smtpd_restrictions sanity check

  • Alex
    Message 1 of 6, Oct 31, 2009
      Hi all,

      Hopefully I don't have the most frequently asked question, but I'm
      spinning my wheels and perhaps followed some bad advice. I hoped
      someone could look over my recipient restrictions to see if I'm making
      some kind of mistake:

      smtpd_recipient_restrictions =
      reject_invalid_hostname,
      reject_non_fqdn_hostname,
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      reject_unknown_sender_domain,
      reject_unknown_recipient_domain,
      reject_unauth_pipelining,
      check_client_access hash:/etc/postfix/client_checks,
      check_recipient_access pcre:/etc/postfix/relay_recips_checks,
      check_helo_access hash:/etc/postfix/helo_checks,
      check_sender_access hash:/etc/postfix/sender_checks,
      check_sender_access hash:/etc/postfix/disallow_my_domain,
      permit_mynetworks,
      check_recipient_access pcre:/etc/postfix/recipient_checks,
      reject_unauth_destination,
      reject_maps_rbl,
      permit

      I originally had permit_mynetworks further up, but it seems
      client_checks was then being ignored, despite the client not being on
      my network.

      I'm now trying to provide a mail server that is not part of my
      networks to my network.

      I also have a handful of cron scripts that run on this remote network
      that send mail to my network, but with internal hostnames that aren't
      resolvable once they reach my network. Do I just add them to my
      postfix hosts file or is there a way to avoid checking the hostname
      (sender access?) so they aren't rejected with "Sender address
      rejected: Domain not found"?

      Thanks,
      Alex
    • Sahil Tandon
      Message 2 of 6, Oct 31, 2009
        On Sat, 31 Oct 2009, Alex wrote:

        > smtpd_recipient_restrictions =
        > reject_invalid_hostname,
        > reject_non_fqdn_hostname,
        > reject_non_fqdn_sender,
        > reject_non_fqdn_recipient,
        > reject_unknown_sender_domain,
        > reject_unknown_recipient_domain,
        > reject_unauth_pipelining,
        > check_client_access hash:/etc/postfix/client_checks,
        > check_recipient_access pcre:/etc/postfix/relay_recips_checks,
        > check_helo_access hash:/etc/postfix/helo_checks,
        > check_sender_access hash:/etc/postfix/sender_checks,
        > check_sender_access hash:/etc/postfix/disallow_my_domain,
        > permit_mynetworks,
        > check_recipient_access pcre:/etc/postfix/recipient_checks,
        > reject_unauth_destination,

        Place this higher so you can sooner reject unauthorized relay attempts.

        > reject_maps_rbl,
        > permit

        This is unnecessary; remove it.

        > I originally had permit_mynetworks further up, but it seems
        > client_checks was then being ignored, despite the client not being on
        > my network.

        This is not how Postfix works, so you borked something, somewhere else
        in your configuration. Instead of showing a snippet of your main.cf,
        paste the entire output of 'postconf -n' and logging that corresponds to
        your problem description.

        > I also have a handful of cron scripts that run on this remote network
        > that send mail to my network, but with internal hostnames that aren't
        > resolvable once they reach my network. Do I just add them to my
        > postfix hosts file or is there a way to avoid checking the hostname
        > (sender access?) so they aren't rejected with "Sender address
        > rejected: Domain not found"?

        Add them to a whitelist and consult that whitelist (with
        check_client_access) before rejecting unknown (or non-fqdn) sender
        domains.

        --
        Sahil Tandon <sahil@...>
      • Ralf Hildebrandt
        Message 3 of 6, Nov 1, 2009
          * Alex <mysqlstudent@...>:

          > reject_maps_rbl,

          That's deprecated, for years.

          --
          Ralf Hildebrandt
          Geschäftsbereich IT | Abteilung Netzwerk
          Charité - Universitätsmedizin Berlin
          Campus Benjamin Franklin
          Hindenburgdamm 30 | D-12203 Berlin
          Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
          ralf.hildebrandt@... | http://www.charite.de
        • mouss
          Message 4 of 6, Nov 1, 2009
            Alex wrote:
            > Hi all,
            >
            > Hopefully I don't have the most frequently asked question, but I'm
            > spinning my wheels and perhaps followed some bad advice. I hoped
            > someone could look over my recipient restrictions to see if I'm making
            > some kind of mistake:
            >
            > smtpd_recipient_restrictions =
            > reject_invalid_hostname,
            > reject_non_fqdn_hostname,
            > reject_non_fqdn_sender,
            > reject_non_fqdn_recipient,
            > reject_unknown_sender_domain,
            > reject_unknown_recipient_domain,
            > reject_unauth_pipelining,
            > check_client_access hash:/etc/postfix/client_checks,
            > check_recipient_access pcre:/etc/postfix/relay_recips_checks,
            > check_helo_access hash:/etc/postfix/helo_checks,
            > check_sender_access hash:/etc/postfix/sender_checks,
            > check_sender_access hash:/etc/postfix/disallow_my_domain,
            > permit_mynetworks,
            > check_recipient_access pcre:/etc/postfix/recipient_checks,
            > reject_unauth_destination,
            > reject_maps_rbl,
            > permit
            >


            smtpd_recipient_restrictions =
            reject_non_fqdn_sender
            reject_non_fqdn_recipient
            permit_mynetworks
            #permit_sasl_authenticated
            reject_unauth_destination
            #
            reject_invalid_hostname
            reject_non_fqdn_hostname
            reject_unknown_sender_domain
            #
            check_client_access hash:/etc/postfix/client_checks
            check_recipient_access pcre:/etc/postfix/relay_recips_checks
            check_helo_access hash:/etc/postfix/helo_checks
            check_sender_access hash:/etc/postfix/sender_checks
            check_sender_access hash:/etc/postfix/disallow_my_domain
            check_recipient_access pcre:/etc/postfix/recipient_checks
            #
            reject_rbl_client zen.spamhaus.org
            > I originally had permit_mynetworks further up, but it seems
            > client_checks was then being ignored, despite the client not being on
            > my network.
            >
            > I'm now trying to provide a mail server that is not part of my
            > networks to my network.
            >
            > I also have a handful of cron scripts that run on this remote network
            > that send mail to my network, but with internal hostnames that aren't
            > resolvable once they reach my network. Do I just add them to my
            > postfix hosts file or is there a way to avoid checking the hostname
            > (sender access?) so they aren't rejected with "Sender address
            > rejected: Domain not found"?
            >
            > Thanks,
            > Alex
          • Alex
            Message 5 of 6, Nov 1, 2009
              Hi,

              > smtpd_recipient_restrictions =
              >        reject_non_fqdn_sender
              >        reject_non_fqdn_recipient
              >        permit_mynetworks
              >        #permit_sasl_authenticated
              >        reject_unauth_destination
              >        #
              >        reject_invalid_hostname
              >        reject_non_fqdn_hostname
              >        reject_unknown_sender_domain
              >        #
              >        check_client_access hash:/etc/postfix/client_checks
              >        check_recipient_access pcre:/etc/postfix/relay_recips_checks
              >        check_helo_access hash:/etc/postfix/helo_checks
              >        check_sender_access hash:/etc/postfix/sender_checks
              >        check_sender_access hash:/etc/postfix/disallow_my_domain
              >        check_recipient_access pcre:/etc/postfix/recipient_checks
              >        #
              >        reject_rbl_client zen.spamhaus.org

              How about pop-before-smtp? Would I add the check_client_access
              immediately after permit_mynetworks above?

              Will this configuration above prevent DSL or cable users without
              reverse, only forward DNS from being accepted? I keep receiving the
              following:

              Nov 1 15:34:42 smtp01 postfix/smtpd[28620]: warning: 67.142.235.122:
              hostname host6714200122235.direcway.com verification failed: Host not
              found

              The IP is in the popb4smtp db, but they still receive a relaying denied message:

              Nov 1 14:32:44 smtp01 postfix/smtpd[23790]: reject: RCPT from
              unknown[67.142.235.122]: 554 <John@...>: Relay access denied;
              from=<joe3135@...> to=<John@...>

              Thanks so much.
              Best regards,
              Alex
            • mouss
              Message 6 of 6, Nov 1, 2009
                Alex wrote:
                > Hi,
                >
                >> smtpd_recipient_restrictions =
                >> reject_non_fqdn_sender
                >> reject_non_fqdn_recipient
                >> permit_mynetworks
                >> #permit_sasl_authenticated
                >> reject_unauth_destination
                >> #
                >> reject_invalid_hostname
                >> reject_non_fqdn_hostname
                >> reject_unknown_sender_domain
                >> #
                >> check_client_access hash:/etc/postfix/client_checks
                >> check_recipient_access pcre:/etc/postfix/relay_recips_checks
                >> check_helo_access hash:/etc/postfix/helo_checks
                >> check_sender_access hash:/etc/postfix/sender_checks
                >> check_sender_access hash:/etc/postfix/disallow_my_domain
                >> check_recipient_access pcre:/etc/postfix/recipient_checks
                >> #
                >> reject_rbl_client zen.spamhaus.org
                >
                > How about pop-before-smtp? Would I add the check_client_access
                > immediately after permit_mynetworks above?
                >

                Yes, but it is worth investing your time to implement SASL instead.

                If you use pop before smtp, use a dedicated file and use it before
                reject_unauth_destination (so that they can relay).

                > Will this configuration above prevent DSL or cable users without
                > reverse, only forward DNS from being accepted? I keep receiving the
                > following:
                >
                > Nov 1 15:34:42 smtp01 postfix/smtpd[28620]: warning: 67.142.235.122:
                > hostname host6714200122235.direcway.com verification failed: Host not
                > found
                >

                This is only informational.

                > The IP is in the popb4smtp db, but they still receive a relaying denied message:
                >
                > Nov 1 14:32:44 smtp01 postfix/smtpd[23790]: reject: RCPT from
                > unknown[67.142.235.122]: 554 <John@...>: Relay access denied;
                > from=<joe3135@...> to=<John@...>
                >

                Make sure the pop4smtp check comes before reject_unauth_destination. If
                this is the case and you still see "Relay access denied", check that
                the IP of the client is in the map at the time of the check. And of
                course, the map should return OK for the IP.
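The ordering point made throughout this thread (Postfix walks a restriction list left to right and stops at the first OK or REJECT, so a pop-before-smtp access map only lets a client relay if it is consulted before reject_unauth_destination) can be seen with a small model of that evaluation. This is an added example, not code from the thread or from Postfix; the networks, domain, map contents and the session values are constructed for illustration.

```python
import ipaddress

# Constructed values for this example; in Postfix they come from main.cf
# (mynetworks, mydestination) and from a hash:/etc/postfix/popb4smtp access map.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
MYDESTINATION = {"example.com"}
POPB4SMTP = {"198.51.100.7": "OK"}  # client IP the POP daemon recently authenticated

# Each restriction returns "OK", "REJECT ...", or "DUNNO" (no decision; keep going).
def reject_non_fqdn_sender(s):
    domain = s["sender"].rpartition("@")[2]
    if not s["sender"] or "." in domain:   # null sender <> is never rejected here
        return "DUNNO"
    return "REJECT Sender address rejected: need fully-qualified address"

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client"])
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def reject_unauth_destination(s):
    domain = s["rcpt"].rpartition("@")[2]
    return "DUNNO" if domain in MYDESTINATION else "REJECT Relay access denied"

def check_client_access(table):
    # Like "check_client_access hash:/path": look up the client IP, use the map's verdict.
    return lambda s: table.get(s["client"], "DUNNO")

def evaluate(restrictions, session):
    # Left to right, stop at the first OK or REJECT; running off the end is an
    # implicit permit (the trailing "permit" in Alex's list is therefore redundant).
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != "DUNNO":
            return verdict
    return "OK"

def restrictions(popb4smtp_before_relay_check):
    # mouss's ordering, with the pop-before-smtp map either before
    # reject_unauth_destination (his advice) or after it (the misplacement he warns about).
    popb4smtp = [check_client_access(POPB4SMTP)]
    base = [reject_non_fqdn_sender, permit_mynetworks]
    if popb4smtp_before_relay_check:
        return base + popb4smtp + [reject_unauth_destination]
    return base + [reject_unauth_destination] + popb4smtp

# Constructed session: an off-network client in the popb4smtp map relaying to a foreign domain.
RELAY_ATTEMPT = {"client": "198.51.100.7", "sender": "alex@example.com", "rcpt": "friend@example.net"}

if __name__ == "__main__":
    for before in (True, False):
        print("popb4smtp before reject_unauth_destination:", before, "->", evaluate(restrictions(before), RELAY_ATTEMPT))
```

Run it and the same session is permitted with the map before the relay check and rejected with "Relay access denied" with the map after it, which is exactly the log line Alex quoted.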