
Re: Advice on filtering setup

  • /dev/rob0
    Message 1 of 17 , Feb 2, 2011
      On Wed, Feb 02, 2011 at 12:49:49PM +0100, Ralf Hildebrandt wrote:
      > * Ralf Hildebrandt <Ralf.Hildebrandt@...>:
      >
      > The resulting set of restrictions after cleaning up:

      And I'll throw in some nitpicks ...

      > > > smtpd_helo_required = yes
      >
      > > > smtpd_helo_restrictions =

      This being the default, the whole thing can be left out of main.cf
      altogether.

      > > > smtpd_client_restrictions =
      > > > hash:/etc/postfix/client_restrictions,

      This would be more properly stated as:
      smtpd_client_restrictions = check_client_access
      hash:/etc/postfix/client_restrictions
      The OP was using the (undocumented?) default behavior of the implied
      check_mumble_access lookup in smtpd_mumble_restrictions. Probably
      best to be explicit and say that this is a client lookup.

      > > > disable_vrfy_command = yes
      >
      > > > smtpd_recipient_restrictions =
      > > > reject_invalid_hostname,
      > > > reject_non_fqdn_hostname,
      > > > reject_non_fqdn_sender,
      > > > reject_non_fqdn_recipient,
      > > > reject_unknown_sender_domain,
      > > > reject_unknown_recipient_domain,
      > > > reject_unknown_client,
      > > > reject_unknown_hostname,
      > > > permit_mynetworks,
      > > > reject_unauth_destination,
      > > > check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
      > > > check_helo_access hash:/etc/postfix/helo_checks,
      > > > check_sender_access hash:/etc/postfix/sender_checks,
      > > > check_client_access hash:/etc/postfix/client_checks,
      > > > check_client_access pcre:/etc/postfix/client_checks.pcre,
      > > > reject_rbl_client zen.spamhaus.org,
      > > > permit
      > > >
      > > > smtpd_data_restrictions =
      > > > reject_unauth_pipelining,
      > > > permit
      --
      Offlist mail to this address is discarded unless
      "/dev/rob0" or "not-spam" is in Subject: header
    • Aggelos
      Message 2 of 17 , Feb 2, 2011
        on 02/02/2011 03:56 PM /dev/rob0 wrote the following:
        > On Wed, Feb 02, 2011 at 12:49:49PM +0100, Ralf Hildebrandt wrote:
        >> * Ralf Hildebrandt <Ralf.Hildebrandt@...>:
        >>
        >> The resulting set of restrictions after cleaning up:
        >
        > And I'll throw in some nitpicks ...
        >
        >>>> smtpd_helo_required = yes
        >>
        >>>> smtpd_helo_restrictions =
        >
        > This being the default, the whole thing can be left out of main.cf
        > altogether.
        >
        >>>> smtpd_client_restrictions =
        >>>> hash:/etc/postfix/client_restrictions,
        >
        > This would be more properly stated as:
        > smtpd_client_restrictions = check_client_access
        > hash:/etc/postfix/client_restrictions
        > The OP was using the (undocumented?) default behavior of the implied
        > check_mumble_access lookup in smtpd_mumble_restrictions. Probably
        > best to be explicit and say that this is a client lookup.
        >

        Thanks.
        So the final version should be:

        ######################################
        smtpd_helo_required = yes

        smtpd_client_restrictions = check_client_access
            hash:/etc/postfix/client_restrictions

        disable_vrfy_command = yes

        smtpd_recipient_restrictions =
            reject_invalid_hostname,
            reject_non_fqdn_hostname,
            reject_non_fqdn_sender,
            reject_non_fqdn_recipient,
            reject_unknown_sender_domain,
            reject_unknown_recipient_domain,
            reject_unknown_client,
            reject_unknown_hostname,
            permit_mynetworks,
            reject_unauth_destination,
            check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
            check_helo_access hash:/etc/postfix/helo_checks,
            check_sender_access hash:/etc/postfix/sender_checks,
            check_client_access hash:/etc/postfix/client_checks,
            check_client_access pcre:/etc/postfix/client_checks.pcre,
            reject_rbl_client zen.spamhaus.org,
            permit

        smtpd_data_restrictions =
            reject_unauth_pipelining,
            permit
        ######################################
      • Aggelos
        Message 3 of 17 , Feb 2, 2011
          on 02/02/2011 03:56 PM /dev/rob0 wrote the following:
          > On Wed, Feb 02, 2011 at 12:49:49PM +0100, Ralf Hildebrandt wrote:
          >> * Ralf Hildebrandt <Ralf.Hildebrandt@...>:
          >>
          >> The resulting set of restrictions after cleaning up:
          >
          > And I'll throw in some nitpicks ...
          >
          >>>> smtpd_helo_required = yes
          >>
          >>>> smtpd_helo_restrictions =
          >
          > This being the default, the whole thing can be left out of main.cf
          > altogether.
          >
          >>>> smtpd_client_restrictions =
          >>>> hash:/etc/postfix/client_restrictions,
          >
          > This would be more properly stated as:
          > smtpd_client_restrictions = check_client_access
          > hash:/etc/postfix/client_restrictions
          > The OP was using the (undocumented?) default behavior of the implied
          > check_mumble_access lookup in smtpd_mumble_restrictions. Probably
          > best to be explicit and say that this is a client lookup.
          >
          >>>> disable_vrfy_command = yes
          >>
          >>>> smtpd_recipient_restrictions =
          >>>> reject_invalid_hostname,
          >>>> reject_non_fqdn_hostname,
          >>>> reject_non_fqdn_sender,
          >>>> reject_non_fqdn_recipient,
          >>>> reject_unknown_sender_domain,
          >>>> reject_unknown_recipient_domain,
          >>>> reject_unknown_client,
          >>>> reject_unknown_hostname,
          >>>> permit_mynetworks,
          >>>> reject_unauth_destination,
          >>>> check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
          >>>> check_helo_access hash:/etc/postfix/helo_checks,
          >>>> check_sender_access hash:/etc/postfix/sender_checks,
          >>>> check_client_access hash:/etc/postfix/client_checks,
          >>>> check_client_access pcre:/etc/postfix/client_checks.pcre,
          >>>> reject_rbl_client zen.spamhaus.org,
          >>>> permit
          >>>>
          >>>> smtpd_data_restrictions =
          >>>> reject_unauth_pipelining,
          >>>> permit

          With that setup, if I wanted to accept mail from a specific Internet IP,
          which would otherwise be filtered out, how would I do it?
        • Aggelos
          Message 4 of 17 , Feb 2, 2011
            on 02/03/2011 05:24 AM Aggelos wrote the following:

            > With that setup, if I wanted to accept mail from a specific Internet IP,
            > which would otherwise be filtered out, how would I do it?
            >

            I meant clients that are rejected like so:
            Feb 3 06:46:59 viper postfix/smtpd[3924]: NOQUEUE: reject: RCPT from
            unknown[62.1.42.20]: 450 4.7.1 Client host rejected: cannot find your
            hostname, [62.1.42.20]; from=<www-data@...>
            to=<agg@...> proto=ESMTP helo=<mail.insomnia.gr>
          • Stan Hoeppner
            Message 5 of 17 , Feb 3, 2011
              Aggelos put forth on 2/2/2011 10:49 PM:
              > on 02/03/2011 05:24 AM Aggelos wrote the following:
              >
              >> With that setup, if I wanted to accept mail from a specific Internet IP,
              >> which would otherwise be filtered out, how would I do it?
              >>
              >
              > I meant clients that are rejected like so:
              > Feb 3 06:46:59 viper postfix/smtpd[3924]: NOQUEUE: reject: RCPT from
              > unknown[62.1.42.20]: 450 4.7.1 Client host rejected: cannot find your
              > hostname, [62.1.42.20]; from=<www-data@...>
              > to=<agg@...> proto=ESMTP helo=<mail.insomnia.gr>

              One possible method, using a cidr table:

              smtpd_recipient_restrictions =
              check_client_access cidr:/etc/postfix/whitelist.cidr
              >>>> reject_invalid_hostname,
              >>>> reject_non_fqdn_hostname,
              >>>> reject_non_fqdn_sender,
              >>>> reject_non_fqdn_recipient,
              >>>> reject_unknown_sender_domain,
              >>>> reject_unknown_recipient_domain,
              >>>> reject_unknown_client,
              >>>> reject_unknown_hostname,
              >>>> permit_mynetworks,
              >>>> reject_unauth_destination,
              >>>> check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
              >>>> check_helo_access hash:/etc/postfix/helo_checks,
              >>>> check_sender_access hash:/etc/postfix/sender_checks,
              >>>> check_client_access hash:/etc/postfix/client_checks,
              >>>> check_client_access pcre:/etc/postfix/client_checks.pcre,
              >>>> reject_rbl_client zen.spamhaus.org,
              >>>> permit

              /etc/postfix/whitelist.cidr
              62.1.42.20 permit_auth_destination


              --
              Stan
            • Aggelos
              Message 6 of 17 , Feb 3, 2011
                on 02/03/2011 10:05 AM Stan Hoeppner wrote the following:
                > Aggelos put forth on 2/2/2011 10:49 PM:
                >> on 02/03/2011 05:24 AM Aggelos wrote the following:
                >>
                >>> With that setup, if I wanted to accept mail from a specific Internet IP,
                >>> which would otherwise be filtered out, how would I do it?
                >>>
                >>
                >> I meant clients that are rejected like so:
                >> Feb 3 06:46:59 viper postfix/smtpd[3924]: NOQUEUE: reject: RCPT from
                >> unknown[62.1.42.20]: 450 4.7.1 Client host rejected: cannot find your
                >> hostname, [62.1.42.20]; from=<www-data@...>
                >> to=<agg@...> proto=ESMTP helo=<mail.insomnia.gr>
                >
                > One possible method, using a cidr table:
                >
                > smtpd_recipient_restrictions =
                > check_client_access cidr:/etc/postfix/whitelist.cidr
                >>>>> reject_invalid_hostname,
                >>>>> reject_non_fqdn_hostname,
                >>>>> reject_non_fqdn_sender,
                >>>>> reject_non_fqdn_recipient,
                >>>>> reject_unknown_sender_domain,
                >>>>> reject_unknown_recipient_domain,
                >>>>> reject_unknown_client,
                >>>>> reject_unknown_hostname,
                >>>>> permit_mynetworks,
                >>>>> reject_unauth_destination,
                >>>>> check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
                >>>>> check_helo_access hash:/etc/postfix/helo_checks,
                >>>>> check_sender_access hash:/etc/postfix/sender_checks,
                >>>>> check_client_access hash:/etc/postfix/client_checks,
                >>>>> check_client_access pcre:/etc/postfix/client_checks.pcre,
                >>>>> reject_rbl_client zen.spamhaus.org,
                >>>>> permit
                >
                > /etc/postfix/whitelist.cidr
                > 62.1.42.20 permit_auth_destination
                >
                >
                Thanks.

                1) Where should this be placed?
                Should it be first in smtpd_recipient_restrictions ?
                I tried it and it worked when placed just after
                reject_unknown_recipient_domain (before reject_unknown_client).

                2) Also tried
                62.1.42.20 OK
                in /etc/postfix/client_checks
                and moving check_client_access hash:/etc/postfix/client_checks as above
                (before reject_unknown_client) which also worked.

                Which one of the two is more safe?
              • Brian Evans - Postfix List
                Message 7 of 17 , Feb 3, 2011
                  On 2/3/2011 3:34 AM, Aggelos wrote:
                  > on 02/03/2011 10:05 AM Stan Hoeppner wrote the following:
                  >> Aggelos put forth on 2/2/2011 10:49 PM:
                  >>> on 02/03/2011 05:24 AM Aggelos wrote the following:
                  >>>
                  >>>> With that setup, if I wanted to accept mail from a specific Internet IP,
                  >>>> which would otherwise be filtered out, how would I do it?
                  >>>>
                  >>> I meant clients that are rejected like so:
                  >>> Feb 3 06:46:59 viper postfix/smtpd[3924]: NOQUEUE: reject: RCPT from
                  >>> unknown[62.1.42.20]: 450 4.7.1 Client host rejected: cannot find your
                  >>> hostname, [62.1.42.20]; from=<www-data@...>
                  >>> to=<agg@...> proto=ESMTP helo=<mail.insomnia.gr>
                  >> One possible method, using a cidr table:
                  >>
                  >> smtpd_recipient_restrictions =
                  >> check_client_access cidr:/etc/postfix/whitelist.cidr
                  >>>>>> reject_invalid_hostname,
                  >>>>>> reject_non_fqdn_hostname,
                  >>>>>> reject_non_fqdn_sender,
                  >>>>>> reject_non_fqdn_recipient,
                  >>>>>> reject_unknown_sender_domain,
                  >>>>>> reject_unknown_recipient_domain,
                  >>>>>> reject_unknown_client,
                  >>>>>> reject_unknown_hostname,
                  >>>>>> permit_mynetworks,
                  >>>>>> reject_unauth_destination,
                  >>>>>> check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
                  >>>>>> check_helo_access hash:/etc/postfix/helo_checks,
                  >>>>>> check_sender_access hash:/etc/postfix/sender_checks,
                  >>>>>> check_client_access hash:/etc/postfix/client_checks,
                  >>>>>> check_client_access pcre:/etc/postfix/client_checks.pcre,
                  >>>>>> reject_rbl_client zen.spamhaus.org,
                  >>>>>> permit
                  >> /etc/postfix/whitelist.cidr
                  >> 62.1.42.20 permit_auth_destination
                  >>
                  >>
                  > Thanks.
                  >
                  > 1) Where should this be placed?
                  > Should it be first in smtpd_recipient_restrictions ?
                  > I tried it and it worked when placed just after
                  > reject_unknown_recipient_domain (before reject_unknown_client).
                  >
                  > 2) Also tried
                  > 62.1.42.20 OK
                  > in /etc/postfix/client_checks
                  > and moving check_client_access hash:/etc/postfix/client_checks as above
                  > (before reject_unknown_client) which also worked.
                  >
                  > Which one of the two is more safe?

                  "OK" makes you an open relay for mail from that IP.
                  It is better to use permit_auth_destination since it comes before
                  reject_unauth_destination unless you trust that source.
                • Aggelos
                  Message 8 of 17 , Feb 3, 2011
                    on 02/03/2011 04:13 PM Brian Evans - Postfix List wrote the following:
                    > On 2/3/2011 3:34 AM, Aggelos wrote:
                    >> on 02/03/2011 10:05 AM Stan Hoeppner wrote the following:
                    >>> Aggelos put forth on 2/2/2011 10:49 PM:
                    >>>> on 02/03/2011 05:24 AM Aggelos wrote the following:
                    >>>>
                    >>>>> With that setup, if I wanted to accept mail from a specific Internet IP,
                    >>>>> which would otherwise be filtered out, how would I do it?
                    >>>>>
                    >>>> I meant clients that are rejected like so:
                    >>>> Feb 3 06:46:59 viper postfix/smtpd[3924]: NOQUEUE: reject: RCPT from
                    >>>> unknown[62.1.42.20]: 450 4.7.1 Client host rejected: cannot find your
                    >>>> hostname, [62.1.42.20]; from=<www-data@...>
                    >>>> to=<...> proto=ESMTP helo=<mail.insomnia.gr>
                    >>> One possible method, using a cidr table:
                    >>>
                    >>> smtpd_recipient_restrictions =
                    >>> check_client_access cidr:/etc/postfix/whitelist.cidr
                    >>>>>>> reject_invalid_hostname,
                    >>>>>>> reject_non_fqdn_hostname,
                    >>>>>>> reject_non_fqdn_sender,
                    >>>>>>> reject_non_fqdn_recipient,
                    >>>>>>> reject_unknown_sender_domain,
                    >>>>>>> reject_unknown_recipient_domain,
                    >>>>>>> reject_unknown_client,
                    >>>>>>> reject_unknown_hostname,
                    >>>>>>> permit_mynetworks,
                    >>>>>>> reject_unauth_destination,
                    >>>>>>> check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
                    >>>>>>> check_helo_access hash:/etc/postfix/helo_checks,
                    >>>>>>> check_sender_access hash:/etc/postfix/sender_checks,
                    >>>>>>> check_client_access hash:/etc/postfix/client_checks,
                    >>>>>>> check_client_access pcre:/etc/postfix/client_checks.pcre,
                    >>>>>>> reject_rbl_client zen.spamhaus.org,
                    >>>>>>> permit
                    >>> /etc/postfix/whitelist.cidr
                    >>> 62.1.42.20 permit_auth_destination
                    >>>
                    >>>
                    >> Thanks.
                    >>
                    >> 1) Where should this be placed?
                    >> Should it be first in smtpd_recipient_restrictions ?
                    >> I tried it and it worked when placed just after
                    >> reject_unknown_recipient_domain (before reject_unknown_client).
                    >>
                    >> 2) Also tried
                    >> 62.1.42.20 OK
                    >> in /etc/postfix/client_checks
                    >> and moving check_client_access hash:/etc/postfix/client_checks as above
                    >> (before reject_unknown_client) which also worked.
                    >>
                    >> Which one of the two is more safe?
                    >
                    > "OK" makes you an open relay for mail from that IP.
                    > It is better to use permit_auth_destination since it comes before
                    > reject_unauth_destination unless you trust that source.
                    >

                    Thanks a lot!
                    I don't trust any external source. So I had better use the
                    permit_auth_destination as suggested by Stan in the first place.
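
Added example (not part of any poster's message, and not Postfix code): a simplified Python model of the first-match evaluation of smtpd_recipient_restrictions, showing why an `OK` entry for 62.1.42.20 accepts mail for any destination while `permit_auth_destination` only accepts mail for domains the server handles. The domains `example.org` and `elsewhere.example`, the `MYNETWORKS` value and all function names are assumptions for illustration, and only a subset of the thread's restrictions is modelled.

```python
# Simplified model of how Postfix walks smtpd_recipient_restrictions:
# each restriction returns PERMIT, REJECT or DUNNO, and the first result
# that is not DUNNO ends the evaluation. Constructed example, not Postfix code.
from dataclasses import dataclass

# Assumed values for illustration: domains this server accepts mail for
# (stand-in for mydestination/relay_domains) and its trusted networks.
AUTH_DOMAINS = {"example.org"}
MYNETWORKS = {"127.0.0.1"}

# Subset of the thread's restriction list, with the whitelist lookup first.
RESTRICTIONS = [
    "check_client_access",
    "reject_unknown_client",
    "permit_mynetworks",
    "reject_unauth_destination",
    "permit",
]


@dataclass
class Rcpt:
    client_ip: str
    has_rdns: bool      # False reproduces "cannot find your hostname"
    rcpt_domain: str


def is_auth_destination(rcpt):
    return rcpt.rcpt_domain in AUTH_DOMAINS


def apply(name, table, rcpt):
    """Result of one restriction for one RCPT TO command."""
    if name == "check_client_access":
        action = table.get(rcpt.client_ip)
        if action == "OK":
            return "PERMIT"  # unconditional: skips every later check
        if action == "permit_auth_destination":
            return "PERMIT" if is_auth_destination(rcpt) else "DUNNO"
        return "DUNNO"
    if name == "reject_unknown_client":
        return "DUNNO" if rcpt.has_rdns else "REJECT"
    if name == "permit_mynetworks":
        return "PERMIT" if rcpt.client_ip in MYNETWORKS else "DUNNO"
    if name == "reject_unauth_destination":
        return "DUNNO" if is_auth_destination(rcpt) else "REJECT"
    if name == "permit":
        return "PERMIT"
    raise ValueError(f"restriction not modelled: {name}")


def evaluate(table, rcpt, restrictions=RESTRICTIONS):
    """Return (verdict, name of the restriction that decided it)."""
    for name in restrictions:
        verdict = apply(name, table, rcpt)
        if verdict != "DUNNO":
            return verdict, name
    return "PERMIT", "(end of list)"


if __name__ == "__main__":
    inbound = Rcpt("62.1.42.20", False, "example.org")
    relay = Rcpt("62.1.42.20", False, "elsewhere.example")
    for action in ("OK", "permit_auth_destination"):
        table = {"62.1.42.20": action}
        print(action, evaluate(table, inbound), evaluate(table, relay))
```

With the `OK` table the relay attempt is permitted at the first restriction; with `permit_auth_destination` the same attempt falls through and is rejected by a later check.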