What am I missing in this client check???


Bill Cole-3
I fear that I've misunderstood something for a very long time...

Why might hwsrv-205226.hostwindsdns.com not be hitting the (redundant, I
think) entries here?

    bigsky:~ root# postmap -vs /etc/postfix/client_checks
    postmap: name_mask: ipv4
    postmap: inet_addr_local: configured 5 IPv4 addresses
    postmap: Compiled against Berkeley DB version 1
    postmap: dict_open: hash:/etc/postfix/client_checks
    getresponse.com 550 5.7.1 GetResponse spam unwanted
    user.veloxzone.com.br 550 5.7.1 Veloxzone users may not mail here
    link 550 5.7.1 Get a real domain, spammy
    hostwindsdns.com 550 5.7.1 Too many brute force attacks from your hosting provider
    .hostwindsdns.com 550 5.7.1 Too many brute force attacks from your hosting provider
    salsalabs.net 550 5.7.1 SalsaLabs has shitty list management practices.
    newsletterbroadcast.net 550 5.7.1 Hostway's spamming services not welcome here
    siteprotect.com 550 5.7.1 Hostway's spamming services not welcome here
    checkmail.io 550 5.7.1 Address Verification is a fraudulent business. GFY & DIAF

    bigsky:~ root# echo $?
    0

    bigsky:~ root# postmap -q hwsrv-205226.hostwindsdns.com -v /etc/postfix/client_checks
    postmap: name_mask: ipv4
    postmap: inet_addr_local: configured 5 IPv4 addresses
    postmap: Compiled against Berkeley DB version 1
    postmap: dict_open: hash:/etc/postfix/client_checks

    bigsky:~ root# echo $?
    1

Canonical config outputs follow:

    bigsky:~ root# postconf -nf
    body_checks = pcre:/opt/local/etc/postfix/body_checks
    bounce_size_limit = 50000
    command_directory = /opt/local/sbin
    compatibility_level = 2
    daemon_directory = /opt/local/libexec/postfix
    data_directory = /opt/local/var/lib/postfix
    debug_peer_level = 3
    debug_peer_list = 127.0.0.1
    debugger_command = PATH=/opt/local/bin:/bin:/usr/bin:/usr/local/bin; export
        PATH; (echo cont; echo where) | gdb $daemon_directory/$process_name
        $process_id 2>&1 >$config_directory/$process_name.$process_id.log & sleep 5
    default_database_type = hash
    default_destination_concurrency_limit = 10
    disable_vrfy_command = yes
    enable_long_queue_ids = yes
    header_checks = regexp:/opt/local/etc/postfix/header_checks
    home_mailbox = Maildir/
    html_directory = no
    inet_interfaces = all
    inet_protocols = ipv4
    mail_owner = _postfix
    mailq_path = /opt/local/bin/mailq
    manpage_directory = /opt/local/share/man
    message_size_limit = 40960000
    milter_command_timeout = 120s
    milter_connect_timeout = 45s
    milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer}
    mydestination = $myhostname, localhost.$mydomain_fallback
    mydomain = scconsult.com
    mydomain_fallback = scconsult.com
    myhostname = toaster.scconsult.com
    mynetworks = 192.168.254.0/24
    mynetworks_style = subnet
    myorigin = $myhostname
    newaliases_path = /opt/local/bin/newaliases
    postscreen_access_list = permit_mynetworks
    postscreen_disable_vrfy_command = yes
    postscreen_dnsbl_action = enforce
    postscreen_dnsbl_sites = cbl.abuseat.org=127.0.0.2*2
        zen.spamhaus.org=127.0.0.2*2 zen.spamhaus.org=127.0.0.3*2
        zen.spamhaus.org=127.0.0.4*2 zen.spamhaus.org=127.0.0.10*2
        zen.spamhaus.org=127.0.0.11*2 korea.services.net=127.0.0.2*2
        blackholes.scconsult.com=127.0.0.2*1 sbcdyn.scconsult.com=127.0.0.2*1
        psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1
    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_ttl = 10m
    postscreen_greet_action = drop
    postscreen_helo_required = $smtpd_helo_required
    postscreen_whitelist_interfaces = !127.0.0.2,static:all
    proxy_interfaces = 67.149.19.3, 67.149.19.4, 67.149.19.5
    queue_directory = /opt/local/var/spool/postfix
    readme_directory = /opt/local/share/postfix/readme
    recipient_delimiter = -
    sample_directory = /opt/local/share/postfix/sample
    sender_bcc_maps = pcre:/etc/postfix/sender_bccs
    sendmail_path = /opt/local/sbin/sendmail
    setgid_group = _postdrop
    sewers = check_recipient_access pcre:/opt/local/etc/postfix/sewer-recipients
        check_sender_access pcre:/opt/local/etc/postfix/sewer-senders
    smtp_connection_cache_destinations =
    smtp_dns_support_level = dnssec
    smtp_generic_maps = regexp:/opt/local/etc/postfix/generic
    smtp_tls_CAfile = /opt/local/etc/openssl/cert.pem
    smtp_tls_loglevel = 1
    smtp_tls_security_level = dane
    smtpd_authorized_xclient_hosts = localhost
    smtpd_client_auth_rate_limit = 5
    smtpd_client_connection_count_limit = 20
    smtpd_client_connection_rate_limit = 6
    smtpd_client_message_rate_limit = 15
    smtpd_client_new_tls_session_rate_limit = 5
    smtpd_client_recipient_rate_limit = 20
    smtpd_client_restrictions = check_client_access
        hash:/opt/local/etc/postfix/client_checks, permit
    smtpd_data_restrictions =
        reject_multi_recipient_bounce,reject_unauth_pipelining,permit
    smtpd_delay_open_until_valid_rcpt = no
    smtpd_error_sleep_time = 3
    smtpd_hard_error_limit = 5
    smtpd_helo_required = yes
    smtpd_milters = unix:/var/spool/MIMEDefang/mimedefang.sock
    smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access
        pcre:/opt/local/etc/postfix/rcpt_overrides, check_helo_access
        pcre:/opt/local/etc/postfix/helo_checks, check_client_ns_access
        pcre:/opt/local/etc/postfix/shitns, check_reverse_client_hostname_ns_access
        pcre:/opt/local/etc/postfix/shitns, check_helo_ns_access
        pcre:/opt/local/etc/postfix/shitns, check_sender_ns_access
        pcre:/opt/local/etc/postfix/shitns, check_sender_access
        pcre:/opt/local/etc/postfix/badsenders, reject_unknown_sender_domain,
        reject_invalid_helo_hostname, reject_non_fqdn_sender,
        reject_non_fqdn_recipient, reject_unknown_recipient_domain,
        reject_unauth_destination, check_sender_access
        pcre:/opt/local/etc/postfix/goodsenders,
        reject_unknown_reverse_client_hostname, check_sender_mx_access
        cidr:/opt/local/etc/postfix/bogus_mx.cidr, reject_rbl_client
        cbl.abuseat.org=127.0.0.2, reject_rbl_client zen.spamhaus.org=127.0.0.2,
        reject_rbl_client zen.spamhaus.org=127.0.0.3, reject_rbl_client
        zen.spamhaus.org=127.0.0.4, reject_rbl_client zen.spamhaus.org=127.0.0.10,
        reject_rbl_client zen.spamhaus.org=127.0.0.11, reject_rbl_client
        korea.services.net=127.0.0.2, check_recipient_access
        pcre:/opt/local/etc/postfix/recipient_checks.regex, reject_rbl_client
        blackholes.scconsult.com=127.0.0.2, reject_rbl_client
        sbcdyn.scconsult.com=127.0.0.2, reject_rbl_client
        ix.dnsbl.manitu.net=127.0.0.2, reject_rbl_client psbl.surriel.com=127.0.0.2,
        check_sender_access hash:/opt/local/etc/postfix/sender_checks,
        check_client_access hash:/opt/local/etc/postfix/client_checks,
        check_client_access pcre:/opt/local/etc/postfix/client_checks.regex, permit
    smtpd_reject_unlisted_sender = yes
    smtpd_relay_restrictions =
    smtpd_restriction_classes = sewers,spamtargets
    smtpd_sasl_auth_enable = no
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_soft_error_limit = 2
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = /private/etc/ssl/certs/dovecot.pem
    smtpd_tls_key_file = /private/etc/ssl/private/dovecot.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_protocols = !SSLv2
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtputf8_enable = yes
    spamtargets = check_sender_access pcre:/opt/local/etc/postfix/spamtarget-senders
    tls_random_source = dev:/dev/urandom
    unknown_address_reject_code = 553
    unknown_client_reject_code = 550
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = hash:/opt/local/etc/postfix/virtual

    bigsky:~ root# postconf -Mf
    smtp       inet  n       -       n       -       1       postscreen
    smtpd      pass  -       -       n       -       -       smtpd
    dnsblog    unix  -       -       n       -       0       dnsblog
    tlsproxy   unix  -       -       n       -       0       tlsproxy
    submission inet  n       -       n       -       -       smtpd
        -o syslog_name=postfix/submit
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING
    pickup     unix  n       -       n       60      1       pickup
    cleanup    unix  n       -       n       -       0       cleanup
    qmgr       unix  n       -       n       300     1       qmgr
    tlsmgr     unix  -       -       n       1000?   1       tlsmgr
    rewrite    unix  -       -       n       -       -       trivial-rewrite
    bounce     unix  -       -       n       -       0       bounce
    defer      unix  -       -       n       -       0       bounce
    trace      unix  -       -       n       -       0       bounce
    verify     unix  -       -       n       -       1       verify
    flush      unix  n       -       n       1000?   0       flush
    proxymap   unix  -       -       n       -       -       proxymap
    proxywrite unix  -       -       n       -       1       proxymap
    smtp       unix  -       -       n       -       -       smtp
        -o myhostname=bigsky.scconsult.com
    relay      unix  -       -       n       -       -       smtp
        -o myhostname=bigsky.scconsult.com
    showq      unix  n       -       n       -       -       showq
    error      unix  -       -       n       -       -       error
    retry      unix  -       -       n       -       -       error
    discard    unix  -       -       n       -       -       discard
    local      unix  -       n       n       -       -       local
    virtual    unix  -       n       n       -       -       virtual
    lmtp       unix  -       -       n       -       -       lmtp
    anvil      unix  -       -       n       -       1       anvil
    scache     unix  -       -       n       -       1       scache






--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole

Re: What am I missing in this client check???

Viktor Dukhovni
On Tue, Nov 28, 2017 at 08:57:05PM -0500, Bill Cole wrote:

> I fear that I've misunderstood something for a very long time...
>
> Why might hwsrv-205226.hostwindsdns.com not be hitting the (redundant, I
> think) entries here?

The postmap(1) command does not support any of the partial key
lookups performed by Postfix when doing access(5), transport(5),
virtual(5), generic(5), ... lookups.  Indeed not all these higher-level
map types generate partial keys in the same way.  So postmap cannot
without further (not-yet implemented options) know how to do these
lookups.

>    bigsky:~ root# postmap -vs /etc/postfix/client_checks
>    .hostwindsdns.com 550 5.7.1 Too many brute force attacks from your hosting provider

That's a partial key.

>    bigsky:~ root# postmap -q hwsrv-205226.hostwindsdns.com -v /etc/postfix/client_checks

This key is not present (verbatim) in the lookup table.

--
        Viktor.
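
An added example (not part of the original posts, and not Postfix code) of the partial-key search described above: it lists the keys that access(5) documents for a client hostname and tries each one as an exact lookup, which is the only kind `postmap -q` performs. The names `access_keys`, `lookup` and `SAMPLE_TABLE` are hypothetical, the table is constructed from two keys shown in the thread, and only hostname keys are covered (access(5) also tries the client IP address and its network prefixes).

```shell
#!/bin/sh
# Added example: emulate the partial-key search that access(5) performs for a
# client hostname; "postmap -q" only ever tries the one exact key it is given.
# MODE "parent": smtpd_access_maps is listed in parent_domain_matches_subdomains
#                (the Postfix default), so parents are tried as "domain.tld".
# MODE "dot":    it is not listed, so parents are tried as ".domain.tld".

access_keys() {  # access_keys HOST [MODE] -> one candidate key per line
    name=$1
    mode=${2:-parent}
    printf '%s\n' "$name"              # the full hostname is always tried first
    while :; do
        bare=${name#.}                 # drop the dot added on the previous round
        case $bare in
            *.*) ;;                    # a parent domain is still left
            *) break ;;                # reached the last label (e.g. "com")
        esac
        name=${bare#*.}                # strip the leftmost label
        if [ "$mode" = dot ]; then name=.$name; fi
        printf '%s\n' "$name"
    done
}

# Constructed sample table: two keys from the thread, result text shortened.
SAMPLE_TABLE='hostwindsdns.com 550 5.7.1 parent entry
.hostwindsdns.com 550 5.7.1 dot entry'

lookup() {  # lookup HOST [MODE] -> "key => result" for the first key that hits
    access_keys "$1" "${2:-parent}" | while IFS= read -r key; do
        # Exact-match lookup on the first column, like a single postmap -q.
        hit=$(printf '%s\n' "$SAMPLE_TABLE" |
              awk -v k="$key" '$1 == k { sub(/^[^ ]+ +/, ""); print; exit }')
        if [ -n "$hit" ]; then
            printf '%s => %s\n' "$key" "$hit"
            break
        fi
    done
}

# Against a real map, the same candidates can be fed to postmap on stdin:
#   access_keys hwsrv-205226.hostwindsdns.com | postmap -q - hash:/etc/postfix/client_checks
lookup hwsrv-205226.hostwindsdns.com parent
lookup hwsrv-205226.hostwindsdns.com dot
```
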

Re: What am I missing in this client check???

Bill Cole-3
On 28 Nov 2017, at 21:09 (-0500), Viktor Dukhovni wrote:

> On Tue, Nov 28, 2017 at 08:57:05PM -0500, Bill Cole wrote:
>
>> I fear that I've misunderstood something for a very long time...
>>
>> Why might hwsrv-205226.hostwindsdns.com not be hitting the (redundant, I
>> think) entries here?
>
> The postmap(1) command does not support any of the partial key
> lookups performed by Postfix when doing access(5), transport(5),
> virtual(5), generic(5), ... lookups.  Indeed not all these higher-level
> map types generate partial keys in the same way.  So postmap cannot
> without further (not-yet implemented options) know how to do these
> lookups.

Which also answers my unasked question: "Why isn't there a postmap
option to specify a lookup strategy?"

Thanks, Viktor. I have confirmed the desired behavior elsewise:

bigsky:~ root# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 toaster.scconsult.com ESMTP Postfix
xclient name=hwsrv-205226.hostwindsdns.com
220 toaster.scconsult.com ESMTP Postfix
ehlo hwsrv-205226.hostwindsdns.com
250-toaster.scconsult.com
250-PIPELINING
250-SIZE 40960000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
mail from:<>
250 2.1.0 Ok
rcpt to:<[hidden email]>
550 5.7.1 <hwsrv-205226.hostwindsdns.com[127.0.0.1]>: Client host rejected: Too many brute force attacks from your hosting provider
quit
221 2.0.0 Bye
Connection closed by foreign host.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole