Selective *non*-enforcement of FQDN rules?


Michael G. Reed
        I've been looking around to see how I can deal with a
particular site that doesn't report a FQDN in the HELO/EHLO line.  I
have smtpd_recipient_restrictions containing:

        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_non_fqdn_hostname

to help with SPAM issues.  I want these enforced for everyone EXCEPT
one site (heck, one IP) that needs to talk to me (but I've been unable
to get their admin to fix their broken configuration).  Is this
possible or am I just missing something really obvious?  Any pointers
would be greatly appreciated.  Thanks!

-Michael


Re: Selective *non*-enforcement of FQDN rules?

Wietse Venema
Michael G. Reed:

> I've been looking around to see how I can deal with a
> particular site that doesn't report a FQDN in the HELO/EHLO line.  I
> have smtpd_recipient_restrictions containing:
>
>         reject_non_fqdn_sender
>         reject_non_fqdn_recipient
>         reject_non_fqdn_hostname
>
> to help with SPAM issues.  I want these enforced for everyone EXCEPT
> one site (heck, one IP) that needs to talk to me (but I've been unable
> to get their admin to fix their broken configuration).  Is this
> possible or am I just missing something really obvious?  Any pointers
> would be greatly appreciated.  Thanks!

Perhaps:

/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        ...
        check_client_access pcre:/etc/postfix/client_pcre
        ...

/etc/postfix/client_pcre:
    192.168.0.1/32 dunno
    0.0.0.0/0 reject_non_fqdn_sender, reject_non_fqdn_recipient, ...
    ::/0 reject_non_fqdn_sender, reject_non_fqdn_recipient, ...

Not intuitive, but effective.

man 5 access
man 5 cidr_table

        Wietse

Re: Selective *non*-enforcement of FQDN rules?

Wietse Venema
Wietse Venema:

> Michael G. Reed:
> > I've been looking around to see how I can deal with a
> > particular site that doesn't report a FQDN in the HELO/EHLO line.  I
> > have smtpd_recipient_restrictions containing:
> >
> >         reject_non_fqdn_sender
> >         reject_non_fqdn_recipient
> >         reject_non_fqdn_hostname
> >
> > to help with SPAM issues.  I want these enforced for everyone EXCEPT
> > one site (heck, one IP) that needs to talk to me (but I've been unable
> > to get their admin to fix their broken configuration).  Is this
> > possible or am I just missing something really obvious?  Any pointers
> > would be greatly appreciated.  Thanks!

Sorry, I used PCRE instead of CIDR. Corrected version follows.

        Wietse

Perhaps:

/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        ...
        check_client_access cidr:/etc/postfix/client_cidr
        ...

/etc/postfix/client_cidr:
    192.168.0.1/32 dunno
    0.0.0.0/0 reject_non_fqdn_sender, reject_non_fqdn_recipient, ...
    ::/0 reject_non_fqdn_sender, reject_non_fqdn_recipient, ...

Not intuitive, but effective.

man 5 access
man 5 cidr_table

        Wietse




Re: Selective *non*-enforcement of FQDN rules?

Michael G. Reed
        Worked like a champ.  (for anyone else interested, put "OK"
for "dunno" below and you're good to go :).  Thanks!

-Michael

On Fri, 22 Aug 2008, Wietse Venema wrote:
|> Wietse Venema:
|> > Michael G. Reed:
|> > > I've been looking around to see how I can deal with a
|> > > particular site that doesn't report a FQDN in the HELO/EHLO line.  I
|> > > have smtpd_recipient_restrictions containing:
|> > >
|> > >         reject_non_fqdn_sender
|> > >         reject_non_fqdn_recipient
|> > >         reject_non_fqdn_hostname
|> > >
|> > > to help with SPAM issues.  I want these enforced for everyone EXCEPT
|> > > one site (heck, one IP) that needs to talk to me (but I've been unable
|> > > to get their admin to fix their broken configuration).  Is this
|> > > possible or am I just missing something really obvious?  Any pointers
|> > > would be greatly appreciated.  Thanks!
|>
|> Sorry, I used PCRE instead of CIDR. Corrected version follows.
|>
|> Wietse
|>
|> Perhaps:
|>
|> /etc/postfix/main.cf:
|>     smtpd_recipient_restrictions =
|> ...
|> check_client_access cidr:/etc/postfix/client_cidr
|> ...
|>
|> /etc/postfix/client_cidr:
|>     192.168.0.1/32 dunno
|>     0.0.0.0/0 reject_non_fqdn_sender, reject_non_fqdn_recipient, ...
|>     ::/0 reject_non_fqdn_sender, reject_non_fqdn_recipient, ...
|>
|> Not intuitive, but effective.
|>
|> man 5 access
|> man 5 cidr_table
|>
|> Wietse


Re: Selective *non*-enforcement of FQDN rules?

Wietse Venema
Michael G. Reed:
> Worked like a champ.  (for anyone else interested, put "OK"
> for "dunno" below and you're good to go :).  Thanks!
>

DO NOT PUT OK THERE!!! YOU MAY BECOME AN OPEN RELAY!!

        Wietse

>
> On Fri, 22 Aug 2008, Wietse Venema wrote:
> |> Wietse Venema:
> |> > Michael G. Reed:
> |> > > I've been looking around to see how I can deal with a
> |> > > particular site that doesn't report a FQDN in the HELO/EHLO line.  I
> |> > > have smtpd_recipient_restrictions containing:
> |> > >
> |> > >         reject_non_fqdn_sender
> |> > >         reject_non_fqdn_recipient
> |> > >         reject_non_fqdn_hostname
> |> > >
> |> > > to help with SPAM issues.  I want these enforced for everyone EXCEPT
> |> > > one site (heck, one IP) that needs to talk to me (but I've been unable
> |> > > to get their admin to fix their broken configuration).  Is this
> |> > > possible or am I just missing something really obvious?  Any pointers
> |> > > would be greatly appreciated.  Thanks!
> |>
> |> Sorry, I used PCRE instead of CIDR. Corrected version follows.
> |>
> |> Wietse
> |>
> |> Perhaps:
> |>
> |> /etc/postfix/main.cf:
> |>     smtpd_recipient_restrictions =
> |> ...
> |> check_client_access cidr:/etc/postfix/client_cidr
> |> ...
> |>
> |> /etc/postfix/client_cidr:
> |>     192.168.0.1/32 dunno
> |>     0.0.0.0/0 reject_non_fqdn_sender, reject_non_fqdn_recipient, ...
> |>     ::/0 reject_non_fqdn_sender, reject_non_fqdn_recipient, ...
> |>
> |> Not intuitive, but effective.
> |>
> |> man 5 access
> |> man 5 cidr_table
> |>
> |> Wietse
>
>
>


Re: Selective *non*-enforcement of FQDN rules?

d.hill
In reply to this post by Michael G. Reed
On Fri, 22 Aug 2008, Michael G. Reed wrote:

> Worked like a champ.  (for anyone else interested, put "OK"
> for "dunno" below and you're good to go :).  Thanks!

Take CAREFUL consideration in using "OK". It can open your server up like
a can of worms. Telling Postfix OK will bypass all further restrictions in
whatever smtpd_*_restrictions section you have it listed in.

According to 'man 5 access', DUNNO will pretend the lookup key was not
found and continue on with the next restriction.

> On Fri, 22 Aug 2008, Wietse Venema wrote:
> |> Wietse Venema:
> |> > Michael G. Reed:
> |> > > I've been looking around to see how I can deal with a
> |> > > particular site that doesn't report a FQDN in the HELO/EHLO line.  I
> |> > > have smtpd_recipient_restrictions containing:
> |> > >
> |> > >         reject_non_fqdn_sender
> |> > >         reject_non_fqdn_recipient
> |> > >         reject_non_fqdn_hostname
> |> > >
> |> > > to help with SPAM issues.  I want these enforced for everyone EXCEPT
> |> > > one site (heck, one IP) that needs to talk to me (but I've been unable
> |> > > to get their admin to fix their broken configuration).  Is this
> |> > > possible or am I just missing something really obvious?  Any pointers
> |> > > would be greatly appreciated.  Thanks!
> |>
> |> Sorry, I used PCRE instead of CIDR. Corrected version follows.
> |>
> |> Wietse
> |>
> |> Perhaps:
> |>
> |> /etc/postfix/main.cf:
> |>     smtpd_recipient_restrictions =
> |> ...
> |> check_client_access cidr:/etc/postfix/client_cidr
> |> ...
> |>
> |> /etc/postfix/client_cidr:
> |>     192.168.0.1/32 dunno
> |>     0.0.0.0/0 reject_non_fqdn_sender, reject_non_fqdn_recipient, ...
> |>     ::/0 reject_non_fqdn_sender, reject_non_fqdn_recipient, ...
> |>
> |> Not intuitive, but effective.
> |>
> |> man 5 access
> |> man 5 cidr_table
> |>
> |> Wietse
>
>

-d
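
The OK versus DUNNO difference described above, as an added example that is not part of the thread and is not Postfix code: a simplified Python model of the lookup, assuming check_client_access sits ahead of reject_unauth_destination in smtpd_recipient_restrictions. LOCAL_DOMAINS, the session values and all helper names are constructed for the illustration.

```python
import ipaddress

# Constructed sample data. 192.168.0.1 is the exempted client from the thread; the
# catch-all lists the three checks from the question (assumed; the thread has "...").
LOCAL_DOMAINS = {"example.org"}          # assumed: domains this server is final for
FQDN_CHECKS = "reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_non_fqdn_hostname"

def table(exempt_action):
    return [("192.168.0.1/32", exempt_action), ("0.0.0.0/0", FQDN_CHECKS), ("::/0", FQDN_CHECKS)]

def domain(addr):
    return addr.rpartition("@")[2]

def fqdn(name):
    # Rough stand-in for Postfix's FQDN test: a dot and no empty labels.
    return "." in name and all(name.split("."))

def check(name, s):
    """Model one named restriction: REJECT on failure, DUNNO to keep going."""
    if name == "reject_unauth_destination":
        passed = domain(s["rcpt"]) in LOCAL_DOMAINS
    else:
        passed = fqdn({"reject_non_fqdn_hostname": s["helo"],
                       "reject_non_fqdn_sender": domain(s["sender"]),
                       "reject_non_fqdn_recipient": domain(s["rcpt"])}[name])
    return "DUNNO" if passed else "REJECT"

def client_access(rows, s):
    ip = ipaddress.ip_address(s["client"])
    for net, action in rows:                      # first matching pattern wins
        if ip in ipaddress.ip_network(net):
            if action.upper() in ("OK", "DUNNO"):
                return action.upper()
            results = [check(n.strip(), s) for n in action.split(",")]
            return "REJECT" if "REJECT" in results else "DUNNO"
    return "DUNNO"                                # no match: same as dunno

def rcpt_verdict(exempt_action, s):
    # Assumed main.cf order: check_client_access, then reject_unauth_destination.
    result = client_access(table(exempt_action), s)
    if result == "DUNNO":                         # fall through to the next restriction
        result = check("reject_unauth_destination", s)
    return "REJECT" if result == "REJECT" else "PERMIT"

def session(client, rcpt):
    # Constructed session: bare HELO name, as sent by the site in the thread.
    return {"client": client, "helo": "mailhost", "sender": "a@sender.example", "rcpt": rcpt}

EXEMPT_RELAY = session("192.168.0.1", "someone@elsewhere.example")
print({a: rcpt_verdict(a, EXEMPT_RELAY) for a in ("dunno", "OK")})
```

With dunno the exempted client skips only the FQDN checks and is still stopped by reject_unauth_destination; with OK the list ends at the table lookup and the same relay attempt is permitted.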

Re: Selective *non*-enforcement of FQDN rules?

Michael G. Reed
        Ah!  My bad (really, really bad :).  I did a quick search of
the man pages and didn't look too carefully (darn case sensitivity on
searching).  Thank you (and Wietse, I saw your message too and
immediately slammed down my server to fix it) for catching that
before it blew up!

-Michael

On Sat, 23 Aug 2008, Duane Hill wrote:
|> On Fri, 22 Aug 2008, Michael G. Reed wrote:
|>
|> > Worked like a champ.  (for anyone else interested, put "OK"
|> > for "dunno" below and you're good to go :).  Thanks!
|>
|> Take CAREFUL consideration in using "OK". It can open your server up like
|> a can of worms. Telling Postfix OK will bypass all further restrictions in
|> whatever smtpd_*_restrictions section you have it listed in.
|>
|> According to 'man 5 access', DUNNO will pretend the lookup key was not
|> found and continue on with the next restriction.
|>
|> > On Fri, 22 Aug 2008, Wietse Venema wrote:
|> > |> Wietse Venema:
|> > |> > Michael G. Reed:
|> > |> > > I've been looking around to see how I can deal with a
|> > |> > > particular site that doesn't report a FQDN in the HELO/EHLO line.  I
|> > |> > > have smtpd_recipient_restrictions containing:
|> > |> > >
|> > |> > >         reject_non_fqdn_sender
|> > |> > >         reject_non_fqdn_recipient
|> > |> > >         reject_non_fqdn_hostname
|> > |> > >
|> > |> > > to help with SPAM issues.  I want these enforced for everyone EXCEPT
|> > |> > > one site (heck, one IP) that needs to talk to me (but I've been unable
|> > |> > > to get their admin to fix their broken configuration).  Is this
|> > |> > > possible or am I just missing something really obvious?  Any pointers
|> > |> > > would be greatly appreciated.  Thanks!
|> > |>
|> > |> Sorry, I used PCRE instead of CIDR. Corrected version follows.
|> > |>
|> > |> Wietse
|> > |>
|> > |> Perhaps:
|> > |>
|> > |> /etc/postfix/main.cf:
|> > |>     smtpd_recipient_restrictions =
|> > |> ...
|> > |> check_client_access cidr:/etc/postfix/client_cidr
|> > |> ...
|> > |>
|> > |> /etc/postfix/client_cidr:
|> > |>     192.168.0.1/32 dunno
|> > |>     0.0.0.0/0 reject_non_fqdn_sender, reject_non_fqdn_recipient, ...
|> > |>     ::/0 reject_non_fqdn_sender, reject_non_fqdn_recipient, ...
|> > |>
|> > |> Not intuitive, but effective.
|> > |>
|> > |> man 5 access
|> > |> man 5 cidr_table
|> > |>
|> > |> Wietse