Where in the docs is the topic of check_*_access and unverified PTR/A DNS records covered?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Where in the docs is the topic of check_*_access and unverified PTR/A DNS records covered?

deoren
Hi,

I've read over several threads here in the mailing list archives and
have found authoritative answers from Viktor and Wietse re how Postfix
treats unverified PTR/A DNS records in relation to check_*_access
checks, but I believe I am overlooking where this is explicitly covered
in the documentation.


Viktor:

 > Postfix does not use unverified PTR records in access checks
that can return "OK", that would be a major security hole.
 >
 > Anyone can set their PTR records to point to any name of their
choice, but they cannot as easily get the owner of that name
to confirm that the original IP address is theirs.

Wietse:

 > For security reasons Postfix does not allow you to whitelist a client
hostname with incorrect PTR/A DNS records. Not even when you use
check_reverse_client_hostname_access instead of check_client_access.
 > If you must whitelist, use the IP address.

I've focused specifically on these pages/areas, though I've wandered
from there onto other related pages in my search:

* http://www.postfix.org/postconf.5.html#smtpd_peername_lookup
* http://www.postfix.org/postconf.5.html#check_client_access
* http://www.postfix.org/SMTPD_ACCESS_README.html
* http://www.postfix.org/access.5.html

I see lots of info covering how look-ups/checks are performed, but I
didn't find anything spelled out as clearly as either of Wietse's or
Viktor's answers.

Can someone point me to the relevant documentation section which covers
this specific scenario? I feel like I'm looking right over it.

Thank you for your help.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Where in the docs is the topic of check_*_access and unverified PTR/A DNS records covered?

Wietse Venema
deoren:

> Hi,
>
> I've read over several threads here in the mailing list archives and
> have found authoritative answers from Viktor and Wietse re how Postfix
> treats unverified PTR/A DNS records in relation to check_*_access
> checks, but I believe I am overlooking where this is explicitly covered
> in the documentation.
>
>
> Viktor:
>
>  > Postfix does not use unverified PTR records in access checks
> that can return "OK", that would be a major security hole.
>  >
>  > Anyone can set their PTR records to point to any name of their
> choice, but they cannot as easily get the owner of that name
> to confirm that the original IP address is theirs.
>
> Wietse:
>
>  > For security reasons Postfix does not allow you to whitelist a client
> hostname with incorrect PTR/A DNS records. Not even when you use
> check_reverse_client_hostname_access instead of check_client_access.
>  > If you must whitelist, use the IP address.
>
> I've focused specifically on these pages/areas, though I've wandered
> from there onto other related pages in my search:

I suggest that you look at Postfix features that focus on 'unknown'
client names:

http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname

These descriptions also discuss permanent versus temporary errors.

        Wietse
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Where in the docs is the topic of check_*_access and unverified PTR/A DNS records covered?

deoren
On 6/28/17 1:32 PM, Wietse Venema wrote:

> I suggest that you look at Postfix features that focus on 'unknown'
> client names:
>
> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
> http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
>
> These descriptions also discuss permanent versus temporary errors.
>
> Wietse
>

Thank you for your reply.

I use the first restriction in my setup, but was surprised whenever a
check_client_access entry I added for a vendor's mail server (with an
'OK' result) still resulted in mail being rejected from that server's
"client name".

It was only after I turned to Google and searched the lists here that I
found the answer. Both yours and Viktor's answers made sense, I just
didn't encounter it in the documentation (not that explicit anyway).

Is your answer a combination of multiple points, or is this statement
covered in more detail somewhere?

 > For security reasons Postfix does not allow you to whitelist a
client hostname with incorrect PTR/A DNS records

Thank you for your time and my apologies if I'm unclear.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Where in the docs is the topic of check_*_access and unverified PTR/A DNS records covered?

Wietse Venema
deoren:

> On 6/28/17 1:32 PM, Wietse Venema wrote:
>
> > I suggest that you look at Postfix features that focus on 'unknown'
> > client names:
> >
> > http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
> > http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
> >
> > These descriptions also discuss permanent versus temporary errors.
>
> Thank you for your reply.
>
> I use the first restriction in my setup, but was surprised whenever a
> check_client_access entry I added for a vendor's mail server (with an
> 'OK' result) still resulted in mail being rejected from that server's
> "client name".

Yes, the text should be repeated in other places. There are about
seven check_client*access features, and only check_reverse_client_*
may use a client hostname that failed validation.

