Re: check_client_access

  • mouss
    Message 1 of 17 , Feb 1, 2009
      Rocco Scappatura a écrit :
      >
      >
      > Mouss,
      >
      >>>> and your explanation was about a "receiver". That's 3 different
      >>>> things...
      >>> So.. What I have to do to block a message based on the receiver?
      >>>
      >> check_recipient_access.
      >>
      >>>> PS. it would be safer to put your check_sender_access in
      >>>> smtpd_sender_restrictions so that an error in your sql query doesn't
      >>>> make you an open relay.
      >>> Why is it safer? Could it have any side effect in my configuration? Thanks.
      >>>
      >> it's ok if you don't return "OK" in your map (Annie, are you OK?). but
      >> one day, you'll be tired and you'll add an entry to your map...
      >>
      >> this is why it is generally safer to put check_*_access after
      >> reject_unauth_destination in smtpd_recipient_restrictions, or to put
      >> them in other restrictions (latter if you want them to apply to both
      >> inbound and outbound mail).
      >
      > These are the restrictions in my main.cf file:
      >
      > smtpd_client_restrictions =
      > check_client_access
      > proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
      >
      > smtpd_helo_restrictions =
      > smtpd_sender_restrictions =
      >
      > smtpd_recipient_restrictions =
      > check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      > check_recipient_access
      > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
      > check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
      > permit_mynetworks
      > permit_sasl_authenticated
      > check_policy_service inet:127.0.0.1:54000
      > reject_unauth_destination
      > .
      > .
      > .
      >
      > How do I have to modify it so that I could block an email address either
      > if it is the sender or one of the recipients, AND whether the message is
      > incoming or outgoing?
      >
      > Maybe so (assuming that the action will never be "OK")...
      >
      > smtpd_client_restrictions =
      > check_client_access
      > proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
      >
      > smtpd_helo_restrictions =
      > smtpd_sender_restrictions =
      > check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      > check_recipient_access
      > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      >
      > smtpd_recipient_restrictions =
      > check_recipient_access
      > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

      this one is already in smtpd_sender_restrictions, so just remove it

      > check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf

      what's this for? it's already in smtpd_client_restrictions, so you may
      or may not need it here.


      > permit_mynetworks
      > permit_sasl_authenticated
      > check_policy_service inet:127.0.0.1:54000

      what's this for? you probably want to put this after
      reject_unauth_destination.

      remember: reject_unauth_destination is what prevents open relay. so
      avoid putting a lot of stuff before it, because you increase the risks.

      and reject_unauth_destination is a very safe and very cheap check, so it's
      good to have it as soon as possible.

      > reject_unauth_destination
      > .
      > .
      > .
      >
      > Or do you have another configuration to propose that is safer?
      >

      see above.

      as a general "rule of thumb", put anti-spam checks (I'm talking about
      inbound spam. outbound spam is a different subject) after
      reject_unauth_destination, and put "general restrictions" (that also
      apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
    • Rocco Scappatura
      Message 2 of 17 , Feb 1, 2009
        >> How do I have to modify it so that I could block an email address either
        >> if it is the sender or one of the recipients, AND whether the message is
        >> incoming or outgoing?
        >>
        >> Maybe so (assuming that the action will never be "OK")...
        >>
        >> smtpd_client_restrictions =
        >> check_client_access
        >> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
        >>
        >> smtpd_helo_restrictions =
        >> smtpd_sender_restrictions =
        >> check_sender_access
        >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
        >> check_recipient_access
        >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
        >>
        >> smtpd_recipient_restrictions =
        >> check_recipient_access
        >> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
        >
        > this one is already in smtpd_sender_restrictions, so just remove it
        >

        I can't remove it because this lookup returns "reject_unverified_address"
        for the domains that I maintain but for which I have no list of valid
        recipients:

        query = select restriction from domain where domain='%s'

        maybe could I put both lookups in smtpd_sender_restrictions?

        check_recipient_access
        proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
        proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

        is it ok?

        >> check_client_access
        >> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
        >
        > what's this for? it's already in smtpd_client_restrictions, so you may
        > or may not need it here.

        It integrates mynetworks (i.e. it returns "OK" if an IP is enabled to relay
        through my SMTP gateway). I need it.

        >
        >> permit_mynetworks
        >> permit_sasl_authenticated
        >> check_policy_service inet:127.0.0.1:54000
        >
        > what's this for? you probably want to put this after
        > reject_unauth_destination.

        postgrey

        >
        > remember: reject_unauth_destination is what prevents open relay. so
        > avoid putting a lot of stuff before it, because you increase the risks.
        >
        > and reject_unauth_destination is a very safe and very cheap check, so it's
        > good to have it as soon as possible.
        >
        >> reject_unauth_destination
        >> .
        >> .
        >> .
        >>
        >> Or do you have another configuration to propose that is safer?
        >>
        >
        > see above.
        >
        > as a general "rule of thumb", put anti-spam checks (I'm talking about
        > inbound spam. outbound spam is a different subject) after
        > reject_unauth_destination, and put "general restrictions" (that also
        > apply to your users) in one of smtpd_(client|helo|sender)_restrictions.

        thanks,

        rocsca
      • Rocco Scappatura
        Message 3 of 17 , Feb 1, 2009
          Sorry,

          >>> How do I have to modify it so that I could block an email address
          >>> either
          >>> if it is the sender or one of the recipients, AND whether the message is
          >>> incoming or outgoing?
          >>>
          >>> Maybe so (assuming that the action will never be "OK")...
          >>>
          >>> smtpd_client_restrictions =
          >>> check_client_access
          >>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
          >>>
          >>> smtpd_helo_restrictions =
          >>> smtpd_sender_restrictions =
          >>> check_sender_access
          >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
          >>> check_recipient_access
          >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
          >>>
          >>> smtpd_recipient_restrictions =
          >>> check_recipient_access
          >>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
          >>
          >> this one is already in smtpd_sender_restrictions, so just remove it
          >>
          >
          > I can't remove it because this lookup returns "reject_unverified_address"
          > for the domains that I maintain but for which I have no list of valid
          > recipients:
          >
          > query = select restriction from domain where domain='%s'
          >
          > maybe could I put both lookups in smtpd_sender_restrictions?
          >
          > check_recipient_access
          > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
          > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

          I'm saying:

          check_recipient_access
          proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
          proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

          >
          > is it ok?
          >
          >>> check_client_access
          >>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
          >>
          >> what's this for? it's already in smtpd_client_restrictions, so you may
          >> or may not need it here.
          >
          > It integrates mynetworks (i.e. it returns "OK" if an IP is enabled to relay
          > through my SMTP gateway). I need it.
          >
          >>
          >>> permit_mynetworks
          >>> permit_sasl_authenticated
          >>> check_policy_service inet:127.0.0.1:54000
          >>
          >> what's this for? you probably want to put this after
          >> reject_unauth_destination.
          >
          > postgrey
          >
          >>
          >> remember: reject_unauth_destination is what prevents open relay. so
          >> avoid putting a lot of stuff before it, because you increase the risks.
          >>
          >> and reject_unauth_destination is a very safe and very cheap check, so it's
          >> good to have it as soon as possible.
          >>
          >>> reject_unauth_destination
          >>> .
          >>> .
          >>> .
          >>>
          >>> Or do you have another configuration to propose that is safer?
          >>>
          >>
          >> see above.
          >>
          >> as a general "rule of thumb", put anti-spam checks (I'm talking about
          >> inbound spam. outbound spam is a different subject) after
          >> reject_unauth_destination, and put "general restrictions" (that also
          >> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
          >
          > thanks,
          >
          > rocsca
          >
          >
        • mouss
          Message 4 of 17 , Feb 1, 2009
            Rocco Scappatura a écrit :
            >
            > Sorry,
            >
            >>>> How do I have to modify it so that I could block an email address
            >>>> either
            >>>> if it is the sender or one of the recipients, AND whether the message is
            >>>> incoming or outgoing?
            >>>>
            >>>> Maybe so (assuming that the action will never be "OK")...
            >>>>
            >>>> smtpd_client_restrictions =
            >>>> check_client_access
            >>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
            >>>>
            >>>> smtpd_helo_restrictions =
            >>>> smtpd_sender_restrictions =
            >>>> check_sender_access
            >>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
            >>>> check_recipient_access
            >>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
            >>>>
            >>>> smtpd_recipient_restrictions =
            >>>> check_recipient_access
            >>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
            >>> this one is already in smtpd_sender_restrictions, so just remove it
            >>>
            >> I can't remove it

            sorry, I didn't notice that it was a different map.

            > because this lookup returns "reject_unverified_address"
            >> for the domains that I maintain but for which I have no list of valid
            >> recipients:
            >>
            >> query = select restriction from domain where domain='%s'
            >>
            >> maybe could I put both lookups in smtpd_sender_restrictions?
            >>

            yes.

            >> check_recipient_access
            >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
            >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
            >
            > I'm saying:
            >
            > check_recipient_access
            > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
            > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
            >

            check_foo_access checks only one map. so you need to do it like this:

            check_recipient_access
            proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
            check_recipient_access
            proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf


            >> is it ok?
            >>
            >>>> check_client_access
            >>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
            >>> what's this for? it's already in smtpd_client_restrictions, so you may
            >>> or may not need it here.
            >> It integrates mynetworks (i.e. it returns "OK" if an IP is enabled to relay
            >> through my SMTP gateway). I need it.
            >>

            that's ok.

            >>>> permit_mynetworks
            >>>> permit_sasl_authenticated
            >>>> check_policy_service inet:127.0.0.1:54000
            >>> what's this for? you probably want to put this after
            >>> reject_unauth_destination.
            >> postgrey
            >>

            then put it at the end. no point in greylisting a relay attempt.

            >>> remember: reject_unauth_destination is what prevents open relay. so
            >>> avoid putting a lot of stuff before it, because you increase the risks.
            >>>
            >>> and reject_unauth_destination is a very safe and very cheap check, so it's
            >>> good to have it as soon as possible.
            >>>
            >>>> reject_unauth_destination
            >>>> .
            >>>> .
            >>>> .
            >>>>
            >>>> Or do you have another configuration to propose that is safer?
            >>>>
            >>> see above.
            >>>
            >>> as a general "rule of thumb", put anti-spam checks (I'm talking about
            >>> inbound spam. outbound spam is a different subject) after
            >>> reject_unauth_destination, and put "general restrictions" (that also
            >>> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
            >> thanks,
            >>
            >> rocsca
            >>
            >>
            >
            >
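The two points mouss makes in this thread, that a check_*_access map returning "OK" is an open-relay hazard only when it sits before reject_unauth_destination, and that each check_foo_access consults exactly one table so two tables need two entries, can be seen in a toy model of how the SMTP server walks a restriction list. The code below is an added example and is not Postfix code or anything posted in the thread; it simplifies the real evaluation (no parent-domain or user@ matching, a set standing in for the address-verification probe, implicit permit at the end of the list), and every table, address and network in it is constructed sample data that stands in for the proxy:mysql: maps discussed above.

```python
OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

# Constructed sample data standing in for the thread's mysql: maps and settings.
LOCAL_DOMAINS = {"example.com"}                   # domains we accept mail for
MYNETWORKS = {"127.0.0.1", "192.0.2.10"}          # trusted relay clients
VALID_RECIPIENTS = {"alice@example.com", "blocked@example.com"}  # stand-in for the probe
SENDER_MAP = {"spammer@example.org": REJECT,
              "partner@example.net": OK}          # the "OK" entry mouss warns about
DOMAIN_MAP = {"example.com": "reject_unverified_address"}  # like the thread's domain table
RECIPIENT_MAP = {"blocked@example.com": REJECT}


def lookup(table, key):
    """check_*_access lookup, simplified: the full key, then the domain part.
    (Real Postfix also tries parent domains and the user@ form.)"""
    for k in (key, key.rpartition("@")[2]):
        if k in table:
            return table[k]
    return DUNNO


def apply_one(name, table, session):
    """Result of a single restriction for one SMTP session."""
    rcpt_domain = session["rcpt"].rpartition("@")[2]
    if name == "permit_mynetworks":
        return OK if session["client"] in MYNETWORKS else DUNNO
    if name == "reject_unauth_destination":
        return DUNNO if rcpt_domain in LOCAL_DOMAINS else REJECT
    if name == "reject_unverified_address":
        # Stand-in for the real address-verification probe.
        return DUNNO if session["rcpt"] in VALID_RECIPIENTS else REJECT
    if name == "check_client_access":
        return lookup(table, session["client"])
    if name == "check_sender_access":
        return lookup(table, session["sender"])
    if name == "check_recipient_access":
        return lookup(table, session["rcpt"])
    raise ValueError(f"unknown restriction {name!r}")


def evaluate(restrictions, session):
    """Walk the list left to right: OK or REJECT ends it, DUNNO moves on.
    A map value that is itself a restriction name (the thread's
    reject_unverified_address) is evaluated as that restriction.
    Returns (verdict, name of the restriction that decided)."""
    for item in restrictions:
        name, table = item if isinstance(item, tuple) else (item, None)
        result = apply_one(name, table, session)
        if result not in (OK, REJECT, DUNNO):
            result = apply_one(result, None, session)
        if result != DUNNO:
            return result, name
    return OK, "end of list"   # classic Postfix behaviour: implicit permit


RELAY_ATTEMPT = {"client": "203.0.113.5",        # not in MYNETWORKS
                 "sender": "partner@example.net",
                 "rcpt": "victim@example.org"}    # not one of our domains

RISKY = [("check_sender_access", SENDER_MAP),     # "OK" fires before the relay check
         "permit_mynetworks", "reject_unauth_destination"]
SAFE = ["permit_mynetworks", "reject_unauth_destination",
        ("check_sender_access", SENDER_MAP)]      # same map, after the relay check


def relay_risk():
    """Verdicts for the same relay attempt under both orderings."""
    return evaluate(RISKY, RELAY_ATTEMPT), evaluate(SAFE, RELAY_ATTEMPT)


# check_foo_access takes exactly one table, so two tables need two entries.
RECIPIENT_CHECKS = [("check_recipient_access", DOMAIN_MAP),
                    ("check_recipient_access", RECIPIENT_MAP)]


def recipient_verdicts():
    """Both tables are consulted in turn for three constructed recipients."""
    base = {"client": "203.0.113.5", "sender": "someone@example.net"}
    return tuple(evaluate(RECIPIENT_CHECKS, {**base, "rcpt": r})[0]
                 for r in ("alice@example.com", "nobody@example.com",
                           "blocked@example.com"))


if __name__ == "__main__":
    print("relay attempt:", relay_risk())
    print("recipients:", recipient_verdicts())
```

Running it shows the same sender map deciding "OK" for a foreign recipient under the RISKY order and never being reached under the SAFE order, where reject_unauth_destination has already answered; the recipient run shows alice passing both tables, nobody stopped by the domain table's reject_unverified_address, and blocked passing the first table but stopped by the second. Postfix 2.10 and later also evaluate a separate smtpd_relay_restrictions list, which keeps the relay decision apart from the anti-spam checks; the ordering argument above still applies within whichever list holds reject_unauth_destination.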
          • Rocco Scappatura
            Message 5 of 17 , Feb 1, 2009
              Mouss,

              >>>>> How do I have to modify it so that I could block an email address
              >>>>> either
              >>>>> if it is the sender or one of the recipients, AND whether the message
              >>>>> is
              >>>>> incoming or outgoing?
              >>>>>
              >>>>> Maybe so (assuming that the action will never be "OK")...
              >>>>>
              >>>>> smtpd_client_restrictions =
              >>>>> check_client_access
              >>>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
              >>>>>
              >>>>> smtpd_helo_restrictions =
              >>>>> smtpd_sender_restrictions =
              >>>>> check_sender_access
              >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
              >>>>> check_recipient_access
              >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
              >>>>>
              >>>>> smtpd_recipient_restrictions =
              >>>>> check_recipient_access
              >>>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
              >>>> this one is already in smtpd_sender_restrictions, so just remove it
              >>>>
              >>> I can't remove it
              >
              > sorry, I didn't notice that it was a different map.
              >
              >> because this lookup returns "reject_unverified_address"
              >>> for the domains that I maintain but for which I have no list of valid
              >>> recipients:
              >>>
              >>> query = select restriction from domain where domain='%s'
              >>>
              >>> maybe could I put both lookups in smtpd_sender_restrictions?
              >>>
              >
              > yes.
              >
              >>> check_recipient_access
              >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
              >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
              >>
              >> I'm saying:
              >>
              >> check_recipient_access
              >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
              >> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
              >>
              >
              > check_foo_access checks only one map. so you need to do it like this:
              >
              > check_recipient_access
              > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
              > check_recipient_access
              > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
              >
              >
              >>> is it ok?
              >>>
              >>>>> check_client_access
              >>>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
              >>>> what's this for? it's already in smtpd_client_restrictions, so you may
              >>>> or may not need it here.
              >>> It integrates mynetworks (i.e. it returns "OK" if an IP is enabled to relay
              >>> through my SMTP gateway). I need it.
              >>>
              >
              > that's ok.
              >
              >>>>> permit_mynetworks
              >>>>> permit_sasl_authenticated
              >>>>> check_policy_service inet:127.0.0.1:54000
              >>>> what's this for? you probably want to put this after
              >>>> reject_unauth_destination.
              >>> postgrey
              >>>
              >
              > then put it at the end. no point in greylisting a relay attempt.
              >
              >>>> remember: reject_unauth_destination is what prevents open relay. so
              >>>> avoid putting a lot of stuff before it, because you increase the
              >>>> risks.
              >>>>
              >>>> and reject_unauth_destination is a very safe and very cheap check, so
              >>>> it's
              >>>> good to have it as soon as possible.
              >>>>
              >>>>> reject_unauth_destination
              >>>>> .
              >>>>> .
              >>>>> .
              >>>>>
              >>>>> Or do you have another configuration to propose that is safer?
              >>>>>
              >>>> see above.
              >>>>
              >>>> as a general "rule of thumb", put anti-spam checks (I'm talking about
              >>>> inbound spam. outbound spam is a different subject) after
              >>>> reject_unauth_destination, and put "general restrictions" (that also
              >>>> apply to your users) in one of
              >>>> smtpd_(client|helo|sender)_restrictions.

              All works fine.. Annie is OK! ;-)

              Thanks,

              rocsca
            • Tolga
              Message 6 of 17 , Jul 22, 2012
                Hi,

                I have put this line in my main.cf

                check_client_access = cidr:/etc/postfix/sinokorea.cidr

                I then restarted postfix, but I can't see it in postconf -n. How come?

                For reference: my postconf -n output is:

                [root@vps ~]# postconf -n
                alias_database = hash:/etc/aliases
                alias_maps = hash:/etc/aliases
                append_dot_mydomain = no
                biff = no
                broken_sasl_auth_clients = yes
                config_directory = /etc/postfix
                html_directory = /usr/share/doc/postfix/html
                inet_interfaces = all
                mailbox_command = procmail -a "$EXTENSION"
                mailbox_size_limit = 0
                mydestination = localhost
                myhostname = mail.bilgisayarciniz.org
                mynetworks = 127.0.0.0/8 127.0.0.2/32 109.232.0.0/16
                myorigin = /etc/mailname
                readme_directory = /usr/share/doc/postfix
                recipient_delimiter = +
                relayhost =
                smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
                smtpd_recipient_restrictions = permit_sasl_authenticated,
                permit_mynetworks, reject_unauth_destination,
                reject_non_fqdn_hostname, reject_non_fqdn_sender,
                reject_non_fqdn_recipient, reject_unauth_pipelining,
                reject_invalid_hostname, reject_rbl_client sbl.spamhaus.org,
                reject_rbl_client xbl.spamhaus.org
                smtpd_sasl_auth_enable = yes
                smtpd_sasl_local_domain = $myhostname
                smtpd_sasl_path = private/auth
                smtpd_sasl_security_options = noanonymous
                smtpd_sasl_type = dovecot
                virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
                virtual_gid_maps = static:5000
                virtual_mailbox_base = /srv/vmail
                virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
                virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                virtual_minimum_uid = 100
                virtual_transport = virtual
                virtual_uid_maps = static:5000

                Regards,
              • Wietse Venema
                Message 7 of 17 , Jul 22, 2012
                  Tolga:
                  > Hi,
                  >
                  > I have put this line in my main.cf
                  >
                  > check_client_access = cidr:/etc/postfix/sinokorea.cidr

                  In Postfix 2.9, this will result in a warning:

                  postconf: warning: /etc/postfix/main.cf: unused parameter: check_client_access=cidr:/etc/postfix/sinokorea.cidr

                  And indeed check_client_access is not a parameter name. Instead, it
                  is used inside smtpd_recipient(etc) restrictions.

                  Wietse
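The mistake Wietse points out, a restriction name written as if it were a main.cf parameter, is easy to catch before postconf does. The following is an added example, not Wietse's code and not part of Postfix: it reads a main.cf the way postconf does (a line that starts with whitespace continues the previous parameter), lists keys that are restriction names rather than parameters, and moves such an entry into smtpd_recipient_restrictions directly after reject_unauth_destination, which is where mouss's rule of thumb earlier in the thread puts an anti-spam client check. The sample main.cf is constructed, modelled on Tolga's postconf -n output; the set of restriction names is a hand-picked subset, not the full Postfix list.

```python
# Added example: a small main.cf linter for restriction names used as parameters.
# The restriction-name set is a hand-picked subset (an assumption), not the full list.
RESTRICTION_NAMES = {
    "check_client_access", "check_helo_access", "check_sender_access",
    "check_recipient_access", "check_policy_service", "permit_mynetworks",
    "permit_sasl_authenticated", "reject_unauth_destination", "reject_rbl_client",
}

# Constructed sample, modelled on the thread (the .cidr path is the one from the thread).
SAMPLE_MAIN_CF = """\
# constructed sample main.cf
myhostname = mail.example.com
mynetworks = 127.0.0.0/8
check_client_access = cidr:/etc/postfix/sinokorea.cidr
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination,
    reject_rbl_client sbl.spamhaus.org
relayhost =
"""


def parse_main_cf(text):
    """Return {parameter: value}; a line beginning with whitespace continues
    the previous parameter, as postconf reads main.cf. Comments and blank
    lines are skipped; a non-continuation line without '=' is an error."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"malformed main.cf line: {raw!r}")
        current = key.strip()
        params[current] = value.strip()
    return params


def misplaced_restrictions(params):
    """Keys that are restriction names rather than parameters: these are what
    postconf reports as 'unused parameter' and Postfix silently ignores."""
    return sorted(k for k in params if k in RESTRICTION_NAMES)


def relocate(params, key="check_client_access", into="smtpd_recipient_restrictions"):
    """Drop the bogus parameter and append 'key value' to the restriction list,
    right after reject_unauth_destination if present, otherwise at the end.
    Assumes the list is comma-separated (Postfix also accepts whitespace)."""
    fixed = dict(params)
    value = fixed.pop(key)
    items = [i.strip() for i in fixed.get(into, "").split(",") if i.strip()]
    entry = f"{key} {value}"
    if "reject_unauth_destination" in items:
        items.insert(items.index("reject_unauth_destination") + 1, entry)
    else:
        items.append(entry)
    fixed[into] = ", ".join(items)
    return fixed


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    for k in misplaced_restrictions(cfg):
        print(f"warning: {k} is a restriction, not a parameter: {k}={cfg[k]}")
    print(relocate(cfg)["smtpd_recipient_restrictions"])
```

The relocated list reads permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_client_access cidr:/etc/postfix/sinokorea.cidr, reject_rbl_client sbl.spamhaus.org; the client table is consulted only after the relay decision has been made, so a stray "OK" in the .cidr file cannot turn the server into an open relay.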
                • Tolga
                  Message 8 of 17 , Jul 22, 2012
                    On 07/22/2012 03:12 PM, Wietse Venema wrote:
                    > Tolga:
                    >> Hi,
                    >>
                    >> I have put this line in my main.cf
                    >>
                    >> check_client_access = cidr:/etc/postfix/sinokorea.cidr
                    > In Postfix 2.9, this will result in a warning:
                    >
                    > postconf: warning: /etc/postfix/main.cf: unused parameter: check_client_access=cidr:/etc/postfix/sinokorea.cidr
                    >
                    > And indeed check_client_access is not a parameter name. Instead, it
                    > is used inside smtpd_recipient(etc) restrictions.
                    >
                    > Wietse
                    Thanks Wietse :)