Whitelist a host using check_client_access before the rbl check?

classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

Whitelist a host using check_client_access before the rbl check?

Nicolas KOWALSKI-3
Hello,

I would like to whitelist a specific host, because it is currently
listed in the zen rbl, but I am unable to do so.

Here is a sample log of the rejected host connecting to my postfix:

Aug  4 14:17:17 petole postfix/smtpd[23545]: connect from 225.96.68-86.rev.gaoland.net[86.68.96.225]
Aug  4 14:17:17 petole postfix/smtpd[23545]: setting up TLS connection from 225.96.68-86.rev.gaoland.net[86.68.96.225]
Aug  4 14:17:17 petole postfix/smtpd[23545]: TLS connection established from 225.96.68-86.rev.gaoland.net[86.68.96.225]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service unavailable; Client host [86.68.96.225] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.68.96.225; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<demisel.dyndns.org>
Aug  4 14:17:18 petole postfix/smtpd[23545]: disconnect from 225.96.68-86.rev.gaoland.net[86.68.96.225]


- I added the following line (full postconf -n below) to the
smtpd_recipient_restrictions, before the rbl check:

check_client_access hash:/etc/postfix/client_access


- /etc/postfix/client_access contains:
demisel.dyndns.org OK


- the full configuration:

petole:~# postconf -n
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
config_directory = /etc/postfix
disable_mime_output_conversion = yes
header_checks = regexp:/etc/postfix/header_checks
inet_protocols = all
local_recipient_maps = hash:/etc/postfix/local_recipients, $alias_maps
mailbox_size_limit = 0
mailbox_transport = cyrus
maximal_queue_lifetime = 60d
message_size_limit = 0
mydestination = localhost, localhost.localdomain,       petole, petole.lan, petole.dyndns.org, petole.demisel.net
mydomain = $myhostname
myhostname = petole.dyndns.org
relay_domains = demisel.dyndns.org
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relayhost = [mail.club-internet.fr]
smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,       permit_sasl_authenticated,      reject_unauth_destination,     check_client_access hash:/etc/postfix/client_access,     reject_non_fqdn_sender, reject_non_fqdn_recipient,      reject_invalid_hostname,        reject_unknown_hostname,        reject_unknown_sender_domain,   reject_rbl_client zen.spamhaus.org,     permit
smtpd_tls_cert_file = /etc/postfix/ssl/petole-crt.pem
smtpd_tls_key_file = /etc/postfix/ssl/petole-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s



Any help would be appreciated,

Thanks,
--
Nicolas
Reply | Threaded
Open this post in threaded view
|

Re: Whitelist a host using check_client_access before the rbl check?

Charles Marcus
Let me give this one a try... I *think* i see the problem...

On 8/4/2008, Nicolas KOWALSKI ([hidden email]) wrote:
> Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
> unavailable; Client host [86.68.96.225] blocked using
> zen.spamhaus.org;

THAT was the client...

  http://www.spamhaus.org/query/bl?ip=86.68.96.225;
> from=<[hidden email]> to=<[hidden email]>
> proto=ESMTP helo=<demisel.dyndns.org>

THAT was the helo...

So, you're trying to whitelist a client using its helo...

Either use a helo access check, or use the right client, but only if you
are sure the client won't change (it is, after all, on a dynamic block)...

--

Best regards,

Charles
Reply | Threaded
Open this post in threaded view
|

Re: Whitelist a host using check_client_access before the rbl check?

Stan Hoeppner
In reply to this post by Nicolas KOWALSKI-3
Hello Nicolas,

Try this:

Remove 'check_client_access hash:/etc/postfix/client_access' from
smtpd_recipient_restrictions.  Add the following line in main.cf
somewhere before/above smtpd_recipient_restrictions:

smtpd_client_restrictions = hash:/etc/postfix/client_access

And make sure you 'postmap /etc/postfix/client_access' any time you make
changes to the file.  And obviously, 'postfix reload' whenever you make
changes to main.cf.

Hope this helps.