> Is your answer a combination of multiple points, or is this statement
> covered in more detail somewhere?

The two http links point to the instances of the text that I was
able to find quickly. There may be other instances: I did not have
time for an exhaustive search.

>  > For security reasons Postfix does not allow you to whitelist a
> client hostname with incorrect PTR/A DNS records

Is that a question?

        Wietse
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Where in the docs is the topic of check_*_access and unverified PTR/A DNS records covered?

deoren
On 6/28/17 3:18 PM, Wietse Venema wrote:

> deoren:
>> On 6/28/17 1:32 PM, Wietse Venema wrote:
>>
>>> I suggest that you look at Postfix features that focus on 'unknown'
>>> client names:
>>>
>>> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
>>> http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
>>>
>>> These descriptions also discuss permanent versus temporary errors.
>>
>> Thank you for your reply.
>>
>> I use the first restriction in my setup, but was surprised whenever a
>> check_client_access entry I added for a vendor's mail server (with an
>> 'OK' result) still resulted in mail being rejected from that server's
>> "client name".
>
> Yes, the text should be repeated in other places. There are about
> seven check_client*access features, and only check_reverse_client_*
> may use a client hostname that failed validation.

Thank you for noting that. I took another look at the documentation
(postconf.5.html) and I see where it notes the following for
check_reverse_client_hostname_access:

 > unverified reverse client hostname, parent domains, client IP
address, or networks obtained by stripping least significant octets

Is this directive the equivalent of check_client_access, except that it
allows the use of an unverified DNS entry in the checks?

>
>> Is your answer a combination of multiple points, or is this statement
>> covered in more detail somewhere?
>
> The two http links point to the instances of the text that I was
> able to find quickly. There may be other instances: I did not have
> time for an exhaustive search.
>
>>   > For security reasons Postfix does not allow you to whitelist a
>> client hostname with incorrect PTR/A DNS records
>
> Is that a question?

No, sorry, I was attempting to quote your answer to another thread on
this mailing list. There a similar question was raised and you gave that
answer. Viktor's response on another thread was very similar to yours.

While both answers were direct and covered the specific details spot on,
I failed to locate those specific details in the documentation. I
believe its there, but either I'm overlooking it (likely), or the
information needed to come to the same understanding as the answers that
you both gave is spread thinly across applicable directives instead of
specified in such a direct manner for the specific directives.

For example, when looking at the check_client_access directive I had no
idea that it would not apply hostname checks to a remote client that
fails either of PTR or A verification checks. It makes sense that it
refuses to honor the value, but I didn't see it clearly noted anywhere.

I mean no insult, I'm just trying to wrap my head around this and want
to read further about the various verification checks that Postfix
applies. If the documentation wasn't already covering this specific case
in explicit detail, I was going to look into how to go about
contributing a patch to the documentation so that it would be covered.
I'm not really qualified to speak authoritatively on the subject, but I
could make provide minor tweaks that someone else could cleanup for
final commit.

Thank you for your time.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Where in the docs is the topic of check_*_access and unverified PTR/A DNS records covered?

Wietse Venema
deoren:

> On 6/28/17 3:18 PM, Wietse Venema wrote:
> > deoren:
> >> On 6/28/17 1:32 PM, Wietse Venema wrote:
> >>
> >>> I suggest that you look at Postfix features that focus on 'unknown'
> >>> client names:
> >>>
> >>> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
> >>> http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
> >>>
> >>> These descriptions also discuss permanent versus temporary errors.
> >>
> >> Thank you for your reply.
> >>
> >> I use the first restriction in my setup, but was surprised whenever a
> >> check_client_access entry I added for a vendor's mail server (with an
> >> 'OK' result) still resulted in mail being rejected from that server's
> >> "client name".
> >
> > Yes, the text should be repeated in other places. There are about
> > seven check_client*access features, and only check_reverse_client_*
> > may use a client hostname that failed validation.
>
> Thank you for noting that. I took another look at the documentation
> (postconf.5.html) and I see where it notes the following for
> check_reverse_client_hostname_access:
>
>  > unverified reverse client hostname, parent domains, client IP
> address, or networks obtained by stripping least significant octets
>
> Is this directive the equivalent of check_client_access, except that it
> allows the use of an unverified DNS entry in the checks?

It uses the 'unverified' reverse client hostname. I have no better
words to express that. There is no mention of DNS records, for the
simple reason that Postfix does not make DNS queries to determine
the client address->name or name->address mapping.

        Wietse
Loading...