How to white list

How to white list

durwin
I have whitelisted the ip in postscreen_access.cidr.  I can see the 'whitelisted' for postscreen in log.
But it does not get past smtpd.

I do not want to remove reject_invalid_helo_hostname as this really opens up more spam.  So how
do I white list the ip for smtpd?

Jul 23 13:53:32 postfix/smtpd[16279]: Anonymous TLS connection established from unknown[65.100.117.244]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Jul 23 13:53:32 postfix/smtpd[16279]: NOQUEUE: reject: RCPT from unknown[65.100.117.244]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [65.100.117.244]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<barracuda.slfcu.org>
Jul 23 13:53:33 postfix/smtpd[16279]: disconnect from unknown[65.100.117.244] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

Thank you,

Durwin

=== main.cf ===
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $alias_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
mydomain = mycompany.com
myhostname = postfix.mycompany.com
mynetworks = 172.23.93.0/24
mynetworks_style = subnet
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*2
postscreen_dnsbl_threshold = 2
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
relay_domains = $mydomain
relay_transport = relay:$mydomain
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_helo_name = mail.mycompany.com
smtpd_authorized_xclient_hosts = 172.23.93.0/24
smtpd_banner = mail.mycompany.com ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = reject_unknown_reverse_client_hostname
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access hash:/etc/postfix/helo_access reject_invalid_helo_hostname permit
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
smtpd_tls_CAfile = /etc/pki/tls/certs/mycompany-chain3.crt
smtpd_tls_cert_file = /etc/pki/tls/certs/mycompany3.crt
smtpd_tls_key_file = /etc/pki/tls/private/mycompany3.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual
=== END main.cf ===



This email message and any attachments are for the sole use of the intended recipient(s) and may contain proprietary and/or confidential information which may be privileged or otherwise protected from disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient(s), please contact the sender by reply email and destroy the original message and any copies of the message as well as any attachments to the original message.

Re: How to white list

durwin
I have.

smtpd_helo_restrictions =
    permit_mynetworks
    check_helo_access hash:/etc/postfix/helo_access
    reject_invalid_helo_hostname
#   reject_unknown_helo_hostname
    permit

And this file, helo_access has.

localhost.localdomain   PERMIT
65.100.117.244          PERMIT

60.189.57.253           REJECT

> From: Durwin De La Rue/Mgtsciences/US
> To: Postfix users <[hidden email]>
> Date: 07/23/2018 02:17 PM
> Subject: How to white list
>
> I have whitelisted the ip in postscreen_access.cidr.  I can see the
> 'whitelisted' for postscreen in log.
> But it does not get past smtpd.
>
> I do not want to remove reject_invalid_helo_hostname as this really
> opens up more spam.  So how
> do I white list the ip for smtpd?
>
> Jul 23 13:53:32 postfix/smtpd[16279]: Anonymous TLS connection established from unknown[65.100.117.244]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
> Jul 23 13:53:32 postfix/smtpd[16279]: NOQUEUE: reject: RCPT from unknown[65.100.117.244]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [65.100.117.244]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<barracuda.slfcu.org>
> Jul 23 13:53:33 postfix/smtpd[16279]: disconnect from unknown[65.100.117.244] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
>
> Thank you,
>
> Durwin


Re: How to white list

Bill Cole-3
In reply to this post by durwin
On 23 Jul 2018, at 16:17 (-0400), [hidden email] wrote:

> Jul 23 13:53:32 postfix/smtpd[16279]: NOQUEUE: reject: RCPT from
> unknown[65.100.117.244]: 450 4.7.1 Client host rejected: cannot find
> your
> reverse hostname, [65.100.117.244]; from=<[hidden email]>
[...]
> smtpd_client_restrictions = reject_unknown_reverse_client_hostname

Read the error message carefully. This is NOT an issue with the HELO
name.

Postfix is failing to resolve 65.100.117.244 to a name. That may be
transient or it may be a configuration issue, such as attempting to run
smtpd inside a chroot jail that lacks the needed devices, an overly
restrictive packet filter (or external firewall,) or an extra security
layer (SELinux, AppArmor, etc.) that prevents DNS resolution.

Resolution is fine from here:

$ dig +nocmd +nocomments +nostats +noquestion -x 65.100.117.244
244.117.100.65.in-addr.arpa. 86266 IN PTR mail.slfcu.org.

That name even resolves back properly to the IP:

$ dig +nocmd +nocomments +nostats +noquestion mail.slfcu.org
mail.slfcu.org. 6149 IN A 65.100.117.244




--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole
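
An added example, not part of the original post and not Postfix code: a small parser that reads smtpd `NOQUEUE: reject` lines and reports which attribute was tested and which restriction most likely produced the text, so a client-hostname reject is not mistaken for a HELO reject. The sample lines and the reason-to-restriction table are assumptions (only the first reason string appears in this thread).

```python
import re

# Constructed sample: the first line follows the reject quoted in this thread
# (addresses replaced with placeholders); the other two are invented for contrast.
SAMPLE_LOG = """\
Jul 23 13:53:32 postfix/smtpd[16279]: NOQUEUE: reject: RCPT from unknown[65.100.117.244]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [65.100.117.244]; from=<sender@example.org> to=<rcpt@example.com> proto=ESMTP helo=<barracuda.slfcu.org>
Jul 23 14:02:10 postfix/smtpd[16301]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 501 5.5.2 <bad_name!>: Helo command rejected: Invalid name; from=<sender@example.org> to=<rcpt@example.com> proto=ESMTP helo=<bad_name!>
Jul 23 14:05:44 postfix/smtpd[16310]: NOQUEUE: reject: RCPT from mx.example.net[198.51.100.7]: 554 5.7.1 <c@example.org>: Relay access denied; from=<sender@example.org> to=<c@example.org> proto=ESMTP helo=<mx.example.net>
"""

# Reason text -> restriction that logs it. Only the first entry appears in this
# thread; the rest are assumptions to verify against your own logs.
RESTRICTION_BY_REASON = {
    "Client host rejected: cannot find your reverse hostname": "reject_unknown_reverse_client_hostname",
    "Client host rejected: cannot find your hostname": "reject_unknown_client_hostname",
    "Helo command rejected: Invalid name": "reject_invalid_helo_hostname",
    "Helo command rejected: need fully-qualified hostname": "reject_non_fqdn_helo_hostname",
    "Helo command rejected: Host not found": "reject_unknown_helo_hostname",
    "Relay access denied": "reject_unauth_destination",
}

REJECT_RE = re.compile(
    r"NOQUEUE: reject: (?P<stage>\w+) from (?P<name>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?:<[^>]*>: )?(?P<reason>[^;]+);"
    r".*?helo=<(?P<helo>[^>]*)>"
)

def classify(line):
    """Return the parsed fields of one reject line, or None if it is not one."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    info = m.groupdict()
    reason = info["reason"].strip()
    info["restriction"] = next(
        (r for text, r in RESTRICTION_BY_REASON.items() if reason.startswith(text)),
        "unmapped")
    # The reason's first words name the attribute that was tested, whichever
    # smtpd_*_restrictions list the rule was placed in.
    info["tested"] = ("client" if reason.startswith("Client host") else
                      "helo" if reason.startswith("Helo command") else "other")
    return info

def summarize(log_text):
    """One (ip, code, tested, restriction) tuple per reject line in the text."""
    parsed = (classify(line) for line in log_text.splitlines())
    return [(p["ip"], p["code"], p["tested"], p["restriction"]) for p in parsed if p]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(*row)
```
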

Re: How to white list

allenc
In reply to this post by durwin


On 23/07/18 21:17, [hidden email] wrote:

> I have whitelisted the ip in postscreen_access.cidr.  I can see the
> 'whitelisted' for postscreen in log.
> But it does not get past smtpd.
>
> I do not want to remove reject_invalid_helo_hostname as this really opens
> up more spam.  So how
> do I white list the ip for smtpd?
>
> Jul 23 13:53:32 postfix/smtpd[16279]: Anonymous TLS connection established
> from unknown[65.100.117.244]: TLSv1.2 with cipher AECDH-AES256-SHA
> (256/256 bits)
> Jul 23 13:53:32 postfix/smtpd[16279]: NOQUEUE: reject: RCPT from
> unknown[65.100.117.244]: 450 4.7.1 Client host rejected: cannot find your
> reverse hostname, [65.100.117.244]; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<barracuda.slfcu.org>
> Jul 23 13:53:33 postfix/smtpd[16279]: disconnect from
> unknown[65.100.117.244] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1
> quit=1 commands=6/8
>
> Thank you,
>
> Durwin
>
> === main.cf ===

[snip]

> shlib_directory = /usr/lib64/postfix
> smtp_helo_name = mail.mycompany.com
> smtpd_authorized_xclient_hosts = 172.23.93.0/24
> smtpd_banner = mail.mycompany.com ESMTP $mail_name ($mail_version)

> smtpd_client_restrictions = reject_unknown_reverse_client_hostname
THIS is the line which is rejecting the email;

you could try
smtpd_client_restrictions = permit_mynetworks,
        check_client_access cidr:/etc/postfix/postscreen_access.cidr
        reject_unknown_reverse_client_hostname

anything white-listed by postscreen will bypass client restrictions also

> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks check_helo_access
> hash:/etc/postfix/helo_access reject_invalid_helo_hostname permit

Two useful (and safe) additions to your smtpd_helo_restrictions are:
reject_invalid_helo_hostname, and
reject_non_fqdn_helo_hostname
these force the HELO argument to be RFC compliant

Hope this helps

Allen C

Re: How to white list

durwin
[hidden email] wrote on 07/23/2018 05:04:45 PM:

> From: Allen Coates <[hidden email]>

> To: [hidden email]
> Date: 07/23/2018 05:05 PM
> Subject: Re: How to white list
> Sent by: [hidden email]
>
>
>
> On 23/07/18 21:17, [hidden email] wrote:
> > I have whitelisted the ip in postscreen_access.cidr.  I can see the
> > 'whitelisted' for postscreen in log.
> > But it does not get past smtpd.
> >
> > I do not want to remove reject_invalid_helo_hostname as this really opens
> > up more spam.  So how
> > do I white list the ip for smtpd?
> >
> > Jul 23 13:53:32 postfix/smtpd[16279]: Anonymous TLS connection established
> > from unknown[65.100.117.244]: TLSv1.2 with cipher AECDH-AES256-SHA
> > (256/256 bits)
> > Jul 23 13:53:32 postfix/smtpd[16279]: NOQUEUE: reject: RCPT from
> > unknown[65.100.117.244]: 450 4.7.1 Client host rejected: cannot find your
> > reverse hostname, [65.100.117.244]; from=<[hidden email]>
> > to=<[hidden email]> proto=ESMTP helo=<barracuda.slfcu.org>
> > Jul 23 13:53:33 postfix/smtpd[16279]: disconnect from
> > unknown[65.100.117.244] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1
> > quit=1 commands=6/8
> >
> > Thank you,
> >
> > Durwin
> >
> > === main.cf ===
>
> [snip]
>
> > shlib_directory = /usr/lib64/postfix
> > smtp_helo_name = mail.mycompany.com
> > smtpd_authorized_xclient_hosts = 172.23.93.0/24
> > smtpd_banner = mail.mycompany.com ESMTP $mail_name ($mail_version)
>
> > smtpd_client_restrictions = reject_unknown_reverse_client_hostname
> THIS is the line which is rejecting the email;
>
> you could try
> smtpd_client_restrictions = permit_mynetworks,
>    check_client_access cidr:/etc/postfix/postscreen_access.cidr
>    reject_unknown_reverse_client_hostname


Thank you.  This fixed issue.  Though I can't figure why it was being
blocked in the first place.

>
> anything white-listed by postscreen will bypass client restrictions also


I had it white-listed here.
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr

So why was it not passed?

>
> > smtpd_delay_reject = yes
> > smtpd_helo_required = yes
> > smtpd_helo_restrictions = permit_mynetworks check_helo_access
> > hash:/etc/postfix/helo_access reject_invalid_helo_hostname permit
>
> Two useful (and safe) additions to your smtpd_helo_restrictions are:
> reject_invalid_helo_hostname, and
> reject_non_fqdn_helo_hostname
> these force the HELO argument to be RFC compliant
>
> Hope this helps
>
> Allen C

Thank you.  This helped immensely.

Durwin



Re: How to white list

Viktor Dukhovni
In reply to this post by allenc


> On Jul 23, 2018, at 7:04 PM, Allen Coates <[hidden email]> wrote:
>
> anything white-listed by postscreen will bypass client restrictions also

That's not correct.

--
        Viktor.


Re: How to white list

durwin
[hidden email] wrote on 07/24/2018 09:35:39 AM:

> From: Viktor Dukhovni <[hidden email]>

> To: Postfix users <[hidden email]>
> Date: 07/24/2018 09:36 AM
> Subject: Re: How to white list
> Sent by: [hidden email]
>
>
>
> > On Jul 23, 2018, at 7:04 PM, Allen Coates
> <[hidden email]> wrote:
> >
> > anything white-listed by postscreen will bypass client restrictions also
>
> That's not correct.


Thank you for update.

>
> --
>    Viktor.
>




Re: How to white list

Bill Cole-3
In reply to this post by durwin
On 24 Jul 2018, at 11:31, [hidden email] wrote:

> I had it white-listed here.
> postscreen_access_list = permit_mynetworks,
>     cidr:/etc/postfix/postscreen_access.cidr
>
> So why was it not passed?

Because postscreen and smtpd are distinct programs that have independent
(but compatibly configured) restrictions. All that postscreen can do is
decide whether to hand off a connection to smtpd or not. It cannot tell
smtpd to whitelist the session against all of the restrictions that
smtpd can use, because postscreen does not have all of the information
about a session that smtpd has after it has engaged the client in a SMTP
conversation.
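
An added example, not part of the thread and not Postfix code: a simplified model of the two decisions discussed above, showing that the postscreen verdict is never an input to smtpd's `smtpd_client_restrictions`, and that the suggested `check_client_access` entry is what lets the listed address through. The table contents, the function names and the `ptr_name` parameter (the reverse name as the server saw it, `None` when the lookup found nothing) are assumptions.

```python
import ipaddress

MYNETWORKS = ["172.23.93.0/24"]                   # from the posted main.cf
ACCESS_CIDR = [("65.100.117.244/32", "permit")]   # constructed; the real file is not shown

def in_nets(ip, nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def cidr_lookup(ip):
    """First matching entry wins; None means no match (treated like DUNNO)."""
    for net, action in ACCESS_CIDR:
        if in_nets(ip, [net]):
            return action
    return None

def postscreen(ip):
    """Model of postscreen_access_list: the verdict covers postscreen's own tests only."""
    if in_nets(ip, MYNETWORKS) or cidr_lookup(ip) == "permit":
        return "whitelisted"
    return "blacklisted" if cidr_lookup(ip) == "reject" else "tested"

def smtpd_client(rules, ip, ptr_name):
    """Walk smtpd_client_restrictions left to right; return (verdict, deciding rule)."""
    for rule in rules:
        if rule == "permit_mynetworks" and in_nets(ip, MYNETWORKS):
            return "permit", rule
        if rule == "check_client_access" and cidr_lookup(ip) in ("permit", "reject"):
            return cidr_lookup(ip), rule
        if rule == "reject_unknown_reverse_client_hostname" and ptr_name is None:
            return "reject", rule
    # Nothing decided: the helo, relay and recipient lists still get their turn.
    return "dunno", "end of list"

ORIGINAL = ["reject_unknown_reverse_client_hostname"]
SUGGESTED = ["permit_mynetworks", "check_client_access",
             "reject_unknown_reverse_client_hostname"]

def trace(rules, ip, ptr_name):
    """Both stages for one client; smtpd_client() never sees postscreen's verdict."""
    return postscreen(ip), smtpd_client(rules, ip, ptr_name)

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, trace(rules, "65.100.117.244", None))
    print("unlisted", trace(SUGGESTED, "192.0.2.10", None))
```

A `permit` from `smtpd_client_restrictions` ends only that list; `smtpd_helo_restrictions`, `smtpd_relay_restrictions` and `smtpd_recipient_restrictions` are still evaluated for the same session.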