Whitelist some clients from helo restrictions


mrobti
I use reject_unknown_helo_hostname even though it rejects legitimate
mail; it also catches a reasonable amount of bad things.

I want to whitelist some clients of course. I thought it should be easy:

/etc/postfix/main.cf
smtpd_helo_restrictions =
  reject_invalid_helo_hostname
  reject_non_fqdn_helo_hostname
  reject_unknown_helo_hostname
smtpd_client_restrictions =
  reject_unauth_pipelining
  check_client_access hash:/etc/postfix/ok_clients

/etc/postfix/ok_clients
999.999.999.999 OK
fqdn.exmaple.com OK

postmap /etc/postfix/ok_clients

postmap -q 999.999.999.999 /etc/postfix/ok_clients
OK

postmap -q fqdn.exmaple.com /etc/postfix/ok_clients
OK

Yet, from this client I still get this:
NOQUEUE: reject: RCPT from fqdn.example.com[999.999.999.999]: 450 4.7.1
<not.existing.host.name>: Helo command rejected: Host not found;

I test by hand and get rejected after RCPT TO (delayed restrictions as
postfix default):
HELO not.existing.host.name
MAIL FROM: <...>
RCPT TO: <...>
**REJECTED HERE**

Tried restarting postfix to be sure. What have I missed?

Re: Whitelist some clients from helo restrictions

Dominic Raferd
On 11 January 2018 at 10:15, MRob <[hidden email]> wrote:

> I use reject_unknown_helo_hostname even though it rejects legitimate mail,
> it also catches a reasonable amount of bad things.
>
> I want to whitelist some clients of course. I thought it should be easy:
>
> /etc/postfix/main.cf
> smtpd_helo_restrictions =
>  reject_invalid_helo_hostname
>  reject_non_fqdn_helo_hostname
>  reject_unknown_helo_hostname
> smtpd_client_restrictions =
>  reject_unauth_pipelining
>  check_client_access hash:/etc/postfix/ok_clients
>
> /etc/postfix/ok_clients
> 999.999.999.999 OK
> fqdn.exmaple.com OK
>
> postmap /etc/postfix/ok_clients
>
> postmap -q 999.999.999.999 /etc/postfix/ok_clients
> OK
>
> postmap -q fqdn.exmaple.com /etc/postfix/ok_clients
> OK
>
> Yet, from this client I still get this:
> NOQUEUE: reject: RCPT from fqdn.example.com[999.999.999.999]: 450 4.7.1
> <not.existing.host.name>: Helo command rejected: Host not found;
>
> I test by hand and get rejected after RCPT TO (delayed restrictions as
> postfix default):
> HELO not.existing.host.name
> MAIL FROM: <...>
> RCPT TO: <...>
> **REJECTED HERE**
>
> Tried restarting postfix to be sure. What have I missed?

All restriction lists are applied: approving mail as OK in one list
only skips subsequent tests in that restriction list; it does not
affect tests in other lists. So add the line

check_client_access hash:/etc/postfix/ok_clients

at the top of smtpd_helo_restrictions; this will then bypass the
subsequent tests in this list.

You can probably remove it from smtpd_client_restrictions if you want,
and in any case, as the last entry in the list, it does nothing, as the
end of each list is equivalent to a PERMIT result.
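
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Postfix code: a toy Python model of two restriction lists, run against the original layout and the corrected one. The client addresses, host names and check bodies are constructed simplifications; only the two lists named in the thread are modelled, and reject_unauth_pipelining and reject_invalid_helo_hostname are left out.

```python
# Added example: toy model of Postfix smtpd restriction-list evaluation.
# All addresses, names and check bodies are constructed simplifications.
OK_CLIENTS = {"192.0.2.10", "mail.example.com"}   # stands in for ok_clients
RESOLVABLE = {"mail.example.com"}                 # HELO names that "resolve"

def check_client_access(s):
    # A table hit returns OK; a miss returns DUNNO (no opinion).
    hit = s["ip"] in OK_CLIENTS or s["name"] in OK_CLIENTS
    return "OK" if hit else "DUNNO"

def reject_non_fqdn_helo_hostname(s):
    return "DUNNO" if "." in s["helo"] else "REJECT"

def reject_unknown_helo_hostname(s):
    return "DUNNO" if s["helo"] in RESOLVABLE else "REJECT"

def evaluate_list(restrictions, s):
    # The first result other than DUNNO ends this list, and only this list.
    for check in restrictions:
        result = check(s)
        if result != "DUNNO":
            return result, check.__name__
    return "OK", "end of list"   # falling off the end permits

def evaluate_session(config, s):
    # Every list is evaluated; an OK in one never carries into the next.
    for name in ("smtpd_client_restrictions", "smtpd_helo_restrictions"):
        result, by = evaluate_list(config[name], s)
        if result == "REJECT":
            return "REJECT", f"{name}: {by}"
    return "OK", "all lists passed"

HELO_CHECKS = [reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname]
ORIGINAL = {"smtpd_client_restrictions": [check_client_access],
            "smtpd_helo_restrictions": HELO_CHECKS}
FIXED = {"smtpd_client_restrictions": [],
         "smtpd_helo_restrictions": [check_client_access] + HELO_CHECKS}

LISTED = {"ip": "192.0.2.10", "name": "mail.example.com",
          "helo": "not.existing.host.name"}
UNLISTED = {"ip": "198.51.100.7", "name": "unknown",
            "helo": "not.existing.host.name"}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for who, s in (("listed", LISTED), ("unlisted", UNLISTED)):
            print(label, who, evaluate_session(cfg, s))
```

Under the corrected layout the unlisted client is still rejected by reject_unknown_helo_hostname, so the exemption covers only the entries in the table.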

Re: Whitelist some clients from helo restrictions

Matus UHLAR - fantomas
In reply to this post by mrobti
On 11.01.18 10:15, MRob wrote:

>I use reject_unknown_helo_hostname even though it rejects legitimate
>mail, it also catches a reasonable amount of bad things.
>
>I want to whitelist some clients of course. I thought it should be easy:
>
>/etc/postfix/main.cf
>smtpd_helo_restrictions =
> reject_invalid_helo_hostname
> reject_non_fqdn_helo_hostname
> reject_unknown_helo_hostname
>smtpd_client_restrictions =
> reject_unauth_pipelining
> check_client_access hash:/etc/postfix/ok_clients

You must put "check_client_access hash:/etc/postfix/ok_clients" at the
beginning, or at least before reject_unknown_helo_hostname.

>Yet, from this client I still get this:
>NOQUEUE: reject: RCPT from fqdn.example.com[999.999.999.999]: 450
>4.7.1 <not.existing.host.name>: Helo command rejected: Host not
>found;


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759

Re: Whitelist some clients from helo restrictions

Wietse Venema
In reply to this post by mrobti
MRob:

> I use reject_unknown_helo_hostname even though it rejects legitimate
> mail, it also catches a reasonable amount of bad things.
>
> I want to whitelist some clients of course. I thought it should be easy:
>
> /etc/postfix/main.cf
> smtpd_helo_restrictions =
>   reject_invalid_helo_hostname
>   reject_non_fqdn_helo_hostname
>   reject_unknown_helo_hostname
> smtpd_client_restrictions =
>   reject_unauth_pipelining
>   check_client_access hash:/etc/postfix/ok_clients
>
> /etc/postfix/ok_clients
> 999.999.999.999 OK
> fqdn.exmaple.com OK
>
> postmap /etc/postfix/ok_clients
>
> postmap -q 999.999.999.999 /etc/postfix/ok_clients
> OK
>
> postmap -q fqdn.exmaple.com /etc/postfix/ok_clients
> OK
>
> Yet, from this client I still get this:
> NOQUEUE: reject: RCPT from fqdn.example.com[999.999.999.999]: 450 4.7.1
> <not.existing.host.name>: Helo command rejected: Host not found;
>
> I test by hand and get rejected after RCPT TO (delayed restrictions as
> postfix default):
> HELO not.existing.host.name
> MAIL FROM: <...>
> RCPT TO: <...>
> **REJECTED HERE**
>
> Tried restarting postfix to be sure. What have I missed?

You specified reject_XXX before ok_clients.

        Wietse

Re: Whitelist some clients from helo restrictions

mrobti
In reply to this post by Dominic Raferd
On 2018-01-11 11:57, Dominic Raferd wrote:

> On 11 January 2018 at 10:15, MRob <[hidden email]> wrote:
>> I use reject_unknown_helo_hostname even though it rejects legitimate
>> mail,
>> it also catches a reasonable amount of bad things.
>>
>> I want to whitelist some clients of course. I thought it should be
>> easy:
>>
>> /etc/postfix/main.cf
>> smtpd_helo_restrictions =
>>  reject_invalid_helo_hostname
>>  reject_non_fqdn_helo_hostname
>>  reject_unknown_helo_hostname
>> smtpd_client_restrictions =
>>  reject_unauth_pipelining
>>  check_client_access hash:/etc/postfix/ok_clients
>>
>> /etc/postfix/ok_clients
>> 999.999.999.999 OK
>> fqdn.exmaple.com OK
>>
>> postmap /etc/postfix/ok_clients
>>
>> postmap -q 999.999.999.999 /etc/postfix/ok_clients
>> OK
>>
>> postmap -q fqdn.exmaple.com /etc/postfix/ok_clients
>> OK
>>
>> Yet, from this client I still get this:
>> NOQUEUE: reject: RCPT from fqdn.example.com[999.999.999.999]: 450
>> 4.7.1
>> <not.existing.host.name>: Helo command rejected: Host not found;
>>
>> I test by hand and get rejected after RCPT TO (delayed restrictions as
>> postfix default):
>> HELO not.existing.host.name
>> MAIL FROM: <...>
>> RCPT TO: <...>
>> **REJECTED HERE**
>>
>> Tried restarting postfix to be sure. What have I missed?
>
> All restriction lists are applied: approving mail as OK in one list
> only skips subsequent test in that restriction list, it does not
> affect test in other lists. So add line
>
> check_client_access hash:/etc/postfix/ok_clients
>
> at the top of smtpd_helo_restrictions, this will then bypass the
> subsequent test in this list.
>
> You can probably remove it from smtpd_client_restrictions if you want
> and in any case as the last entry in the list it does nothing as the
> end of each list is equivalent to a PERMIT result.

Oh, thank you -- misunderstood that each list is independent. I had
thought since all restrictions are delayed until after RCPT TO that
issuing an OK in one restriction list would affect the others that come
after it. Now I understand that's wrong. Thank you.