Fwd: Verify Proper method for sender restrictions
Locked
 
|
Hello All, Trying to make sure I'm doing this correctly, both at the right point within the mail communications and in the format of my has file. smtpd_recipient_restrictions= check_sender_access hash:name of file And within that file have both white & blacklist like so: youareok.com OK youarebad.com REJCT 1.2.3.4 550 Block-I dont like you 1.5.6.0/24 550 Block I dont like any of you. Thanks! Joey |
|
|
On 26/10/2020 20:44, Joey J wrote: > And within that file have both white & blacklist like so: > youareok.com <http://youareok.com> OK > youarebad.com <http://youarebad.com> REJCT > 1.2.3.4 550 Block-I dont like you > 1.5.6.0/24 <http://1.5.6.0/24> 550 Block I dont like any of you. > Some time ago (5 years maybe) I discovered that "OK" was not being universally recognised in every access list; I cultivated the habit of using the words "ACCEPT" and REJECT" - and have had no problems since. Allen C |
Re: Fwd: Verify Proper method for sender restrictions
|
|
On Wed, Oct 28, 2020 at 09:05:40AM +0000, Allen Coates wrote:
> Some time ago (5 years maybe) I discovered that "OK" was not being universally > recognised in every access list; I cultivated the habit of using the words > "ACCEPT" and REJECT" - and have had no problems since. That's odd, because in fact Postfix does not support "ACCEPT", but smtpd(8) definitely supports "OK" in *ALL* access(5) tables: smtpd_check.c: if (STREQUAL(value, "DUNNO", cmd_len)) smtpd_check.c: if (STREQUAL(value, "REJECT", cmd_len)) { smtpd_check.c: if (STREQUAL(value, "DEFER", cmd_len)) { smtpd_check.c: if (STREQUAL(value, "HANGUP", cmd_len)) { smtpd_check.c: if (STREQUAL(value, "INFO", cmd_len)) { smtpd_check.c: if (STREQUAL(value, "WARN", cmd_len)) { smtpd_check.c: if (STREQUAL(value, "FILTER", cmd_len)) { smtpd_check.c: if (STREQUAL(value, "HOLD", cmd_len)) { smtpd_check.c: if (STREQUAL(value, "DELAY", cmd_len)) { smtpd_check.c: if (STREQUAL(value, "DISCARD", cmd_len)) { smtpd_check.c: if (STREQUAL(value, "REDIRECT", cmd_len)) { smtpd_check.c: if (STREQUAL(value, "BCC", cmd_len)) { smtpd_check.c: if (STREQUAL(value, DEFER_IF_PERMIT, cmd_len)) { smtpd_check.c: if (STREQUAL(value, DEFER_IF_REJECT, cmd_len)) { smtpd_check.c: if (STREQUAL(value, "PREPEND", cmd_len)) { smtpd_check.c: if (STREQUAL(value, "OK", cmd_len) || STREQUAL(value, "RELAY", cmd_len)) and even cleanup(8) supports "OK" in header/body_checks(5), though "DUNNO" is preferred: cleanup_message.c: if (STREQUAL(value, "REJECT", command_len)) { cleanup_message.c: if (STREQUAL(value, "WARN", command_len)) { cleanup_message.c: if (STREQUAL(value, "INFO", command_len)) { cleanup_message.c: if (STREQUAL(value, "FILTER", command_len)) { cleanup_message.c: if (STREQUAL(value, "PASS", command_len)) { cleanup_message.c: if (STREQUAL(value, "DISCARD", command_len)) { cleanup_message.c: if (STREQUAL(value, "HOLD", command_len)) { cleanup_message.c: if (STREQUAL(value, "DELAY", command_len)) { cleanup_message.c: if (STREQUAL(value, "PREPEND", command_len)) { cleanup_message.c: if (STREQUAL(value, "REPLACE", command_len)) { cleanup_message.c: if (STREQUAL(value, "REDIRECT", command_len)) { cleanup_message.c: if (STREQUAL(value, "BCC", command_len)) { cleanup_message.c: if (STREQUAL(value, "STRIP", command_len)) { cleanup_message.c: if (STREQUAL(value, "IGNORE", command_len)) cleanup_message.c: if (STREQUAL(value, "DUNNO", command_len)) /* preferred */ cleanup_message.c: if (STREQUAL(value, "OK", command_len)) /* compat */ -- Viktor. |
|
|
Viktor, Since you are looking within the code, on a reject we used to put @abc.com 550 and custom reject message is that still valid? Will @abc.com REJECT 550 and custom reject message work? Thank you! On Wed, Oct 28, 2020 at 11:25 AM Viktor Dukhovni <[hidden email]> wrote: On Wed, Oct 28, 2020 at 09:05:40AM +0000, Allen Coates wrote: Thanks!