Stan




Nicolas KOWALSKI wrote:

> Hello,
>
> I would like to whitelist a specific host, because it is currently
> listed in the zen rbl, but I am unable to do so.
>
> Here is a sample log of the rejected host connecting to my postfix:
>
> Aug  4 14:17:17 petole postfix/smtpd[23545]: connect from 225.96.68-86.rev.gaoland.net[86.68.96.225]
> Aug  4 14:17:17 petole postfix/smtpd[23545]: setting up TLS connection from 225.96.68-86.rev.gaoland.net[86.68.96.225]
> Aug  4 14:17:17 petole postfix/smtpd[23545]: TLS connection established from 225.96.68-86.rev.gaoland.net[86.68.96.225]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
> Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service unavailable; Client host [86.68.96.225] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.68.96.225; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<demisel.dyndns.org>
> Aug  4 14:17:18 petole postfix/smtpd[23545]: disconnect from 225.96.68-86.rev.gaoland.net[86.68.96.225]
>
>
> - I added the following line (full postconf -n below) to the
> smtpd_recipient_restrictions, before the rbl check:
>
> check_client_access hash:/etc/postfix/client_access
>
>
> - /etc/postfix/client_access contains:
> demisel.dyndns.org OK
>
>
> - the full configuration:
>
> petole:~# postconf -n
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> config_directory = /etc/postfix
> disable_mime_output_conversion = yes
> header_checks = regexp:/etc/postfix/header_checks
> inet_protocols = all
> local_recipient_maps = hash:/etc/postfix/local_recipients, $alias_maps
> mailbox_size_limit = 0
> mailbox_transport = cyrus
> maximal_queue_lifetime = 60d
> message_size_limit = 0
> mydestination = localhost, localhost.localdomain,       petole, petole.lan, petole.dyndns.org, petole.demisel.net
> mydomain = $myhostname
> myhostname = petole.dyndns.org
> relay_domains = demisel.dyndns.org
> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> relayhost = [mail.club-internet.fr]
> smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
> smtp_tls_loglevel = 1
> smtp_tls_security_level = may
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = permit_mynetworks,       permit_sasl_authenticated,      reject_unauth_destination,     check_client_access hash:/etc/postfix/client_access,     reject_non_fqdn_sender, reject_non_fqdn_recipient,      reject_invalid_hostname,        reject_unknown_hostname,        reject_unknown_sender_domain,   reject_rbl_client zen.spamhaus.org,     permit
> smtpd_tls_cert_file = /etc/postfix/ssl/petole-crt.pem
> smtpd_tls_key_file = /etc/postfix/ssl/petole-key.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_timeout = 3600s
>
>
>
> Any help would be appreciated,
>
> Thanks,
Reply | Threaded
Open this post in threaded view
|

Re: Whitelist a host using check_client_access before the rbl check?

Brian Evans - Postfix List
Stan Hoeppner wrote:

> Hello Nicolas,
>
> Try this:
>
> Remove 'check_client_access hash:/etc/postfix/client_access' from
> smtpd_recipient_restrictions.  Add the following line in main.cf
> somewhere before/above smtpd_recipient_restrictions:
>
> smtpd_client_restrictions = hash:/etc/postfix/client_access
>
> And make sure you 'postmap /etc/postfix/client_access' any time you
> make changes to the file.  And obviously, 'postfix reload' whenever
> you make changes to main.cf.

This will not fix the OP's issue because client_restrictions occur
before recipient_restrictions.
This also does not deny any hosts with the line you posted above so it's
really worthless, due to the implied permit at the end of the
client_restrictions.

Since the check fails in recipient_restrictions, an exception must be
placed before the rbl_check there.

As Charles already pointed out, he was simply using the wrong check,  
even though a HELO whitelist is somewhat dangerous to trust (easily forged).

Brian

>
> Hope this helps.
>
> Stan
>
>
>
>
> Nicolas KOWALSKI wrote:
>> Hello,
>>
>> I would like to whitelist a specific host, because it is currently
>> listed in the zen rbl, but I am unable to do so.
>>
>> Here is a sample log of the rejected host connecting to my postfix:
>>
>> Aug  4 14:17:17 petole postfix/smtpd[23545]: connect from
>> 225.96.68-86.rev.gaoland.net[86.68.96.225]
>> Aug  4 14:17:17 petole postfix/smtpd[23545]: setting up TLS
>> connection from 225.96.68-86.rev.gaoland.net[86.68.96.225]
>> Aug  4 14:17:17 petole postfix/smtpd[23545]: TLS connection
>> established from 225.96.68-86.rev.gaoland.net[86.68.96.225]: TLSv1
>> with cipher ADH-AES256-SHA (256/256 bits)
>> Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
>> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
>> unavailable; Client host [86.68.96.225] blocked using
>> zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.68.96.225; 
>> from=<[hidden email]> to=<[hidden email]>
>> proto=ESMTP helo=<demisel.dyndns.org>
>> Aug  4 14:17:18 petole postfix/smtpd[23545]: disconnect from
>> 225.96.68-86.rev.gaoland.net[86.68.96.225]
>>
>>
>> - I added the following line (full postconf -n below) to the
>> smtpd_recipient_restrictions, before the rbl check:
>>
>> check_client_access hash:/etc/postfix/client_access
>>
>>
>> - /etc/postfix/client_access contains:
>> demisel.dyndns.org OK
>>
>>
>> - the full configuration:
>>
>>

Reply | Threaded
Open this post in threaded view
|

Re: Whitelist a host using check_client_access before the rbl check?

