exception to the rule reject_unknown_client_hostname

exception to the rule reject_unknown_client_hostname

Francesc Peñalvez
Exception to the rule reject_unknown_client_hostname: since having it
active, there are some IPs whose reverse (inverse) DNS causes their emails
to be blocked. Could you put some type of exception for certain IPs that I
really know, so that I do not block their mail?

--
This message and any attachments are confidential and intended for the named addressee(s) only.
If you have received this message in error, please notify immediately the sender, then delete
the message. Any unauthorized modification, edition, use or dissemination is prohibited.
The sender shall not be liable for this message if it has been modified, altered, falsified, infected
by a virus or even edited or disseminated without authorization.
***********************************************************************************************



Re: exception to the rule reject_unknown_client_hostname

Bill Cole
On 15 Dec 2018, at 0:56, Francesc Peñalvez wrote:

> Exception to the rule reject_unknown_client_hostname: since having it
> active, there are some IPs whose reverse (inverse) DNS causes their emails
> to be blocked. Could you put some type of exception for certain IPs that I
> really know, so that I do not block their mail?

The reject_unknown_client_hostname restriction directive resides in one
of the "smtpd_*_restrictions" restriction lists, most likely
smtpd_client_restrictions or smtpd_recipient_restrictions. It can be
overridden by a PERMIT result from any restriction directive preceding
it *in the same restriction list* which permits the mail.

This can get very complicated because each restriction list is run
independently, in a fixed logical order for each normal message
transaction: client, helo, sender, recipient, relay, data, end_of_data.
A REJECT result at any point is immediate and unconditional: later
restriction directives in the same list are not tested and later lists
are not run. An OK result from any restriction directive terminates
evaluation of the restriction list where it resides, but DOES NOT carry
over to later restriction lists.

So, your current config may include something like:

smtpd_recipient_restrictions = permit_mynetworks,
   [...],
   reject_unknown_recipient_domain, reject_unauth_destination,
   reject_unknown_client_hostname,
   [...]
   permit

You can override reject_unknown_client_hostname by adding an access map:

smtpd_recipient_restrictions = permit_mynetworks,
   [...],
   reject_unknown_recipient_domain, reject_unauth_destination,
   check_client_access cidr:/etc/postfix/trusted_ips.cidr,
   reject_unknown_client_hostname,
   [...]
   permit

Where the file /etc/postfix/trusted_ips.cidr contains lines like:

   # A Class C network full of unnamed hosts
   192.0.2.0/24   OK
   # One host belonging to a correspondent w/o control over their rDNS
   10.1.2.3       OK
   # Microsoft's naming is flaky in this block
   52.96.0.0/12   OK

You could use another class of map but CIDR makes the most sense for
this case because you're trying to exempt arbitrary client IPs from a
client IP restriction and CIDR does that in the most flexible and
obvious way.


--
Bill Cole
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

Re: exception to the rule reject_unknown_client_hostname

Viktor Dukhovni
> On Dec 15, 2018, at 1:56 PM, Bill Cole wrote:
>
> The reject_unknown_client_hostname restriction directive resides in one of the "smtpd_*_restrictions" restriction lists, most likely smtpd_client_restrictions or smtpd_recipient_restrictions. It can be overridden by a PERMIT result from any restriction directive preceding it *in the same restriction list* which permits the mail.

There's a simpler model, namely to nest the restriction in a CIDR table:

  main.cf:
    cidr = cidr:${config_directory}/
    smtpd_recipient_restrictions =
      check_client_access ${cidr}client-access.cidr

  client-access.cidr:
    192.0.2.1    reject_unknown_reverse_client_hostname
    192.0.2.0/24 DUNNO avoid false positive risk
    0.0.0.0/0    reject_unknown_client_hostname

The CIDR table (order of entries matters, put the most specific rules
first) avoids the need to white-list any addresses; "DUNNO" rules
short-circuit the lookup without a definite outcome, effectively
white-listing the address only from less specific rules in the same
table.

--
        Viktor.
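To make the evaluation rules in both replies concrete, here is an added illustration that is not Postfix code and was not posted by either author. It models the rules Bill describes (an OK ends only the restriction list it is in, a REJECT ends the whole transaction, DUNNO falls through, and the end of a list is an implicit permit) together with the cidr(5) first-match lookup Viktor relies on, and runs the three configurations (Bill's trusted_ips table, Viktor's nested table, and an assumed misconfiguration where the OK sits in a different list from the reject) over a few client IPs. The DNS answers, the client IPs, MYNETWORKS and MISPLACED_CONFIG are constructed assumptions; temporary DNS failures (which Postfix answers with a 450 defer) are not modelled.

```python
"""Model of the Postfix restriction-list and cidr-table evaluation rules
discussed in this thread.  Added illustration, not Postfix code: it
reproduces the rules (OK ends only the list it is in, REJECT ends the whole
transaction, DUNNO falls through, end of list is an implicit permit) so the
suggested configurations can be compared offline.  DNS answers are constructed."""
import ipaddress

# Constructed DNS view: client ip -> (PTR name or None, forward-confirmed?)
# reject_unknown_client_hostname needs a PTR whose name resolves back to the
# client ip; reject_unknown_reverse_client_hostname only needs a PTR.
DNS = {
    "192.0.2.1":    (None, False),                 # no PTR at all
    "192.0.2.7":    ("host7.example.net", False),  # PTR, but not forward-confirmed
    "203.0.113.5":  (None, False),                 # unnamed host outside the exemptions
    "198.51.100.9": ("mx.example.org", True),      # clean FCrDNS
}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]  # assumed $mynetworks


def cidr_lookup(table, client_ip):
    """cidr(5) semantics: entries are tried in order, the first match wins."""
    ip = ipaddress.ip_address(client_ip)
    for pattern, result in table:
        if ip in ipaddress.ip_network(pattern):
            return result
    return None


def run_restriction(name, client_ip, table=None):
    """Evaluate one restriction; returns 'OK', 'REJECT' or 'DUNNO'."""
    ptr, fcrdns = DNS.get(client_ip, (None, False))
    if name == "permit":
        return "OK"
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(client_ip)
        return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"
    if name == "reject_unknown_reverse_client_hostname":
        return "DUNNO" if ptr else "REJECT"
    if name == "reject_unknown_client_hostname":
        return "DUNNO" if (ptr and fcrdns) else "REJECT"
    if name == "check_client_access":
        result = cidr_lookup(table, client_ip)
        if result is None:
            return "DUNNO"                # no entry matched: keep evaluating the list
        action = result.split()[0]        # access(5) ignores text after the action word
        if action in ("OK", "REJECT", "DUNNO"):
            return action
        return run_restriction(action, client_ip, table)  # nested restriction name
    raise ValueError("unmodelled restriction: " + name)


def run_list(restrictions, client_ip):
    """A list stops at the first OK or REJECT; falling off the end permits."""
    for name, table in restrictions:
        verdict = run_restriction(name, client_ip, table)
        if verdict in ("OK", "REJECT"):
            return verdict
    return "OK"


def run_transaction(lists, client_ip):
    """Lists run independently, in Postfix's fixed order.  REJECT anywhere is
    final; OK ends only the list that produced it and does not carry over."""
    for list_name, restrictions in lists:
        if run_list(restrictions, client_ip) == "REJECT":
            return ("REJECT", list_name)
    return ("OK", None)


# Bill's approach: an exemption table checked just before the reject.
TRUSTED_IPS = [("192.0.2.0/24", "OK"), ("10.1.2.3", "OK"), ("52.96.0.0/12", "OK")]
BILL_CONFIG = [("smtpd_recipient_restrictions", [
    ("permit_mynetworks", None),
    ("check_client_access", TRUSTED_IPS),
    ("reject_unknown_client_hostname", None),
    ("permit", None),
])]

# Viktor's approach: the reject lives inside the cidr table, most specific
# entries first, with DUNNO as the exemption.
CLIENT_ACCESS = [
    ("192.0.2.1",    "reject_unknown_reverse_client_hostname"),
    ("192.0.2.0/24", "DUNNO avoid false positive risk"),
    ("0.0.0.0/0",    "reject_unknown_client_hostname"),
]
VIKTOR_CONFIG = [("smtpd_recipient_restrictions", [("check_client_access", CLIENT_ACCESS)])]

# Assumed misconfiguration (not from the thread): the OK sits in a different
# list from the reject, so it never overrides it.
MISPLACED_CONFIG = [
    ("smtpd_client_restrictions",    [("check_client_access", TRUSTED_IPS)]),
    ("smtpd_recipient_restrictions", [("reject_unknown_client_hostname", None)]),
]

if __name__ == "__main__":
    for label, cfg in (("bill", BILL_CONFIG), ("viktor", VIKTOR_CONFIG), ("misplaced", MISPLACED_CONFIG)):
        for ip in DNS:
            print(label, ip, run_transaction(cfg, ip))
```

Running it shows the practical difference: under Bill's table the whole 192.0.2.0/24 block is simply permitted at that point in the list, while under Viktor's table 192.0.2.7 is exempted by DUNNO but 192.0.2.1 is still rejected by the more specific reject_unknown_reverse_client_hostname entry, and the misplaced configuration rejects 192.0.2.7 even though its OK fired in the earlier list.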