be "OK")...
            >>>
            >>> smtpd_client_restrictions =
            >>> check_client_access
            >>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
            >>>
            >>> smtpd_helo_restrictions =
            >>> smtpd_sender_restrictions =
            >>> check_sender_access
            >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
            >>> check_recipient_access
            >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
            >>>
            >>> smtpd_recipient_restrictions =
            >>> check_recipient_access
            >>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
            >>
            >> this one is already in smtpd_sender_restrictions, so just remove it
            >>
            >
            > I can't remove it because this lookup returns "reject_unverified_address"
            > for the domains that I maintain but for which I have no list of valid
            > recipients:
            >
            > query = select restriction from domain where domain='%s'
            >
            > maybe could I put both lookups in smtpd_sender_restrictions?
            >
            > check_recipient_access
            > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
            > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

            I'm saying:

            check_recipient_access
            proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
            proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

            >
            > is it ok?
            >
            >>> check_client_access
            >>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
            >>
            >> what's this for? it's already in smtpd_client_restrictions, so you may
            >> or may not need it here.
            >
            > It integrates mynetworks (i.e.: returns "OK" if an IP is enabled to relay
            > through my SMTP gateway). I need it.
            >
            >>
            >>> permit_mynetworks
            >>> permit_sasl_authenticated
            >>> check_policy_service inet:127.0.0.1:54000
            >>
            >> what's this for? you probably want to put this after
            >> reject_unauth_destination.
            >
            > postgrey
            >
            >>
            >> remember: reject_unauth_destination is what prevents open relay. so
            >> avoid putting a lot of stuff before it, because you increase the risks.
            >>
            >> and reject_unauth_destination is a very safe and very cheap check, so it's
            >> good to have it as soon as possible.
            >>
            >>> reject_unauth_destination
            >>> .
            >>> .
            >>> .
            >>>
            >>> Or do you have another configuration to propose that is safer?
            >>>
            >>
            >> see above.
            >>
            >> as a general "rule of thumb", put anti-spam checks (I'm talking about
            >> inbound spam. outbound spam is a different subject) after
            >> reject_unauth_destination, and put "general restrictions" (that also
            >> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
            >
            > thanks,
            >
            > rocsca
            >
            >
          • mouss
            Message 5 of 17 , Feb 1, 2009
              Rocco Scappatura wrote:
              >
              > Sorry,
              >
              >>>> How do I have to modify it so that I could block an email address
              >>>> either
              >>>> if it is the sender or one of the recipients, AND either if the message is
              >>>> incoming or outgoing?
              >>>>
              >>>> Maybe so (assuming that the action will never be "OK")...
              >>>>
              >>>> smtpd_client_restrictions =
              >>>> check_client_access
              >>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
              >>>>
              >>>> smtpd_helo_restrictions =
              >>>> smtpd_sender_restrictions =
              >>>> check_sender_access
              >>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
              >>>> check_recipient_access
              >>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
              >>>>
              >>>> smtpd_recipient_restrictions =
              >>>> check_recipient_access
              >>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
              >>> this one is already in smtpd_sender_restrictions, so just remove it
              >>>
              >> I can't remove it

              sorry, I didn't notice that it was a different map.

              > because this lookup returns "reject_unverified_address"
              >> for the domains that I maintain but for which I have no list of valid
              >> recipients:
              >>
              >> query = select restriction from domain where domain='%s'
              >>
              >> maybe could I put both lookups in smtpd_sender_restrictions?
              >>

              yes.

              >> check_recipient_access
              >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
              >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
              >
              > I'm saying:
              >
              > check_recipient_access
              > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
              > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
              >

              check_foo_access checks only one map. so you need to do it like this:

              check_recipient_access
              proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
              check_recipient_access
              proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf


              >> is it ok?
              >>
              >>>> check_client_access
              >>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
              >>> what's this for? it's already in smtpd_client_restrictions, so you may
              >>> or may not need it here.
              >> It integrates mynetworks (i.e.: returns "OK" if an IP is enabled to relay
              >> through my SMTP gateway). I need it.
              >>

              that's ok.

              >>>> permit_mynetworks
              >>>> permit_sasl_authenticated
              >>>> check_policy_service inet:127.0.0.1:54000
              >>> what's this for? you probably want to put this after
              >>> reject_unauth_destination.
              >> postgrey
              >>

              then put it at the end. no point to greylist a relay attempt.

              >>> remember: reject_unauth_destination is what prevents open relay. so
              >>> avoid putting a lot of stuff before it, because you increase the risks.
              >>>
              >>> and reject_unauth_destination is a very safe and very cheap check, so it's
              >>> good to have it as soon as possible.
              >>>
              >>>> reject_unauth_destination
              >>>> .
              >>>> .
              >>>> .
              >>>>
              >>>> Or do you have another configuration to propose that is safer?
              >>>>
              >>> see above.
              >>>
              >>> as a general "rule of thumb", put anti-spam checks (I'm talking about
              >>> inbound spam. outbound spam is a different subject) after
              >>> reject_unauth_destination, and put "general restrictions" (that also
              >>> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
              >> thanks,
              >>
              >> rocsca
              >>
              >>
              >
              >
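The point mouss makes in message 2 (an OK from an access map placed ahead of reject_unauth_destination in smtpd_recipient_restrictions skips the anti-relay check, while the same map in smtpd_sender_restrictions cannot, because OK ends only the list it is in) and in message 5 (each check_*_access consults exactly one map, and a policy service placed after reject_unauth_destination is never asked about a relay attempt) can be exercised with a small model of Postfix's evaluation rules. This is an added example, not code from the thread or from Postfix; the domain, network, addresses and access-map contents are constructed, and the restriction functions are simplified stand-ins for the real ones.

```python
"""Toy model of how Postfix smtpd walks its restriction lists (constructed
example, not Postfix code). With smtpd_delay_reject=yes (the default) every
list is evaluated at RCPT TO, in order. Inside a list the first non-DUNNO
result wins; OK ends only the current list, REJECT ends everything."""
from dataclasses import dataclass

OK, DUNNO, REJECT = "OK", "DUNNO", "REJECT"
MY_DOMAINS = {"example.com"}     # constructed: domains we accept mail for
MY_NETWORKS = {"192.0.2.10"}     # constructed: $mynetworks
POLICY_CALLS = []                # each consultation of the simulated policy daemon

@dataclass
class Session:
    client_ip: str
    sender: str
    recipient: str
    sasl_authenticated: bool = False

# Simplified built-in restrictions.
def permit_mynetworks(s):
    return OK if s.client_ip in MY_NETWORKS else DUNNO

def permit_sasl_authenticated(s):
    return OK if s.sasl_authenticated else DUNNO

def reject_unauth_destination(s):
    """The anti-relay check: reject unless the recipient domain is ours."""
    return DUNNO if s.recipient.rpartition("@")[2] in MY_DOMAINS else REJECT

def check_policy_service(s):
    """Stand-in for postgrey: record that it was asked, then answer DUNNO."""
    POLICY_CALLS.append(s.recipient)
    return DUNNO

# check_*_access: every instance consults exactly ONE access map.
def check_client_access(table):
    return lambda s: table.get(s.client_ip, DUNNO)

def check_sender_access(table):
    return lambda s: table.get(s.sender, DUNNO)

def check_recipient_access(table):
    return lambda s: table.get(s.recipient, DUNNO)

def evaluate_list(restrictions, s):
    for restriction in restrictions:
        result = restriction(s)
        if result != DUNNO:
            return result
    return DUNNO

def evaluate(lists, s):
    """lists: ordered (name, restrictions) pairs. Returns ("ACCEPT", None)
    or ("REJECT", name_of_the_list_that_rejected)."""
    for name, restrictions in lists:
        if evaluate_list(restrictions, s) == REJECT:
            return "REJECT", name
        # OK or DUNNO: Postfix continues with the next list.
    return "ACCEPT", None

def policy_calls_for(lists, s):
    """How often the policy service is consulted for one session."""
    del POLICY_CALLS[:]
    evaluate(lists, s)
    return len(POLICY_CALLS)

# Constructed access maps standing in for the proxy:mysql: tables in the
# thread. SENDER_MAP carries the stray "OK" entry mouss warns about.
SENDER_MAP = {"partner@partner.example": OK, "spammer@bad.example": REJECT}
RECIPIENT_MAP = {"blocked@elsewhere.example": REJECT}

# Layout from message 1: access maps and postgrey sit ahead of
# reject_unauth_destination inside smtpd_recipient_restrictions.
CONFIG_BEFORE = [
    ("smtpd_sender_restrictions", []),
    ("smtpd_recipient_restrictions", [
        check_sender_access(SENDER_MAP), check_recipient_access(RECIPIENT_MAP),
        permit_mynetworks, permit_sasl_authenticated,
        check_policy_service, reject_unauth_destination]),
]

# Layout mouss recommends: one check_*_access per map in
# smtpd_sender_restrictions, reject_unauth_destination as early as possible,
# the policy service after it.
CONFIG_AFTER = [
    ("smtpd_sender_restrictions", [
        check_sender_access(SENDER_MAP), check_recipient_access(RECIPIENT_MAP)]),
    ("smtpd_recipient_restrictions", [
        permit_mynetworks, permit_sasl_authenticated,
        reject_unauth_destination, check_policy_service]),
]

# Constructed sessions.
RELAY_VIA_OK_ENTRY = Session("198.51.100.7", "partner@partner.example", "victim@elsewhere.example")
RELAY_UNKNOWN_SENDER = Session("198.51.100.7", "nobody@other.example", "victim@elsewhere.example")
INBOUND = Session("198.51.100.7", "someone@other.example", "user@example.com")
OUTBOUND_TO_BLOCKED = Session("192.0.2.10", "user@example.com", "blocked@elsewhere.example")

if __name__ == "__main__":
    print(evaluate(CONFIG_BEFORE, RELAY_VIA_OK_ENTRY), evaluate(CONFIG_AFTER, RELAY_VIA_OK_ENTRY))
```

With the first layout the stray OK in the sender map turns the relay attempt into an accepted message; with the second, the OK only ends smtpd_sender_restrictions and reject_unauth_destination still fires. The recipient map rejects the blocked address for inbound and outbound mail in both layouts, and the policy stand-in is consulted for a relay attempt only when it precedes reject_unauth_destination.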
            • Rocco Scappatura
              Message 6 of 17 , Feb 1, 2009
                Mouss,

                >>>>> How do I have to modify it so that I could block an email address
                >>>>> either
                >>>>> if it is the sender or one of the recipients, AND either if the message
                >>>>> is
                >>>>> incoming or outgoing?
                >>>>>
                >>>>> Maybe so (assuming that the action will never be "OK")...
                >>>>>
                >>>>> smtpd_client_restrictions =
                >>>>> check_client_access
                >>>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
                >>>>>
                >>>>> smtpd_helo_restrictions =
                >>>>> smtpd_sender_restrictions =
                >>>>> check_sender_access
                >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                >>>>> check_recipient_access
                >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                >>>>>
                >>>>> smtpd_recipient_restrictions =
                >>>>> check_recipient_access
                >>>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                >>>> this one is already in smtpd_sender_restrictions, so just remove it
                >>>>
                >>> I can't remove it
                >
                > sorry, I didn't notice that it was a different map.
                >
                >> because this lookup returns "reject_unverified_address"
                >>> for the domains that I maintain but for which I have no list of valid
                >>> recipients:
                >>>
                >>> query = select restriction from domain where domain='%s'
                >>>
                >>> maybe could I put both lookups in smtpd_sender_restrictions?
                >>>
                >
                > yes.
                >
                >>> check_recipient_access
                >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
                >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                >>
                >> I'm saying:
                >>
                >> check_recipient_access
                >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
                >> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                >>
                >
                > check_foo_access checks only one map. so you need to do it like this:
                >
                > check_recipient_access
                > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                > check_recipient_access
                > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                >
                >
                >>> is it ok?
                >>>
                >>>>> check_client_access
                >>>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
                >>>> what's this for? it's already in smtpd_client_restrictions, so you may
                >>>> or may not need it here.
                >>> It integrates mynetworks (i.e.: returns "OK" if an IP is enabled to relay
                >>> through my SMTP gateway). I need it.
                >>>
                >
                > that's ok.
                >
                >>>>> permit_mynetworks
                >>>>> permit_sasl_authenticated
                >>>>> check_policy_service inet:127.0.0.1:54000
                >>>> what's this for? you probably want to put this after
                >>>> reject_unauth_destination.
                >>> postgrey
                >>>
                >
                > then put it at the end. no point to greylist a relay attempt.
                >
                >>>> remember: reject_unauth_destination is what prevents open relay. so
                >>>> avoid putting a lot of stuff before it, because you increase the
                >>>> risks.
                >>>>
                >>>> and reject_unauth_destination is a very safe and very cheap check, so
                >>>> it's
                >>>> good to have it as soon as possible.
                >>>>
                >>>>> reject_unauth_destination
                >>>>> .
                >>>>> .
                >>>>> .
                >>>>>
                >>>>> Or do you have another configuration to propose that is safer?
                >>>>>
                >>>> see above.
                >>>>
                >>>> as a general "rule of thumb", put anti-spam checks (I'm talking about
                >>>> inbound spam. outbound spam is a different subject) after
                >>>> reject_unauth_destination, and put "general restrictions" (that also
                >>>> apply to your users) in one of
                >>>> smtpd_(client|helo|sender)_restrictions.

                All works fine.. Annie is OK! ;-)

                Thanks,

                rocsca
              • Tolga
                Message 7 of 17 , Jul 22, 2012
                  Hi,

                  I have put a line in my main.cf

                  check_client_access = cidr:/etc/postfix/sinokorea.cidr

                  I then restarted postfix, but I can't see it in postconf -n. How come?

                  For reference: my postconf -n output is:

                  [root@vps ~]# postconf -n
                  alias_database = hash:/etc/aliases
                  alias_maps = hash:/etc/aliases
                  append_dot_mydomain = no
                  biff = no
                  broken_sasl_auth_clients = yes
                  config_directory = /etc/postfix
                  html_directory = /usr/share/doc/postfix/html
                  inet_interfaces = all
                  mailbox_command = procmail -a "$EXTENSION"
                  mailbox_size_limit = 0
                  mydestination = localhost
                  myhostname = mail.bilgisayarciniz.org
                  mynetworks = 127.0.0.0/8 127.0.0.2/32 109.232.0.0/16
                  myorigin = /etc/mailname
                  readme_directory = /usr/share/doc/postfix
                  recipient_delimiter = +
                  relayhost =
                  smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
                  smtpd_recipient_restrictions = permit_sasl_authenticated,
                  permit_mynetworks, reject_unauth_destination,
                  reject_non_fqdn_hostname, reject_non_fqdn_sender,
                  reject_non_fqdn_recipient, reject_unauth_pipelining,
                  reject_invalid_hostname, reject_rbl_client sbl.spamhaus.org,
                  reject_rbl_client xbl.spamhaus.org
                  smtpd_sasl_auth_enable = yes
                  smtpd_sasl_local_domain = $myhostname
                  smtpd_sasl_path = private/auth
                  smtpd_sasl_security_options = noanonymous
                  smtpd_sasl_type = dovecot
                  virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
                  virtual_gid_maps = static:5000
                  virtual_mailbox_base = /srv/vmail
                  virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
                  virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                  virtual_minimum_uid = 100
                  virtual_transport = virtual
                  virtual_uid_maps = static:5000

                  Regards,
                • Wietse Venema
                  Message 8 of 17 , Jul 22, 2012
                    Tolga:
                    > Hi,
                    >
                    > I have put a line in my main.cf
                    >
                    > check_client_access = cidr:/etc/postfix/sinokorea.cidr

                    In Postfix 2.9, this will result in a warning:

                    postconf: warning: /etc/postfix/main.cf: unused parameter: check_client_access=cidr:/etc/postfix/sinokorea.cidr

                    And indeed check_client_access is not a parameter name. Instead, it
                    is used inside smtpd_recipient(etc) restrictions.

                    Wietse
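Both mistakes discussed in this thread, a restriction name written as a main.cf parameter (Wietse's "unused parameter" warning above) and access-map or policy-service checks placed ahead of reject_unauth_destination (mouss's rule of thumb earlier), can be caught by a lint pass over main.cf before Postfix is reloaded. The following is an added example, not Postfix code or a tool from the list; the main.cf fragments are constructed, the set of recognised restriction names is limited to those that appear in this thread, and the lint assumes the layout used here, where relay control lives in smtpd_recipient_restrictions.

```python
"""Lint a Postfix main.cf fragment for two mistakes discussed in this thread
(constructed example, not a Postfix tool): a restriction name used as a
parameter, and access-map / policy-service checks placed ahead of
reject_unauth_destination in smtpd_recipient_restrictions."""
import re

# Restriction names that appear in this thread; only these are recognised.
RESTRICTION_NAMES = {
    "check_client_access", "check_sender_access", "check_recipient_access",
    "check_policy_service", "permit_mynetworks", "permit_sasl_authenticated",
    "reject_unauth_destination",
}
# Restrictions that take one argument (an access map or a service endpoint).
WITH_ARGUMENT = {"check_client_access", "check_sender_access",
                 "check_recipient_access", "check_policy_service"}


def parse_main_cf(text):
    """Return {parameter: value}. As in Postfix, a line that starts with
    whitespace continues the previous parameter's value; '#' lines are comments."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"not a parameter line: {raw!r}")
        current = name.strip()
        params[current] = value.strip()
    return params


def split_restrictions(value):
    """Turn a restriction-list value into [(restriction, argument_or_None)].
    Entries may be separated by commas and/or whitespace."""
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    entries, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        if name in WITH_ARGUMENT and i + 1 < len(tokens):
            entries.append((name, tokens[i + 1]))
            i += 2
        else:
            entries.append((name, None))
            i += 1
    return entries


def lint(text):
    """Return a list of human-readable findings (empty when nothing was found)."""
    findings = []
    params = parse_main_cf(text)
    # 1. A restriction name on the left of '=' is not a parameter; Postfix
    #    ignores it and (from 2.9) postconf reports it as unused.
    for name in params:
        if name in RESTRICTION_NAMES:
            findings.append(f"unused parameter: {name} (restrictions belong "
                            "inside an smtpd_*_restrictions list)")
    # 2. Anything that can answer OK ahead of reject_unauth_destination can
    #    turn a relay attempt into an accepted message; review each one.
    entries = split_restrictions(params.get("smtpd_recipient_restrictions", ""))
    names = [n for n, _ in entries]
    if "reject_unauth_destination" in names:
        for name, arg in entries[:names.index("reject_unauth_destination")]:
            if name in WITH_ARGUMENT:
                findings.append(f"{name} {arg} runs before reject_unauth_destination; "
                                "an OK from it would permit relaying")
    elif entries:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
    return findings


# Constructed main.cf fragment combining the two situations from the thread.
SAMPLE_MAIN_CF = """\
# constructed sample, not a real server
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 192.0.2.0/24
check_client_access = cidr:/etc/postfix/blocked-clients.cidr
smtpd_recipient_restrictions =
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf,
    permit_mynetworks, permit_sasl_authenticated,
    check_policy_service inet:127.0.0.1:54000,
    reject_unauth_destination
"""

# The same server after following the advice in the thread.
FIXED_MAIN_CF = """\
smtpd_sender_restrictions =
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
smtpd_recipient_restrictions =
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
    check_policy_service inet:127.0.0.1:54000
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_MAIN_CF):
        print("warning:", finding)
    print("fixed config findings:", lint(FIXED_MAIN_CF))
```

The second check is a prompt for review rather than a verdict: Rocco's check_client_access map deliberately returns OK for hosts allowed to relay, which mouss accepted, so a flagged entry is correct when the map is meant to grant relaying and wrong when it is only meant to reject.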
                  • Tolga
                    Message 9 of 17 , Jul 22, 2012
                      On 07/22/2012 03:12 PM, Wietse Venema wrote:
                      > Tolga:
                      >> Hi,
                      >>
                      >> I have put a line in my main.cf
                      >>
                      >> check_client_access = cidr:/etc/postfix/sinokorea.cidr
                      > In Postfix 2.9, this will result in a warning:
                      >
                      > postconf: warning: /etc/postfix/main.cf: unused parameter: check_client_access=cidr:/etc/postfix/sinokorea.cidr
                      >
                      > And indeed check_client_access is not a parameter name. Instead, it
                      > is used inside smtpd_recipient(etc) restrictions.
                      >
                      > Wietse
                      Thanks Wietse :)