Postfix HELO checks

Postfix HELO checks

Simon Brereton-3
Hallo,

For as long as I can remember, I have blocked connections purporting
to be my own domain/IP address using a postmapped file called
helo_checks.

This is checked AFTER permit_sasl_authenticated.

smtpd_recipient_restrictions =
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
permit_sasl_authenticated,
reject_sender_login_mismatch,
rejected_authenticated_sender_login_mismatch,
check_helo_access hash:/etc/postfix/helo_checks,
.
.
.
permit_mynetworks,
reject_unauth_destination,
a bunch more RBLs,
permit

Since upgrading to 2.11 yesterday (yes, I am on a path to move up
through debian versions), all mail coming in on
postfix/submission/smtpd is being rejected by the domain check in that
file, even though the user is sasl authenticated.

Can someone help me figure out why?

I can probably remove/comment the offending line and rely on other
rejection parameters, but it still rejects a significant number of spam
attempts, so I'd prefer to keep it.

Many thanks.

Simon

Re: Postfix HELO checks

Matus UHLAR - fantomas
On 10.01.20 12:42, Simon B wrote:

>For as long as I can I remember, I have blocked connections purporting
>to be my own domain/IP address using a postmapped file called
>helo_checks.
>
>This is checked AFTER permit_sasl_authenticated.
>
>smtpd_recipient_restrictions =
>reject_non_fqdn_sender,
>reject_non_fqdn_recipient,
>permit_sasl_authenticated,
>reject_sender_login_mismatch,
>rejected_authenticated_sender_login_mismatch,
>check_helo_access hash:/etc/postfix/helo_checks,
>.
>.
>.
>permit_mynetworks,
>reject_unauth_destination,
>a bunch more RBLs,
>permit
>
>Since upgrading to 2.11 yesterday (yes, I am on a path to move up
>through debian versions), all mail coming in on
>postfix/submission/smtpd is being rejected by the domain check in that
>file, even though the user is sasl authenticated.
>
>Can someone help me figure out why?
>
>I can probably remove/comment the offending line and rely on other
>rejection parameters, but it still rejects a significant of spam
>attempts, so I'd prefer to keep it.

logs?

Don't you have check_helo_access at a different place by any chance?

I'm not sure what smtpd_relay_restrictions debian adds to main.cf by
default.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.

Re: Postfix HELO checks

Simon Brereton-3
On Fri, 10 Jan 2020 at 13:39, Matus UHLAR - fantomas <[hidden email]> wrote:

>
> On 10.01.20 12:42, Simon B wrote:
> >For as long as I can I remember, I have blocked connections purporting
> >to be my own domain/IP address using a postmapped file called
> >helo_checks.
> >
> >This is checked AFTER permit_sasl_authenticated.
> >
> >smtpd_recipient_restrictions =
> >reject_non_fqdn_sender,
> >reject_non_fqdn_recipient,
> >permit_sasl_authenticated,
> >reject_sender_login_mismatch,
> >rejected_authenticated_sender_login_mismatch,
> >check_helo_access hash:/etc/postfix/helo_checks,
> >.
> >.
> >.
> >permit_mynetworks,
> >reject_unauth_destination,
> >a bunch more RBLs,
> >permit
> >
> >Since upgrading to 2.11 yesterday (yes, I am on a path to move up
> >through debian versions), all mail coming in on
> >postfix/submission/smtpd is being rejected by the domain check in that
> >file, even though the user is sasl authenticated.
> >
> >Can someone help me figure out why?
> >
> >I can probably remove/comment the offending line and rely on other
> >rejection parameters, but it still rejects a significant of spam
> >attempts, so I'd prefer to keep it.
>
> logs?

Quite difficult to get logs off the production environment onto my
office client, hence the redacted smtpd_recipient_restrictions

Jan 10 13:42:22 mail postfix/smtpd[18730] : NOQUEUE: rejectRCPT from
localhost [127.0.0.1]: 550 5.7.1. <mail.example.net>: Helo command
rejected: Your server is misconfigured as you are not a member of this
domain; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<mail.example.net>

> don't you have check_helo_access at different place in any chance?

Good shout.  It is also in smtpd_relay_restrictions, but that is
functionally a one-to-one copy of smtpd_recipient_restrictions

> I'm not sure what smtpd_relay_restrictions debian adds to main.cf by
> default.

Nothing in my main.cf is default by debian.  It's been painstakingly
constructed over years with contributions from this list.

Thanks

Simon

Re: Postfix HELO checks

Matus UHLAR - fantomas
>> On 10.01.20 12:42, Simon B wrote:
>> >For as long as I can I remember, I have blocked connections purporting
>> >to be my own domain/IP address using a postmapped file called
>> >helo_checks.
>> >
>> >This is checked AFTER permit_sasl_authenticated.
>> >
>> >smtpd_recipient_restrictions =
>> >reject_non_fqdn_sender,
>> >reject_non_fqdn_recipient,
>> >permit_sasl_authenticated,
>> >reject_sender_login_mismatch,
>> >rejected_authenticated_sender_login_mismatch,
>> >check_helo_access hash:/etc/postfix/helo_checks,
>> >.
>> >.
>> >.
>> >permit_mynetworks,
>> >reject_unauth_destination,
>> >a bunch more RBLs,
>> >permit
>> >
>> >Since upgrading to 2.11 yesterday (yes, I am on a path to move up
>> >through debian versions), all mail coming in on
>> >postfix/submission/smtpd is being rejected by the domain check in that
>> >file, even though the user is sasl authenticated.
>> >
>> >Can someone help me figure out why?
>> >
>> >I can probably remove/comment the offending line and rely on other
>> >rejection parameters, but it still rejects a significant of spam
>> >attempts, so I'd prefer to keep it.

>On Fri, 10 Jan 2020 at 13:39, Matus UHLAR - fantomas <[hidden email]> wrote:
>> logs?

On 10.01.20 14:50, Simon B wrote:
>Quite difficult to get logs off the production environment onto my
>office client, hence the redacted smtpd_recipient_restrictions
>
>Jan 10 13:42:22 mail postfix/smtpd[18730] : NOQUEUE: rejectRCPT from
>localhost [127.0.0.1]: 550 5.7.1. <mail.example.net>: Helo command
>rejected: Your server is misconfigured as you are not a member of this
>domain; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
>helo=<mail.example.net>

ok, this looks like recipient rejection, because of helo checks.
Are you sure those clients did authenticate successfully?

>> don't you have check_helo_access at different place in any chance?
>
>Good shout.  it is also in smtpd_relay_restrictions, but that is
>functionally a one-to-one copy of smtpd_recipient_restrictions

>> I'm not sure what smtpd_relay_restrictions debian adds to main.cf by
>> default.
>
>nothing in my main.cf is default by debian.  It's been painstakingly
>constructed over hears with contributions from this list.

I guess that upgrade script configured smtpd_recipient_restrictions to
smtpd_relay_restrictions.

Since it's postfix/submission/smtpd, isn't there anything strange in
master.cf ?
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.

Re: Postfix HELO checks

Simon Brereton-3
On Fri, 10 Jan 2020 at 15:53, Matus UHLAR - fantomas <[hidden email]> wrote:

>
> >> On 10.01.20 12:42, Simon B wrote:
> >> >For as long as I can I remember, I have blocked connections purporting
> >> >to be my own domain/IP address using a postmapped file called
> >> >helo_checks.
> >> >
> >> >This is checked AFTER permit_sasl_authenticated.
> >> >
> >> >smtpd_recipient_restrictions =
> >> >reject_non_fqdn_sender,
> >> >reject_non_fqdn_recipient,
> >> >permit_sasl_authenticated,
> >> >reject_sender_login_mismatch,
> >> >rejected_authenticated_sender_login_mismatch,
> >> >check_helo_access hash:/etc/postfix/helo_checks,
> >> >.
> >> >.
> >> >.
> >> >permit_mynetworks,
> >> >reject_unauth_destination,
> >> >a bunch more RBLs,
> >> >permit
> >> >
> >> >Since upgrading to 2.11 yesterday (yes, I am on a path to move up
> >> >through debian versions), all mail coming in on
> >> >postfix/submission/smtpd is being rejected by the domain check in that
> >> >file, even though the user is sasl authenticated.
> >> >
> >> >Can someone help me figure out why?
> >> >
> >> >I can probably remove/comment the offending line and rely on other
> >> >rejection parameters, but it still rejects a significant of spam
> >> >attempts, so I'd prefer to keep it.
>
> >On Fri, 10 Jan 2020 at 13:39, Matus UHLAR - fantomas <[hidden email]> wrote:
> >> logs?
>
> On 10.01.20 14:50, Simon B wrote:
> >Quite difficult to get logs off the production environment onto my
> >office client, hence the redacted smtpd_recipient_restrictions
> >
> >Jan 10 13:42:22 mail postfix/smtpd[18730] : NOQUEUE: rejectRCPT from
> >localhost [127.0.0.1]: 550 5.7.1. <mail.example.net>: Helo command
> >rejected: Your server is misconfigured as you are not a member of this
> >domain; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> >helo=<mail.example.net>
>
> ok, this looks like recipient rejection, because of helo checks.
> Are you sure those clients did authenticate successfully?

Very :)  I can see the authentication attempt succeed,

> >> don't you have check_helo_access at different place in any chance?
> >
> >Good shout.  it is also in smtpd_relay_restrictions, but that is
> >functionally a one-to-one copy of smtpd_recipient_restrictions
>
> >> I'm not sure what smtpd_relay_restrictions debian adds to main.cf by
> >> default.
> >
> >nothing in my main.cf is default by debian.  It's been painstakingly
> >constructed over hears with contributions from this list.
>
> I guess that upgrade script configured smtpd_recipient_restrictions to
> smtpd_relay_restrictions.

That's a good guess, because I don't actually remember doing that...
But it makes sense to have it the same...

> Since it's postfix/submission/smtpd, isn't there anything strange in
> master.cf ?

Nothing I can see.  I'll pick this up Monday and post that.

Thanks.

Simon

Re: Postfix HELO checks

Simon Brereton-3
On Fri, 10 Jan 2020 at 18:22, Simon B <[hidden email]> wrote:

>
> On Fri, 10 Jan 2020 at 15:53, Matus UHLAR - fantomas <[hidden email]> wrote:
> >
> > >> On 10.01.20 12:42, Simon B wrote:
> > >> >For as long as I can I remember, I have blocked connections purporting
> > >> >to be my own domain/IP address using a postmapped file called
> > >> >helo_checks.
> > >> >
> > >> >This is checked AFTER permit_sasl_authenticated.
> > >> >
> > >> >smtpd_recipient_restrictions =
> > >> >reject_non_fqdn_sender,
> > >> >reject_non_fqdn_recipient,
> > >> >permit_sasl_authenticated,
> > >> >reject_sender_login_mismatch,
> > >> >rejected_authenticated_sender_login_mismatch,
> > >> >check_helo_access hash:/etc/postfix/helo_checks,
> > >> >.
> > >> >.
> > >> >.
> > >> >permit_mynetworks,
> > >> >reject_unauth_destination,
> > >> >a bunch more RBLs,
> > >> >permit
> > >> >
> > >> >Since upgrading to 2.11 yesterday (yes, I am on a path to move up
> > >> >through debian versions), all mail coming in on
> > >> >postfix/submission/smtpd is being rejected by the domain check in that
> > >> >file, even though the user is sasl authenticated.
> > >> >
> > >> >Can someone help me figure out why?
> > >> >
> > >> >I can probably remove/comment the offending line and rely on other
> > >> >rejection parameters, but it still rejects a significant of spam
> > >> >attempts, so I'd prefer to keep it.
> >
> > >On Fri, 10 Jan 2020 at 13:39, Matus UHLAR - fantomas <[hidden email]> wrote:
> > >> logs?
> >
> > On 10.01.20 14:50, Simon B wrote:
> > >Quite difficult to get logs off the production environment onto my
> > >office client, hence the redacted smtpd_recipient_restrictions
> > >
> > >Jan 10 13:42:22 mail postfix/smtpd[18730] : NOQUEUE: rejectRCPT from
> > >localhost [127.0.0.1]: 550 5.7.1. <mail.example.net>: Helo command
> > >rejected: Your server is misconfigured as you are not a member of this
> > >domain; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> > >helo=<mail.example.net>
> >
> > ok, this looks like recipient rejection, because of helo checks.
> > Are you sure those clients did authenticate successfully?
>
> Very :)  I can see the authentication attempt succeed,
>
> > >> don't you have check_helo_access at different place in any chance?
> > >
> > >Good shout.  it is also in smtpd_relay_restrictions, but that is
> > >functionally a one-to-one copy of smtpd_recipient_restrictions
> >
> > >> I'm not sure what smtpd_relay_restrictions debian adds to main.cf by
> > >> default.
> > >
> > >nothing in my main.cf is default by debian.  It's been painstakingly
> > >constructed over hears with contributions from this list.
> >
> > I guess that upgrade script configured smtpd_recipient_restrictions to
> > smtpd_relay_restrictions.
>
> That's a good guess, because I don't actually remember doing that...
> But it makes sense to have it the same...
>
> > Since it's postfix/submission/smtpd, isn't there anything strange in
> > master.cf ?
>
> Nothing I can see.  I'll pick this up Monday and post that.

Hi Matus, List

root@mail:/etc/postfix# ls master.cf
-rw-r--r-- 1 root root 6.4K 2016-01-13 10:43:01 master.cf

smtp      inet  n       -       -       -       -       smtpd -v
submission inet n       -       n       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_delay_reject=yes
#   -o receive_override_options=no_address_mappings
   -o always_add_missing_headers=yes
   -o content_filter=dksign:[127.0.0.1]:10028
   -o smtpd_enforce_tls=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_tls_security_level=encrypt
   -o smtpd_tls_auth_only=yes
   -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject


No changes since years, and nothing funky I can see..

I have added -v to the smtpd and will try to debug it like that...

Cheers.

Simon

Re: Postfix HELO checks

Viktor Dukhovni
On Mon, Jan 13, 2020 at 06:25:27PM +0100, Simon B wrote:

> > > >> >Since upgrading to 2.11 yesterday (yes, I am on a path to move up
> > > >> >through debian versions), all mail coming in on
> > > >> >postfix/submission/smtpd is being rejected by the domain check in that
> > > >> >file, even though the user is sasl authenticated.

Note, Postfix 2.11 (actually 2.10 IIRC) adds "smtpd_relay_restrictions",
which you don't override in the submission service definition:

> submission inet n       -       n       -       -       smtpd
>    -o syslog_name=postfix/submission
>    -o smtpd_delay_reject=yes
> #   -o receive_override_options=no_address_mappings
>    -o always_add_missing_headers=yes
>    -o content_filter=dksign:[127.0.0.1]:10028
>    -o smtpd_enforce_tls=yes
>    -o smtpd_sasl_auth_enable=yes
>    -o smtpd_tls_security_level=encrypt
>    -o smtpd_tls_auth_only=yes
>    -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject

But you also don't override, "smtpd_helo_restrictions", ...

The boilerplate commented submission service in recent upstream Postfix
master.cf files reads:

    #submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_tls_auth_only=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Yours should look substantially similar (sans comments):

--
    Viktor.
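The point made in the reply above, as an added example that is not part of the original thread: a service entry in master.cf takes every restriction list it does not override with `-o` from main.cf. The sketch parses the submission entry as it was posted and reports which inherited lists contain `check_helo_access`; the `MAIN_CF` values are constructed assumptions (the poster's real main.cf was never shown in full), and the parser only handles the `-o name=value` form.

```python
import re

# Restriction lists evaluated by smtpd(8). A list with no "-o" override in a
# master.cf entry is taken from main.cf for that service.
RESTRICTION_LISTS = (
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions",
)

# The submission entry as posted in the thread, before the fix.
MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd -v
submission inet n       -       n       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_delay_reject=yes
#   -o receive_override_options=no_address_mappings
   -o always_add_missing_headers=yes
   -o content_filter=dksign:[127.0.0.1]:10028
   -o smtpd_enforce_tls=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_tls_security_level=encrypt
   -o smtpd_tls_auth_only=yes
   -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
"""

# Constructed main.cf values (assumption, for illustration only).
_HELO_MAP = "check_helo_access hash:/etc/postfix/helo_checks"
MAIN_CF = {
    "smtpd_client_restrictions": "",
    "smtpd_helo_restrictions": _HELO_MAP,
    "smtpd_sender_restrictions": "",
    "smtpd_relay_restrictions": "reject_non_fqdn_sender, reject_non_fqdn_recipient, "
                                "permit_sasl_authenticated, " + _HELO_MAP + ", "
                                "permit_mynetworks, reject_unauth_destination",
    "smtpd_recipient_restrictions": "permit_sasl_authenticated, " + _HELO_MAP + ", permit",
}


def parse_master_cf(text):
    """Return {(service, type): {"command": str, "overrides": {name: value}}}."""
    logical = []
    for raw in text.splitlines():
        # Blank lines and comment lines are ignored and do not end a logical line.
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # leading whitespace = continuation
        else:
            logical.append(raw.strip())

    services = {}
    for line in logical:
        fields = line.split()
        if len(fields) < 8:                    # service type private unpriv chroot wakeup maxproc command
            continue
        args, overrides, i = fields[8:], {}, 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                key, _, value = args[i + 1].partition("=")
                overrides[key] = value
                i += 2
            else:
                i += 1
        services[(fields[0], fields[1])] = {"command": fields[7], "overrides": overrides}
    return services


def effective_restrictions(service, main_cf):
    """Map each restriction list to (origin, value) for one master.cf service."""
    result = {}
    for name in RESTRICTION_LISTS:
        if name in service["overrides"]:
            result[name] = ("master.cf", service["overrides"][name])
        else:
            result[name] = ("main.cf", main_cf.get(name, ""))
    return result


def inherited_lists_with(service, main_cf, restriction):
    """Names of the lists inherited from main.cf that mention `restriction`."""
    return [
        name
        for name, (origin, value) in effective_restrictions(service, main_cf).items()
        if origin == "main.cf" and restriction in re.split(r"[,\s]+", value)
    ]


if __name__ == "__main__":
    submission = parse_master_cf(MASTER_CF)[("submission", "inet")]
    for name, (origin, value) in effective_restrictions(submission, MAIN_CF).items():
        print(f"{name:30} {origin:10} {value or '(empty)'}")
    print("inherited lists containing check_helo_access:",
          inherited_lists_with(submission, MAIN_CF, "check_helo_access"))
```

On a live system, `postconf -P` (Postfix 2.11 and later) lists the `-o` overrides that are actually present in master.cf.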

Re: Postfix HELO checks

Matus UHLAR - fantomas
In reply to this post by Matus UHLAR - fantomas
Hello,

Now I have noticed an inconsistency:

>>>On 10.01.20 12:42, Simon B wrote:
>>>>For as long as I can I remember, I have blocked connections purporting
>>>>to be my own domain/IP address using a postmapped file called
>>>>helo_checks.
[...]
>>>>Since upgrading to 2.11 yesterday (yes, I am on a path to move up
>>>>through debian versions), all mail coming in on
>>>>postfix/submission/smtpd is being rejected by the domain check in that
    ^^^^^^^^^^^^^^^^^^^^^^^^
>>>>file, even though the user is sasl authenticated.
>>>>
>>>>Can someone help me figure out why?


>On 10.01.20 14:50, Simon B wrote:
>>Quite difficult to get logs off the production environment onto my
>>office client, hence the redacted smtpd_recipient_restrictions

I'm afraid that to resolve this issue you will have either to look it up
properly or post the real main.cf and logs content.


>>Jan 10 13:42:22 mail postfix/smtpd[18730] : NOQUEUE: rejectRCPT from
                       ^^^^^^^^^^^^^^^^^^^^
>>localhost [127.0.0.1]: 550 5.7.1. <mail.example.net>: Helo command
>>rejected: Your server is misconfigured as you are not a member of this
>>domain; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
>>helo=<mail.example.net>

On 10.01.20 15:52, Matus UHLAR - fantomas wrote:
>ok, this looks like recipient rejection, because of helo checks.

If this is the proper log, this looks to be a reject in
smtpd_recipient_restrictions ("rejectRCPT") based on helo check
(Helo command rejected).

According to what you have pasted before, it should work properly.

either your postfix does not use the configuration file
- did you build postfix or do you use one provided in your OS/distro?

or you have missed something, like duplicate smtpd_recipient_restrictions

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watkins.  -- Daffy Duck & Porky Pig

Re: Postfix HELO checks

Simon Brereton-3
In reply to this post by Viktor Dukhovni
On Mon, 13 Jan 2020 at 18:44, Viktor Dukhovni
<[hidden email]> wrote:

>
> On Mon, Jan 13, 2020 at 06:25:27PM +0100, Simon B wrote:
>
> > > > >> >Since upgrading to 2.11 yesterday (yes, I am on a path to move up
> > > > >> >through debian versions), all mail coming in on
> > > > >> >postfix/submission/smtpd is being rejected by the domain check in that
> > > > >> >file, even though the user is sasl authenticated.
>
> Note, Postfix 2.11 (actually 2.10 IIRC) adds "smtpd_relay_restrictions",
> which you don't override in the submission service definition:

Cause and effect in one simple sentence - thanks Viktor!

> > submission inet n       -       n       -       -       smtpd
> >    -o syslog_name=postfix/submission
> >    -o smtpd_delay_reject=yes
> > #   -o receive_override_options=no_address_mappings
> >    -o always_add_missing_headers=yes
> >    -o content_filter=dksign:[127.0.0.1]:10028
> >    -o smtpd_enforce_tls=yes
> >    -o smtpd_sasl_auth_enable=yes
> >    -o smtpd_tls_security_level=encrypt
> >    -o smtpd_tls_auth_only=yes
> >    -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
>
> But you also don't override, "smtpd_helo_restrictions", ...

Thanks for the additional hint.

> The boilerplate commented submission service in recent upstream Postfix
> master.cf files reads:
>
>     #submission inet n       -       n       -       -       smtpd
>     #  -o syslog_name=postfix/submission
>     #  -o smtpd_tls_security_level=encrypt
>     #  -o smtpd_sasl_auth_enable=yes
>     #  -o smtpd_tls_auth_only=yes
>     #  -o smtpd_reject_unlisted_recipient=no
>     #  -o smtpd_client_restrictions=$mua_client_restrictions
>     #  -o smtpd_helo_restrictions=$mua_helo_restrictions
>     #  -o smtpd_sender_restrictions=$mua_sender_restrictions
>     #  -o smtpd_recipient_restrictions=
>     #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>     #  -o milter_macro_daemon_name=ORIGINATING
>
> Yours should look substantially similar (sans comments):

Now looks like this...

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_delay_reject=yes
  -o always_add_missing_headers=yes
  -o content_filter=dksign:[127.0.0.1]:10028
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_plaintext_session,reject
  -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_helo_hostname
  -o smtpd_sender_restrictions=reject_non_fqdn_sender
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Which seems to have solved the problem - or at least just kicked it
down the road.  Now there's a slightly different format of the error
when receiving mail from the amavis filter...

Jan 15 11:39:31 mail postfix/smtpd[31588]: connect from localhost[127.0.0.1]
Jan 15 11:39:31 mail postfix/smtpd[31588]: NOQUEUE: reject: RCPT from
localhost[127.0.0.1]: 554 5.7.1 <amavisd.example.net>: Helo command
rejected: Host not found; from=<[hidden email]> to=<
[hidden email]> proto=ESMTP helo=<amavisd.example.net>
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) smtp resp to RCPT
(pip) (<[hidden email]>): 554 5.7.1 <amavisd.example.net>: Helo
command rejected: Host not found
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) Negative SMTP resp.
to DATA: 554 5.5.1 Error: no valid recipients
Jan 15 11:39:31 mail postfix/smtpd[31588]: disconnect from localhost[127.0.0.1]
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) (!)kTBsiMtC7PPJ FWD
from <[hidden email]> -> <[hidden email]>, BODY=7BIT 554 5.7.1
from MTA(smtp:[127.0.0.1]:10025): 554 5.7.1 <amavisd.example.net>:
Helo command rejected: Host not found
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) Blocked MTA-BLOCKED
{RejectedInbound}, [127.0.0.1] [217.110.53.130] <[hidden email]> ->
<[hidden email]>, Message-ID:
<[hidden email]>,
mail_id: kTBsiMtC7PPJ, Hits: -5.2, size: 1093, 5595 ms
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) TIMING-SA total
5466 ms - parse: 1.86 (0.0%), extract_message_metadata: 3.8 (0.1%),
get_uri_detail_list: 0.31 (0.0%), tests_pri_-1000: 4.5 (0.1%),
tests_pri_-950: 1.14 (0.0%), tests_pri_-900: 0.91 (0.0%),
tests_pri_-400: 77 (1.4%), check_bayes: 76 (1.4%), b_tie_ro: 1.69
(0.0%), b_tokenize: 3.1 (0.1%), b_tok_get_all: 3.9 (0.1%),
b_comp_prob: 1.50 (0.0%), b_tok_touch_all: 63 (1.2%), b_finish: 0.65
(0.0%), tests_pri_0: 5223 (95.6%), check_spf: 0.23 (0.0%),
check_dkim_adsp: 3.3 (0.1%), check_dcc: 138 (2.5%), check_razor2: 5005
(91.6%), check_pyzor: 40 (0.7%), tests_pri_500: 3.1 (0.1%), learn: 141
(2.6%), b_learn: 140 (2.6%), b_tie_rw: 1.85 (0.0%), b_count_change: 99
(1.8%), get_report: 0.59 (0.0%)
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) size: 1093, TIMING
[total 5599 ms] - SMTP greeting: 2.0 (0%)0, SMTP EHLO: 0.8 (0%)0, SMTP
pre-MAIL: 0.2 (0%)0, SMTP pre-DATA-flush: 2.8 (0%)0, SMTP DATA: 36
(1%)1, check_init: 0.5 (0%)1, digest_hdr: 1.2 (0%)1, digest_body_dkim:
0.2 (0%)1, collect_info: 3.8 (0%)1, mime_decode: 8 (0%)1,
get-file-type1: 17 (0%)1, parts_decode: 0.3 (0%)1, check_header: 0.9
(0%)1, AV-scan-1: 3.5 (0%)1, spam-wb-list: 1.8 (0%)1, SA msg read: 0.6
(0%)1, SA parse: 2.9 (0%)1, SA check: 5461 (98%)99,
decide_mail_destiny: 7 (0%)99, notif-quar: 0.4 (0%)99, fwd-connect: 30
(1%)100, fwd-mail-pip: 5 (0%)100, fwd-rcpt-pip: 0.3 (0%)100,
fwd-data-chkpnt: 0.1 (0%)100, fwd-end-chkpnt: 1.0 (0%)100,
prepare-dsn: 1.7 (0%)100, report: 1.3 (0%)100, main_log_entry: 4.6
(0%)100, update_snmp: 2.0 (0%)100, SMTP pre-response: 0.3 (0%)100,
SMTP response: 0.2 (0%)100, unlink-1-files: 0.2 (0%)100, rundown: 0.6
(0%)100
Jan 15 11:39:31 mail postfix/smtp[31583]: 47yQMw5NBrz7L5SW:
to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, delay=12,
delays=6.1/0.01/0/5.6, dsn=5.7.1, status=bounced (host
127.0.0.1[127.0.0.1] said: 554 5.7.1 id=02303-14 - Rejected by
next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 554 5.7.1
<amavisd.example.net>: Helo command rejected: Host not found (in reply
to end of DATA command))

Despite the fact that I changed those receiver settings in master.cf to:

#The amavis receiver
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=permit_mynetworks,reject_plaintext_session
  -o smtpd_helo_restrictions=permit_mynetworks
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtp_bind_address=127.0.0.1

At the moment nothing is going through amavis in either direction, so
that's a problem...

Cheers.

Simon

Re: Postfix HELO checks

Matus UHLAR - fantomas
>> On Mon, Jan 13, 2020 at 06:25:27PM +0100, Simon B wrote:
>> > > > >> >Since upgrading to 2.11 yesterday (yes, I am on a path to move up
>> > > > >> >through debian versions), all mail coming in on
>> > > > >> >postfix/submission/smtpd is being rejected by the domain check in that
>> > > > >> >file, even though the user is sasl authenticated.

>On Mon, 13 Jan 2020 at 18:44, Viktor Dukhovni
><[hidden email]> wrote:
>> Note, Postfix 2.11 (actually 2.10 IIRC) adds "smtpd_relay_restrictions",
>> which you don't override in the submission service definition:

On 15.01.20 13:19, Simon B wrote:
>Cause and effect in one simple sentence - thanks Viktor!

if you use debian, the default smtpd_relay_restrictions should contain:

smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated defer_unauth_destination

which is the default value. It's added in postfix postinst script.

...unless you have overridden it, in such case it contains what you put
there.

>Now looks like this...
>
>submission inet n       -       n       -       -       smtpd
>  -o syslog_name=postfix/submission

>Which seems to have solved the problem - or at least just kicked it
>down the road.  Now there's a slightly different format of the error
>when receiving mail from the amavis filter...
>
>Jan 15 11:39:31 mail postfix/smtpd[31588]: connect from localhost[127.0.0.1]
>Jan 15 11:39:31 mail postfix/smtpd[31588]: NOQUEUE: reject: RCPT from
>localhost[127.0.0.1]: 554 5.7.1 <amavisd.example.net>: Helo command
>rejected: Host not found; from=<[hidden email]> to=<
>[hidden email]> proto=ESMTP helo=<amavisd.example.net>

note that this says "postfix/smtpd" and thus it's not related to the master.cf
definition of submission above, which would say "postfix/submission/smtpd"

>Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) smtp resp to RCPT
>(pip) (<[hidden email]>): 554 5.7.1 <amavisd.example.net>: Helo
>command rejected: Host not found

>Despite the fact that I changed those receiver settings in master.cf to:
>
>#The amavis receiver
>127.0.0.1:10025 inet n - - - - smtpd
>  -o content_filter=
>  -o local_recipient_maps=
>  -o relay_recipient_maps=
>  -o smtpd_restriction_classes=
>  -o smtpd_client_restrictions=permit_mynetworks,reject_plaintext_session
>  -o smtpd_helo_restrictions=permit_mynetworks
>  -o smtpd_sender_restrictions=
>  -o smtpd_recipient_restrictions=permit_mynetworks,reject
>  -o mynetworks=127.0.0.0/8
>  -o strict_rfc821_envelopes=yes
>  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
>  -o smtp_bind_address=127.0.0.1
>
>At the moment nothing is going through amavis in either direction, so
>that's a problem...

are you sure amavis sends mail through port 10025?


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".
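The log reading used in the reply above, as an added example that is not part of the original thread: the syslog tag in front of `/smtpd[pid]` is the service's `syslog_name`, which says which master.cf entry handled the session, while the reply text names what was tested (here the HELO name), not which restriction list held the check. The sample lines are constructed, modelled on the ones posted, with placeholder addresses.

```python
import re
from collections import Counter

# Matches smtpd reject lines of the form
#   <syslog_name>/smtpd[pid]: NOQUEUE: reject: <STAGE> from host[ip]:
#       <code> <dsn> <subject>: <tested> rejected: <reason>; ... helo=<name>
REJECT_RE = re.compile(
    r"(?P<syslog_name>postfix(?:/[\w-]+)*)/smtpd\[(?P<pid>\d+)\]:\s+"
    r"NOQUEUE: reject: (?P<stage>[A-Z]+) from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?:<(?P<subject>[^>]*)>: )?"
    r"(?P<tested>[A-Za-z ]+?) rejected: (?P<reason>[^;]*);"
    r".*?helo=<(?P<helo>[^>]*)>"
)

# Constructed sample lines (placeholder hosts and addresses).
SAMPLE_LOG = [
    # Session handled by an entry with "-o syslog_name=postfix/submission".
    "Jan 10 13:42:22 mail postfix/submission/smtpd[18730]: NOQUEUE: reject: RCPT from "
    "client.example.org[192.0.2.10]: 550 5.7.1 <mail.example.net>: Helo command rejected: "
    "Your server is misconfigured as you are not a member of this domain; "
    "from=<user@example.net> to=<rcpt@example.org> proto=ESMTP helo=<mail.example.net>",
    # Session handled by an smtpd entry that sets no syslog_name.
    "Jan 15 11:39:31 mail postfix/smtpd[31588]: NOQUEUE: reject: RCPT from "
    "localhost[127.0.0.1]: 554 5.7.1 <amavisd.example.net>: Helo command rejected: "
    "Host not found; from=<sender@example.org> to=<user@example.net> proto=ESMTP "
    "helo=<amavisd.example.net>",
    # Not a reject line; must be ignored.
    "Jan 15 11:39:31 mail postfix/smtpd[31588]: disconnect from localhost[127.0.0.1]",
]


def parse_reject(line):
    """Return the fields of one reject line as a dict, or None if it is not one."""
    match = REJECT_RE.search(line)
    return match.groupdict() if match else None


def summarise(lines):
    """Count rejects per (syslog_name, SMTP stage, what was tested, reason)."""
    counts = Counter()
    for line in lines:
        fields = parse_reject(line)
        if fields:
            key = (fields["syslog_name"], fields["stage"], fields["tested"], fields["reason"])
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (name, stage, tested, reason), n in summarise(SAMPLE_LOG).items():
        # With smtpd_delay_reject=yes (the default), the reject is issued at
        # RCPT even when the failing check tested the HELO name.
        print(f"{n}x service tag={name!r} stage={stage} tested={tested!r} reason={reason!r}")
```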

Re: Postfix HELO checks

Simon Brereton-3
On Wed, 15 Jan 2020 at 13:40, Matus UHLAR - fantomas <[hidden email]> wrote:

>
> >> On Mon, Jan 13, 2020 at 06:25:27PM +0100, Simon B wrote:
> >> > > > >> >Since upgrading to 2.11 yesterday (yes, I am on a path to move up
> >> > > > >> >through debian versions), all mail coming in on
> >> > > > >> >postfix/submission/smtpd is being rejected by the domain check in that
> >> > > > >> >file, even though the user is sasl authenticated.
>
> >On Mon, 13 Jan 2020 at 18:44, Viktor Dukhovni
> ><[hidden email]> wrote:
> >> Note, Postfix 2.11 (actually 2.10 IIRC) adds "smtpd_relay_restrictions",
> >> which you don't override in the submission service definition:
>
> On 15.01.20 13:19, Simon B wrote:
> >Cause and effect in one simple sentence - thanks Viktor!
>
> if you use debian, the default smtpd_relay_restrictions should contain:
>
> smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated defer_unauth_destination

That results in this
Jan 15 13:32:53 mail postfix/smtpd[743]: NOQUEUE: reject: RCPT from
localhost[127.0.0.1]: 451 4.3.5 Server configuration error;

> which is the default value. It's added in postfix postinst script.
>
> ...unless you have overridden it, in such case it contains what you put
> there.
>
> >Now looks like this...
> >
> >submission inet n       -       n       -       -       smtpd
> >  -o syslog_name=postfix/submission
>
> >Which seems to have solved the problem - or at least just kicked it
> >down the road.  Now there's a slightly different format of the error
> >when receiving mail from the amavis filter...
> >
> >Jan 15 11:39:31 mail postfix/smtpd[31588]: connect from localhost[127.0.0.1]
> >Jan 15 11:39:31 mail postfix/smtpd[31588]: NOQUEUE: reject: RCPT from
> >localhost[127.0.0.1]: 554 5.7.1 <amavisd.example.net>: Helo command
> >rejected: Host not found; from=<[hidden email]> to=<
> >[hidden email]> proto=ESMTP helo=<amavisd.example.net>
>
> note that this says "postfix/smtpd" and thus it's not related to master.cf
> definition of submission above, then would say "postfix/submission/smtpd"

Correct.  The submission problem is now solved.  The problem is now
receiving mail back from amavis.

> >Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) smtp resp to RCPT
> >(pip) (<[hidden email]>): 554 5.7.1 <amavisd.example.net>: Helo
> >command rejected: Host not found
>
> >Despite the fact that I changed those receiver settings in master.cf to:
> >
> >#The amavis receiver
> >127.0.0.1:10025 inet n - - - - smtpd
> >  -o content_filter=
> >  -o local_recipient_maps=
> >  -o relay_recipient_maps=
> >  -o smtpd_restriction_classes=
> >  -o smtpd_client_restrictions=permit_mynetworks,reject_plaintext_session
> >  -o smtpd_helo_restrictions=permit_mynetworks
> >  -o smtpd_sender_restrictions=
> >  -o smtpd_recipient_restrictions=permit_mynetworks,reject
> >  -o mynetworks=127.0.0.0/8
> >  -o strict_rfc821_envelopes=yes
> >  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
> >  -o smtp_bind_address=127.0.0.1
> >
> >At the moment nothing is going through amavis in either direction, so
> >that's a problem...
>
> are you sure amavis sends mail through port 10025?

Hi Matus,

Yes, very sure.

if I turn on -v logging for that hop, I am concerned about these lines
in the log.

Jan 15 13:09:01 mail postfix/smtpd[466]: < localhost[127.0.0.1]: EHLO
amavisd.localhost
Jan 15 13:09:01 mail postfix/smtpd[466]: match_list_match: localhost: no match
Jan 15 13:09:01 mail postfix/smtpd[466]: match_list_match: 127.0.0.1: no match
and
Jan 15 13:09:01 mail postfix/smtpd[466]: generic_checks: name=permit_mynetworks
Jan 15 13:09:01 mail postfix/smtpd[466]: permit_mynetworks: localhost 127.0.0.1
Jan 15 13:09:01 mail postfix/smtpd[466]: match_hostname: localhost ~?
127.0.0.0/8
Jan 15 13:09:01 mail postfix/smtpd[466]: match_hostaddr: 127.0.0.1 ~?
127.0.0.0/8
Jan 15 13:09:01 mail postfix/smtpd[466]: match_list_match:
permit_mynetworks: no match
culminating in
Jan 15 13:09:01 mail postfix/smtpd[466]: NOQUEUE: reject: RCPT from
localhost[127.0.0.1]: 554 5.7.1 <amavisd.localhost>: Helo command
rejected: Host not found; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<amavisd.localhost>


permit_mynetworks should be permitting that, not offering no match.

Re: Postfix HELO checks

Dominic Raferd


On Wed, 15 Jan 2020 at 13:36, Simon B <[hidden email]> wrote:
> On Wed, 15 Jan 2020 at 13:40, Matus UHLAR - fantomas <[hidden email]> wrote:
> >
> > >> On Mon, Jan 13, 2020 at 06:25:27PM +0100, Simon B wrote:
> > >> > > > >> >Since upgrading to 2.11 yesterday (yes, I am on a path to move up
> > >> > > > >> >through debian versions), all mail coming in on
> > >> > > > >> >postfix/submission/smtpd is being rejected by the domain check in that
> > >> > > > >> >file, even though the user is sasl authenticated.
> >
> > >On Mon, 13 Jan 2020 at 18:44, Viktor Dukhovni
> > ><[hidden email]> wrote:
> > >> Note, Postfix 2.11 (actually 2.10 IIRC) adds "smtpd_relay_restrictions",
> > >> which you don't override in the submission service definition:
> >
> > On 15.01.20 13:19, Simon B wrote:
> > >Cause and effect in one simple sentence - thanks Viktor!
> >
> > if you use debian, the default smtpd_relay_restrictions should contain:
> >
> > smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated defer_unauth_destination
>
> That results in this
> Jan 15 13:32:53 mail postfix/smtpd[743]: NOQUEUE: reject: RCPT from
> localhost[127.0.0.1]: 451 4.3.5 Server configuration error;
>
> > which is the default value. It's added in postfix postinst script.
> >
> > ...unless you have overridden it, in such case it contains what you put
> > there.
> >
> > >Now looks like this...
> > >
> > > 10 submission inet n       -       n       -       -       smtpd
> > > 11   -o syslog_name=postfix/submission
> >
> > >Which seems to have solved the problem - or at least just kicked it
> > >down the road.  Now there's a slightly different format of the error
> > >when receiving mail from the amavis filter...
> > >
> > >Jan 15 11:39:31 mail postfix/smtpd[31588]: connect from localhost[127.0.0.1]
> > >Jan 15 11:39:31 mail postfix/smtpd[31588]: NOQUEUE: reject: RCPT from
> > >localhost[127.0.0.1]: 554 5.7.1 <amavisd.example.net>: Helo command
> > >rejected: Host not found; from=<[hidden email]> to=<
> > >[hidden email]> proto=ESMTP helo=<amavisd.example.net>
> >
> > note that this says "postfix/smtpd" and thus it's not related to master.cf
> > definition of submission above, then would say "postfix/submission/smtpd"
>
> Correct.  The submission problem is now solved.  The problem is now
> receiving mail back from amavis.
>
> > >Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) smtp resp to RCPT
> > >(pip) (<[hidden email]>): 554 5.7.1 <amavisd.example.net>: Helo
> > >command rejected: Host not found
> >
> > >Despite the fact that I changed those receiver settings in master.cf to:
> > >
> > >118 #The amavis reciever
> > >119 127.0.0.1:10025 inet n - - - - smtpd
> > >120         -o content_filter=
> > >121         -o local_recipient_maps=
> > >122         -o relay_recipient_maps=
> > >123         -o smtpd_restriction_classes=
> > >124   -o smtpd_client_restrictions=permit_mynetworks,reject_plaintext_session
> > >125   -o smtpd_helo_restrictions=permit_mynetworks
> > >126         -o smtpd_sender_restrictions=
> > >127         -o smtpd_recipient_restrictions=permit_mynetworks,reject
> > >128         -o mynetworks=127.0.0.0/8
> > >129         -o strict_rfc821_envelopes=yes
> > >130         -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
> > >131         -o smtp_bind_address=127.0.0.1
> > >
> > >At the moment nothing is going through amavis in either direction, so
> > >that's a problem...
> >
> > are you sure amavis sends mail through port 10025?
>
> Hi Matus,
>
> Yes, very sure.
>
> if I turn on -v logging for that hop, I am concerned about these lines
> in the log.
>
> Jan 15 13:09:01 mail postfix/smtpd[466]: < localhost[127.0.0.1]: EHLO
> amavisd.localhost
> Jan 15 13:09:01 mail postfix/smtpd[466]: match_list_match: localhost: no match
> Jan 15 13:09:01 mail postfix/smtpd[466]: match_list_match: 127.0.0.1: no match
> and
> Jan 15 13:09:01 mail postfix/smtpd[466]: generic_checks: name=permit_mynetworks
> Jan 15 13:09:01 mail postfix/smtpd[466]: permit_mynetworks: localhost 127.0.0.1
> Jan 15 13:09:01 mail postfix/smtpd[466]: match_hostname: localhost ~?
> 127.0.0.0/8
> Jan 15 13:09:01 mail postfix/smtpd[466]: match_hostaddr: 127.0.0.1 ~?
> 127.0.0.0/8
> Jan 15 13:09:01 mail postfix/smtpd[466]: match_list_match:
> permit_mynetworks: no match
> culminating in
> Jan 15 13:09:01 mail postfix/smtpd[466]: NOQUEUE: reject: RCPT from
> localhost[127.0.0.1]: 554 5.7.1 <amavisd.localhost>: Helo command
> rejected: Host not found; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<amavisd.localhost>
>
>
> permit_mynetworks should be permitting that, not offering no match.

Is amavis running on the local machine? The smtpd process listening for amavis seems unable to match amavis's ip either to local host or to 127.0.0.1.

As a workaround you could change the 'permit_mynetworks' setting on this smtpd process to 'permit'. If you have firewalled port 10025 it should be reasonably safe I think?

Re: Postfix HELO checks

Simon Brereton-3
On Wed, 15 Jan 2020 at 15:57, Dominic Raferd <[hidden email]> wrote:

>
>
>
> On Wed, 15 Jan 2020 at 13:36, Simon B <[hidden email]> wrote:
>>
>> On Wed, 15 Jan 2020 at 13:40, Matus UHLAR - fantomas <[hidden email]> wrote:
>> >
>> > >> On Mon, Jan 13, 2020 at 06:25:27PM +0100, Simon B wrote:
>> > >> > > > >> >Since upgrading to 2.11 yesterday (yes, I am on a path to move up
>> > >> > > > >> >through debian versions), all mail coming in on
>> > >> > > > >> >postfix/submission/smtpd is being rejected by the domain check in that
>> > >> > > > >> >file, even though the user is sasl authenticated.
>> >
>> > >On Mon, 13 Jan 2020 at 18:44, Viktor Dukhovni
>> > ><[hidden email]> wrote:
>> > >> Note, Postfix 2.11 (actually 2.10 IIRC) adds "smtpd_relay_restrictions",
>> > >> which you don't override in the submission service definition:
>> >
>> > On 15.01.20 13:19, Simon B wrote:
>> > >Cause and effect in one simple sentence - thanks Viktor!
>> >
>> > if you use debian, the default smtpd_relay_restrictions should contain:
>> >
>> > smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated defer_unauth_destination
>>
>> That results in this
>> Jan 15 13:32:53 mail postfix/smtpd[743]: NOQUEUE: reject: RCPT from
>> localhost[127.0.0.1]: 451 4.3.5 Server configuration error;

>> > >Despite the fact that I changed those receiver settings in master.cf to:
>> > >
>> > >118 #The amavis reciever
>> > >119 127.0.0.1:10025 inet n - - - - smtpd
>> > >120         -o content_filter=
>> > >121         -o local_recipient_maps=
>> > >122         -o relay_recipient_maps=
>> > >123         -o smtpd_restriction_classes=
>> > >124   -o smtpd_client_restrictions=permit_mynetworks,reject_plaintext_session
>> > >125   -o smtpd_helo_restrictions=permit_mynetworks
>> > >126         -o smtpd_sender_restrictions=
>> > >127         -o smtpd_recipient_restrictions=permit_mynetworks,reject
>> > >128         -o mynetworks=127.0.0.0/8
>> > >129         -o strict_rfc821_envelopes=yes
>> > >130         -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
>> > >131         -o smtp_bind_address=127.0.0.1
>> > >
>> > >At the moment nothing is going through amavis in either direction, so
>> > >that's a problem...
>> >
>> > are you sure amavis sends mail through port 10025?
>>
>> Hi Matus,
>>
>> Yes, very sure.
>>
>> if I turn on -v logging for that hop, I am concerned about these lines
>> in the log.
>>
>> Jan 15 13:09:01 mail postfix/smtpd[466]: < localhost[127.0.0.1]: EHLO
>> amavisd.localhost
>> Jan 15 13:09:01 mail postfix/smtpd[466]: match_list_match: localhost: no match
>> Jan 15 13:09:01 mail postfix/smtpd[466]: match_list_match: 127.0.0.1: no match
>> and
>> Jan 15 13:09:01 mail postfix/smtpd[466]: generic_checks: name=permit_mynetworks
>> Jan 15 13:09:01 mail postfix/smtpd[466]: permit_mynetworks: localhost 127.0.0.1
>> Jan 15 13:09:01 mail postfix/smtpd[466]: match_hostname: localhost ~?
>> 127.0.0.0/8
>> Jan 15 13:09:01 mail postfix/smtpd[466]: match_hostaddr: 127.0.0.1 ~?
>> 127.0.0.0/8
>> Jan 15 13:09:01 mail postfix/smtpd[466]: match_list_match:
>> permit_mynetworks: no match
>> culminating in
>> Jan 15 13:09:01 mail postfix/smtpd[466]: NOQUEUE: reject: RCPT from
>> localhost[127.0.0.1]: 554 5.7.1 <amavisd.localhost>: Helo command
>> rejected: Host not found; from=<[hidden email]>
>> to=<[hidden email]> proto=ESMTP helo=<amavisd.localhost>
>>
>>
>> permit_mynetworks should be permitting that, not offering no match.
>
>
> Is amavis running on the local machine? The smtpd process listening for amavis seems unable to match amavis's ip either to local host or to 127.0.0.1.
>
> As a workaround you could change the 'permit_mynetworks' setting on this smtpd process to 'permit'. If you have firewalled port 10025 it should be reasonably safe I think?

Hi Dominic,

So, there was an error in my previous response to Matus - but not a fatal one.

Amavis listens on 10024, and postfix listens on 10025

That means mail comes in on 587, it goes to amavis on 10024 and comes
back on 10025 before going out.

I currently have
#The amavis reciever
127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=permit_mynetworks
  -o smtpd_helo_restrictions=permit
        -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=permit_mynetworks,defer_unauth_destination
   -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient
        -o mynetworks=127.0.0.0/8,[::1]/128
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtp_bind_address=127.0.0.1

and mail is flowing.  I am not happy since the solution to the
original problem has been to make smtpd_helo_restrictions=permit and
even though it's internal we operate a zero-trust policy, and "permit"
is not that.

Thanks for your help, and thanks to Viktor and Matus too.

Regards

Simon

Re: Postfix HELO checks

Jaroslaw Rafa
On 15.01.2020 at 17:26:48 Simon B wrote:
>
> Amavis listens on 10024, and postfix listens on 10025
>
> That means mail comes in on 587, it goes to amavis on 10024 and comes
> back on 10025 before going out.
[...]
> and mail is flowing.  I am not happy since the solution to the
> original problem has been to make smtpd_helo_restrictions=permit and
> even though it's internal we operate a zero-trust policy, and "permit"
> is not that.

Does Amavis actually connect to 127.0.0.1 when injecting mail back to
Postfix? If yes, then maybe you don't have 127.0.0.1 in $mynetworks

It can also be that Amavis doesn't connect to 127.0.0.1, but to some other
IP on your server - then you need to put that IP in $mynetworks too, or
reconfigure Amavis so that it connects to 127.0.0.1

If it works with "permit", it should also work with "permit_mynetworks",
provided that the value of $mynetworks includes the actual IP Amavis is
connecting to.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: Postfix HELO checks

Simon Brereton-3
On Wed, 15 Jan 2020 at 17:43, Jaroslaw Rafa <[hidden email]> wrote:

>
> On 15.01.2020 at 17:26:48 Simon B wrote:
> >
> > Amavis listens on 10024, and postfix listens on 10025
> >
> > That means mail comes in on 587, it goes to amavis on 10024 and comes
> > back on 10025 before going out.
> [...]
> > and mail is flowing.  I am not happy since the solution to the
> > original problem has been to make smtpd_helo_restrictions=permit and
> > even though it's internal we operate a zero-trust policy, and "permit"
> > is not that.
>
> Does Amavis actually connect to 127.0.0.1 when injecting mail back to
> Postfix? If yes, then maybe you don't have 127.0.0.1 in $mynetworks
>
> It can also be that Amavis doesn't connect to 127.0.0.1, but to some other
> IP on your server - then you need to put that IP in $mynetworks too, or
> reconfigure Amavis so that it connects to 127.0.0.1

I don't know where else it could connect...  In master.cf it is defined

119 #The amavis reciever
120 127.0.0.1:10025 inet n - - - - smtpd

> If it works with "permit", it should also work with "permit_mynetworks",
> provided that the value of $mynetworks includes the actual IP Amavis is
> connecting to.

it should, but it isn't - hence the reason I have asked here for help.

# postconf -n | grep -n mynetworks
36:mynetworks = 127.0.0.0/8, [::1]/128
37:mynetworks_style = host

Regards

Simon

Re: Postfix HELO checks

Dominic Raferd

On Wed, 15 Jan 2020 at 16:50, Simon B <[hidden email]> wrote:
> On Wed, 15 Jan 2020 at 17:43, Jaroslaw Rafa <[hidden email]> wrote:
> >
> > On 15.01.2020 at 17:26:48 Simon B wrote:
> > >
> > > Amavis listens on 10024, and postfix listens on 10025
> > >
> > > That means mail comes in on 587, it goes to amavis on 10024 and comes
> > > back on 10025 before going out.
> > [...]
> > > and mail is flowing.  I am not happy since the solution to the
> > > original problem has been to make smtpd_helo_restrictions=permit and
> > > even though it's internal we operate a zero-trust policy, and "permit"
> > > is not that.
> >
> > Does Amavis actually connect to 127.0.0.1 when injecting mail back to
> > Postfix? If yes, then maybe you don't have 127.0.0.1 in $mynetworks
> >
> > It can also be that Amavis doesn't connect to 127.0.0.1, but to some other
> > IP on your server - then you need to put that IP in $mynetworks too, or
> > reconfigure Amavis so that it connects to 127.0.0.1
>
> I don't know where else it could connect...  In master.cf it is defined
>
> 119 #The amavis reciever
> 120 127.0.0.1:10025 inet n - - - - smtpd
>
> > If it works with "permit", it should also work with "permit_mynetworks",
> > provided that the value of $mynetworks includes the actual IP Amavis is
> > connecting to.
>
> it should, but it isn't - hence the reason I have asked here for help.
>
> # postconf -n | grep -n mynetworks
> 36:mynetworks = 127.0.0.0/8, [::1]/128
> 37:mynetworks_style = host

Try removing 'mynetworks' from definitions since it overwrites 'mynetworks_style=host' which should already restrict the definition of mynetworks to the local machine (and might do so in a more correct way?)
Try adding 'reject' after 'permit_mynetworks' at the end of one of the restriction lists (for smtpd-from-amavis) e.g. smtpd_client_restrictions - this gives you the full protection

Re: Postfix HELO checks

Simon Brereton-3
On Wed, 15 Jan 2020 at 18:00, Dominic Raferd <[hidden email]> wrote:

>
>
> On Wed, 15 Jan 2020 at 16:50, Simon B <[hidden email]> wrote:
>>
>> On Wed, 15 Jan 2020 at 17:43, Jaroslaw Rafa <[hidden email]> wrote:
>> >
>> > On 15.01.2020 at 17:26:48 Simon B wrote:
>> > >
>> > > Amavis listens on 10024, and postfix listens on 10025
>> > >
>> > > That means mail comes in on 587, it goes to amavis on 10024 and comes
>> > > back on 10025 before going out.
>> > [...]
>> > > and mail is flowing.  I am not happy since the solution to the
>> > > original problem has been to make smtpd_helo_restrictions=permit and
>> > > even though it's internal we operate a zero-trust policy, and "permit"
>> > > is not that.
>> >
>> > Does Amavis actually connect to 127.0.0.1 when injecting mail back to
>> > Postfix? If yes, then maybe you don't have 127.0.0.1 in $mynetworks
>> >
>> > It can also be that Amavis doesn't connect to 127.0.0.1, but to some other
>> > IP on your server - then you need to put that IP in $mynetworks too, or
>> > reconfigure Amavis so that it connects to 127.0.0.1
>>
>> I don't know where else it could connect...  In master.cf it is defined
>>
>> 119 #The amavis reciever
>> 120 127.0.0.1:10025 inet n - - - - smtpd
>>
>> > If it works with "permit", it should also work with "permit_mynetworks",
>> > provided that the value of $mynetworks includes the actual IP Amavis is
>> > connecting to.
>>
>> it should, but it isn't - hence the reason I have asked here for help.
>>
>> # postconf -n | grep -n mynetworks
>> 36:mynetworks = 127.0.0.0/8, [::1]/128
>> 37:mynetworks_style = host
>
>
> Try removing 'mynetworks' from definitions since it overwrites 'mynetworks_style=host' which should already restrict the definition of mynetworks to the local machine (and might do so in a more correct way?)
> Try adding 'reject' after 'permit_mynetworks' at the end of one of the restriction lists (for smtpd-from-amavis) e.g. smtpd_client_restrictions - this gives you the full protection

Thanks.  That works and meets our objectives.

Appreciate the fantastic support.

Simon

Re: Postfix HELO checks

Matus UHLAR - fantomas
>>> On Wed, 15 Jan 2020 at 17:43, Jaroslaw Rafa <[hidden email]> wrote:
>>> > Does Amavis actually connect to 127.0.0.1 when injecting mail back to
>>> > Postfix? If yes, then maybe you don't have 127.0.0.1 in $mynetworks
>>> >
>>> > It can also be that Amavis doesn't connect to 127.0.0.1, but to some other
>>> > IP on your server - then you need to put that IP in $mynetworks too, or
>>> > reconfigure Amavis so that it connects to 127.0.0.1

>> On Wed, 15 Jan 2020 at 16:50, Simon B <[hidden email]> wrote:
>>> I don't know where else it could connect...  In master.cf it is defined
>>>
>>> 119 #The amavis reciever
>>> 120 127.0.0.1:10025 inet n - - - - smtpd

I would temporarily add:
   -o syslog_name=postfix/amavis

to verify in logs that the mail was received via this port
(localhost:10025 is the builtin default in amavis).

>>> > If it works with "permit", it should also work with "permit_mynetworks",
>>> > provided that the value of $mynetworks includes the actual IP Amavis is
>>> > connecting to.
>>>
>>> it should, but it isn't - hence the reason I have asked here for help.
>>>
>>> # postconf -n | grep -n mynetworks
>>> 36:mynetworks = 127.0.0.0/8, [::1]/128
>>> 37:mynetworks_style = host

note that mynetworks is overridden by -o option in master.cf:

118 #The amavis reciever
119 127.0.0.1:10025 inet n - - - - smtpd
120         -o content_filter=
121         -o local_recipient_maps=
122         -o relay_recipient_maps=
123         -o smtpd_restriction_classes=
124   -o smtpd_client_restrictions=permit_mynetworks,reject_plaintext_session
125   -o smtpd_helo_restrictions=permit_mynetworks
126         -o smtpd_sender_restrictions=
127         -o smtpd_recipient_restrictions=permit_mynetworks,reject
128         -o mynetworks=127.0.0.0/8
129         -o strict_rfc821_envelopes=yes
130         -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
131         -o smtp_bind_address=127.0.0.1

so, either this config does not apply (e.g. you forgot whitespace at the
beginning of one of those lines), or there's something strange

>On Wed, 15 Jan 2020 at 18:00, Dominic Raferd <[hidden email]> wrote:
>> Try removing 'mynetworks' from definitions since it overwrites
>> 'mynetworks_style=host' which should already restrict the definition of
>> mynetworks to the local machine (and might do so in a more correct way?)

yes, however that should be completely irrelevant since only localhost can
connect to 127.0.0.1:10025

>> Try adding 'reject' after 'permit_mynetworks' at the end of one of the
>> restriction lists (for smtpd-from-amavis) e.g.  smtpd_client_restrictions
>> - this gives you the full protection

irrelevant because of the same reason.

On 15.01.20 18:32, Simon B wrote:
>Thanks.  That works and meets our objectives.

the downside is we still don't know what is (or was) wrong.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
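
The two checks raised in this thread, as an added example that is not part of the original posts: whether each master.cf `-o` line really belongs to the amavis re-injection service (continuation lines must start with whitespace), and whether the client address falls inside the `mynetworks` value in effect for that service. The sample master.cf (with one deliberately broken line), the main.cf value and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample modelled on the amavis re-injection service in the thread.
# The last "-o" line deliberately starts in column one (constructed defect).
SAMPLE_MASTER_CF = """\
# The amavis receiver
127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8,[::1]/128
-o smtpd_helo_restrictions=permit_mynetworks
"""

# Assumed main.cf value, for illustration only; the thread never shows it.
SAMPLE_MAIN_CF = {"smtpd_helo_restrictions": "reject_unknown_helo_hostname"}


def parse_master_cf(text):
    """Return (services, problems); services maps 'name/type' to its -o overrides."""
    services, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tokens = raw.split()
        if not raw[0].isspace():
            # Column-one text starts a new logical line, i.e. a new service entry,
            # so it is never read as an override of the service above it.
            if len(tokens) < 8:
                problems.append((lineno, "starts in column one but is not a service entry"))
                current = None
                continue
            current = services.setdefault(f"{tokens[0]}/{tokens[1]}", {})
            tokens = tokens[8:]  # arguments after the eight service fields
        elif current is None:
            problems.append((lineno, "continuation line with no valid service above it"))
            continue
        for flag, arg in zip(tokens, tokens[1:]):
            if flag == "-o" and "=" in arg:
                name, value = arg.split("=", 1)
                current[name] = value
    return services, problems


def effective(services, service, main_cf, name):
    """Value in effect for `name`: the service's -o override, else main.cf."""
    return services.get(service, {}).get(name, main_cf.get(name))


def in_mynetworks(mynetworks, client_ip):
    """True if client_ip falls inside a CIDR entry of a mynetworks value."""
    addr = ipaddress.ip_address(client_ip)
    for entry in mynetworks.replace(",", " ").split():
        try:
            # Postfix writes IPv6 networks as [::1]/128; drop the brackets.
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue  # table lookups and "!" exclusions are outside this sketch
        if addr in net:
            return True
    return False


if __name__ == "__main__":
    services, problems = parse_master_cf(SAMPLE_MASTER_CF)
    for lineno, msg in problems:
        print(f"master.cf line {lineno}: {msg}")
    svc = "127.0.0.1:10025/inet"
    print("helo restrictions in effect:",
          effective(services, svc, SAMPLE_MAIN_CF, "smtpd_helo_restrictions"))
    print("127.0.0.1 in mynetworks:", in_mynetworks(services[svc]["mynetworks"], "127.0.0.1"))
```

On the constructed sample the misplaced line is reported and the service falls back to the main.cf HELO restrictions, while 127.0.0.1 still matches the overridden `mynetworks`.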