access - Postfix SMTP server access table

access - Postfix SMTP server access table

Ublun
 /etc/postfix/sender_access
#
# Black/Whitelist for senders matching the 'MAIL FROM' field. Examples...
#
[hidden email]    OK
[hidden email]           REJECT
marketing@              REJECT
theboss@                OK
deals.marketing.com     REJECT
somedomain.com          OK

In my case, however, marketing@ is not rejected, not even after running postmap /etc/postfix/sender_access

Re: access - Postfix SMTP server access table

Kai Fürstenberg
On 26.01.2019 at 13:24, Ublun wrote:

>  /etc/postfix/sender_access
> #
> # Black/Whitelist for senders matching the 'MAIL FROM' field. Examples...
> #
> [hidden email]    OK
> [hidden email]           REJECT
> marketing@              REJECT
> theboss@                OK
> deals.marketing.com     REJECT
> somedomain.com          OK
>
> In my case, however, marketing@ is not rejected, not even after running postmap /etc/postfix/sender_access

Hooked in at the wrong place? Already accepted earlier?
Without postconf -n and logs, it is impossible to say.

A small tip: never use OK in sender_access, but rather DUNNO,
if further tests are still supposed to run.
... or "permit_auth_destination".

Other than that, I don't have a crystal ball with me right now.

--
Kai Fürstenberg

PM to: kai at fuerstenberg dot ws

Re: access - Postfix SMTP server access table

Ublun
In reply to this post by Ublun

Thanks, here is the log for "whatifitworks@" in the access table, and my postconf -fn

Regards, David

Jan 28 13:10:15 ubox postfix/smtpd[8348]: connect from mail-40136.protonmail.ch[185.70.40.136]
Jan 28 13:10:16 ubox postfix/smtpd[8348]: 0976720796: client=mail-40136.protonmail.ch[185.70.40.136]
Jan 28 13:10:16 ubox postfix/cleanup[8352]: 0976720796: message-id=[hidden email]
Jan 28 13:10:16 ubox opendkim[1053]: 0976720796: s=default d=protonmail.com SSL
Jan 28 13:10:16 ubox postfix/qmgr[7734]: 0976720796: from=[hidden email], size=2328, nrcpt=1 (queue active)
Jan 28 13:10:16 ubox postfix/smtpd[8348]: disconnect from mail-40136.protonmail.ch[185.70.40.136] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jan 28 13:10:37 ubox postfix/local[8353]: 0976720796: to=<info.ublun@ubox>, orig_to=[hidden email], relay=local, delay=21, delays=0.45/0.01/0/21, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Jan 28 13:10:37 ubox postfix/qmgr[7734]: 0976720796: removed

postconf -fn
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
message_size_limit = 50240000
milter_default_action = accept
milter_protocol = 2
mydestination = $myhostname, ubox, localhost.ublun.com, localhost
myhostname = ubox.ublun.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:8891
readme_directory = no
recipient_delimiter = +
sender_bcc_maps = hash:/etc/postfix/bcc
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_client_restrictions = permit_sasl_authenticated check_client_access
    hash:/etc/postfix/sender_access permit_inet_interfaces
    reject_unknown_reverse_client_hostname
smtpd_enforce_tls = yes
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination reject_unknown_reverse_client_hostname
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination reject_unknown_reverse_client_hostname
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual

On 26.01.19 at 13:24, Ublun wrote:
 /etc/postfix/sender_access
#
# Black/Whitelist for senders matching the 'MAIL FROM' field. Examples...
#
[hidden email]    OK
[hidden email]           REJECT
marketing@              REJECT
theboss@                OK
deals.marketing.com     REJECT
somedomain.com          OK

In my case, however, marketing@ is not rejected, not even after running postmap /etc/postfix/sender_access

Re: access - Postfix SMTP server access table

Kai Fürstenberg
Hello David,

On 28.01.2019 at 13:39, Ublun wrote:

> Thanks, here is the log for "whatifitworks@" in the access table, and my
> postconf -fn
>
> Regards, David
>
> Jan 28 13:10:15 ubox postfix/smtpd[8348]: connect from
> mail-40136.protonmail.ch[185.70.40.136]
> Jan 28 13:10:16 ubox postfix/smtpd[8348]: 0976720796:
> client=mail-40136.protonmail.ch[185.70.40.136]
> Jan 28 13:10:16 ubox postfix/cleanup[8352]: 0976720796:
> message-id=<lnE8slyFjsk3xbA8iOaL4-Ot1XNYpeHJhukXxcKB_0OPY2bUrOey9gE54FE_5pubnLaEAFqpXFlOUlVXBRNj2jT34M4UYKwtuhkylqWE5wA=@protonmail.com>
>
> Jan 28 13:10:16 ubox opendkim[1053]: 0976720796: s=default
> d=protonmail.com SSL
> Jan 28 13:10:16 ubox postfix/qmgr[7734]: 0976720796:
> from=<[hidden email]>, size=2328, nrcpt=1 (queue active)
> Jan 28 13:10:16 ubox postfix/smtpd[8348]: disconnect from
> mail-40136.protonmail.ch[185.70.40.136] ehlo=2 starttls=1 mail=1 rcpt=1
> data=1 quit=1 commands=7
> Jan 28 13:10:37 ubox postfix/local[8353]: 0976720796:
> to=<info.ublun@ubox>, orig_to=<[hidden email]>, relay=local, delay=21,
> delays=0.45/0.01/0/21, dsn=2.0.0, status=sent (delivered to command:
> /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
> Jan 28 13:10:37 ubox postfix/qmgr[7734]: 0976720796: removed
>
> postconf -fn
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> compatibility_level = 2
> home_mailbox = Maildir/
> inet_interfaces = all
> inet_protocols = all
> mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
> mailbox_size_limit = 0
> message_size_limit = 50240000
> milter_default_action = accept
> milter_protocol = 2
> mydestination = $myhostname, ubox, localhost.ublun.com, localhost
> myhostname = ubox.ublun.com
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> myorigin = /etc/mailname
> non_smtpd_milters = inet:localhost:8891
> readme_directory = no
> recipient_delimiter = +
> sender_bcc_maps = hash:/etc/postfix/bcc
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_tls_security_options = noanonymous
> smtp_tls_security_level = dane
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_use_tls = yes
> smtpd_client_restrictions = permit_sasl_authenticated check_client_access
>     hash:/etc/postfix/sender_access permit_inet_interfaces
>     reject_unknown_reverse_client_hostname
> smtpd_enforce_tls = yes
> smtpd_milters = inet:localhost:8891
> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
>     reject_unauth_destination reject_unknown_reverse_client_hostname
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>     defer_unauth_destination reject_unknown_reverse_client_hostname
> smtpd_sasl_auth_enable = yes
> smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
> smtpd_tls_key_file = /etc/postfix/postfix.key.pem
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> virtual_alias_maps = hash:/etc/postfix/virtual
>
> On 26.01.19 at 13:24, Ublun wrote:
>>  /etc/postfix/sender_access
>> #
>> # Black/Whitelist for senders matching the 'MAIL FROM' field. Examples...
>> #
>> [hidden email]    OK
>> [hidden email]           REJECT
>> marketing@              REJECT
>> theboss@                OK
>> deals.marketing.com     REJECT
>> somedomain.com          OK
>>
>> In my case, however, marketing@ is not rejected, not even after running postmap /etc/postfix/sender_access

First of all: whatifitworks@ is not in your list. So the address
is ignored and the mail is correctly delivered.

Furthermore, you can tidy up your restrictions a little and
make them easier to read:

You have smtpd_delay_reject set to "yes" by default. As a result, all
restrictions are only processed after RCPT TO.

So you can put everything into smtpd_recipient_restrictions; the
relay restrictions mostly work by default and only need to be
edited in special cases.

--
Kai Fürstenberg

PM to: kai at fuerstenberg dot ws

Re: access - Postfix SMTP server access table

Alex JOST
In reply to this post by Ublun
On 28.01.2019 at 13:39, Ublun wrote:
> Thanks, here is the log for "whatifitworks@" in the access table, and my
> postconf -fn
> smtpd_client_restrictions = permit_sasl_authenticated check_client_access
>      hash:/etc/postfix/sender_access permit_inet_interfaces
>      reject_unknown_reverse_client_hostname

'check_client_access' is wrong in this context. To filter by the
sender's e-mail address you need 'check_sender_access'.

   http://www.postfix.org/postconf.5.html#check_client_access
   http://www.postfix.org/postconf.5.html#check_sender_access

--
Alex JOST

Re: access - Postfix SMTP server access table

Ublun
Yes Alex, that was the solution, and it takes effect now too,

many thanks - David


On 28.01.19 at 14:39, Alex JOST wrote:

> On 28.01.2019 at 13:39, Ublun wrote:
>> Thanks, here is the log for "whatifitworks@" in the access table, and my
>> postconf -fn
>> smtpd_client_restrictions = permit_sasl_authenticated
>> check_client_access
>>      hash:/etc/postfix/sender_access permit_inet_interfaces
>>      reject_unknown_reverse_client_hostname
>
> 'check_client_access' is wrong in this context. To filter by the
> sender's e-mail address you need
> 'check_sender_access'.
>
>   http://www.postfix.org/postconf.5.html#check_client_access
>   http://www.postfix.org/postconf.5.html#check_sender_access
>
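
The difference Alex JOST points out, together with Kai Fürstenberg's OK-versus-DUNNO tip, as an added example that is not part of the original thread: a simplified Python model of which lookup keys each restriction derives and how a result ends or continues a restriction list. The table, sender, client and the `later_check` stand-in are constructed; address extensions, the `.domain` form and IPv6 are ignored.

```python
# Simplified model of Postfix access(5) lookups; not Postfix code.
# Constructed table modelled on the thread's sender_access file.
TABLE = {"marketing@": "REJECT", "theboss@": "OK",
         "deals.marketing.com": "REJECT", "somedomain.com": "OK"}

def _parents(name):
    """a.b.c -> [a.b.c, b.c, c]: the name plus each parent domain."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def sender_keys(mail_from):
    """Keys check_sender_access tries: user@domain, domains, user@."""
    local, _, domain = mail_from.lower().rpartition("@")
    return [f"{local}@{domain}"] + _parents(domain) + [f"{local}@"]

def client_keys(hostname, ipv4):
    """Keys check_client_access tries: hostname, parents, IP, networks."""
    octets = ipv4.split(".")
    nets = [".".join(octets[:n]) for n in range(4, 0, -1)]
    return _parents(hostname.lower()) + nets

def lookup(table, keys):
    """First key found wins; no match is DUNNO (table has no opinion)."""
    return next((table[k] for k in keys if k in table), "DUNNO")

def evaluate(restrictions):
    """One restriction list: OK or REJECT ends it, DUNNO falls through."""
    for name, result in restrictions:
        if result in ("OK", "REJECT"):
            return result, name
    return "OK", "end of list"  # nothing objected, so the list permits

def table_verdicts():
    """Same table, same mail, two restrictions (constructed sender/client)."""
    sender, host, ip = "marketing@example.com", "mail.example.net", "192.0.2.10"
    as_client = lookup(TABLE, client_keys(host, ip))  # the thread's mistake
    as_sender = lookup(TABLE, sender_keys(sender))    # the fix
    return as_client, as_sender

def ok_vs_dunno(action):
    """Whitelist theboss@ with OK or DUNNO, then run a later check."""
    table = {**TABLE, "theboss@": action}
    first = lookup(table, sender_keys("theboss@example.com"))
    # "later_check" is a hypothetical stand-in for any restriction after it
    return evaluate([("check_sender_access", first), ("later_check", "REJECT")])

if __name__ == "__main__":
    print(table_verdicts())
    print(ok_vs_dunno("OK"), ok_vs_dunno("DUNNO"))
```

Under `check_client_access` the `user@` entries can never match because no client key contains an `@`, while the bare domain entries silently become client hostname rules.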