REJECT and "optional text" question...

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

REJECT and "optional text" question...

PeterDaem


Hello,

I have a sender restriction like this:

smtpd_sender_restrictions =
                permit_mynetworks
                check_client_access hash:/etc/postfix/special_clients

and in special_clients file:

205.201.128.108    REJECT You are blacklisted



What i see is that it works and the client gets rejected BUT with the message "Access denied" and not "You are blacklisted"..

example log:

2016 Jul 23 04:11:05 host1 postfix/smtpd[10484]: NOQUEUE: reject: RCPT from mail108.us4.mcsv.net[205.201.128.108]: 554 5.7.1 <bounce-mc.us11_44614205.940081-mpar=[hidden email]>: Sender address rejected: Access denied; from=<bounce-mc.us11_44614205.940081-mpar=[hidden email]> to=<mpar=iblhelper.net> proto=ESMTP helo=<mail108.us4.mcsv.net>


any idea why, please?

Thanks!

Pedreter.


Reply | Threaded
Open this post in threaded view
|

Re: REJECT and "optional text" question...

Wietse Venema
Pedro David Marco:
>                 check_client_access hash:/etc/postfix/special_clients

This is check_CLIENT_access, which rejects a CLIENT.

> Sender address rejected: Access denied;

That is blocked by check_SENDER_access, which rejects a SENDER.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: REJECT and "optional text" question...

PeterDaem
Thanks Wietse...


yes, i have a check_sender_access - after-  the check_client_access, but
i must be doing something wrong because the reject should have been done by
the check_client_access:

                check_client_access hash:/etc/postfix/special_clients        
                check_sender_access regexp:/etc/postfix/special_senders

Postfix does not complain at all about files fomat but...
Wietse, is the syntax correct? (for special_clients file)

205.201.128.108    REJECT You are blacklisted

i have also tried...

205.201.128.0/24     REJECT You are blacklisted

how do i reject  from that IP with that text???

Thanks!

Pedreter.



From: Wietse Venema <[hidden email]>
To: Postfix users <[hidden email]>
Sent: Tuesday, July 26, 2016 12:03 PM
Subject: Re: REJECT and "optional text" question...

Pedro David Marco:
>                check_client_access hash:/etc/postfix/special_clients

This is check_CLIENT_access, which rejects a CLIENT.


> Sender address rejected: Access denied;


That is blocked by check_SENDER_access, which rejects a SENDER.

    Wietse



Reply | Threaded
Open this post in threaded view
|

Re: REJECT and "optional text" question...

Bill Cole-3
On 26 Jul 2016, at 7:52, Pedro David Marco wrote:

> Thanks Wietse...
>
> yes, i have a check_sender_access - after-  the check_client_access,
> buti must be doing something wrong because the reject should have been
> done bythe check_client_access:
>                 check_client_access
> hash:/etc/postfix/special_clients        
>                 check_sender_access
> regexp:/etc/postfix/special_senders

Since those directives must be in one or more smtpd restriction lists,
which are run in a strict order, just knowing hat you have hem somewhere
in that order isn't enough information. This is why the subscription
message for this list includes the same instructions as the last section
of Postfix's DEBUG_README: provide the output of 'postconf -n' not just
fragments of main.cf.

> Postfix does not complain at all about files fomat but...Wietse, is
> the syntax correct? (for special_clients file)
> 205.201.128.108    REJECT You are blacklisted

That should work. Did you run 'postmap
hash:/etc/postfix/special_clients' after adding that line? Maps in
'hash' format must be converted from text to binary format using postmap
for Postfix to use them.

> i have also tried...
>
> 205.201.128.0/24     REJECT You are blacklisted

That would be suitable in a 'cidr' table but in a 'hash' table it would
not work. To get the same effect in 'hash' format, you could use this:

205.201.128     REJECT You are blacklisted

> how do i reject  from that IP with that text???

Correct your configuration :)

What *exactly* is wrong with your configuration is not obvious without
more information. My *guesses* about the most likely causes for your
problem are:

1. You need to postmap your special_clients file to create the binary
form.
2. Your check_client_access and check_sender_access directives are in
different restriction lists such that check_sender_access is being hit
first, despite being later in main.cf.
3. There's some other more complex problem which is entirely invisible
to us because we don't know enough about your configuration yet.
Reply | Threaded
Open this post in threaded view
|

Re: REJECT and "optional text" question...

