Trouble filtering incoming mail


Trouble filtering incoming mail

Robert Senger-2
Hi all,

I am having some trouble with filtering incoming mail. First, I do not
understand certain "access denied" actions. Second, I cannot get
filtering by sender domain to work correctly.

See below for the relevant configuration snippets.
 
1. "access denied" actions

In the logs, I see several messages like these:

Nov 13 11:04:43 prokyon postfix/smtpd[30195]: connect from s1.namares.eu[93.189.46.48]
Nov 13 11:04:44 prokyon postfix/smtpd[30195]: NOQUEUE: reject: RCPT from s1.namares.eu[93.189.46.48]: 554 5.7.1 <[hidden email]>: Recipient address rejected: Access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mail.namares.eu>
Nov 13 11:04:44 prokyon postfix/smtpd[30195]: disconnect from s1.namares.eu[93.189.46.48] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6

Postfix immediately says "access denied". I see these lines for a small
number of domains, and only these three lines, nothing else. There's no
reason logged, as there is if other filtering options trigger (e.g. "Helo
command rejected: need fully-qualified hostname"). So, what is going on
here? None of the affected domains is listed in any access restrictions
file/db. At least one important domain (a big business social network,
popular in Germany) is affected and this is a problem for us.

2. Filtering by sender domain not working

I am trying to reject emails coming in from certain domains (e.g.
.sxxt.de, see below), but I can't get it to work. I've put the domains
into sender_access and recipient_access files, ran postmap, but emails
still go through.

I already tried to put sender_access and recipient_access into
smtpd_sender_restrictions and smtpd_recipient_restrictions in different
combinations/order, but no luck. I never see "550" in the logs. Why?

Thanks for help.

Robert


Access restrictions:

root@prokyon:/etc/postfix# cat sender_access
[hidden email]         550 Blacklisted
info.sxxt.de                    550 Blacklisted
[hidden email]                  550 Blacklisted
e.sxxt.de                       550 Blacklisted

root@prokyon:/etc/postfix# cat sender_access
[hidden email]         550 Blacklisted

root@prokyon:/etc/postfix# cat client_access
debian.org OK

root@prokyon:/etc/postfix# cat helo_access
maxx.maxx.shmoo.com OK


Smtp configuration:

master.cf (snippet):
smtp       inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=no
  -o { smtpd_client_restrictions    = check_client_access hash:/etc/postfix/client_access,
                                      reject_unknown_client_hostname,
                                      reject_unauth_pipelining,
                                      permit }
  -o { smtpd_helo_restrictions      = check_helo_access hash:/etc/postfix/helo_access,
                                      reject_invalid_helo_hostname,
                                      reject_non_fqdn_helo_hostname,
                                      reject_unknown_helo_hostname,
                                      reject_unauth_pipelining,
                                      permit }
  -o { smtpd_sender_restrictions    = reject_unknown_sender_domain,
                                      reject_non_fqdn_sender,
                                      permit }
  -o { smtpd_relay_restrictions     = reject_unauth_destination,
                                      reject_unauth_pipelining,
                                      permit }
  -o { smtpd_recipient_restrictions = reject_unauth_destination,
                                      reject_unauth_pipelining,
                                      check_sender_access hash:/etc/postfix/sender_access,
                                      check_recipient_access hash:/etc/postfix/recipient_access,
                                      check_policy_service unix:/var/run/postgrey/postgrey.sock,
                                      check_policy_service unix:private/policy-spf,
                                      permit }
  -o { milter_macro_daemon_name = ORIGINATING }
  -o { smtpd_milters = unix:/var/run/opendkim/opendkim.sock,
                       unix:/var/run/opendmarc/opendmarc.sock,
                       unix:/var/run/clamav/clamav-milter.ctl,
                       unix:/var/run/spamass/spamass.sock }



--
Robert Senger



Re: Trouble filtering incoming mail

Dominic Raferd


On Fri, 15 Nov 2019, 17:59 Robert Senger, <[hidden email]> wrote:
> Hi all,
>
> I am having some trouble with filtering incoming mail. First, I do not
> understand certain "access denied" actions. Second, I cannot get
> filtering by sender domain to work correctly.
>
> See below for the relevant configuration snippets.
>
> 1. "access denied" actions
>
> In the logs, I see several messages like these:
>
> Nov 13 11:04:43 prokyon postfix/smtpd[30195]: connect from s1.namares.eu[93.189.46.48]
> Nov 13 11:04:44 prokyon postfix/smtpd[30195]: NOQUEUE: reject: RCPT from s1.namares.eu[93.189.46.48]: 554 5.7.1 <[hidden email]>: Recipient address rejected: Access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mail.namares.eu>
> Nov 13 11:04:44 prokyon postfix/smtpd[30195]: disconnect from s1.namares.eu[93.189.46.48] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6
>
> Postfix immediately says "access denied". I see these lines for a small
> number of domains, and only these three lines, nothing else. There's no
> reason logged, as there is if other filtering options trigger (e.g. "Helo
> command rejected: need fully-qualified hostname"). So, what is going on
> here? None of the affected domains is listed in any access restrictions
> file/db. At least one important domain (a big business social network,
> popular in Germany) is affected and this is a problem for us.
>
> 2. Filtering by sender domain not working
>
> I am trying to reject emails coming in from certain domains (e.g.
> .sxxt.de, see below), but I can't get it to work. I've put the domains
> into sender_access and recipient_access files, ran postmap, but emails
> still go through.
>
> I already tried to put sender_access and recipient_access into
> smtpd_sender_restrictions and smtpd_recipient_restrictions in different
> combinations/order, but no luck. I never see "550" in the logs. Why?

The access is denied because of 'Recipient address rejected' so I would look there for a solution...

Re: Trouble filtering incoming mail

Robert Senger-2
Am Freitag, den 15.11.2019, 18:44 +0000 schrieb Dominic Raferd:

> On Fri, 15 Nov 2019, 17:59 Robert Senger, <
> [hidden email]> wrote:
>
> > Hi all,
> >
> > I am having some trouble with filtering incoming mail. First, I do
> > not
> > understand certain "access denied" actions. Second, I cannot get
> > filtering by sender domain to work correctly.
> >
> > See below for the relevant configuration snippets.
> >
> > 1. "access denied" actions
> >
> > In the logs, I see several messages like these:
> >
> > Nov 13 11:04:43 prokyon postfix/smtpd[30195]: connect from
> > s1.namares.eu
> > [93.189.46.48]
> > Nov 13 11:04:44 prokyon postfix/smtpd[30195]: NOQUEUE: reject: RCPT
> > from
> > s1.namares.eu[93.189.46.48]: 554 5.7.1 <[hidden email]>:
> > Recipient address rejected: Access denied; from=<[hidden email]>
> > to=<
> > [hidden email]> proto=ESMTP helo=<mail.namares.eu>
> > Nov 13 11:04:44 prokyon postfix/smtpd[30195]: disconnect from
> > s1.namares.eu[93.189.46.48] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1
> > quit=1
> > commands=4/6
> >
> > Postfix immediately says "access denied". I see these lines for a
> > small
> > number of domains, and only these three lines, nothing else.
> > There's no
> > reason logged, as there is if other filtering options trigger (e.g.
> > "Helo
> > command rejected: need fully-qualified hostname"). So, what is
> > going on
> > here? None of the affected domains is listed in any access
> > restrictions
> > file/db. At least one important domain (a big business social
> > network,
> > popular in Germany) is affected and this is a problem for us.
> >
> > 2. Filtering by sender domain not working
> >
> > I am trying to reject emails coming in from certain domains (e.g.
> > .sxxt.de, see below), but I can't get it to work. I've put the
> > domains
> > into sender_access and recipient_access files, ran postmap, but
> > emails
> > still go through.
> >
> > I already tried to put sender_access and recipient_access into
> > smtpd_sender_restrictions and smtpd_recipient_restrictions in
> > different
> > combinations/order, but no luck. I never see "550" in the logs.
> > Why?
> >
>
> The access is denied because of 'Recipient address rejected' so I
> would
> look there for a solution...

Hm, the recipient address is (in this case) my own address and receives
dozens of regular emails every day from other domains without any
trouble... That's why I am confused.

Robert


--
Robert Senger



Re: Trouble filtering incoming mail

Noel Jones-2
In reply to this post by Robert Senger-2
On 11/15/2019 11:58 AM, Robert Senger wrote:

> Hi all,
>
> I am having some trouble with filtering incoming mail. First, I do not
> understand certain "access denied" actions. Second, I cannot get
> filtering by sender domain to work correctly.
>
> See below for the relevant configuration snippets.
>  
> 1. "access denied" actions
>
> In the logs, I see several messages like these:
>
> Nov 13 11:04:43 prokyon postfix/smtpd[30195]: connect from s1.namares.eu[93.189.46.48]
> Nov 13 11:04:44 prokyon postfix/smtpd[30195]: NOQUEUE: reject: RCPT from s1.namares.eu[93.189.46.48]: 554 5.7.1 <[hidden email]>: Recipient address rejected: Access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mail.namares.eu>
> Nov 13 11:04:44 prokyon postfix/smtpd[30195]: disconnect from s1.namares.eu[93.189.46.48] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6
>
> Postfix immediately says "access denied". I see these lines for a small
> number of domains, and only these three lines, nothing else. There's no
> reason logged, as there is if other filtering options trigger (e.g. "Helo
> command rejected: need fully-qualified hostname"). So, what is going on
> here? None of the affected domains is listed in any access restrictions
> file/db. At least one important domain (a big business social network,
> popular in Germany) is affected and this is a problem for us.

Looks like this is a REJECT in a check_recipient_access table.
"Access denied" is a reject from an smtpd access table; "Recipient
address rejected" tells us it's a check_recipient_access table.


>
> 2. Filtering by sender domain not working
>
> I am trying to reject emails coming in from certain domains (e.g.
> .sxxt.de, see below), but I can't get it to work. I've put the domains
> into sender_access and recipient_access files, ran postmap, but emails
> still go through.
>

With the default setting of parent_domain_matches_subdomains, all
you need is
sxxxt.de  REJECT blacklisted


If you've removed smtpd_access_maps from
parent_domain_matches_subdomains, then use
.sxxxt.de  REJECT blacklisted

See:
http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains

> I already tried to put sender_access and recipient_access into
> smtpd_sender_restrictions and smtpd_recipient_restrictions in different
> combinations/order, but no luck. I never see "550" in the logs. Why?
>
> Thanks for help.
>
> Robert
>
>
> Access restrictions:
>
> root@prokyon:/etc/postfix# cat sender_access
> [hidden email]         550 Blacklisted
> info.sxxt.de                    550 Blacklisted
> [hidden email]                  550 Blacklisted
> e.sxxt.de                       550 Blacklisted

I would strongly recommend using REJECT instead of an explicit 5xx
code in access maps to prevent accidents. If the intention is to
differentiate log lines, add a comment after the REJECT.   See the
"Accept Actions" section of:
http://www.postfix.org/access.5.html

>
> root@prokyon:/etc/postfix# cat sender_access
> [hidden email]         550 Blacklisted
>
> root@prokyon:/etc/postfix# cat client_access
> debian.org OK
>
> root@prokyon:/etc/postfix# cat helo_access
> maxx.maxx.shmoo.com OK

Be aware that whitelisting by helo name is insecure. Helo names are
easily and frequently forged.


>
>
> Smtp configuration:
>
> master.cf (snippet):

Is there some good reason you've put all this in master.cf instead
of main.cf like everyone else?  This can make postfix harder to
debug by having (possibly conflicting) settings in multiple files.

Check what postfix sees by using "postconf -nf" and "postconf -Mf"



> smtp       inet n       -       n       -       -       smtpd
>    -o smtpd_tls_security_level=may
>    -o smtpd_sasl_auth_enable=no
>    -o { smtpd_client_restrictions    = check_client_access hash:/etc/postfix/client_access,
>                                        reject_unknown_client_hostname,
>                                        reject_unauth_pipelining,
>                                        permit }
>    -o { smtpd_helo_restrictions      = check_helo_access hash:/etc/postfix/helo_access,
>                                        reject_invalid_helo_hostname,
>                                        reject_non_fqdn_helo_hostname,
>                                        reject_unknown_helo_hostname,
>                                        reject_unauth_pipelining,
>                                        permit }
>    -o { smtpd_sender_restrictions    = reject_unknown_sender_domain,
>                                        reject_non_fqdn_sender,
>                                        permit }
>    -o { smtpd_relay_restrictions     = reject_unauth_destination,
>                                        reject_unauth_pipelining,
>                                        permit }
>    -o { smtpd_recipient_restrictions = reject_unauth_destination,
>                                        reject_unauth_pipelining,
>                                        check_sender_access hash:/etc/postfix/sender_access,
>                                        check_recipient_access hash:/etc/postfix/recipient_access,
>                                        check_policy_service unix:/var/run/postgrey/postgrey.sock,
>                                        check_policy_service unix:private/policy-spf,
>                                        permit }
>    -o { milter_macro_daemon_name = ORIGINATING }
>    -o { smtpd_milters = unix:/var/run/opendkim/opendkim.sock,
>                         unix:/var/run/opendmarc/opendmarc.sock,
>                         unix:/var/run/clamav/clamav-milter.ctl,
>                         unix:/var/run/spamass/spamass.sock }
>
>
>



   -- Noel Jones
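Noel's two points about access-table matching (a bare `sxxt.de` entry covers its subdomains only while `smtpd_access_maps` is listed in `parent_domain_matches_subdomains`, otherwise a dotted `.sxxt.de` entry is needed) and about why the posted host-specific entries never produce a 550 can be checked with the following small Python simulation of the lookup order documented in access(5). It is an added example, not code from the thread or from Postfix itself; the tables and addresses are constructed to mirror the thread, and `lookup_keys`/`access_lookup` are illustrative names. It also covers the `user@` local-part pattern, which the thread does not discuss.

```python
"""Simulated Postfix access-table lookup for check_sender_access /
check_recipient_access, following the lookup order documented in access(5):
user@domain, then domain.tld and its parent domains, then user@.

This is an added illustration, not Postfix's own code.  Table contents are
constructed to mirror the thread (the real domain is masked as sxxt.de).
"""


def lookup_keys(address, parent_matches_subdomains=True):
    """Return the keys Postfix tries, in order, for one email address.

    parent_matches_subdomains=True models the default, where
    'smtpd_access_maps' is listed in parent_domain_matches_subdomains and a
    bare 'domain.tld' entry also covers its subdomains.  With False, parent
    domains are looked up with a leading dot ('.domain.tld') instead.
    """
    address = address.lower()  # hash: tables fold case
    local, _, domain = address.rpartition("@")
    keys = [address, domain]   # full address first, then the exact domain
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(local + "@")   # local-part-only pattern comes last
    return keys


def access_lookup(table, address, parent_matches_subdomains=True):
    """Return (matched_key, action) for the first key found, or (None, None).

    No match means the check_*_access restriction is a no-op and evaluation
    continues with the next restriction, which is why the poster never saw
    a 550: nothing in the table matched the addresses actually used.
    """
    for key in lookup_keys(address, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, None


# Constructed tables (assumed, not the poster's real files).
TABLE_POSTED = {              # host-specific entries, as originally posted
    "info.sxxt.de": "550 Blacklisted",
    "e.sxxt.de": "550 Blacklisted",
}
TABLE_DEFAULT = {"sxxt.de": "REJECT blacklisted"}    # default parent_domain_matches_subdomains
TABLE_DOTTED = {".sxxt.de": "REJECT blacklisted"}    # smtpd_access_maps removed from it
TABLE_LOCALPART = {"noreply@": "REJECT no-reply sender"}


def demo():
    """Walk through the cases discussed in the thread; returns the results."""
    cases = [
        ("posted table, unlisted host", TABLE_POSTED, "news@news.sxxt.de", True),
        ("posted table, listed host", TABLE_POSTED, "news@info.sxxt.de", True),
        ("bare domain, default setting", TABLE_DEFAULT, "news@news.sxxt.de", True),
        ("bare domain, maps removed", TABLE_DEFAULT, "news@news.sxxt.de", False),
        ("dotted domain, maps removed", TABLE_DOTTED, "news@news.sxxt.de", False),
        ("dotted domain, default setting", TABLE_DOTTED, "news@news.sxxt.de", True),
        ("dotted domain, apex sender", TABLE_DOTTED, "news@sxxt.de", False),
        ("local-part pattern", TABLE_LOCALPART, "noreply@anything.example", True),
    ]
    results = {}
    for name, table, addr, parent in cases:
        results[name] = access_lookup(table, addr, parent)
        print(f"{name:32s} {addr:26s} -> {results[name]}")
    return results


if __name__ == "__main__":
    demo()
```

Note the "dotted domain, apex sender" case: a `.sxxt.de` entry matches subdomains only, so when `smtpd_access_maps` has been removed from `parent_domain_matches_subdomains` both `sxxt.de` and `.sxxt.de` entries are needed to cover the apex domain and everything below it.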

Re: Trouble filtering incoming mail

Robert Senger-2
Am Freitag, den 15.11.2019, 12:54 -0600 schrieb Noel Jones:

> On 11/15/2019 11:58 AM, Robert Senger wrote:
> > Hi all,
> >
> > I am having some trouble with filtering incoming mail. First, I do
> > not
> > understand certain "access denied" actions. Second, I cannot get
> > filtering by sender domain to work correctly.
> >
> > See below for the relevant configuration snippets.
> >  
> > 1. "access denied" actions
> > [...]
> >
> Looks like this is a REJECT in a check_recipient_access table.
> Access denied; is a reject from a smtpd access table.  Recipient
> address rejected; tells us it's a check_recipient_access table.
>
I reordered things and reviewed access tables, will check logs if that
issue is gone now.

> > 2. Filtering by sender domain not working
> >
> > [...]
> I would strongly recommend using REJECT instead of an explicit 5xx
> code in access maps to prevent accidents. If the intention is to
> differentiate log lines, add a comment after the REJECT.   See the
> "Accept Actions" section of:
> http://www.postfix.org/access.5.html
Done that.

> > root@prokyon:/etc/postfix# cat sender_access
> > [hidden email]         550 Blacklisted
> >
> > root@prokyon:/etc/postfix# cat client_access
> > debian.org OK
> >
> > root@prokyon:/etc/postfix# cat helo_access
> > maxx.maxx.shmoo.com OK
> Be aware that whitelisting by helo name is insecure. Helo names are
> easily and frequently forged.
I added these whitelists several years ago, for whatever reason I do
not remember; removed now.

>
> >
> > Smtp configuration:
> >
> > master.cf (snippet):
>
> Is there some good reason you've put all this in master.cf instead
> of main.cf like everyone else?  This can make postfix harder to
> debug by having (possibly conflicting) settings in multiple files.
>
> Check what postfix sees by using "postconf -nf" and "postconf -Mf"

I don't remember exactly why. At first, I found it confusing having
some stuff in main.cf and other stuff in master.cf that belong together
(milters, policy services). Second, I think years ago I had trouble with
milters/policy services that should be active on smtp, but not on
submission or vice versa, so I moved everything to master.cf to have it
strictly separate for smtp, smtps and submission. I do not have any
options present in both main.cf and master.cf that could conflict.

Don't know what is best practice here.

Thanks for the help, sender_access now seems to work (tested once). The
"access denied" issue needs some more time investigation.

Robert


--
Robert Senger