
Re: Exceptions to reject_rbl_client *AND* SASL authentication enforcement

  • Fabio Sangiovanni
    Message 1 of 8 , Feb 11, 2013
      Viktor Dukhovni <postfix-users <at> dukhovni.org> writes:

      > Replace "OK" with:
      >
      > /etc/postfix/whitelist_client.cidr:
      > 192.0.2.1/32 permit_sasl_authenticated
      >

      Sorry Viktor,

      I have another question: what happens if a client is whitelisted AND it fails
      SASL authentication?
      I suppose that the following directives are evaluated, aren't they?
      So, in such cases, there is a query to the rbl, another (failed) check for
      SASL authentication (if the IP is not listed), and the final reject due to
      reject_unauth_destination.

      So, is it correct to create the file /etc/postfix/whitelist_client.cidr with
      entries like:
      192.0.2.1/32 permit_sasl_authenticated,reject

      The additional reject should prevent further evaluation of restrictions outside
      (and following) the access table.

      Thanks again for your help.

      Fabio
    • Viktor Dukhovni
      Message 2 of 8 , Feb 11, 2013
        On Mon, Feb 11, 2013 at 03:19:52PM +0000, Fabio Sangiovanni wrote:

        > I have another question: what happens if a client is whitelisted AND it fails
        > SASL authentication?

        The whitelist only applies to authenticated users. Unauthenticated users
        are treated like everyone else.

        > I suppose that the following directives are evaluated, aren't they?
        > So, in such cases, there is a query to the rbl, another (failed) check for
        > SASL authentication (if the IP is not listed), and the final reject due to
        > reject_unauth_destination.
        >
        > So, is it correct to create the file /etc/postfix/whitelist_client.cidr with
        > entries like:
        > 192.0.2.1/32 permit_sasl_authenticated,reject
        >
        > The additional reject should prevent further evaluation of restrictions outside
        > (and following) the access table.

        You're working too hard, the suggested settings should work just fine.

        --
        Viktor.
      • Fabio Sangiovanni
        Message 3 of 8 , Feb 11, 2013
          Viktor Dukhovni <postfix-users <at> dukhovni.org> writes:

          > You're working too hard, the suggested settings should work just fine.

          Would you be so kind to point me to some readings on the matter? The only
          relevant piece of documentation seems to be RESTRICTION_CLASS_README, but, even
          after reading that, it's not clear to me *why* those settings should work
          equally (that is, with or without the final reject), nor what is the default in
          a sequence of restrictions within an access table...
          I don't want to just set the right configuration once for all, I'm interested in
          developing a deeper knowledge on the topic. :)

          As usual, thanks for your time.

          Fabio
        • Viktor Dukhovni
          Message 4 of 8 , Feb 12, 2013
            On Mon, Feb 11, 2013 at 10:29:38PM +0000, Fabio Sangiovanni wrote:

            > Viktor Dukhovni <postfix-users <at> dukhovni.org> writes:
            >
            > > You're working too hard, the suggested settings should work just fine.
            >
            > Would you be so kind to point me to some readings on the matter?

            You don't want to explicitly blacklist RBL addresses (for unauthenticated
            users). The addresses may be deleted from the RBL at some point.

            The proposed solution simply whitelists the address for authenticated
            users and otherwise treats it exactly as any other address.

            --
            Viktor.
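
An added example, not part of the original thread and not Postfix's own code: a simplified Python model of first-match-wins restriction evaluation, showing where the suggested table entry and the ",reject" variant diverge once the address is no longer on the RBL. The restriction order is assumed from the description in message 1 (the main.cf is not shown), and check_client_access as the lookup, example.com and the sample clients are constructed for illustration.

```python
import ipaddress

# Restriction order as described in message 1 (assumed; main.cf is not shown).
MAIN = ["check_client_access", "reject_rbl_client",
        "permit_sasl_authenticated", "reject_unauth_destination"]
SUGGESTED = [("192.0.2.1/32", ["permit_sasl_authenticated"])]
WITH_REJECT = [("192.0.2.1/32", ["permit_sasl_authenticated", "reject"])]
LOCAL_DOMAINS = {"example.com"}  # hypothetical domain this server accepts mail for

def step(name, client, table, rbl):
    """One restriction: 'OK' or 'REJECT' is final, 'DUNNO' means keep going."""
    if name == "permit_sasl_authenticated":
        return "OK" if client["sasl"] else "DUNNO"
    if name == "reject":
        return "REJECT"
    if name == "reject_rbl_client":
        return "REJECT" if client["ip"] in rbl else "DUNNO"
    if name == "reject_unauth_destination":
        return "DUNNO" if client["rcpt_domain"] in LOCAL_DOMAINS else "REJECT"
    if name == "check_client_access":
        addr = ipaddress.ip_address(client["ip"])
        for net, actions in table:  # first matching CIDR row decides
            if addr in ipaddress.ip_network(net):
                # The right-hand side is itself a list of restrictions.
                return evaluate(actions, client, table, rbl)
        return "DUNNO"
    raise ValueError(f"unknown restriction: {name}")

def evaluate(restrictions, client, table, rbl):
    """Walk a restriction list; the first non-DUNNO result wins."""
    for name in restrictions:
        result = step(name, client, table, rbl)
        if result != "DUNNO":
            return result
    return "DUNNO"

def decide(client, table, rbl):
    """Top-level list: falling off the end means the recipient is accepted."""
    return "REJECT" if evaluate(MAIN, client, table, rbl) == "REJECT" else "OK"

if __name__ == "__main__":
    unauth = {"ip": "192.0.2.1", "sasl": False, "rcpt_domain": "example.com"}
    auth = dict(unauth, sasl=True, rcpt_domain="example.net")
    for label, table in (("suggested", SUGGESTED), ("with reject", WITH_REJECT)):
        for rbl in ({"192.0.2.1"}, set()):  # listed, then later delisted
            print(label, sorted(rbl), decide(auth, table, rbl),
                  decide(unauth, table, rbl))
```

While the address is on the RBL both tables give the same answers; after delisting, only the ",reject" variant still refuses unauthenticated mail from it to a local recipient.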