PeterDaem
Thanks Bill...

this is my restrictions config:




From: Bill Cole <[hidden email]>
To: Postfix users <[hidden email]>
Sent: Tuesday, July 26, 2016 3:00 PM
Subject: Re: REJECT and "optional text" question...

On 26 Jul 2016, at 7:52, Pedro David Marco wrote:

> Thanks Wietse...
>
> yes, i have a check_sender_access - after-  the check_client_access,
> buti must be doing something wrong because the reject should have been
> done bythe check_client_access:
>                 check_client_access
> hash:/etc/postfix/special_clients        
>                 check_sender_access
> regexp:/etc/postfix/special_senders

Since those directives must be in one or more smtpd restriction lists,
which are run in a strict order, just knowing hat you have hem somewhere
in that order isn't enough information. This is why the subscription
message for this list includes the same instructions as the last section
of Postfix's DEBUG_README: provide the output of 'postconf -n' not just
fragments of main.cf.

> Postfix does not complain at all about files fomat but...Wietse, is
> the syntax correct? (for special_clients file)
> 205.201.128.108    REJECT You are blacklisted

That should work. Did you run 'postmap
hash:/etc/postfix/special_clients' after adding that line? Maps in
'hash' format must be converted from text to binary format using postmap
for Postfix to use them.

> i have also tried...
>
> 205.201.128.0/24     REJECT You are blacklisted

That would be suitable in a 'cidr' table but in a 'hash' table it would
not work. To get the same effect in 'hash' format, you could use this:

205.201.128     REJECT You are blacklisted


> how do i reject  from that IP with that text???


Correct your configuration :)

What *exactly* is wrong with your configuration is not obvious without
more information. My *guesses* about the most likely causes for your
problem are:

1. You need to postmap your special_clients file to create the binary
form.
2. Your check_client_access and check_sender_access directives are in
different restriction lists such that check_sender_access is being hit
first, despite being later in main.cf.
3. There's some other more complex problem which is entirely invisible
to us because we don't know enough about your configuration yet.



Reply | Threaded
Open this post in threaded view
|

Re: REJECT and "optional text" question...

Bill Cole-3
On 26 Jul 2016, at 9:24, Pedro David Marco wrote:

> Thanks Bill...
> this is my restrictions config:
>
>
>       From: Bill Cole <[hidden email]>
>  To: Postfix users <[hidden email]>
>  Sent: Tuesday, July 26, 2016 3:00 PM
>  Subject: Re: REJECT and "optional text" question...
[remainder of quoted text removed]

I think something went wrong with your copy/paste, since there's no
restrictions config to be found in that message.
Reply | Threaded
Open this post in threaded view
|

Re: REJECT and "optional text" question...

PeterDaem
In reply to this post by Bill Cole-3
Thanks Bill...

these are my restrictions...

smtpd_restriction_classes =
                clase_spamtrap-spam

clase_spamtrap-spam =
                check_client_access regexp:/etc/postfix/spamtrap-spam,
                permit

smtpd_sender_restrictions =
                permit_mynetworks,
                check_sender_access hash:/etc/postfix/wl_senders,
                check_sender_access hash:/etc/postfix/wl_recipients,
                check_client_access hash:/etc/postfix/bl_clients,
                check_client_access hash:/etc/postfix/special_clients,
                reject_unknown_reverse_client_hostname,
                reject_unknown_sender_domain,
                check_sender_access regexp:/etc/postfix/
special_senders,
               
smtpd_recipient_restrictions =
                permit_mynetworks,
                reject_unauth_destination,
                reject_unknown_recipient_domain,
                reject_unauth_pipelining,
               

My understading is that order is ok...

and yes, i use postmap for files that need it...

Thanks!

Pedreter.


From: Bill Cole <[hidden email]>
To: Postfix users <[hidden email]>
Sent: Tuesday, July 26, 2016 3:00 PM
Subject: Re: REJECT and "optional text" question...

