Re: Exceptions to reject_rbl_client *AND* SASL authentication enforcement

  • Noel Jones
    Message 1 of 3, Feb 8 9:37 AM
      On 2/8/2013 3:51 AM, Fabio Sangiovanni wrote:
      > Hello list,
      >
      > I'm running a Postfix (2.6.6) server used by my company's customers
      > to submit mail.
      > Source IPs are not known in advance, so normally we grant relay
      > access using SASL authentication.
      > Additionally, we need to prevent as much as possible submissions
      > from unauthorized clients using stolen credentials (i.e. viruses or
      > bots), so, as a further measure, we check source IPs against
      > Spamhaus RBL (I know that this might not be an exhaustive solution -
      > we have in fact other controls down the line).
      >
      > I'm using the following set of restrictions
      > (/etc/postfix/domain.hash is a list of recipient domains we don't
      > want to send mail to):
      >
      > smtpd_recipient_restrictions =
      > reject_rbl_client zen.spamhaus.org,
      > reject_non_fqdn_sender,
      > reject_non_fqdn_recipient,
      > reject_unknown_sender_domain,
      > check_recipient_access hash:/etc/postfix/domain.hash,
      > permit_sasl_authenticated,
      > reject_unauth_destination
      >
      > Everything works fine, except when one client's IP is blacklisted by
      > Spamhaus. In this case, we need to whitelist that IP - and that
      > should be obtainable with the following:
      >
      > smtpd_recipient_restrictions =
      > reject_non_fqdn_sender,
      > reject_non_fqdn_recipient,
      > reject_unknown_sender_domain,
      > check_recipient_access hash:/etc/postfix/domain.hash,
      > check_client_access cidr:/etc/postfix/whitelist_client.cidr,
      > reject_rbl_client zen.spamhaus.org,
      > permit_sasl_authenticated,
      > reject_unauth_destination
      >
      > /etc/postfix/whitelist_client.cidr
      > 1.2.3.4/32 OK
      >
      > Moving up sender/rcpt restrictions I can enforce those checks to
      > whitelisted clients too. But (and that's my question) how can I
      > force SASL authentication to whitelisted clients? I couldn't figure
      > out a way to make Postfix evaluate the permit_sasl_authenticated
      > directive in those cases.
      >
      > Thanks a lot for your help!
      >
      > Fabio


      Seems like the easiest solution is to put permit_sasl_authenticated
      BEFORE reject_rbl_client. Then no whitelisting is needed.



      -- Noel Jones
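To make the ordering point concrete, here is a small model of how Postfix walks a restriction list. It is example code written for this page, not code from the thread or from Postfix itself: it reproduces only the first-match rule (restrictions run left to right, each yields PERMIT, REJECT or DUNNO, the first PERMIT or REJECT ends evaluation, a list that runs out permits). DNSBL answers and SASL state are fed in from a constructed `Client` record rather than real lookups, and `MY_DOMAINS`, `BLOCKED_RCPT_DOMAINS` and `WHITELIST_CIDR` are constructed stand-ins for the site's own tables. The three lists are the two from Fabio's mail and the reordering Noel suggests.

```python
"""Toy model of Postfix smtpd_recipient_restrictions evaluation (added example)."""
from dataclasses import dataclass

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"


@dataclass
class Client:
    ip: str
    sasl_authenticated: bool
    sender: str
    recipient: str
    listed_in_rbl: bool  # stands in for the zen.spamhaus.org answer (constructed)


# Constructed stand-ins for the site's tables (assumptions, not the thread's data).
MY_DOMAINS = {"example.com"}                          # domains this MTA accepts mail for
BLOCKED_RCPT_DOMAINS = {"blocked.example": "REJECT"}  # hash:/etc/postfix/domain.hash
WHITELIST_CIDR = {"1.2.3.4": "OK"}                    # cidr:/etc/postfix/whitelist_client.cidr


def _domain(addr):
    return addr.rsplit("@", 1)[-1]


def reject_rbl_client(c):
    return REJECT if c.listed_in_rbl else DUNNO


def reject_non_fqdn_sender(c):
    return DUNNO if "." in _domain(c.sender) else REJECT


def reject_non_fqdn_recipient(c):
    return DUNNO if "." in _domain(c.recipient) else REJECT


def reject_unknown_sender_domain(c):
    return DUNNO  # DNS resolution is not modelled here


def check_recipient_access(c):
    # Access-map "OK" is a PERMIT, "REJECT" a REJECT, no entry means DUNNO.
    action = BLOCKED_RCPT_DOMAINS.get(_domain(c.recipient))
    return {"OK": PERMIT, "REJECT": REJECT}.get(action, DUNNO)


def check_client_access(c):
    action = WHITELIST_CIDR.get(c.ip)
    return {"OK": PERMIT, "REJECT": REJECT}.get(action, DUNNO)


def permit_sasl_authenticated(c):
    return PERMIT if c.sasl_authenticated else DUNNO


def reject_unauth_destination(c):
    return DUNNO if _domain(c.recipient) in MY_DOMAINS else REJECT


def evaluate(restrictions, client):
    """Return (verdict, name of the restriction that decided it)."""
    for restriction in restrictions:
        result = restriction(client)
        if result != DUNNO:
            return result, restriction.__name__
    return PERMIT, "end-of-list"  # every restriction said DUNNO


# Fabio's first list: RBL check runs before anything else.
ORIGINAL = [reject_rbl_client, reject_non_fqdn_sender, reject_non_fqdn_recipient,
            reject_unknown_sender_domain, check_recipient_access,
            permit_sasl_authenticated, reject_unauth_destination]
# Fabio's whitelist attempt: an "OK" client entry sits before the RBL check.
WHITELISTED = [reject_non_fqdn_sender, reject_non_fqdn_recipient,
               reject_unknown_sender_domain, check_recipient_access,
               check_client_access, reject_rbl_client,
               permit_sasl_authenticated, reject_unauth_destination]
# Noel's suggestion: SASL permit before the RBL check, no whitelist.
REORDERED = [reject_non_fqdn_sender, reject_non_fqdn_recipient,
             reject_unknown_sender_domain, check_recipient_access,
             permit_sasl_authenticated, reject_rbl_client,
             reject_unauth_destination]

# Constructed clients covering the cases the thread cares about.
AUTH_LISTED = Client("1.2.3.4", True, "u@customer.example", "x@elsewhere.example", True)
UNAUTH_LISTED_RELAY = Client("1.2.3.4", False, "u@customer.example", "x@elsewhere.example", True)
UNAUTH_CLEAN_RELAY = Client("5.6.7.8", False, "u@customer.example", "x@elsewhere.example", False)
AUTH_BLOCKED_RCPT = Client("5.6.7.8", True, "u@customer.example", "x@blocked.example", False)

if __name__ == "__main__":
    for name, lst in (("ORIGINAL", ORIGINAL), ("WHITELISTED", WHITELISTED), ("REORDERED", REORDERED)):
        for cname, client in (("auth, listed IP", AUTH_LISTED), ("no auth, listed IP", UNAUTH_LISTED_RELAY),
                              ("no auth, clean IP", UNAUTH_CLEAN_RELAY), ("auth, blocked rcpt", AUTH_BLOCKED_RCPT)):
            print(f"{name:12} {cname:20} -> {evaluate(lst, client)}")
```

Running it shows why the whitelist cannot be combined with mandatory authentication: the `OK` entry returns PERMIT and ends the list, so an unauthenticated client on 1.2.3.4 relays anywhere without ever reaching `permit_sasl_authenticated` or `reject_unauth_destination`. With Noel's ordering an authenticated client on a listed IP passes at `permit_sasl_authenticated`, an unauthenticated one on the same IP is still rejected by the RBL, and the recipient-domain block placed before the SASL permit still applies to authenticated users. The trade-off for a defender is that the RBL no longer screens authenticated sessions at all, so the downstream controls Fabio mentions carry the stolen-credential case on their own.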