check_sender_access / whitelisting

check_sender_access / whitelisting

Zbigniew Szalbot-9
Hello,

I have the following in my smtpd_sender_restrictions

smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unlisted_recipient,
   reject_unauth_destination,
   reject_invalid_hostname,
   reject_unverified_recipient,
   reject_rbl_client zen.spamhaus.org

I would like to whitelist specific senders which are caught by
zen.spamhaus.org.

Having read http://www.postfix.org/postconf.5.html#check_sender_access
I believe I should insert the following option before reject_rbl_client
zen.spamhaus.org

check_sender_access hash:/usr/local/etc/postfix/access

However, what is not clear to me is how would I whitelist the below host

May 18 23:05:31 relay postfix/smtpd[2763]: NOQUEUE: reject: RCPT from
unknown[122.160.228.35]: 554 5.7.1 Service unavailable; Client host
[122.160.228.35] blocked using zen.spamhaus.org;
http://www.spamhaus.org/query/bl?ip=122.160.228.35; from=<>
to=<[hidden email]> proto=SMTP
helo=<ABCSMTP1.abcconsultants.net>

Should I be using IP or helo? Helo would not be safe, would it?

Or maybe check_sender_mx_access is actually designed to do this job?

In any case I would appreciate your advice and also what the typical
entry of such a hash table should look like.

Many thanks in advance!

--
Zbigniew Szalbot
www.lc-words.com

Re: check_sender_access / whitelisting

Noel Jones-2
Zbigniew Szalbot wrote:
> Hello,
>
> I have the following in my smtpd_sender_restrictions
>

For a typical whitelist you shouldn't whitelist the sender
email address, rather whitelist the client IP or hostname.

> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
> smtpd_recipient_restrictions =
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_non_fqdn_hostname,
>   reject_non_fqdn_sender,
>   reject_non_fqdn_recipient,
>   reject_unlisted_recipient,
>   reject_unauth_destination,

HERE insert:
     check_client_access hash:/etc/postfix/client_whitelist

>   reject_invalid_hostname,
>   reject_unverified_recipient,
>   reject_rbl_client zen.spamhaus.org
>
> I would like to whitelist specific senders which are caught by
> zen.spamhaus.org.
>
> Having read http://www.postfix.org/postconf.5.html#check_sender_access
> I believe I should insert the following option before reject_rbl_client
> zen.spamhaus.org
>
> check_sender_access hash:/usr/local/etc/postfix/access
>
> However, what is not clear to me is how would I whitelist the below host
>
> May 18 23:05:31 relay postfix/smtpd[2763]: NOQUEUE: reject: RCPT from
> unknown[122.160.228.35]: 554 5.7.1 Service unavailable; Client host
> [122.160.228.35] blocked using zen.spamhaus.org;
> http://www.spamhaus.org/query/bl?ip=122.160.228.35; from=<>
> to=<[hidden email]> proto=SMTP
> helo=<ABCSMTP1.abcconsultants.net>
>
> Should I be using IP or helo? Helo would not be safe, would it?
>

The client_whitelist file mentioned above would contain:

# client_whitelist file.
122.160.228.35  OK

> Or maybe check_sender_mx_access is actually designed to do this job?
>

No, that's not useful here.

> In any case I would appreciate your advice and also what the typical
> entry of such a hash table should look like.
>
> Many thanks in advance!
>

--
Noel Jones

Re: check_sender_access / whitelisting

Ralf Hildebrandt
In reply to this post by Zbigniew Szalbot-9
* Zbigniew Szalbot <[hidden email]>:
> Hello,
>
> I have the following in my smtpd_sender_restrictions
>
> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
What for? Remove these.

> smtpd_recipient_restrictions =
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_non_fqdn_hostname,
>   reject_non_fqdn_sender,
>   reject_non_fqdn_recipient,
>   reject_unlisted_recipient,
>   reject_unauth_destination,
>   reject_invalid_hostname,
>   reject_unverified_recipient,

    check_client_access hash:/etc/postfix/zen_whitelist

>   reject_rbl_client zen.spamhaus.org
>
> I would like to whitelist specific senders which are caught by  
> zen.spamhaus.org.

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
I wonder why no company starts his manual with the words `We thank you
for buying this piece of shit. We have done our best to make this junk
as annoying as possible, and we assure that it will give you a
headache for the next two months. However, if you feel satisfied with
it, we will contact you for an expensive replacement.'

Re: check_sender_access / whitelisting

Zbigniew Szalbot-9
In reply to this post by Noel Jones-2
Hello,

> the client_whitelist file mentioned above would contain
>
> # client_whitelist file.
> 122.160.228.35  OK

Excellent! Thank you very much - it is so much appreciated!

--
Zbigniew Szalbot
www.lc-words.com


Re: check_sender_access / whitelisting

Zbigniew Szalbot-9
In reply to this post by Ralf Hildebrandt
Hello again,

Ralf Hildebrandt:

>> I have the following in my smtpd_sender_restrictions
>>
>> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
> What for? Remove these.


I thought this means that authenticated users and users on my network (localhost) are excluded from further checks? Is this redundant?


Thanks!
--
Zbigniew Szalbot
www.lc-words.com

Re: check_sender_access / whitelisting

Ralf Hildebrandt
* Zbigniew Szalbot <[hidden email]>:

> Hello again,
>
> Ralf Hildebrandt:
>
>>> I have the following in my smtpd_sender_restrictions
>>>
>>> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
>> What for? Remove these.
>
>
> I thought this means that authenticated users and users on my network (localhost) are excluded from further checks? Is this redundant?

Redundant.

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'

Re: check_sender_access / whitelisting

mouss-2
In reply to this post by Zbigniew Szalbot-9
Zbigniew Szalbot wrote:

> Hello,
>
> I have the following in my smtpd_sender_restrictions
>
> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
> smtpd_recipient_restrictions =
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_non_fqdn_hostname,
>   reject_non_fqdn_sender,
>   reject_non_fqdn_recipient,
>   reject_unlisted_recipient,
>   reject_unauth_destination,
>   reject_invalid_hostname,
>   reject_unverified_recipient,
>   reject_rbl_client zen.spamhaus.org
>
> I would like to whitelist specific senders which are caught by
> zen.spamhaus.org.
>
> Having read http://www.postfix.org/postconf.5.html#check_sender_access
> I believe I should insert the following option before
> reject_rbl_client zen.spamhaus.org
>
> check_sender_access hash:/usr/local/etc/postfix/access
>
> However, what is not clear to me is how would I whitelist the below host
>
> May 18 23:05:31 relay postfix/smtpd[2763]: NOQUEUE: reject: RCPT from
> unknown[122.160.228.35]: 554 5.7.1 Service unavailable; Client host
> [122.160.228.35] blocked using zen.spamhaus.org;
> http://www.spamhaus.org/query/bl?ip=122.160.228.35; from=<>
> to=<[hidden email]> proto=SMTP
> helo=<ABCSMTP1.abcconsultants.net>
>


$ host 22.160.228.35
Host 35.228.160.22.in-addr.arpa not found: 3(NXDOMAIN)

so host does not exist ;-p

$ host ABCSMTP1.abcconsultants.net
Host ABCSMTP1.abcconsultants.net not found: 3(NXDOMAIN)

so helo does not exist either...

can't you get them to fix their helo at least? (if they can fix their
rDNS, it would be marvelous, but let's not dream too much).

If you get real mail from this host, then you should whitelist the IP.

> Should I be using IP or helo? Helo would not be safe, would it?

helo and sender are easily forged. host IP is harder to forge, though
not impossible.


>
> Or maybe check_sender_mx_access is actually designed to do this job?


why care? if the IP sends your mail that you want to receive, and you
cannot get the IP owner to fix their stuff, then the only thing you can
do is whitelist the IP. all the rest is literature.


>
> In any case I would appreciate your advice and also what the typical
> entry of such a hash table should look like.
>
> Many thanks in advance!
>


Re: check_sender_access / whitelisting

mouss-2
In reply to this post by Zbigniew Szalbot-9
Zbigniew Szalbot wrote:

> Hello again,
>
> Ralf Hildebrandt:
>
>>> I have the following in my smtpd_sender_restrictions
>>>
>>> smtpd_sender_restrictions = permit_sasl_authenticated,
>>> permit_mynetworks
>> What for? Remove these.
>
>
> I thought this means that authenticated users and users on my network
> (localhost) are excluded from further checks? Is this redundant?

what it says is:

- if it's from my networks, then permit
- if it is authenticated, then permit
- otherwise, permit (this is the default)

can you see any case where the result wouldn't be a "permit"?
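
Added example, not part of any poster's message: a simplified Python model of how Postfix walks a restriction list, covering both the whitelist placement in Noel Jones's and Ralf Hildebrandt's replies and mouss's point that a list made only of permits always permits. The model itself, the `example.org` and `elsewhere.example` domains and the 203.0.113.9 address are assumptions for illustration; it goes one step beyond the thread by showing why the lookup sits after `reject_unauth_destination`.

```python
# Simplified model of Postfix smtpd restriction evaluation (added example).
# A list is scanned left to right; the first PERMIT or REJECT ends it, and a
# list that runs out of entries ends in PERMIT (the default mouss mentions).

MYNETWORKS = {"127.0.0.1"}                    # constructed sample
DNSBL_LISTED = {"122.160.228.35"}             # the IP from the log line in the thread
CLIENT_WHITELIST = {"122.160.228.35": "OK"}   # contents of the whitelist table
LOCAL_DOMAINS = {"example.org"}               # constructed: domains we accept mail for

def step(restriction, s):
    """Return 'PERMIT', 'REJECT' or None (no decision, try the next entry)."""
    if restriction == "permit_mynetworks":
        return "PERMIT" if s["client_ip"] in MYNETWORKS else None
    if restriction == "permit_sasl_authenticated":
        return "PERMIT" if s["sasl_user"] else None
    if restriction == "reject_unauth_destination":
        domain = s["rcpt"].rsplit("@", 1)[-1]
        return None if domain in LOCAL_DOMAINS else "REJECT"
    if restriction == "check_client_access":
        return "PERMIT" if CLIENT_WHITELIST.get(s["client_ip"]) == "OK" else None
    if restriction == "reject_rbl_client":
        return "REJECT" if s["client_ip"] in DNSBL_LISTED else None
    raise ValueError("restriction not modelled: " + restriction)

def evaluate(restrictions, session):
    """Return (verdict, restriction that decided it)."""
    for r in restrictions:
        verdict = step(r, session)
        if verdict:
            return verdict, r
    return "PERMIT", "(end of list)"

def session(ip, rcpt, sasl_user=None):
    return {"client_ip": ip, "rcpt": rcpt, "sasl_user": sasl_user}

# The sender list from the first post: every path ends in PERMIT.
SENDER = ["permit_sasl_authenticated", "permit_mynetworks"]
# Recipient list reduced to the entries that matter for the whitelist question.
RCPT_BASE = ["permit_mynetworks", "permit_sasl_authenticated",
             "reject_unauth_destination", "reject_rbl_client"]
# Whitelist lookup after reject_unauth_destination, as in the replies.
RCPT_FIXED = RCPT_BASE[:3] + ["check_client_access", "reject_rbl_client"]
# Same lookup placed first: the whitelisted IP is permitted before the relay check.
RCPT_TOO_EARLY = ["check_client_access"] + RCPT_BASE
```

On a real server the whitelist table also has to be compiled with `postmap` before Postfix can read it as a `hash:` map.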