Domain not being blocked in check_client_access


Joey J
Hello All,

I'm trying to figure out if I have made a mistake in my configuration or I won't match the record for this domain that made it through the rules.

I have the table  sender_reject_domain with this record:
mediaware-news.com  REJECT 550 SPR-mediaware-news.com

And below is my configuration:

smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        reject_non_fqdn_recipient
        check_recipient_access  regexp:/etc/postfix/rcptaccess
        check_sender_access     regexp:/etc/postfix/senderaccess
        check_client_access     hash:/etc/postfix/sender_reject_domain
        check_client_access     cidr:/etc/postfix/sender_reject_ip
        check_recipient_access  hash:/etc/postfix/sender_reject_invalid

The header for the message which made it through:

Received: from SN6PR19MB2383.namprd19.prod.outlook.com (2603:10b6:805:57::26)
 by BN6PR19MB0916.namprd19.prod.outlook.com with HTTPS; Thu, 29 Oct 2020
 19:54:52 +0000
Received: from CO2PR05CA0071.namprd05.prod.outlook.com (2603:10b6:102:2::39)
 by SN6PR19MB2383.namprd19.prod.outlook.com (2603:10b6:805:57::26) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3477.28; Thu, 29 Oct
 2020 19:54:50 +0000
Received: from MW2NAM12FT034.eop-nam12.prod.protection.outlook.com
 (2603:10b6:102:2:cafe::af) by CO2PR05CA0071.outlook.office365.com
 (2603:10b6:102:2::39) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.11 via Frontend
 Transport; Thu, 29 Oct 2020 19:54:49 +0000
Authentication-Results: spf=softfail (sender IP is 138.31.130.40)
 smtp.mailfrom=emark4.embluejet.com; userdom.com; dkim=pass
 (signature was verified) header.d=mediaware-news.com;userdom.com;
 dmarc=pass action=none header.from=mediaware-news.com;compauth=pass
 reason=100
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
 emark4.embluejet.com discourages use of 138.31.130.40 as permitted sender)
Received: from mgw.mailgateway.net (138.31.130.40) by
 MW2NAM12FT034.mail.protection.outlook.com (10.13.180.182) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.3520.9 via Frontend Transport; Thu, 29 Oct 2020 19:54:49 +0000
Received: from mgw.mgw.mailgateway.net (localhost.localdomain [127.0.0.1])
by mgw.mgw.mailgateway.net (Proxmox) with ESMTP id 5B30D808D7
for <[hidden email]>; Thu, 29 Oct 2020 15:54:48 -0400 (EDT)
Received: from nit9.embluenitro.com (nit9.embluenitro.com [185.98.146.11])
by mgw.mgw.mailgateway.net (Proxmox) with ESMTPS id 9DFFD804DB
for <[hidden email]>; Thu, 29 Oct 2020 15:54:41 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=epexo; d=mediaware-news.com;
 h=Content-Type:MIME-Version:From:To:Subject:reply-to:List-Unsubscribe:
 Message-ID:Date; i=[hidden email];
 bh=q/QebtA0Tax6bGYx7tp2DWcaumrGnzimiKqqmOCvSHw=;
 b=KWHGyCUEnKPq4n9CBtkAh+VrUl946rf4Bb0cJ2hO5Ja9titTEms/BWCb5rK51B7ko/BxoNHq0hsU
   8thSxY8mb6WlCXfO5Hq6/SO2LIl4C2xcZ3+TjztolGUqUHWp2McYDkv/MKoE1uG6316Y1+/CtezF
   w7covac4cHqXuI0YHJo=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=epexo; d=embluenitro.com;
 h=Content-Type:MIME-Version:From:To:Subject:reply-to:List-Unsubscribe:
 Message-ID:Date;
 bh=q/QebtA0Tax6bGYx7tp2DWcaumrGnzimiKqqmOCvSHw=;
 b=ZCuBZgMsCIGDxydtJqlPDEuFp30Y6luIhy8t3HWTQUKtS96q8DNAkn/GFW/clBSq1MsgKtfxc5qn
   Cz4Q1Tj7bapwfWQwl2ZrElVGcDKdck4Qwjp5HZY6P2+bnT67ZMxY0hOjYdkzGY2MhRtT916ajzvZ
   YyiKX1EWO6eCwNqR3rHk34O0yazaHt9isyj0BG0vrv8rEg/K/Jdk0bXNVbqCDJ8shik95GokRk8q
   62ezTZeqxeXxjluBskB2ywUjzz0U/tWPonwZT5vWAPovrRxccaOMDFpUR5jAZ+SGLClMmODwYS8X
   6Ddgycyg1zdIBIqB7trnfBgaqkfhmjkZqv4eGA==
Content-Type: multipart/alternative;
 boundary="===============1405112018376654933=="
MIME-Version: 1.0
From: Veeam Latam <[hidden email]>
To: [hidden email]
Subject: =?utf-8?q?El_backup_n=2E=C2=BA_1_para_los_proveedores_de_servicios?=
reply-to: [hidden email]
Feedback-ID: 5i1dp:5:email_id:ENVIO SIMPLE:5c3
X-mta: emblue3prd-0
X-emmkt: E;;5e3hm99;;5c3;;5i1dp:5;;9g3cr9
List-Unsubscribe: <https://app.embluemail.com/Services/Interaccion.svc/DesuscribirContactoEnvio?datos=5c3-R-ixfxyrxBKuwep:8t:b-R-9g3cr9>
Message-ID: <[hidden email]>
Date: Thu, 29 Oct 2020 16:54:29 -0300 (-03)
X-SPAM-LEVEL: Spam detection results:  0






--
Thanks!
Joey


Re: Domain not being blocked in check_client_access

Bill Cole-3
On 29 Oct 2020, at 17:28, Joey J wrote:

> Hello All,
>
> I'm trying to figure out if I have made a mistake in my configuration
> or I won't match the record for this domain that made it through the
> rules.
>
> I have the table  sender_reject_domain with this record:
> mediaware-news.com  REJECT 550 SPR-mediaware-news.com
>
> And below is my configuration:
>
> smtpd_recipient_restrictions =
>         permit_mynetworks
>         reject_unauth_destination
>         reject_non_fqdn_recipient
>         check_recipient_access  regexp:/etc/postfix/rcptaccess
>         check_sender_access     regexp:/etc/postfix/senderaccess
>         check_client_access     hash:/etc/postfix/sender_reject_domain
>         check_client_access     cidr:/etc/postfix/sender_reject_ip
>         check_recipient_access  hash:/etc/postfix/sender_reject_invalid

check_client_access acts on the valid hostname or IP address of the
connecting SMTP client. It DOES NOT act on any headers. No
'check_whatever_access' directive acts on headers; for that you need to
use header_checks.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: Domain not being blocked in check_client_access

Noel Jones-2
In reply to this post by Joey J

On 10/29/2020 4:28 PM, Joey J wrote:

> Hello All,
>
> I'm trying to figure out if I have made a mistake in my
> configuration or I won't match the record for this domain that made
> it through the rules.
>
> I have the table sender_reject_domain with this record:
> mediaware-news.com  REJECT 550 SPR-mediaware-news.com
>
> And below is my configuration:
>
> smtpd_recipient_restrictions =
>          permit_mynetworks
>          reject_unauth_destination
>          reject_non_fqdn_recipient
>          check_recipient_access  regexp:/etc/postfix/rcptaccess
>          check_sender_access     regexp:/etc/postfix/senderaccess
>          check_client_access     hash:/etc/postfix/sender_reject_domain

check_client_access is for checking the client domain name or IP.
You probably want check_sender_access to check the MAIL FROM address.


>          check_client_access     cidr:/etc/postfix/sender_reject_ip
>          check_recipient_access  hash:/etc/postfix/sender_reject_invalid
>
> The header for the message which made it through:

The postfix logs for this message would be far more useful. The logs
will show the client IP and verified hostname, and the MAIL FROM
name(s) used.



   -- Noel Jones
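
An added example, not part of any post in this thread and not Postfix code: a simplified Python model of the access(5) lookup keys that check_client_access and check_sender_access try, run against the values visible in the posted header. It assumes the default parent_domain_matches_subdomains behaviour and that the envelope sender domain is the smtp.mailfrom value shown in Authentication-Results; the sender local part is constructed because the archive hides it.

```python
# Simplified model of Postfix access(5) key lookups (illustration only).
# Record from the original post's sender_reject_domain table.
TABLE = {"mediaware-news.com": "REJECT 550 SPR-mediaware-news.com"}


def domain_keys(name):
    """The name itself, then each parent domain (subdomain matching on)."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def client_keys(hostname, ip):
    """check_client_access: verified hostname, parents, IPv4, octet prefixes."""
    octets = ip.split(".")
    return domain_keys(hostname) + [".".join(octets[:n]) for n in range(4, 0, -1)]


def sender_keys(mail_from):
    """check_sender_access: user@domain, domain and parents, then user@."""
    addr = mail_from.lower()
    user, _, domain = addr.rpartition("@")
    return [addr] + domain_keys(domain) + [user + "@"]


def first_match(keys, table=TABLE):
    """Return (key, action) for the first key present in the table, else None."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None


# Values read from the header posted in the thread.
CLIENT = ("nit9.embluenitro.com", "185.98.146.11")  # Received: line added by the gateway
MAIL_FROM = "bounce@emark4.embluejet.com"           # local part constructed; domain from smtp.mailfrom
HEADER_FROM_DOMAIN = "mediaware-news.com"           # header.from / DKIM d=; no check_*_access sees it


def evaluate():
    return {
        "check_client_access": first_match(client_keys(*CLIENT)),
        "check_sender_access": first_match(sender_keys(MAIL_FROM)),
        "header From domain (header_checks only)": first_match(domain_keys(HEADER_FROM_DOMAIN)),
    }


if __name__ == "__main__":
    for check, hit in evaluate().items():
        print(f"{check:42} -> {hit}")
```

Under these assumptions the table key appears only in the message headers, so neither access check returns the REJECT action for this message.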