On 26 Jul 2016, at 7:52, Pedro David Marco wrote:

> Thanks Wietse...
>
> yes, i have a check_sender_access - after-  the check_client_access,
> buti must be doing something wrong because the reject should have been
> done bythe check_client_access:
>                 check_client_access
> hash:/etc/postfix/special_clients        
>                 check_sender_access
> regexp:/etc/postfix/special_senders

Since those directives must be in one or more smtpd restriction lists,
which are run in a strict order, just knowing hat you have hem somewhere
in that order isn't enough information. This is why the subscription
message for this list includes the same instructions as the last section
of Postfix's DEBUG_README: provide the output of 'postconf -n' not just
fragments of main.cf.

> Postfix does not complain at all about files fomat but...Wietse, is
> the syntax correct? (for special_clients file)
> 205.201.128.108    REJECT You are blacklisted

That should work. Did you run 'postmap
hash:/etc/postfix/special_clients' after adding that line? Maps in
'hash' format must be converted from text to binary format using postmap
for Postfix to use them.

> i have also tried...
>
> 205.201.128.0/24     REJECT You are blacklisted

That would be suitable in a 'cidr' table but in a 'hash' table it would
not work. To get the same effect in 'hash' format, you could use this:

205.201.128     REJECT You are blacklisted


> how do i reject  from that IP with that text???


Correct your configuration :)

What *exactly* is wrong with your configuration is not obvious without
more information. My *guesses* about the most likely causes for your
problem are:

1. You need to postmap your special_clients file to create the binary
form.
2. Your check_client_access and check_sender_access directives are in
different restriction lists such that check_sender_access is being hit
first, despite being later in main.cf.
3. There's some other more complex problem which is entirely invisible
to us because we don't know enough about your configuration yet.



Reply | Threaded
Open this post in threaded view
|

Re: REJECT and "optional text" question...

PeterDaem
In reply to this post by Bill Cole-3
Sorry, my fault...


From: Bill Cole <[hidden email]>
To: Postfix users <[hidden email]>
Sent: Tuesday, July 26, 2016 3:28 PM
Subject: Re: REJECT and "optional text" question...

On 26 Jul 2016, at 9:24, Pedro David Marco wrote:


> Thanks Bill...
> this is my restrictions config:
>
>
>      From: Bill Cole <[hidden email]>
>  To: Postfix users <[hidden email]>
>  Sent: Tuesday, July 26, 2016 3:00 PM
>  Subject: Re: REJECT and "optional text" question...

[remainder of quoted text removed]

I think something went wrong with your copy/paste, since there's no
restrictions config to be found in that message.



Reply | Threaded
Open this post in threaded view
|

Re: REJECT and "optional text" question...

Bastian Blank-3
In reply to this post by PeterDaem
On Tue, Jul 26, 2016 at 01:33:53PM +0000, Pedro David Marco wrote:
> Thanks Bill...
> these are my restrictions...

You have been asked to provide the output of "postconf -n", not random
snippets.  Also please learn how to quote.

Bastian

--
The joys of love made her human and the agonies of love destroyed her.
                -- Spock, "Requiem for Methuselah", stardate 5842.8
Reply | Threaded
Open this post in threaded view
|

Re: REJECT and "optional text" question...

/dev/rob0
On Tue, Jul 26, 2016 at 08:33:32PM +0200, Bastian Blank wrote:
> On Tue, Jul 26, 2016 at 01:33:53PM +0000, Pedro David Marco wrote:
> > Thanks Bill...
> > these are my restrictions...
>
> You have been asked to provide the output of "postconf -n", not
> random snippets.  Also please learn how to quote.

Quite right.  With complete information as DEBUG_README.html#mail
recommends, this would have been cleared up by now.

But I'm going to shift the focus a bit.  Here was the log from the
OP:

> 2016 Jul 23 04:11:05 host1 postfix/smtpd[10484]: NOQUEUE: reject:
> RCPT from mail108.us4.mcsv.net[205.201.128.108]: 554 5.7.1
> <bounce-mc.us11_44614205.940081-mpar=[hidden email]>:
> Sender address rejected: Access denied;
> from=<bounce-mc.us11_44614205.940081-mpar=[hidden email]>
> to=<mpar=iblhelper.net> proto=ESMTP helo=<mail108.us4.mcsv.net>

That's Mailchimp, not just some random spammer.  No, I'm not a chimp
fanboy nor an apologist for ESPs, but this is one ESP which does take
complaints seriously.

Have you [Pedreter] tried complaining to them?  If the sender is
truly spamming you without a valid signup, Mailchimp are likely to
terminate the account.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: