Fwd: Verify Proper method for sender restrictions

Joey J


Hello All,

Trying to make sure I'm doing this correctly, both at the right point within the mail communications and in the format of my hash file.

smtpd_recipient_restrictions=
   check_sender_access hash:name of file

And within that file have both white & blacklist like so:
1.2.3.4  550 Block-I dont like you
1.5.6.0/24 550 Block I dont like any of you.



--
Thanks!
Joey

Re: Fwd: Verify Proper method for sender restrictions

allenc


On 26/10/2020 20:44, Joey J wrote:
> And within that file have both white & blacklist like so:
> youareok.com   OK
> youarebad.com  REJCT
> 1.2.3.4  550 Block-I dont like you
> 1.5.6.0/24 550 Block I dont like any of you.
>

Some time ago (5 years maybe) I discovered that "OK" was not being universally
recognised in every access list;  I cultivated the habit of using the words
"ACCEPT" and "REJECT" - and have had no problems since.

Allen C
Re: Fwd: Verify Proper method for sender restrictions

Viktor Dukhovni
On Wed, Oct 28, 2020 at 09:05:40AM +0000, Allen Coates wrote:

> Some time ago (5 years maybe) I discovered that "OK" was not being universally
> recognised in every access list;  I cultivated the habit of using the words
> "ACCEPT" and "REJECT" - and have had no problems since.

That's odd, because in fact Postfix does not support "ACCEPT", but
smtpd(8) definitely supports "OK" in *ALL* access(5) tables:

    smtpd_check.c:    if (STREQUAL(value, "DUNNO", cmd_len))
    smtpd_check.c:    if (STREQUAL(value, "REJECT", cmd_len)) {
    smtpd_check.c:    if (STREQUAL(value, "DEFER", cmd_len)) {
    smtpd_check.c:    if (STREQUAL(value, "HANGUP", cmd_len)) {
    smtpd_check.c:    if (STREQUAL(value, "INFO", cmd_len)) {
    smtpd_check.c:    if (STREQUAL(value, "WARN", cmd_len)) {
    smtpd_check.c:    if (STREQUAL(value, "FILTER", cmd_len)) {
    smtpd_check.c:    if (STREQUAL(value, "HOLD", cmd_len)) {
    smtpd_check.c:    if (STREQUAL(value, "DELAY", cmd_len)) {
    smtpd_check.c:    if (STREQUAL(value, "DISCARD", cmd_len)) {
    smtpd_check.c:    if (STREQUAL(value, "REDIRECT", cmd_len)) {
    smtpd_check.c:    if (STREQUAL(value, "BCC", cmd_len)) {
    smtpd_check.c:    if (STREQUAL(value, DEFER_IF_PERMIT, cmd_len)) {
    smtpd_check.c:    if (STREQUAL(value, DEFER_IF_REJECT, cmd_len)) {
    smtpd_check.c:    if (STREQUAL(value, "PREPEND", cmd_len)) {
    smtpd_check.c:    if (STREQUAL(value, "OK", cmd_len) || STREQUAL(value, "RELAY", cmd_len))

and even cleanup(8) supports "OK" in header/body_checks(5), though
"DUNNO" is preferred:

    cleanup_message.c:    if (STREQUAL(value, "REJECT", command_len)) {
    cleanup_message.c:    if (STREQUAL(value, "WARN", command_len)) {
    cleanup_message.c:    if (STREQUAL(value, "INFO", command_len)) {
    cleanup_message.c:    if (STREQUAL(value, "FILTER", command_len)) {
    cleanup_message.c:    if (STREQUAL(value, "PASS", command_len)) {
    cleanup_message.c:    if (STREQUAL(value, "DISCARD", command_len)) {
    cleanup_message.c:    if (STREQUAL(value, "HOLD", command_len)) {
    cleanup_message.c:    if (STREQUAL(value, "DELAY", command_len)) {
    cleanup_message.c:    if (STREQUAL(value, "PREPEND", command_len)) {
    cleanup_message.c:    if (STREQUAL(value, "REPLACE", command_len)) {
    cleanup_message.c:    if (STREQUAL(value, "REDIRECT", command_len)) {
    cleanup_message.c:    if (STREQUAL(value, "BCC", command_len)) {
    cleanup_message.c:    if (STREQUAL(value, "STRIP", command_len)) {
    cleanup_message.c:    if (STREQUAL(value, "IGNORE", command_len))
    cleanup_message.c:    if (STREQUAL(value, "DUNNO", command_len))    /* preferred */
    cleanup_message.c:    if (STREQUAL(value, "OK", command_len))       /* compat */

--
    Viktor.
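
Added example, not from the thread or the Postfix sources: a small Python check that flags access-table entries whose action is neither one of the smtpd(8) keywords in the listing above nor a 4NN/5NN reply code, and keys written as "@domain", which access(5) does not list as a lookup key. The name lint_access and the sample table are constructed for illustration; a flagged word may still be an intended restriction name, so findings are for review.

```python
import re

# Keywords compared by smtpd(8) in the smtpd_check.c listing above.
ACTIONS = {
    "DUNNO", "REJECT", "DEFER", "HANGUP", "INFO", "WARN", "FILTER", "HOLD",
    "DELAY", "DISCARD", "REDIRECT", "BCC", "DEFER_IF_PERMIT",
    "DEFER_IF_REJECT", "PREPEND", "OK", "RELAY",
}
REPLY_CODE = re.compile(r"[45]\d\d$")  # "4NN text" / "5NN text" in access(5)


def lint_access(text):
    """Return (line_number, key, problem) tuples for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Skip blanks, comments, and continuation lines (leading whitespace).
        if not line.strip() or line[0] == "#" or line[0].isspace():
            continue
        fields = line.split(None, 2)
        key = fields[0]
        if key.startswith("@"):
            findings.append((lineno, key, "'@domain' is not a lookup key"))
        if len(fields) < 2:
            findings.append((lineno, key, "no action given"))
            continue
        word = fields[1]
        # Assumption: keywords are compared without regard to case.
        if word.upper() in ACTIONS or REPLY_CODE.match(word):
            continue
        findings.append((lineno, key, f"'{word}' is not a listed action"))
    return findings


# Constructed sample table, built from entries quoted in this thread.
SAMPLE = """\
# constructed sample access table
youareok.com     OK
youarebad.com    REJCT
@abc.com         550 and custom reject message
abc.com          550 Spam from ABC.com
allowed.example  ACCEPT
"""

if __name__ == "__main__":
    for lineno, key, problem in lint_access(SAMPLE):
        print(f"line {lineno}: {key}: {problem}")
```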
Re: Fwd: Verify Proper method for sender restrictions

Joey J
Viktor,

Since you are looking within the code, on a reject we used to put 
@abc.com   550 and custom reject message

Is that still valid?

Will 
@abc.com   REJECT 550 and custom reject message work?

Thank you!

--
Thanks!
Joey

Re: Fwd: Verify Proper method for sender restrictions

Viktor Dukhovni
On Wed, Oct 28, 2020 at 11:34:35AM -0400, Joey J wrote:

> Since you are looking within the code, on a reject we used to put
> @abc.com   550 and custom reject message

There's no need to consult the code.  The lookup keys for access(5)
tables are documented.  They DO NOT include "@domain".  To reject
mail to/from all users at a domain the lookup key is just the
domain name.  See the documentation.

    http://www.postfix.org/access.5.html

    EMAIL ADDRESS PATTERNS
           With lookups from indexed files such as DB or DBM,  or  from  networked
           tables  such  as  NIS,  LDAP or SQL, patterns are tried in the order as
           listed below:

           user@domain
                  Matches the specified mail address.

           domain.tld
                  Matches domain.tld as the domain part of an email address.

                  The pattern domain.tld also matches subdomains, but only when
                  the string smtpd_access_maps is listed in the Postfix
                  parent_domain_matches_subdomains configuration setting.

           .domain.tld
                  Matches subdomains of domain.tld, but only when the string
                  smtpd_access_maps is not listed in the Postfix
                  parent_domain_matches_subdomains configuration setting.

           user@  Matches all mail addresses with the specified user part.

           Note: lookup of the null sender address is not possible with some types
           of lookup table. By default, Postfix uses <> as the lookup key for such
           addresses. The value is specified with the smtpd_null_access_lookup_key
           parameter in the Postfix main.cf file.

--
    Viktor.
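
Added example (not part of the message above or of Postfix itself): a Python sketch of the key order in the access(5) excerpt, showing why "@abc.com" is never consulted while "abc.com" matches the domain and, depending on parent_domain_matches_subdomains, its subdomains. The function names and the sample table are constructed for illustration; address extensions and non-indexed table types are left out.

```python
def sender_lookup_keys(address, parent_matches_subdomains=True):
    """Return the keys tried, in order, for one envelope address.

    parent_matches_subdomains=True models smtpd_access_maps being listed in
    parent_domain_matches_subdomains; False models it not being listed.
    """
    if address == "":
        return ["<>"]  # default smtpd_null_access_lookup_key
    if "@" not in address:
        raise ValueError("expected a fully qualified user@domain address")
    user, _, domain = address.rpartition("@")
    keys = [f"{user}@{domain}", domain]
    # Parent domains: bare "domain.tld" when subdomain matching is enabled
    # for access maps, otherwise the explicit ".domain.tld" form.
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(f"{user}@")
    return keys


def check_sender_access(table, address, **options):
    """Return (matching_key, action) for the first key found, else None."""
    for key in sender_lookup_keys(address, **options):
        if key in table:
            return key, table[key]
    return None


# Constructed sample table; "@abc.com" is the key form asked about above.
ACCESS = {
    "@abc.com": "550 and custom reject message",
    "abc.com": "550 Spam from ABC.com",
    "postmaster@": "OK",
}

if __name__ == "__main__":
    for sender in ("joe@abc.com", "joe@mail.abc.com", "postmaster@abc.com"):
        print(sender, sender_lookup_keys(sender),
              check_sender_access(ACCESS, sender))
```

Because the domain key is tried before "user@", the constructed "postmaster@ OK" entry does not exempt postmaster@abc.com from the "abc.com" rejection.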
Re: Fwd: Verify Proper method for sender restrictions

allenc
In reply to this post by Viktor Dukhovni


On 28/10/2020 15:24, Viktor Dukhovni wrote:
> On Wed, Oct 28, 2020 at 09:05:40AM +0000, Allen Coates wrote:
>
>> Some time ago (5 years maybe) I discovered that "OK" was not being universally
>> recognised in every access list;  I cultivated the habit of using the words
>> "ACCEPT" and "REJECT" - and have had no problems since.
> That's odd, because in fact Postfix does not support "ACCEPT", but
> smtpd(8) definitely supports "OK" in *ALL* access(5) tables:

If I recall rightly, it was about the time I started using postscreen, and I was
using the file postscreen_access.cidr as a whitelist to bypass the tests in
smtpd_sender_restrictions.

But it was a LONG time ago, and all I can remember is that there was something
about "OK" that didn't give the results I expected.

I will have to have a "play" again...

Allen C


Re: Fwd: Verify Proper method for sender restrictions

Dominic Raferd

On 28/10/2020 15:53, Allen Coates wrote:

>
> On 28/10/2020 15:24, Viktor Dukhovni wrote:
>> On Wed, Oct 28, 2020 at 09:05:40AM +0000, Allen Coates wrote:
>>
>>> Some time ago (5 years maybe) I discovered that "OK" was not being universally
>>> recognised in every access list;  I cultivated the habit of using the words
>>> "ACCEPT" and "REJECT" - and have had no problems since.
>> That's odd, because in fact Postfix does not support "ACCEPT", but
>> smtpd(8) definitely supports "OK" in *ALL* access(5) tables:
> If I recall rightly, it was about the time I started using postscreen, and I was
> using the file postscreen_access.cidr as a whitelist to bypass the tests in
> smtpd_sender_restrictions.
>
> But it was a LONG time ago, and all I can remember is that there was something
> about "OK" that didn't give the results I expected.
>
> I will have to have a "play" again...

The only acceptable commands for postscreen_access_list (per
documentation) are: permit_my_networks / permit / reject / dunno /
type:table. OK is not acceptable here.

Re: Fwd: Verify Proper method for sender restrictions

Joey J
In reply to this post by Viktor Dukhovni
Thank you, sometimes I forget to RTFM.

A 2 part question.
abc.com  550 Spam from ABC.com

Will this match anything with abc.com, as an example if the message comes from [hidden email] will it get rejected?
Additionally in the doc I see REJECT and below that 5xx, do I need to have
REJECT 550 We don't like you
or does 
500 We don't like you 
Work?

Thank you



--
Thanks!
Joey

Re: Fwd: Verify Proper method for sender restrictions

Viktor Dukhovni
On Wed, Oct 28, 2020 at 12:09:38PM -0400, Joey J wrote:

> Thank you, sometimes I forget to RTFM.
>
> A 2 part question.
> abc.com  550 Spam from ABC.com
>
> Will this match anything with abc.com, as an example if the message comes
> from [hidden email] will it get rejected?

The same documentation answers that question.  There's no need for me to
paste it again, or attempt to restate it.

> > See the documentation.
> >
> >     http://www.postfix.org/access.5.html
> >
> >     EMAIL ADDRESS PATTERNS

--
    Viktor.