Exceptions to reject_invalid_hostname ?

Exceptions to reject_invalid_hostname ?

Frank Bonnet
Hello

I have the following rules in main.cf :

smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:10023,
    permit


I wonder if it is possible to add exceptions to the
reject_invalid_hostname statement because two professors
need to receive some emails from a few people who don't have
well-configured machines and don't have DNS access/knowledge.


Thanks a lot


Re: Exceptions to reject_invalid_hostname ?

Barney Desmond
On 17 February 2010 20:07, Frank Bonnet <[hidden email]> wrote:

> smtpd_recipient_restrictions =
>   reject_invalid_hostname,
>   reject_non_fqdn_sender,
>   reject_unknown_sender_domain,
>   reject_unknown_recipient_domain,
>   reject_unauth_pipelining,
>   permit_mynetworks,
>   reject_unauth_destination,
>   reject_unlisted_recipient,
>   check_policy_service inet:127.0.0.1:10023,
>   permit
>
> I wonder if it is possible to add exceptions to the reject_invalid_hostname
> statement because two professors
> need to receive some emails from few persons that haven't
> well configured machines and don't have DNS access/knowledge.

This will depend on what you do/don't have control over. For the
record, reject_invalid_hostname is a deprecated pre-Postfix 2.3 name,
the new name for this is "reject_invalid_helo_hostname". It sounds
like you want to whitelist the professors based on either HELO name
(kind of unreliable and easily abused if someone finds out), or their
IP address (could be troublesome if it's dynamic).

http://www.postfix.org/postconf.5.html#check_client_access
Basically, you'd insert an access-table lookup first in the list of
restrictions and only apply reject_invalid_hostname if the sender
isn't one of the professors. I don't guarantee that I've got this
right, but it'd be something like this...

smtpd_recipient_restrictions =
  check_client_access cidr:/etc/postfix/professors.cidr,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  etc...

Where the contents of /etc/postfix/professors.cidr are:
1.2.3.4    DUNNO
1.2.4.10    DUNNO
0.0.0.0/0    reject_invalid_hostname


This assumes that you're checking the source address. The DUNNO should
skip the professors, and apply reject_invalid_hostname to everyone
else.

More on access tables here: http://www.postfix.org/access.5.html
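
A small model of how the CIDR table in the reply above is evaluated, added here as an illustration; it is not part of either poster's configuration or of Postfix itself. It shows two things worth checking before deploying such a table: patterns are tried in file order and the first match wins, and an IPv4 catch-all never matches an IPv6 client, so on a server that accepts IPv6 those clients would skip the HELO check. It assumes plain `pattern result` lines only; the function names, the client addresses, the misordered table and the `::/0` line are constructed for the example.

```python
import ipaddress

# Table exactly as given in the post above.
PROFESSORS_CIDR = """\
1.2.3.4    DUNNO
1.2.4.10    DUNNO
0.0.0.0/0    reject_invalid_hostname
"""

def parse_cidr_table(text):
    """Return [(network, result)] in file order, skipping blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), result.strip()))
    return rules

def lookup(rules, client_ip):
    """First matching pattern wins; None means no match, so the next restriction runs."""
    addr = ipaddress.ip_address(client_ip)
    for net, result in rules:
        # An IPv4 pattern never matches an IPv6 client, and vice versa.
        if addr.version == net.version and addr in net:
            return result
    return None

def audit(table_text, clients):
    """Map each client address to the table result it would receive."""
    rules = parse_cidr_table(table_text)
    return {ip: lookup(rules, ip) for ip in clients}

# Constructed client addresses: a listed professor, an unlisted IPv4 host, an IPv6 host.
CLIENTS = ["1.2.3.4", "203.0.113.25", "2001:db8::25"]

# Variant 1 (assumption): catch-all moved to the top, so the exceptions are never reached.
MISORDERED = "0.0.0.0/0    reject_invalid_hostname\n1.2.3.4    DUNNO\n"
# Variant 2 (assumption): IPv6 catch-all appended so IPv6 clients get the HELO check too.
WITH_IPV6 = PROFESSORS_CIDR + "::/0    reject_invalid_hostname\n"

if __name__ == "__main__":
    for name, table in [("posted", PROFESSORS_CIDR), ("misordered", MISORDERED),
                        ("with ::/0", WITH_IPV6)]:
        print(name, audit(table, CLIENTS))
```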

Re: Exceptions to reject_invalid_hostname ?

Frank Bonnet
On 02/17/10 11:32, Barney Desmond wrote:

> On 17 February 2010 20:07, Frank Bonnet<[hidden email]>  wrote:
>> smtpd_recipient_restrictions =
>>    reject_invalid_hostname,
>>    reject_non_fqdn_sender,
>>    reject_unknown_sender_domain,
>>    reject_unknown_recipient_domain,
>>    reject_unauth_pipelining,
>>    permit_mynetworks,
>>    reject_unauth_destination,
>>    reject_unlisted_recipient,
>>    check_policy_service inet:127.0.0.1:10023,
>>    permit
>>
>> I wonder if it is possible to add exceptions to the reject_invalid_hostname
>> statement because two professors
>> need to receive some emails from few persons that haven't
>> well configured machines and don't have DNS access/knowledge.
>
> This will depend on what you do/don't have control over. For the
> record, reject_invalid_hostname is a deprecated pre-Postfix 2.3 name,
> the new name for this is "reject_invalid_helo_hostname". It sounds
> like you want to whitelist the professors based on either HELO name
> (kind of unreliable and easily abused if someone finds out), or their
> IP address (could be troublesome if it's dynamic).
>
> http://www.postfix.org/postconf.5.html#check_client_access
> Basically, you'd insert an access-table lookup first in the list of
> restrictions and only apply reject_invalid_hostname if the sender
> isn't one of the professors. I don't guarantee that I've got this
> right, but it'd be something like this...
>
> smtpd_recipient_restrictions =
>    check_client_access cidr:/etc/postfix/professors.cidr,
>    reject_non_fqdn_sender,
>    reject_unknown_sender_domain,
>    etc...
>
> Where the contents of /etc/postfix/professors.cidr is:
> 1.2.3.4    DUNNO
> 1.2.4.10    DUNNO
> 0.0.0.0/0    reject_invalid_hostname
>
>
> This assumes that you're checking the source address. The DUNNO should
> skip the professors, and apply reject_invalid_hostname to everyone
> else.
>
> More on access tables here: http://www.postfix.org/access.5.html

OK,
  thanks a lot Barney