enabling xforward in ehlo


enabling xforward in ehlo

Robert Moskowitz
Postfix 2.10.1

I have spent some time today searching postfix documentation for enabling xforward in smtpd. I am not seeing it in the response to the EHLO when I telnet into localhost 25.  I cannot find any reference to what to put in master.cf (or main.cf) to do this.

I THINK I need this to deal with amavis's policy bank of MYNET so that hosts within my network list will not get flagged as Open Relay.  (like a sendmail test from localhost).

All I have found is that the amavis entry in master.cf has:

amavis unix	-	-	y	-	2	lmtp
	-o lmtp_data_done_timeout=1200
	-o lmtp_send_xforward_command=yes
	-o smtp_send_xforward_command=yes
	-o disable_dns_lookups=yes
	-o max_use=20

But that seems to be AFTER postfix sending the IP address into amavis.

thanks for the assistance


Re: enabling xforward in ehlo

Viktor Dukhovni

> On Apr 24, 2017, at 5:14 PM, Robert Moskowitz <[hidden email]> wrote:
>
> I have spent some time today searching postfix documentation for enabling xforward in smtpd. I am not seeing it in the response to the EHLO when I telnet into localhost 25.  I cannot find any reference to what to put in master.cf (or main.cf) to do this.

http://www.postfix.org/postconf.5.html#smtpd_authorized_xforward_hosts

--
        Viktor.


Re: enabling xforward in ehlo

Robert Moskowitz
On 04/24/2017 11:35 PM, Viktor Dukhovni wrote:
>> On Apr 24, 2017, at 5:14 PM, Robert Moskowitz <[hidden email]> wrote:
>>
>> I have spent some time today searching postfix documentation for enabling xforward in smtpd. I am not seeing it in the response to the EHLO when I telnet into localhost 25.  I cannot find any reference to what to put in master.cf (or main.cf) to do this.
> http://www.postfix.org/postconf.5.html#smtpd_authorized_xforward_hosts
>
I read that too.  Can I specify $mynetworks ?

And I just checked again on my old host, and it does not show xforward
on the EHLO, but does not exhibit this Open relay problem. Looking more
to be some change in amavis.

But still interested in the way to work with
smtpd_authorized_xforward_hosts because I don't get it from this explanation

thanks.



Re: enabling xforward in ehlo

Viktor Dukhovni

> On Apr 24, 2017, at 5:43 PM, Robert Moskowitz <[hidden email]> wrote:
>
>> http://www.postfix.org/postconf.5.html#smtpd_authorized_xforward_hosts
>>
> I read that too.  Can I specify $mynetworks ?

Quote:

       Specify a list of network/netmask patterns, separated by commas and/or
       whitespace. The mask specifies the number of bits in the network part
       of a host address. You can also specify hostnames or .domain names (the
       initial dot causes the domain to match any name below it),
       "/file/name" or "type:table" patterns.  A "/file/name" pattern is
       replaced by its contents; a "type:table" lookup table is matched when a
       table entry matches a lookup string (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude an address or network block from the list. The
       form "!/file/name" is supported only in Postfix version 2.4 and later.

       Note: IP version 6 address information must be specified inside [] in
       the smtpd_authorized_xforward_hosts value, and in files specified with
       "/file/name".  IP version 6 addresses contain the ":" character, and
       would otherwise be confused with a "type:table" pattern.

As with the vast majority of Postfix parameters, "$variable" expansion
applies.  However, you generally should not use $mynetworks here.  More
typically that should just be "127.0.0.1" for allowing xforward data to
flow across a local SMTP content filter.  Even if some xforward systems
are truly separate upstream hosts, I'd recommend setting this separately
from mynetworks.

--
        Viktor.
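To see why the narrow "127.0.0.1" setting matters, here is an added example (not part of the thread, and not Postfix's own code) that emulates the list-matching rules quoted above and shows which clients would be offered XFORWARD under each setting; the $mynetworks value, hostnames and addresses are constructed.

```python
"""Emulate Postfix's smtpd_authorized_xforward_hosts match: clients on the
list are offered XFORWARD in the EHLO reply and may override the client
name/address that smtpd logs and evaluates, so the list should stay narrow."""
import ipaddress


def expand(value, params):
    """Expand "$name" references, e.g. $mynetworks, from a parameter dict."""
    for name, val in params.items():
        value = value.replace("$" + name, val)
    return value


def parse_patterns(value):
    """Split a comma/whitespace separated list into (negated, pattern) pairs."""
    out = []
    for tok in value.replace(",", " ").split():
        neg = tok.startswith("!")
        out.append((neg, tok[1:] if neg else tok))
    return out


def pattern_matches(pattern, addr, hostname):
    """Match one pattern against the client address or its hostname."""
    if pattern.startswith("["):
        # IPv6 literal, "[::1]" or "[fe80::]/10": strip the brackets only
        end = pattern.index("]")
        pattern = pattern[1:end] + pattern[end + 1:]
    elif ":" in pattern or pattern.startswith("/"):
        return False  # "type:table" / "/file/name": lookups not emulated here
    if pattern.startswith("."):
        return hostname.endswith(pattern)  # ".domain" matches names below it
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return hostname == pattern  # plain hostname pattern
    return ipaddress.ip_address(addr) in net  # v4/v6 mismatch is simply False


def xforward_authorized(value, client_addr, client_name, params=None):
    """First matching pattern wins; a "!pattern" match excludes the client."""
    for neg, pat in parse_patterns(expand(value, params or {})):
        if pattern_matches(pat, client_addr, client_name):
            return not neg
    return False


if __name__ == "__main__":
    # Constructed $mynetworks: compare the narrow setting with $mynetworks
    nets = {"mynetworks": "127.0.0.0/8 [::1]/128 192.168.1.0/24"}
    for setting in ("127.0.0.1", "$mynetworks"):
        ok = xforward_authorized(setting, "192.168.1.5", "pc.lan", nets)
        print(f"{setting:12} LAN host 192.168.1.5 may send XFORWARD: {ok}")
```

Note that exclusions must precede the patterns they override, since the first match decides.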


Re: enabling xforward in ehlo

Robert Moskowitz
On 04/24/2017 11:54 PM, Viktor Dukhovni wrote:

>> On Apr 24, 2017, at 5:43 PM, Robert Moskowitz <[hidden email]> wrote:
>>
>>> http://www.postfix.org/postconf.5.html#smtpd_authorized_xforward_hosts
>>>
>> I read that too.  Can I specify $mynetworks ?
> Quote:
>
>         Specify a list of network/netmask patterns, separated by commas and/or
>         whitespace. The mask specifies the number of bits in the network part
>         of a host address. You can also specify hostnames or .domain names (the
>         initial dot causes the domain to match any name below it),
>         "/file/name" or "type:table" patterns.  A "/file/name" pattern is
>         replaced by its contents; a "type:table" lookup table is matched when a
>         table entry matches a lookup string (the lookup result is ignored).
>         Continue long lines by starting the next line with whitespace. Specify
>         "!pattern" to exclude an address or network block from the list. The
>         form "!/file/name" is supported only in Postfix version 2.4 and later.
>
>         Note: IP version 6 address information must be specified inside [] in
>         the smtpd_authorized_xforward_hosts value, and in files specified with
>         "/file/name".  IP version 6 addresses contain the ":" character, and
>         would otherwise be confused with a "type:table" pattern.
>
> As with the vast majority of Postfix parameters, "$variable" expansion
> applies.  However, you generally should not use $mynetworks here.  More
> typically that should just be "127.0.0.1" for allowing xforward data to
> flow across a local SMTP content filter.  Even if some xforward systems
> are truly separate upstream hosts, I'd recommend setting this separately
> from mynetworks.
>
Thanks Viktor,

I did: postconf -e smtpd_authorized_xforward_hosts="127.0.0.1"

postfix reload

then

sendmail -i [hidden email] <
/usr/share/doc/amavisd-new-2.10.1/test-messages/README

And amavis is complaining about Open relay.  So looks very much like
amavis is just not getting this right.

Apr 24 18:04:58 z9m9z amavis[29479]: (29479-02) LMTP [127.0.0.1]:10024
/var/spool/amavisd/tmp/amavis-20170424T102114-29479-kiPcalrA:
<[hidden email]> -> <[hidden email]> SIZE=1424
Received: from z9m9z.test.htt-consult.com ([127.0.0.1]) by localhost
(z9m9z.test.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with
LMTP for <[hidden email]>; Mon, 24 Apr 2017 18:04:58 -0400 (EDT)

Apr 24 18:04:58 z9m9z amavis[29479]: (29479-02) Checking: f4bZ8Ga89YJd
[127.0.0.1] <[hidden email]> -> <[hidden email]>

Apr 24 18:04:58 z9m9z amavis[29479]: (29479-02) Open relay? Nonlocal
recips but not originating: [hidden email]