Recipient verification with sending IP equal to probe IP

PeterDaem
Hi!

I am doing recipient address verification with reject_unverified_recipient and it works pretty well, but I have
noticed that when the sending IP is the same as the vrfy probing IP address, then this restriction is not applied.

Does it make sense?

I have this in my main.cf:

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_recipient_restrictions =
                permit_mynetworks,
                reject_unauth_destination,
                reject_unknown_recipient_domain,
                reject_unauth_pipelining,
                reject_unverified_recipient
smtpd_sender_restrictions =
                permit_mynetworks,
                reject_unknown_sender_domain

There are no errors in the log, except some verify cache Berkeley bug that Wietse mentioned some time ago was safe to ignore:
  postfix/verify[2234]: close database /var/lib/postfix/verify_cache.db: No such file or directory (possible Berkeley DB bug)


Thanks!

-------
Pedro




Re: Recipient verification with sending IP equal to probe IP

Wietse Venema
Pedro David Marco:
> Hi!
> I am doing recipient address verification with reject_unverified_recipient and it works pretty well, but I have noticed that when the sending IP is the same as the vrfy probing IP address, then this restriction is not applied.
> Does it make sense?
> I have this in my main.cf:
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> smtpd_recipient_restrictions =
>                 permit_mynetworks,
>                 reject_unauth_destination,
>                 reject_unknown_recipient_domain,
>                 reject_unauth_pipelining,
>                 reject_unverified_recipient
> smtpd_sender_restrictions =
>                 permit_mynetworks,
>                 reject_unknown_sender_domain
>
> There are no errors in the log, except some verify cache Berkeley bug that Wietse mentioned some time ago was safe to ignore:
>   postfix/verify[2234]: close database /var/lib/postfix/verify_cache.db: No such file or directory (possible Berkeley DB bug)
>

Type: "man 5 postconf", look for permit_mynetworks

        Wietse

Re: Recipient verification with sending IP equal to probe IP

PeterDaem
Thanks Wietse, but the sending IP is not listed in $mynetworks...

---
Pedro.


From: Wietse Venema <[hidden email]>
To: Postfix users <[hidden email]>
Sent: Thursday, December 15, 2016 1:15 PM
Subject: Re: Recipient verification with sending IP equal to probe IP

Pedro David Marco:
> Hi!
> I am doing recipient address verification with reject_unverified_recipient and it works pretty well, but I have noticed that when the sending IP is the same as the vrfy probing IP address, then this restriction is not applied.
> Does it make sense?
> I have this in my main.cf:
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> smtpd_recipient_restrictions =
>                 permit_mynetworks,
>                 reject_unauth_destination,
>                 reject_unknown_recipient_domain,
>                 reject_unauth_pipelining,
>                 reject_unverified_recipient
> smtpd_sender_restrictions =
>                 permit_mynetworks,
>                 reject_unknown_sender_domain
>
> There are no errors in the log, except some verify cache Berkeley bug that Wietse mentioned some time ago was safe to ignore:
>   postfix/verify[2234]: close database /var/lib/postfix/verify_cache.db: No such file or directory (possible Berkeley DB bug)
>

Type: "man 5 postconf", look for permit_mynetworks


    Wietse



Re: Recipient verification with sending IP equal to probe IP

Wietse Venema
Pedro David Marco:
> Thanks Wietse, but the sending IP is not listed in $mynetworks...

Given your smtpd_mumble_restrictions rule, permit_mynetworks allows
a client to skip the reject_unverified_whatever check.

Oh, and of course this check does not apply at all for mail
that is received with the pickup daemon.

        Wietse
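
Added example (not part of the original thread, and not Postfix code): a small model of first-match evaluation over the smtpd_recipient_restrictions and mynetworks values posted above, showing which rule decides for a given client address. The client addresses, the `example.com` relay domain and the `probe_ok` flag are constructed assumptions; rules that depend on DNS or pipelining are treated as DUNNO.

```python
import ipaddress

# Values copied from the main.cf posted in this thread.
MYNETWORKS = "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"
RECIPIENT_RESTRICTIONS = [
    "permit_mynetworks",
    "reject_unauth_destination",
    "reject_unknown_recipient_domain",
    "reject_unauth_pipelining",
    "reject_unverified_recipient",
]
RELAY_DOMAINS = {"example.com"}  # assumption: domain this server relays for

def parse_mynetworks(value):
    """Parse Postfix-style patterns: 'v4/len' and '[v6]/len'."""
    items = value.replace(",", " ").split()
    return [ipaddress.ip_network(i.replace("[", "").replace("]", "")) for i in items]

NETS = parse_mynetworks(MYNETWORKS)

def in_mynetworks(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in NETS)

def evaluate(client_ip, rcpt_domain, probe_ok):
    """Return (action, deciding_rule). The first rule that decides ends the list."""
    for rule in RECIPIENT_RESTRICTIONS:
        if rule == "permit_mynetworks" and in_mynetworks(client_ip):
            return ("PERMIT", rule)
        if rule == "reject_unauth_destination" and rcpt_domain not in RELAY_DOMAINS:
            return ("REJECT", rule)
        if rule == "reject_unverified_recipient" and not probe_ok:
            return ("REJECT", rule)
        # Rules not modelled here (DNS, pipelining) are treated as DUNNO.
    return ("PERMIT", "end of list")

if __name__ == "__main__":
    # Constructed clients; probe_ok=False means the address probe failed.
    for ip in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "192.0.2.25"):
        print(ip, evaluate(ip, "example.com", False))
```

Any client that matches mynetworks is permitted by the first rule, so reject_unverified_recipient is never consulted for it; only clients outside mynetworks reach the verification check.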

Re: Recipient verification with sending IP equal to probe IP

PeterDaem


>Given your smtpd_mumble_restrictions rule, permit_mynetworks allows
>a client to skip the reject_unverified_whatever check.
> Wietse

Why, Wietse? permit_mynetworks is in first place and should basically only allow loopback according to
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128


Thanks,

----
Pedro



Re: Recipient verification with sending IP equal to probe IP

Wietse Venema
Pedro David Marco:
>
>
> >Given your smtpd_mumble_restrictions rule, permit_mynetworks allows
> >a client to skip the reject_unverified_whatever check.
> > Wietse
>
> Why, Wietse? permit_mynetworks is in first place and should basically only allow loopback according to
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

No more assistance until you provide actual logging.

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.