Whitelisting by recipient domain name


Whitelisting by recipient domain name

Steve-415
Hi,

I've been looking at some archive posts regarding white listing by
intended recipient domain.

Say for example I wish to white list any incoming mail for:
[hidden email] - is this actually possible?

Thinking about the stages of the SMTP conversation this is not going to
be available until the RCPT TO is given, so any white list (if it is
possible) would need to go in smtpd_recipient_restrictions. That is what
common sense would tell me.

I can already see that any earlier client, helo or sender restrictions
probably can't be white listed by recipient domain - but should it work
at the smtpd_recipient_restriction level?

Perhaps what I am actually asking is:

Should this work?
Could it be extended to affect a whole domain (not just [hidden email],
but *@example.com)
In lieu of smtpd_delay_reject = yes could this be applied to earlier
restrictions?



Re: Whitelisting by recipient domain name

Noel Jones-2
Steve wrote:
> Hi,
>
> I've been looking at some archive posts regarding white listing by
> intended recipient domain.
>
> Say for example I wish to white list any incoming mail for:
> [hidden email] - is this actually possible?

Yes, this is one reason some people like to put all their
restrictions under smtpd_recipient_restrictions.

>
> Thinking about the stages of the SMTP conversation this is not going to
> be available until the RCPT TO is given, so any white list (if it is
> possible) would need to go in smtpd_recipient_restrictions. That is what
> common sense would tell me.

With the default smtpd_delay_reject=yes, recipient information
is available during smtpd_{client, helo, sender}_restrictions.

But then you have to specify your whitelist multiple times.
It's usually easier to just put all your restrictions in
smtpd_recipient_restrictions.

>
> I can already see that any earlier client, helo or sender restrictions
> probably can't be white listed by recipient domain - but should it work
> at the smtpd_recipient_restriction level?
>
> Perhaps what I am actually asking is;
>
> Should this work?
> Could it be extended to affect a whole domain (not just [hidden email],
> but *@example.com)

Yes, you can whitelist a whole domain.  See the access(5) man
page for details.  Your lookup table would contain
example.com  OK

> In lieu of smtpd_delay_reject = yes could this be applied to earlier
> restrictions?

The default setting of smtpd_delay_reject=yes is required if
you want to whitelist recipients during
smtpd_{client,helo,sender}_restrictions.

But it's easier to just put all your restrictions under
smtpd_recipient_restrictions.

Oh, be sure to put any whitelists after
reject_unauth_destination, such as:
smtpd_recipient_restrictions =
   permit_mynetworks
   permit_sasl_authenticated
   reject_unauth_destination
   ... whitelist goes here ...
   ... UCE checks here ...



   -- Noel Jones

Re: Whitelisting by recipient domain name

Steve-415
On Sun, 2009-06-28 at 14:38 -0500, Noel Jones wrote:

> Steve wrote:
> > Hi,
> >
> > I've been looking at some archive posts regarding white listing by
> > intended recipient domain.
> >
> > Say for example I wish to white list any incoming mail for:
> > [hidden email] - is this actually possible?
>
> Yes, this is one reason some people like to put all their
> restrictions under smtpd_recipient_restrictions.
>
> >
> > Thinking about the stages of the SMTP conversation this is not going to
> > be available until the RCPT TO is given, so any white list (if it is
> > possible) would need to go in smtpd_recipient_restrictions. That is what
> > common sense would tell me.
>
> With the default smtpd_delay_reject=yes, recipient information
> is available during smtpd_{client, helo, sender}_restrictions.
>
> But then you have to specify your whitelist multiple times.
> It's usually easier to just put all your restrictions in
> smtpd_recipient_restrictions.
>
> >
> > I can already see that any earlier client, helo or sender restrictions
> > probably can't be white listed by recipient domain - but should it work
> > at the smtpd_recipient_restriction level?
> >
> > Perhaps what I am actually asking is;
> >
> > Should this work?
> > Could it be extended to affect a whole domain (not just [hidden email],
> > but *@example.com)
>
> Yes, you can whitelist a whole domain.  See the access(5) man
> page for details.  Your lookup table would contain
> example.com  OK
>
> > In lieu of smtpd_delay_reject = yes could this be applied to earlier
> > restrictions?
>
> The default setting of smtpd_delay_reject=yes is required if
> you want to whitelist recipients during
> smtpd_{client,helo,sender}_restrictions.
>
> But it's easier to just put all your restrictions under
> smtpd_recipient_restrictions.
>
> Oh, be sure to put any whitelists after
> reject_unauth_destination, such as:
> smtpd_recipient_restrictions =
>    permit_mynetworks
>    permit_sasl_authenticated
>    reject_unauth_destination
>    ... whitelist goes here ...
>    ... UCE checks here ...
>
>
>
>    -- Noel Jones

Thank you kindly Noel. Much appreciated.


Re: Whitelisting by recipient domain name

Steve-415
On Sun, 2009-06-28 at 20:44 +0100, Steve wrote:

> On Sun, 2009-06-28 at 14:38 -0500, Noel Jones wrote:
> > Steve wrote:
> > > Hi,
> > >
> > > I've been looking at some archive posts regarding white listing by
> > > intended recipient domain.
> > >
> > > Say for example I wish to white list any incoming mail for:
> > > [hidden email] - is this actually possible?
> >
> > Yes, this is one reason some people like to put all their
> > restrictions under smtpd_recipient_restrictions.
> >
> > >
> > > Thinking about the stages of the SMTP conversation this is not going to
> > > be available until the RCPT TO is given, so any white list (if it is
> > > possible) would need to go in smtpd_recipient_restrictions. That is what
> > > common sense would tell me.
> >
> > With the default smtpd_delay_reject=yes, recipient information
> > is available during smtpd_{client, helo, sender}_restrictions.
> >
> > But then you have to specify your whitelist multiple times.
> > It's usually easier to just put all your restrictions in
> > smtpd_recipient_restrictions.
> >
> > >
> > > I can already see that any earlier client, helo or sender restrictions
> > > probably can't be white listed by recipient domain - but should it work
> > > at the smtpd_recipient_restriction level?
> > >
> > > Perhaps what I am actually asking is;
> > >
> > > Should this work?
> > > Could it be extended to affect a whole domain (not just [hidden email],
> > > but *@example.com)
> >
> > Yes, you can whitelist a whole domain.  See the access(5) man
> > page for details.  Your lookup table would contain
> > example.com  OK
> >
> > > In lieu of smtpd_delay_reject = yes could this be applied to earlier
> > > restrictions?
> >
> > The default setting of smtpd_delay_reject=yes is required if
> > you want to whitelist recipients during
> > smtpd_{client,helo,sender}_restrictions.
> >
> > But it's easier to just put all your restrictions under
> > smtpd_recipient_restrictions.
> >
> > Oh, be sure to put any whitelists after
> > reject_unauth_destination, such as:
> > smtpd_recipient_restrictions =
> >    permit_mynetworks
> >    permit_sasl_authenticated
> >    reject_unauth_destination
> >    ... whitelist goes here ...
> >    ... UCE checks here ...
> >
> >
> >
> >    -- Noel Jones
>
> Thank you kindly Noel. Much appreciated.

The one observation I've made is there is no way of spotting in the logs
that the mail was subjected to a whitelist. For example:

map:
example.com OK putting text here does not log it

I'm guessing I can do this
example.com WARN whitelisted
example.com OK

But is there a way to get OK to write to the log without the extra
'warn' line?


Re: Whitelisting by recipient domain name

Jan P. Kessler-2

> The one observation I've made is there is no way of spotting in the logs
> that the mail was subjected to a whitelist. For example;
>
> map:
> example.com OK putting text here does not log it
>
> I'm guessing I can do this
> example.com WARN whitelisted
> example.com OK
>
> But is there a way to get OK to write to the log without the extra
> 'warn' line?
>  


You might use the PREPEND action to add a certain header.


Re: Whitelisting by recipient domain name

Noel Jones-2
In reply to this post by Steve-415
Steve wrote:
> The one observation I've made is there is no way of spotting in the logs
> that the mail was subjected to a whitelist. For example;
>
> map:
> example.com OK putting text here does not log it
>
> I'm guessing I can do this
> example.com WARN whitelisted
> example.com OK

Only one action is allowed per lookup.  If you want to note in
the logs or use PREPEND to add a header indicating the mail
was whitelisted, you'll need two lookup tables - first to WARN
or PREPEND, then another table to OK.

I suppose you can use smtpd_restriction_classes to create a
LOG_OK class, something like
smtpd_restriction_classes = LOG_OK
LOG_OK =
   check_client_access regexp:/etc/postfix/mylog
   permit

# mylog
/^/ WARN whitelisted

Then use "LOG_OK" rather than OK in your access tables.


   -- Noel Jones
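Noel's two points above, the order of the restriction list (whitelist after reject_unauth_destination) and the LOG_OK restriction class, modelled in Python as an added example. It is not code from the thread or from Postfix; the domains, client addresses and table contents are constructed. It shows why the order matters: a table entry for example.com also matches recipients in subdomains of example.com, so an OK placed before reject_unauth_destination relays mail for a subdomain the server does not host, while the recommended order rejects it and still lets the whitelisted local domain bypass the UCE checks, leaving a "warn" line behind.

```python
"""Model of Postfix smtpd restriction-list evaluation.  Added Python illustration,
not Postfix source and not code from the thread.  Constructed assumptions:
example.com and example.net are in mydestination, sub.example.com is NOT hosted
here, and the access-table contents and client addresses are made up."""
from dataclasses import dataclass, field

MYDESTINATION = {"example.com", "example.net"}   # constructed
MYNETWORKS = {"127.0.0.1", "192.0.2.10"}         # constructed

@dataclass
class Session:
    client_addr: str
    sender: str
    recipient: str
    log: list = field(default_factory=list)      # stands in for the maillog

def access_keys(address):
    """Keys tried, in order, when an access(5) table is queried with an address:
    full address, the domain and each parent domain (smtpd_access_maps is in the
    default parent_domain_matches_subdomains), then 'user@'."""
    local, _, domain = address.lower().partition("@")
    yield address.lower()
    labels = domain.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])
    yield local + "@"

def evaluate(restrictions, s, classes):
    """First OK or REJECT ends the list; DUNNO means 'no opinion, keep going'."""
    for restriction in restrictions:
        result = restriction(s, classes)
        if result != "DUNNO":
            return result
    return "DUNNO"

def decide(restrictions, s, classes=None):
    """Top-level smtpd_recipient_restrictions: exhausting the whole list permits."""
    result = evaluate(restrictions, s, classes or {})
    return "OK" if result == "DUNNO" else result

def apply_action(action, s, classes):
    """An access(5) right-hand side: OK, REJECT, DUNNO, 'WARN text', or a class name."""
    verb, _, text = action.partition(" ")
    if verb in classes:                         # smtpd_restriction_classes entry
        return evaluate(classes[verb], s, classes)
    if verb == "WARN":                          # WARN logs, then continues
        s.log.append(f"warn: {s.client_addr}: {text}: to=<{s.recipient}>")
        return "DUNNO"
    return verb

# Restrictions: (session, classes) -> "OK" | "REJECT" | "DUNNO"
def permit(s, classes):
    return "OK"

def permit_mynetworks(s, classes):
    return "OK" if s.client_addr in MYNETWORKS else "DUNNO"

def reject_unauth_destination(s, classes):
    domain = s.recipient.partition("@")[2].lower()
    return "DUNNO" if domain in MYDESTINATION else "REJECT"

def check_recipient_access(table):
    def restriction(s, classes):
        for key in access_keys(s.recipient):
            if key in table:
                return apply_action(table[key], s, classes)
        return "DUNNO"
    return restriction

def check_client_access_regexp(action):
    """Models 'check_client_access regexp:...' holding one '/^/ action' rule."""
    return lambda s, classes: apply_action(action, s, classes)

def uce_checks(s, classes):
    """Stand-in for '... UCE checks here ...'; always rejects so its effect shows."""
    return "REJECT"

CLASSES = {"LOG_OK": [check_client_access_regexp("WARN whitelisted"), permit]}
WHITELIST = {"example.com": "LOG_OK"}        # the access table, using the class

# Whitelist BEFORE reject_unauth_destination: its OK short-circuits the relay check.
UNSAFE = [permit_mynetworks, check_recipient_access(WHITELIST),
          reject_unauth_destination, uce_checks]
# The order recommended in the thread.
SAFE = [permit_mynetworks, reject_unauth_destination,
        check_recipient_access(WHITELIST), uce_checks]

def relay_attempt(order):
    """An outside client asks us to relay to a subdomain we do not host."""
    s = Session("203.0.113.5", "spammer@example.org", "victim@sub.example.com")
    return decide(order, s, CLASSES)

def local_delivery(order, recipient):
    """An outside client mails a domain we host; returns (verdict, log lines)."""
    s = Session("203.0.113.5", "partner@example.org", recipient)
    return decide(order, s, CLASSES), s.log
```

relay_attempt(UNSAFE) comes back OK (the server relays for sub.example.com), relay_attempt(SAFE) comes back REJECT, and local_delivery(SAFE, "alice@example.com") is OK with a single "warn: ... whitelisted" entry, which is the only trace the whitelist leaves; a non-whitelisted local recipient such as bob@example.net falls through to the UCE checks. The same first-match rule is why a WARN and an OK for the same key cannot share one table: only the first matching entry is ever consulted.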

Re: Whitelisting by recipient domain name

Steve-415
On Mon, 2009-06-29 at 09:19 -0500, Noel Jones wrote:

>
> Only one action is allowed per lookup.  If you want to note in
> the logs or use PREPEND to add a header indicating the mail
> was whitelisted, you'll need two lookup tables - first to WARN
> or PREPEND, then another table to OK.
>
> I suppose you can use smtpd_restriction_classes to create a
> LOG_OK class, something like
> smtpd_restriction_classes = LOG_OK
> LOG_OK =
>    check_client_access regexp:/etc/postfix/mylog
>    permit
>
> # mylog
> /^/ WARN whitelisted
>
> Then use "LOG_OK" rather than OK in your access tables.
>
I've given that a go - fingers crossed :-)



Re: Whitelisting by recipient domain name

Steve-415
In reply to this post by Noel Jones-2
On Mon, 2009-06-29 at 09:19 -0500, Noel Jones wrote:

> Steve wrote:
> > The one observation I've made is there is no way of spotting in the logs
> > that the mail was subjected to a whitelist. For example;
> >
> > map:
> > example.com OK putting text here does not log it
> >
> > I'm guessing I can do this
> > example.com WARN whitelisted
> > example.com OK
>
> Only one action is allowed per lookup.  If you want to note in
> the logs or use PREPEND to add a header indicating the mail
> was whitelisted, you'll need two lookup tables - first to WARN
> or PREPEND, then another table to OK.
>
> I suppose you can use smtpd_restriction_classes to create a
> LOG_OK class, something like
> smtpd_restriction_classes = LOG_OK
> LOG_OK =
>    check_client_access regexp:/etc/postfix/mylog
>    permit
>
> # mylog
> /^/ WARN whitelisted
>
> Then use "LOG_OK" rather than OK in your access tables.
>
>
>    -- Noel Jones

I can confirm this does exactly what is needed - thank you Noel. In
addition I also have to white list the domain in Spamassassin for it to
come on through.

The only thing breaking near perfect white listing flow is the Postfix
header and body checks. It's a real shame these cannot be skipped over
for trusted / white listed clients - but as I told my wife "You can't
have everything" :-)

Thanks once more Noel. Really appreciated.


Re: Whitelisting by recipient domain name

mouss-4
In reply to this post by Steve-415
Steve wrote:

> On Sun, 2009-06-28 at 20:44 +0100, Steve wrote:
>> On Sun, 2009-06-28 at 14:38 -0500, Noel Jones wrote:
>>> Steve wrote:
>>>> Hi,
>>>>
>>>> I've been looking at some archive posts regarding white listing by
>>>> intended recipient domain.
>>>>
>>>> Say for example I wish to white list any incoming mail for:
>>>> [hidden email] - is this actually possible?
>>> Yes, this is one reason some people like to put all their
>>> restrictions under smtpd_recipient_restrictions.
>>>
>>>> Thinking about the stages of the SMTP conversation this is not going to
>>>> be available until the RCPT TO is given, so any white list (if it is
>>>> possible) would need to go in smtpd_recipient_restrictions. That is what
>>>> common sense would tell me.
>>> With the default smtpd_delay_reject=yes, recipient information
>>> is available during smtpd_{client, helo, sender}_restrictions.
>>>
>>> But then you have to specify your whitelist multiple times.
>>> It's usually easier to just put all your restrictions in
>>> smtpd_recipient_restrictions.
>>>
>>>> I can already see that any earlier client, helo or sender restrictions
>>>> probably can't be white listed by recipient domain - but should it work
>>>> at the smtpd_recipient_restriction level?
>>>>
>>>> Perhaps what I am actually asking is;
>>>>
>>>> Should this work?
>>>> Could it be extended to affect a whole domain (not just [hidden email],
>>>> but *@example.com)
>>> Yes, you can whitelist a whole domain.  See the access(5) man
>>> page for details.  Your lookup table would contain
>>> example.com  OK
>>>
>>>> In lieu of smtpd_delay_reject = yes could this be applied to earlier
>>>> restrictions?
>>> The default setting of smtpd_delay_reject=yes is required if
>>> you want to whitelist recipients during
>>> smtpd_{client,helo,sender}_restrictions.
>>>
>>> But it's easier to just put all your restrictions under
>>> smtpd_recipient_restrictions.
>>>
>>> Oh, be sure to put any whitelists after
>>> reject_unauth_destination, such as:
>>> smtpd_recipient_restrictions =
>>>    permit_mynetworks
>>>    permit_sasl_authenticated
>>>    reject_unauth_destination
>>>    ... whitelist goes here ...
>>>    ... UCE checks here ...
>>>
>>>
>>>
>>>    -- Noel Jones
>> Thank you kindly Noel. Much appreciated.
> The one observation I've made is there is no way of spotting in the logs
> that the mail was subjected to a whitelist. For example;
>
> map:
> example.com OK putting text here does not log it
>
> I'm guessing I can do this
> example.com WARN whitelisted
> example.com OK


No, this doesn't work if it's in the same map. If a match is found...

>
> But is there a way to get OK to write to the log without the extra
> 'warn' line?
>

Use two checks: one that warns and one that does what you want.

If you want more control with fewer checks, use a policy service.
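A minimal policy service of the kind mouss mentions, as an added example (not code from the thread or from Postfix). It whitelists by recipient domain, matching parent domains the way access(5) does, logs each hit in its own words, and answers DUNNO for everything else so the restrictions that follow it still run. The listen address, the whitelist contents and the sample request in the usage note are assumptions made for this example.

```python
"""Minimal Postfix policy service that whitelists mail by recipient domain and
logs every hit.  Added example, not code from the thread or from Postfix.
Assumed wiring, after reject_unauth_destination so an OK cannot open a relay:
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
        reject_unauth_destination, check_policy_service inet:127.0.0.1:10040, ...
The whitelist and the listen address below are constructed for this example."""
import logging
import socketserver

WHITELIST = {"example.com"}        # recipient domains to let through (constructed)
LISTEN = ("127.0.0.1", 10040)      # assumed; keep it on loopback or a unix socket

log = logging.getLogger("policy-whitelist")


def parse_request(raw):
    """Postfix sends one request as 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def domain_matches(domain, whitelist):
    """True if the domain or any parent domain is listed, like access(5) does
    for smtpd_access_maps under parent_domain_matches_subdomains."""
    labels = domain.lower().split(".")
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels)))


def decide(attrs):
    """Return the reply line.  OK ends the smtpd restriction list, so it is only
    given for a whitelisted recipient; everything else is DUNNO, which lets the
    following restrictions (the UCE checks) run as usual."""
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO"
    recipient = attrs.get("recipient", "")
    domain = recipient.partition("@")[2]
    if domain and domain_matches(domain, WHITELIST):
        log.info("whitelisted: client=%s from=<%s> to=<%s>",
                 attrs.get("client_address", "?"), attrs.get("sender", ""), recipient)
        return "action=OK"
    return "action=DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    """One smtpd connection may carry many requests; each answer is one line
    followed by an empty line, as the policy protocol requires."""
    def handle(self):
        while True:
            raw = ""
            while True:
                line = self.rfile.readline()
                if not line:                    # smtpd closed the connection
                    return
                line = line.decode("utf-8", "replace")
                raw += line
                if line in ("\n", "\r\n"):      # empty line ends the request
                    break
            reply = decide(parse_request(raw))
            self.wfile.write((reply + "\n\n").encode())
            self.wfile.flush()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(name)s: %(message)s")
    with socketserver.ThreadingTCPServer(LISTEN, PolicyHandler) as server:
        server.serve_forever()
```

Fed a constructed request such as "request=smtpd_access_policy", "client_address=203.0.113.5", "sender=partner@example.org", "recipient=alice@mail.example.com" followed by an empty line, decide() returns "action=OK" and writes one "whitelisted: ..." line; a recipient at example.net gets "action=DUNNO". Two caveats a practitioner should keep in mind: like an access-map OK, a policy OK only ends the smtpd restriction list, so header_checks and body_checks, which run in cleanup(8), are not skipped; and the service must sit after reject_unauth_destination, because its OK for a parent-domain match would otherwise relay mail for subdomains the server does not host.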