
Re: static map returns 554, causing message to be accepted

  • Noel Jones
    Message 1 of 21, Oct 3, 2010
      On 10/3/2010 7:34 AM, martin f krafft wrote:
      > Dear list,
      >
      > I found that a lot of spam can be weeded out by rejecting clients
      > who greet me with my own hostname. Initially, I achieved this with
      > the following:
      >
      > main.cf:
      > smtpd_helo_restrictions =
      > […]
      > check_helo_access pcre:$config_directory/reject_helo_myhostname
      >
      > reject_helo_myhostname:
      > /^myhostname(\.mydomain)?$/ 554 do not impersonate me
      >
      > I then ran into problems when the host connected to itself through
      > the loopback interface. Since I did not want to add
      > permit_mynetworks to smtpd_helo_restrictions (I expect all machines
      > on my network to pass the other helo restrictions), I went on to

      You're shooting yourself in the foot by not using
      permit_mynetworks. If they're authorized clients, you
      shouldn't make them jump through the hoops intended for
      potentially hostile outside connections.


      > experiment with restriction classes. I now realise that there are
      > other, more direct ways to achieve what I want, but I would still
      > like to figure out a problem I ran into:
      >
      > main.cf:
      > smtpd_helo_restrictions =
      > […]
      > check_helo_access pcre:$config_directory/reject_helo_myhostname
      >
      > smtpd_restriction_classes =
      > […]
      > target_reject_helo_myhostname
      >
      > target_reject_helo_myhostname =
      > permit_mynetworks
      > sleep 10

      You're tying up a valuable smtpd process by using the sleep 10
      before reject. This is a fine way to create your own denial
      of service. Get rid of unwanted connections as soon as possible.

      > reject
      >
      > reject_helo_myhostname:
      > /^myhostname(\.mydomain)?$/ target_reject_helo_myhostname
      >
      > This works, but I wanted to have a more verbose error message, so
      > I replaced the last line with

      Lots easier to just use
      /^myhostname(\.mydomain)?$/ REJECT don't use my hostname

      >
      > check_helo_access static:554 do not impersonate me
      >
      > Much to my surprise, this caused the message to be accepted.

      The static: map type only returns the first element. This
      could probably be better documented, but has been discussed on
      this list numerous times.

      As documented in access(5), an all-numeric response means
      "OK". Anyway, you should be using 'REJECT' rather than a code
      as a general rule.


      ...
      > I now found a better solution, but I am still curious what I did
      > wrong in using the static map.

      Static maps are inappropriate for returning a custom response.
      Use a regexp: or pcre: map instead.


      -- Noel Jones
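The accepted-message puzzle in this exchange comes down to two documented rules: a `static:` table returns a fixed value whatever the key, and access(5) treats an all-numeric lookup result as OK. The following Python is an added illustration, not Postfix source and not the original poster's or Noel's configuration; it simulates those rules on the three map variants discussed (the `static:554 ...` line, the pcre rule returning `554 do not impersonate me`, and the pcre rule returning `REJECT don't use my hostname`). The helper names, the sample HELO names and the simplified reply text are assumptions made for the example.

```python
import re

# Added simulation of the access(5) result rules discussed in the thread; this is
# illustrative code, not Postfix source. Helper names and the sample
# configurations below are assumptions made for the example.


def static_lookup(table_spec: str) -> str:
    """Simulate a static: table.

    A static: table returns a fixed value for every key. In a restriction list
    the table name ends at the first whitespace, so
    'check_helo_access static:554 do not impersonate me' refers to the table
    'static:554', whose result is just '554' (the "first element").
    """
    if not table_spec.startswith("static:"):
        raise ValueError("not a static: table")
    return table_spec[len("static:"):].split()[0]


def pcre_lookup(rules, key):
    """Simulate a pcre: access table: the first matching pattern wins and the
    whole right-hand side (keyword plus text) is the result. Postfix pcre:
    patterns are case-insensitive by default, hence re.IGNORECASE."""
    for pattern, result in rules:
        if re.search(pattern, key, re.IGNORECASE):
            return result
    return None  # no match: smtpd proceeds to the next restriction


def interpret_access_result(result):
    """Map a lookup result to (action, text) following access(5).

    Covered: OK, DUNNO, REJECT [text], '4xx text' / '5xx text', and the rule
    that an all-numeric result (e.g. a bare '554') counts as OK.
    """
    if result is None:
        return ("dunno", None)
    parts = result.split(None, 1)
    keyword, text = parts[0], (parts[1] if len(parts) > 1 else "")
    if keyword.isdigit():
        if not text:
            return ("accept", None)  # all-numeric result is treated as OK
        if re.fullmatch(r"[45]\d\d", keyword):
            return ("reject", f"{keyword} {text}")
        return ("unmodelled", result)  # e.g. '250 text': not covered here
    upper = keyword.upper()
    if upper == "OK":
        return ("accept", None)
    if upper == "DUNNO":
        return ("dunno", None)
    if upper == "REJECT":
        return ("reject", text or "Access denied")
    # Other results (restriction names, FILTER, ...) are outside this example.
    return ("unmodelled", result)


HELO_PATTERN = r"^myhostname(\.mydomain)?$"  # the thread's pattern, placeholders kept

# The three variants from the thread (constructed from the quoted configuration).
STATIC_VARIANT = "static:554 do not impersonate me"
PCRE_CODE_VARIANT = [(HELO_PATTERN, "554 do not impersonate me")]
PCRE_REJECT_VARIANT = [(HELO_PATTERN, "REJECT don't use my hostname")]


def decide(helo, variant):
    """Evaluate one check_helo_access variant for a given HELO argument."""
    if isinstance(variant, str):
        result = static_lookup(variant)  # same value whatever the HELO is
    else:
        result = pcre_lookup(variant, helo)
    return interpret_access_result(result)


if __name__ == "__main__":
    variants = (("static", STATIC_VARIANT),
                ("pcre/554", PCRE_CODE_VARIANT),
                ("pcre/REJECT", PCRE_REJECT_VARIANT))
    for helo in ("myhostname.mydomain", "mail.example.net"):
        for name, variant in variants:
            print(f"{helo:22} {name:12} -> {decide(helo, variant)}")
```

The static: variant yields "accept" for every HELO, which is exactly the surprise described in the original message; in the poster's configuration that lookup sat inside a restriction class reached only after the pcre match, but since the static result never depends on the key the simulation applies it directly. Postfix wraps a rejection text into its full SMTP reply; the simulation returns only the text.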
    • martin f krafft
      Message 2 of 21, Oct 4, 2010
        also sprach Noel Jones <njones@...> [2010.10.04.0507 +0200]:
        > Lots easier to just use
        > /^myhostname(\.mydomain)?$/ REJECT don't use my hostname

        Thanks to everyone who responded. I am now going the suggested way.

        However, it occurs to me that this is something postfix could be
        trivially doing itself, e.g.

        smtpd_helo_restrictions =
        […]
        reject_my_hostname
        reject_my_ipaddress

        since it has those data available. Is this something worth pursuing?

        Thanks,

        --
        martin | http://madduck.net/ | http://two.sentenc.es/

        to one who knows how to understand, few words suffice.
        -- intelligenti pauca

        spamtraps: madduck.bogus@...
      • Jerry
        Message 3 of 21, Oct 4, 2010
          On Mon, 4 Oct 2010 17:49:17 +0200
          martin f krafft <madduck@...> articulated:

          > also sprach Noel Jones <njones@...> [2010.10.04.0507
          > +0200]:
          > > Lots easier to just use
          > > /^myhostname(\.mydomain)?$/ REJECT don't use my hostname
          >
          > Thanks to everyone who responded. I am now going the suggested way.
          >
          > However, it occurs to me that this is something postfix could be
          > trivially doing itself, e.g.
          >
          > smtpd_helo_restrictions =
          > […]
          > reject_my_hostname
          > reject_my_ipaddress
          >
          > since it has those data available. Is this something worth pursuing?

          Interesting; however, if it were really that simple and safe, I think
          Wietse would have already implemented it.

          --
          Jerry ✌
          postfix-user@...
          _____________________________________________________________________
          TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
          TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
        • Jeroen Geilman
          Message 4 of 21, Oct 4, 2010
            On 10/04/2010 05:49 PM, martin f krafft wrote:
            > also sprach Noel Jones<njones@...> [2010.10.04.0507 +0200]:
            >
            >> Lots easier to just use
            >> /^myhostname(\.mydomain)?$/ REJECT don't use my hostname
            >>
            > Thanks to everyone who responded. I am now going the suggested way.
            >
            > However, it occurs to me that this is something postfix could be
            > trivially doing itself, e.g.
            >
            > smtpd_helo_restrictions =
            > […]
            > reject_my_hostname
            >
            > reject_my_ipaddress
            >

            Where, exactly ?
            The real client IP ? That can't be trivially spoofed, and so would
            actually BE your server.
            As for EHLO, IP literals aren't accepted as a matter of course - not in
            this day and age.

            Personally, I reject all EHLO if it's not FQDN, not a valid hostname, or
            corresponds with my own identity.
            That pretty much accomplishes what you're talking about, without the
            need for additional options.


            --
            J.
          • martin f krafft
            Message 5 of 21, Oct 4, 2010
              also sprach Jeroen Geilman <jeroen@...> [2010.10.04.1822 +0200]:
              > Where, exactly ?

              The HELO greeting.

              > The real client IP ? That can't be trivially spoofed, and so would
              > actually BE your server.

              I have seen clients who apparently connect to my MX with the IP and
              then send the IP after HELO.

              > Personally, I reject all EHLO if it's not FQDN, not a valid hostname,
              > or corresponds with my own identity.

              % swaks -h '77.109.139.84' -t jeroen@...
              === Trying xs.adaptr.nl:25...
              === Connected to xs.adaptr.nl.
              <- 220-Are you naughty or nice ?
              <- 220 mail.adaptr.nl ESMTP Ready.
              -> EHLO 77.109.139.84
              <- 250-mail.adaptr.nl
              […]

              (same with [77.109.139.84])

              > That pretty much accomplishes what you're talking about, without the
              > need for additional options.

              So you keep a file in /etc/postfix containing your own identity?
              That's redundant, isn't it? I can trivially do this with puppet, but
              I figure it would be something postfix could do too.

              --
              martin | http://madduck.net/ | http://two.sentenc.es/

              to err is human - to moo, bovine

              spamtraps: madduck.bogus@...
            • Jeroen Geilman
              Message 6 of 21, Oct 4, 2010
                Please don't send these redundant messages. It's a good indication of
                your general messaging skills.


                On 10/04/2010 07:56 PM, martin f krafft wrote:
                > also sprach Jeroen Geilman<jeroen@...> [2010.10.04.1822 +0200]:
                >
                >> Where, exactly ?
                >>
                > The HELO greeting.
                >
                >
                >> The real client IP ? That can't be trivially spoofed, and so would
                >> actually BE your server.
                >>
                > I have seen clients who apparently connect to my MX with the IP and
                > then send the IP after HELO.
                >

                With YOUR IP ? That's highly unlikely, to the point of unbelievability.

                >> Personally, I reject all EHLO if it's not FQDN, not a valid hostname,
                >> or corresponds with my own identity.
                >>
                > % swaks -h '77.109.139.84' -t jeroen@...
                > === Trying xs.adaptr.nl:25...
                > === Connected to xs.adaptr.nl.
                > <- 220-Are you naughty or nice ?
                > <- 220 mail.adaptr.nl ESMTP Ready.
                > -> EHLO 77.109.139.84
                > <- 250-mail.adaptr.nl
                > […]
                >

                I'm quite sure I didn't ask you to post this online.

                > (same with [77.109.139.84])
                >
                >

                When I said that *I* use those rules, where did you get the notion it
                has anything to do with any particular domain, or mail server ?


                >> That pretty much accomplishes what you're talking about, without the
                >> need for additional options.
                >>
                > So you keep a file in /etc/postfix containing your own identity?
                > That's redundant, isn't it? I can trivially do this with puppet, but
                > I figure it would be something postfix could do too.
                >

                So you're too dumb to write a simple regex map, eh ?
                I guess "puppet" would be the solution for you then.
              • martin f krafft
                Message 7 of 21, Oct 4, 2010
                  also sprach Jeroen Geilman <jeroen@...> [2010.10.04.2004 +0200]:
                  > >I have seen clients who apparently connect to my MX with the IP and
                  > >then send the IP after HELO.
                  >
                  > With YOUR IP ? That's highly unlikely, to the point of unbelievability.

                  Yes, with my IP.

                  --
                  martin | http://madduck.net/ | http://two.sentenc.es/

                  "i like .net for the same reason i like gentoo. it keeps all the
                  people with no clue from writing c code, which is much harder for me
                  to identify and eliminate from my systems. in the same way that
                  gentoo gives those people a place to be that isn't in debian"
                  -- andrew suffield

                  spamtraps: madduck.bogus@...
                • Charles Marcus
                  Message 8 of 21, Oct 4, 2010
                    On 2010-10-04 2:15 PM, martin f krafft wrote:
                    >> With YOUR IP ? That's highly unlikely, to the point of unbelievability.

                    > Yes, with my IP.

                    So your server is hacked?

                    --

                    Best regards,

                    Charles
                  • Ralf Hildebrandt
                    Message 9 of 21, Oct 4, 2010
                      * Jeroen Geilman <jeroen@...>:
                      >
                      > Please don't send these redundant messages. It's a good indication of
                      > your general messaging skills.
                      >
                      >
                      > On 10/04/2010 07:56 PM, martin f krafft wrote:
                      > >also sprach Jeroen Geilman<jeroen@...> [2010.10.04.1822 +0200]:
                      > >>Where, exactly ?
                      > >The HELO greeting.
                      > >
                      > >>The real client IP ? That can't be trivially spoofed, and so would
                      > >>actually BE your server.
                      > >I have seen clients who apparently connect to my MX with the IP and
                      > >then send the IP after HELO.
                      >
                      > With YOUR IP ? That's highly unlikely, to the point of unbelievability.

                      I've seen those as well; not from within my networks, but yes. I've
                      seen them!

                      --
                      Ralf Hildebrandt
                      IT Division | Network Department
                      Charité - Universitätsmedizin Berlin
                      Campus Benjamin Franklin
                      Hindenburgdamm 30 | D-12203 Berlin
                      Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
                      ralf.hildebrandt@... | http://www.charite.de
                    • martin f krafft
                      Message 10 of 21, Oct 4, 2010
                        also sprach Charles Marcus <CMarcus@...> [2010.10.04.2029 +0200]:
                        > > Yes, with my IP.
                        >
                        > So your server is hacked?

                        I am talking about the argument to HELO/EHLO. No, my server is not
                        hacked.

                        --
                        martin | http://madduck.net/ | http://two.sentenc.es/

                        "if english was good enough for jesus christ,
                        it's good enough for us."
                        -- miriam ferguson, governor of texas

                        spamtraps: madduck.bogus@...
                      • Wietse Venema
                        Message 11 of 21, Oct 4, 2010
                          Ralf Hildebrandt:
                          > > With YOUR IP ? That's highly unlikely, to the point of unbelievability.
                          >
                          > I've seen those as well; not from within my networks, but yes. I've
                          > seen them!

                          I see that all the time.

                          For me, blocking helo with $inet_interfaces/$myhostname is
                          not sufficient, since Postfix does not know everything.

                          More useful is to block any helo name/address that resolves to an
                          address on the local network when the client is elsewhere, but
                          that is not as simple as suggested in this thread.

                          Wietse
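Wietse's suggestion above, as an added example that is neither his code nor Postfix's: a check that flags a HELO argument which maps to an address inside the receiving site's own networks while the client itself connects from elsewhere. The local networks, the stand-in DNS table and the function names are constructed for the example; a real deployment would query DNS (with timeouts, treating lookup failures as "unknown" rather than as a match) and, as Wietse notes, still has to be told about addresses that Postfix cannot know by itself. The example also handles the HELO forms seen in this thread: a hostname, an RFC 5321 address literal in brackets, and a bare IP address.

```python
import ipaddress
import re

# Constructed example, not Postfix code: flag a HELO argument that maps to one
# of our own addresses while the client is connecting from outside our networks.

# Constructed: the networks this site considers its own (RFC 5737 range + loopback).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "127.0.0.0/8", "::1/128")]

# Constructed stand-in for DNS, hostname -> addresses. A real check would use a
# resolver with a timeout and treat failures as "unknown", never as a match.
FAKE_DNS = {
    "mx.example.org": ["192.0.2.10"],
    "www.example.org": ["192.0.2.20"],
    "mail.example.net": ["198.51.100.5"],
}

# RFC 5321 address literal: [192.0.2.10] or [IPv6:2001:db8::1]
ADDRESS_LITERAL = re.compile(r"^\[(?:IPv6:)?([^\]]+)\]$", re.IGNORECASE)


def helo_addresses(helo, resolve=FAKE_DNS.get):
    """Addresses a HELO/EHLO argument refers to.

    Accepts a bracketed address literal, a bare IP address (non-compliant but
    seen in the wild, as reported in this thread) or a hostname to resolve.
    Returns an empty list when nothing can be determined.
    """
    helo = helo.strip()
    m = ADDRESS_LITERAL.match(helo)
    candidate = m.group(1) if m else helo
    try:
        return [ipaddress.ip_address(candidate)]
    except ValueError:
        if m:
            return []  # bracketed, but not a valid address
    return [ipaddress.ip_address(a) for a in (resolve(candidate.lower()) or [])]


def in_local_nets(addr, nets=LOCAL_NETS):
    """True if addr lies inside any of our networks (v4/v6 mismatches compare False)."""
    return any(addr in net for net in nets)


def helo_claims_our_identity(client_ip, helo, nets=LOCAL_NETS, resolve=FAKE_DNS.get):
    """True when the HELO argument maps into our networks but the client does not.

    Clients inside our networks (including loopback, the original poster's
    self-connection case) are never flagged: they may legitimately use our names.
    """
    client = ipaddress.ip_address(client_ip)
    if in_local_nets(client, nets):
        return False
    return any(in_local_nets(addr, nets) for addr in helo_addresses(helo, resolve))


if __name__ == "__main__":
    # Constructed sample connections: (client IP, HELO argument)
    samples = [
        ("203.0.113.7", "mx.example.org"),
        ("203.0.113.7", "[192.0.2.10]"),
        ("203.0.113.7", "192.0.2.10"),
        ("203.0.113.7", "mail.example.net"),
        ("127.0.0.1", "mx.example.org"),
    ]
    for client_ip, helo in samples:
        print(f"{client_ip:14} HELO {helo:18} -> {helo_claims_our_identity(client_ip, helo)}")
```

Compared with a fixed `$myhostname` pattern, this catches any name under your control that resolves to you, but it is only as complete as the network list you supply, and a resolver failure must not be mistaken for a match.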
                        • fakessh
                          Message 12 of 21, Oct 4, 2010
                            I hijacked the server with the null sender
                            and the valid recipient;
                            the mail goes home

                            <anonymous>

                            NB: hey madduck
                            On Monday, 04 October 2010 at 20:44 +0200, martin f krafft wrote:
                            > also sprach Charles Marcus <CMarcus@...> [2010.10.04.2029 +0200]:
                            > > > Yes, with my IP.
                            > >
                            > > So your server is hacked?
                            >
                            > I am talking about the argument to HELO/EHLO. No, my server is not
                            > hacked.
                            >
                            --
                            http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7


                            gpg --keyserver pgp.mit.edu --recv-key 092164A7
                          • Jeroen Geilman
                            Message 13 of 21, Oct 4, 2010
                              On 10/04/2010 08:31 PM, Ralf Hildebrandt wrote:
                              > * Jeroen Geilman<jeroen@...>:
                              >
                              >> The real client IP ? That can't be trivially spoofed, and so would
                              >>>> actually BE your server.
                              >>>>
                              >>> I have seen clients who apparently connect to my MX with the IP and
                              >>> then send the IP after HELO.
                              >>>
                              >> With YOUR IP ? That's highly unlikely, to the point of unbelievability.
                              >>
                              > I've seen those as well; not from within my networks, but yes. I've
                              > seen them!
                              >
                              >

                              The OP says in so many words that he sees connections WITH HIS IP: "who
                              apparently connect to the MX *with the IP*"

                              This does not happen.
                            • mouss
                              Message 14 of 21, Oct 4, 2010
                                On 04/10/2010 17:49, martin f krafft wrote:
                                > also sprach Noel Jones<njones@...> [2010.10.04.0507 +0200]:
                                >> Lots easier to just use
                                >> /^myhostname(\.mydomain)?$/ REJECT don't use my hostname
                                > Thanks to everyone who responded. I am now going the suggested way.
                                >
                                > However, it occurs to me that this is something postfix could be
                                > trivially doing itself, e.g.
                                >
                                > smtpd_helo_restrictions =
                                > […]
                                > reject_my_hostname
                                > reject_my_ipaddress
                                >
                                > since it has those data available. Is this something worth pursuing?

                                not really, except in your apparently simple environment. I have a lot
                                more IPs that I would include in the check, that postfix has no idea
                                where they come from. and besides, I didn't see that check catch
                                anything that isn't caught by other more effective checks. so I removed
                                the call to the map.
                              • mouss
                                Message 15 of 21, Oct 4, 2010
                                  On 04/10/2010 21:10, Jeroen Geilman wrote:
                                  > On 10/04/2010 08:31 PM, Ralf Hildebrandt wrote:
                                  >> * Jeroen Geilman<jeroen@...>:
                                  >>> The real client IP ? That can't be trivially spoofed, and so would
                                  >>>>> actually BE your server.
                                  >>>> I have seen clients who apparently connect to my MX with the IP and
                                  >>>> then send the IP after HELO.
                                  >>> With YOUR IP ? That's highly unlikely, to the point of unbelievability.
                                  >> I've seen those as well; not from within my networks, but yes. I've
                                  >> seen them!
                                  >>
                                  >
                                  > The OP says in so many words that he sees connections WITH HIS IP:
                                  > "who apparently connect to the MX *with the IP*"
                                  >
                                  > This does not happen.
                                  >
                                  >

                                  OP talks about clients helo'ing with his IP, not connections coming from
                                  someone who spoofed his IP.
                                • Stan Hoeppner
                                  Message 16 of 21, Oct 4, 2010
                                    Jeroen Geilman put forth on 10/4/2010 2:10 PM:

                                    > The OP says in so many words that he sees connections WITH HIS IP: "who
                                    > apparently connect to the MX *with the IP*"
                                    >
                                    > This does not happen.

                                    Is this remotely plausible if he's behind a really funky NAT/masquerade?

                                    I've seen some junk quality NAT boxes present the inside private NAT
                                    address as the remote client host address after translation, but I've
                                    never seen one that presented the internal host's address to itself as
                                    the remote client address.

                                    --
                                    Stan
                                  • Jeroen Geilman
                                    Message 17 of 21, Oct 6, 2010
                                      On 10/04/2010 10:55 PM, mouss wrote:
                                      > On 04/10/2010 21:10, Jeroen Geilman wrote:
                                      >> On 10/04/2010 08:31 PM, Ralf Hildebrandt wrote:
                                      >>> * Jeroen Geilman<jeroen@...>:
                                      >>>> The real client IP ? That can't be trivially spoofed, and so would
                                      >>>>>> actually BE your server.
                                      >>>>> I have seen clients who apparently connect to my MX with the IP and
                                      >>>>> then send the IP after HELO.
                                      >>>> With YOUR IP ? That's highly unlikely, to the point of
                                      >>>> unbelievability.
                                      >>> I've seen those as well; not from within my networks, but yes. I've
                                      >>> seen them!
                                      >>>
                                      >>
                                      >> The OP says in so many words that he sees connections WITH HIS IP:
                                      >> "who apparently connect to the MX *with the IP*"
                                      >>
                                      >> This does not happen.
                                      >>
                                      >>
                                      >
                                      > OP talks about clients helo'ing with his IP, not connections coming
                                      > from someone who spoofed his IP.
                                      >
                                      >

                                      Well excuse me, again, but he obviously did.

                                      Re-quoting: "I have seen clients who apparently connect to my MX with
                                      the IP "

                                      How does that translate to anything else than what I said ?

                                      --
                                      J.