Nicolas KOWALSKI-3
In reply to this post by Charles Marcus
On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote:

> Let me give this one a try... I *think* i see the problem...
>
> On 8/4/2008, Nicolas KOWALSKI ([hidden email]) wrote:
>> Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
>> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
>> unavailable; Client host [86.68.96.225] blocked using
>> zen.spamhaus.org;
>
> THAT was the client...
>
>  http://www.spamhaus.org/query/bl?ip=86.68.96.225;
>> from=<[hidden email]> to=<[hidden email]>
>> proto=ESMTP helo=<demisel.dyndns.org>
>
> THAT was the helo...
>
> So, you're trying to whitelist a client using its helo...

But demisel.dyndns.org (currently) resolves to the above address
(86.68.96.225) ; why doesn't postfix get it?

--
Nicolas
Reply | Threaded
Open this post in threaded view
|

Re: Whitelist a host using check_client_access before the rbl check?

Brian Evans - Postfix List
Nicolas KOWALSKI wrote:

> On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote:
>  
>> Let me give this one a try... I *think* i see the problem...
>>
>> On 8/4/2008, Nicolas KOWALSKI ([hidden email]) wrote:
>>    
>>> Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
>>> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
>>> unavailable; Client host [86.68.96.225] blocked using
>>> zen.spamhaus.org;
>>>      
>> THAT was the client...
>>
>>  http://www.spamhaus.org/query/bl?ip=86.68.96.225;
>>    
>>> from=<[hidden email]> to=<[hidden email]>
>>> proto=ESMTP helo=<demisel.dyndns.org>
>>>      
>> THAT was the helo...
>>
>> So, you're trying to whitelist a client using its helo...
>>    
>
> But demisel.dyndns.org (currently) resolves to the above address
> (86.68.96.225) ; why doesn't postfix get it?
>  
This is how it works:
Postfix receives a connect from an IP and does a lookup on that IP.
See what it returns yourself with 'host 86.68.96.225'

In your case, the client address was 225.96.68-86.rev.gaoland.net (which
is a unqualified RDNS entry for a dynamic pool).
This is the value that check_client_access can find (either name or IP)

The client said 'EHLO demisel.dyndns.org'.
This is the value that check_helo_access can find, though somewhat
unreliable to whitelist.

Brian
Reply | Threaded
Open this post in threaded view
|

Re: Whitelist a host using check_client_access before the rbl check?

Nicolas KOWALSKI-3
On Mon, Aug 04, 2008 at 10:56:36AM -0400, Brian Evans - Postfix List wrote:

> Nicolas KOWALSKI wrote:
>> On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote:
>>  
>>> On 8/4/2008, Nicolas KOWALSKI ([hidden email]) wrote:
>>>    
>>>> Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
>>>> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
>>>> unavailable; Client host [86.68.96.225] blocked using
>>>> zen.spamhaus.org;
>>>>      
>>> THAT was the client...
>>>
>>>  http://www.spamhaus.org/query/bl?ip=86.68.96.225;
>>>    
>>>> from=<[hidden email]> to=<[hidden email]>
>>>> proto=ESMTP helo=<demisel.dyndns.org>
>>>>      
>>> THAT was the helo...
>>>
>>> So, you're trying to whitelist a client using its helo...
>>>    
>> But demisel.dyndns.org (currently) resolves to the above address  
>> (86.68.96.225) ; why doesn't postfix get it?  
> This is how it works:
> Postfix receives a connect from an IP and does a lookup on that IP.
> See what it returns yourself with 'host 86.68.96.225'
>
> In your case, the client address was 225.96.68-86.rev.gaoland.net (which  
> is a unqualified RDNS entry for a dynamic pool).
> This is the value that check_client_access can find (either name or IP)

Ok, I think I get it now.

> The client said 'EHLO demisel.dyndns.org'.
> This is the value that check_helo_access can find, though somewhat  
> unreliable to whitelist.

I apparently have no other choices to whitelist-before-rbl such a
dynamic pool's host.

Thanks to all,
--
Nicolas
Reply | Threaded
Open this post in threaded view
|

Re: Whitelist a host using check_client_access before the rbl check?