Joey |
Re: Fwd: Verify Proper method for sender restrictions
|
|
On Wed, Oct 28, 2020 at 11:34:35AM -0400, Joey J wrote:
> Since you are looking within the code, on a reject we used to put > @abc.com 550 and custom reject message There's no need to consult the code. The lookup keys for access(5) tables are documented. They DO NOT include "@domain". To reject mail to/from all users at a domain the lookup key is just the domain name. See the documentation. http://www.postfix.org/access.5.html EMAIL ADDRESS PATTERNS With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, patterns are tried in the order as listed below: user@domain Matches the specified mail address. domain.tld Matches domain.tld as the domain part of an email address. The pattern domain.tld also matches subdomains, but only when the string smtpd_access_maps is listed in the Postfix par- ent_domain_matches_subdomains configuration setting. .domain.tld Matches subdomains of domain.tld, but only when the string smtpd_access_maps is not listed in the Postfix par- ent_domain_matches_subdomains configuration setting. user@ Matches all mail addresses with the specified user part. Note: lookup of the null sender address is not possible with some types of lookup table. By default, Postfix uses <> as the lookup key for such addresses. The value is specified with the smtpd_null_access_lookup_key parameter in the Postfix main.cf file. -- Viktor. |
|
|
In reply to this post by Viktor Dukhovni
On 28/10/2020 15:24, Viktor Dukhovni wrote: > On Wed, Oct 28, 2020 at 09:05:40AM +0000, Allen Coates wrote: > >> Some time ago (5 years maybe) I discovered that "OK" was not being universally >> recognised in every access list; I cultivated the habit of using the words >> "ACCEPT" and REJECT" - and have had no problems since. > That's odd, because in fact Postfix does not support "ACCEPT", but > smtpd(8) definitely supports "OK" in *ALL* access(5) tables: If I recall rightly, it was about the time I started using postscreen, and I was using the file postscreen_access.cidr as a whitelist to bypass the tests in smtpd_sender_restrictions. But it was a LONG time ago, and all I can remember is that there was something about "OK" that didn't give the results I expected. I will have to have a "play" again... Allen C |
Re: Fwd: Verify Proper method for sender restrictions
|
|
On 28/10/2020 15:53, Allen Coates wrote: > > On 28/10/2020 15:24, Viktor Dukhovni wrote: >> On Wed, Oct 28, 2020 at 09:05:40AM +0000, Allen Coates wrote: >> >>> Some time ago (5 years maybe) I discovered that "OK" was not being universally >>> recognised in every access list; I cultivated the habit of using the words >>> "ACCEPT" and REJECT" - and have had no problems since. >> That's odd, because in fact Postfix does not support "ACCEPT", but >> smtpd(8) definitely supports "OK" in *ALL* access(5) tables: > If I recall rightly, it was about the time I started using postscreen, and I was > using the file postscreen_access.cidr as a whitelist to bypass the tests in > smtpd_sender_restrictions. > > But it was a LONG time ago, and all I can remember is that there was something > about "OK" that didn't give the results I expected. > > I will have to have a "play" again... The only acceptable commands for postscreen_access_list (per documentation) are: permit_my_networks / permit / reject / dunno / type:table. OK is not acceptable here. |
|
|
In reply to this post by Viktor Dukhovni
Thank you, sometime I forget to RTFM. A 2 part question. abc.com 550 Spam from ABC.com Will this match anything with abc.com, as an example if the message comes from [hidden email] will it get rejected? Additionally in the doc I see REJECT and below that 5xx, do I need to have REJECT 550 We don't like you or does 500 We don't like you Work? Thank you On Wed, Oct 28, 2020 at 11:51 AM Viktor Dukhovni <[hidden email]> wrote: On Wed, Oct 28, 2020 at 11:34:35AM -0400, Joey J wrote: Thanks!
Joey |
Re: Fwd: Verify Proper method for sender restrictions
|
|
On Wed, Oct 28, 2020 at 12:09:38PM -0400, Joey J wrote:
> Thank you, sometime I forget to RTFM. > > A 2 part question. > abc.com 550 Spam from ABC.com > > Will this match anything with abc.com, as an example if the message comes > from [hidden email] will it get rejected? The same documentation answers that question. There's no need for me to paste it again, or attempt to restate it. > > See the documentation. > > > > http://www.postfix.org/access.5.html > > > > EMAIL ADDRESS PATTERNS -- Viktor. |
«
Return to Postfix Users
|
1 view|%1 views
| Free forum by Nabble | Edit this page |