Brian Evans - Postfix List
Nicolas KOWALSKI wrote:

>> The client said 'EHLO demisel.dyndns.org'.
>> This is the value that check_helo_access can find, though somewhat  
>> unreliable to whitelist.
>>    
>
> I apparently have no other choices to whitelist-before-rbl such a
> dynamic pool's host.
>
> Thanks to all,
>  
A *better* way is force them to Authenticate using SASL.

See http://www.postfix.org/SASL_README.html
Postfix supports either Cyrus or Dovecot SASL.

Brian


Reply | Threaded
Open this post in threaded view
|

Re: Whitelist a host using check_client_access before the rbl check?

Brian Evans - Postfix List
Brian Evans - Postfix List wrote:

> Nicolas KOWALSKI wrote:
>>> The client said 'EHLO demisel.dyndns.org'.
>>> This is the value that check_helo_access can find, though somewhat  
>>> unreliable to whitelist.
>>>    
>>
>> I apparently have no other choices to whitelist-before-rbl such a
>> dynamic pool's host.
>>
>> Thanks to all,
>>  
> A *better* way is force them to Authenticate using SASL.
>
> See http://www.postfix.org/SASL_README.html
> Postfix supports either Cyrus or Dovecot SASL.
>
> Brian
>
>
P.S. This is if you fully trust and know this host
Reply | Threaded
Open this post in threaded view
|

Re: Whitelist a host using check_client_access before the rbl check?

Nicolas KOWALSKI-3
On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote:

> Brian Evans - Postfix List wrote:
>> Nicolas KOWALSKI wrote:
>>>> The client said 'EHLO demisel.dyndns.org'.
>>>> This is the value that check_helo_access can find, though somewhat  
>>>> unreliable to whitelist.
>>>
>>> I apparently have no other choices to whitelist-before-rbl such a  
>>> dynamic pool's host.
>>>
>> A *better* way is force them to Authenticate using SASL.
>>
>> See http://www.postfix.org/SASL_README.html
>> Postfix supports either Cyrus or Dovecot SASL.
>>
> P.S. This is if you fully trust and know this host

Yes, I fully trust this host. Actually, it is the mx backup for my home
server:

$ host petole.dyndns.org
petole.dyndns.org has address 87.90.240.206
petole.dyndns.org mail is handled by 10 demisel.dyndns.org.
petole.dyndns.org mail is handled by 5 petole.dyndns.org.

Can I use authentication for MX?

--
Nicolas
Reply | Threaded
Open this post in threaded view
|

Re: Whitelist a host using check_client_access before the rbl check?

Brian Evans - Postfix List
Nicolas KOWALSKI wrote:

> On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote:
>  
>>> A *better* way is force them to Authenticate using SASL.
>>> See http://www.postfix.org/SASL_README.html
>>> Postfix supports either Cyrus or Dovecot SASL.
>>>
>>>      
>> P.S. This is if you fully trust and know this host
>>    
>
> Yes, I fully trust this host. Actually, it is the mx backup for my home
> server:
>
> $ host petole.dyndns.org
> petole.dyndns.org has address 87.90.240.206
> petole.dyndns.org mail is handled by 10 demisel.dyndns.org.
> petole.dyndns.org mail is handled by 5 petole.dyndns.org.
>
> Can I use authentication for MX?
>
>  
I would highly recommend setting SASL up on both ends in this case. This
is much more secure and reliable than whitelisting a dynamic host.
See the above link for details.

If you implement this and have problems,  please post logs and new
'postconf -n' to this list.

Brian
Reply | Threaded
Open this post in threaded view
|

Re: Whitelist a host using check_client_access before the rbl check?

Nicolas KOWALSKI-3
On Mon, Aug 04, 2008 at 02:40:54PM -0400, Brian Evans - Postfix List wrote:

> Nicolas KOWALSKI wrote:
>> On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote:
>>  
>>>> A *better* way is force them to Authenticate using SASL.
>>>> See http://www.postfix.org/SASL_README.html
>>>> Postfix supports either Cyrus or Dovecot SASL.
>>>>
>>> P.S. This is if you fully trust and know this host
>>
>> Yes, I fully trust this host. Actually, it is the mx backup for my home
>> server:
>>
>> $ host petole.dyndns.org
>> petole.dyndns.org has address 87.90.240.206
>> petole.dyndns.org mail is handled by 10 demisel.dyndns.org.
>> petole.dyndns.org mail is handled by 5 petole.dyndns.org.
>>
>> Can I use authentication for MX?
>>
> I would highly recommend setting SASL up on both ends in this case. This  
> is much more secure and reliable than whitelisting a dynamic host.
> See the above link for details.

Just to close this thread, we implemented SMTP AUTH over TLS between my
server and its secondary MX, and it works perfectly.

Thanks for your suggestions,
--
Nicolas