hold after permit question


hold after permit question

Gary Smith-20
I have clients relaying email through a set of servers but I wanted to put a hold in there based on specific circumstances (such as they are sending too much data, so let's hold and inspect). I have a hash file (/etc/postfix/maps/hold) that is dynamically updated from a central server. So when the need calls, an entry domain.tld HOLD is added to the file and postmap'ed.

So, where do I need to put the hash file in the overall scheme of things in order to get it to hold after they have authed into the system? I was thinking of setting up an alternate port on localhost that basically has this:

# alternate-port smtpd on localhost: consult the hold table, then permit
smtpd_client_restrictions=hash:/etc/postfix/maps/hold,permit
smtpd_recipient_restrictions=hash:/etc/postfix/maps/hold,permit
relayhost=

and then have the default relayhost be localhost:alternateport

Does that make sense? Is there a better way to do this?

our existing config (outbound only email server):
postconf -n:

alias_maps = hash:/etc/postfix/custom/aliases
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_exceptions = root
message_strip_characters = \0
myhostname =
mynetworks = /etc/postfix/custom/mynetworks
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_domains = $mydestination, hash:/etc/postfix/relay
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,reject
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file =
smtpd_tls_key_file =
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_8bitmime = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/maps/rate_limit_transport,hash:/etc/postfix/maps/transport
unknown_local_recipient_reject_code = 550



RE: hold after permit question

Gary Smith-20


> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]]
> On Behalf Of Gary Smith
> Sent: Thursday, February 10, 2011 8:34 PM
> To: '[hidden email]'
> Subject: hold after permit question
>
> I have clients relaying email through a set of servers but I wanted to put a
> hold in there based on specific circumstances (such as they are sending too
> much data, so lets hold and inspect). I have a hash file
> (/etc/postfix/maps/hold) that is dynamically updated from a central server. So
> when the need calls, an entry domain.tld HOLD is added to the file and
> postmap'ed).
>
> So, where do I need to put the hash file in the overall scheme of things in
> order to get it to hold after they have authed into the system? I was thinking
> of setting up an alternate port on localhost that basically has this:
>
> smtpd_client_restrictions=hash:/etc/postfix/maps/hold,permit
> smtpd_recipient_restrictions=hash:/etc/postfix/maps/hold,permit
> relayhost=
>

Okay, playing around, this looks like it works how I would like it. The hold seems to take place after the authenticated connection on the sender address, which is what we want. Also, for the incoming email server, everything is pretty much reject so I put the hold at the end, before the default implicit permit. What I really need is a reject_unauthenticated_sender so I can just do reject_unauthenticated_sender,hash:/etc/postfix/maps/hold/,permit (or something like that) for the smtpd_client_restrictions.  Also, if you could eyeball any obvious problems with the incoming server smtpd_recipient_restrictions, I'll take any feedback.

Does smtpd_recipient_restrictions make sense here for authenticated connections?

Outgoing server:
smtpd_sender_restrictions=hash:/etc/postfix/maps/hold,permit
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject


Incoming server:
smtpd_recipient_restrictions =
   permit_mynetworks,
   reject_unknown_sender_domain,
   reject_unauth_destination,
   hash:/etc/postfix/custom/access, <-- this has some specific internal blocks (reject some senders that spam our clients)
   hash:/etc/postfix/custom/postmaster, <-- postmaster@ accept, abuse@ accept, etc
   reject_non_fqdn_recipient,
   reject_unlisted_recipient,
   reject_unknown_sender_domain,
   reject_invalid_hostname,
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client rhsbl.ahbl.org,
   check_policy_service inet:10.0.40.4:21111, <-- sqlgrey
   reject_unauth_pipelining,
   hash:/etc/postfix/maps/hold


Re: hold after permit question

Noel Jones-2
On 2/10/2011 11:58 PM, Gary Smith wrote:

>
>
>> -----Original Message-----
>> From: [hidden email] [mailto:[hidden email]]
>> On Behalf Of Gary Smith
>> Sent: Thursday, February 10, 2011 8:34 PM
>> To: '[hidden email]'
>> Subject: hold after permit question
>>
>> I have clients relaying email through a set of servers but I wanted to put a
>> hold in there based on specific circumstances (such as they are sending too
>> much data, so lets hold and inspect). I have a hash file
>> (/etc/postfix/maps/hold) that is dynamically updated from a central server. So
>> when the need calls, an entry domain.tld HOLD is added to the file and
>> postmap'ed).
>>
>> So, where do I need to put the hash file in the overall scheme of things in
>> order to get it to hold after they have authed into the system? I was thinking
>> of setting up an alternate port on localhost that basically has this:
>>
>> smtpd_client_restrictions=hash:/etc/postfix/maps/hold,permit
>> smtpd_recipient_restrictions=hash:/etc/postfix/maps/hold,permit
>> relayhost=
>>
>
> Okay, playing around, this looks like it works how I would like it. The hold seems to take place after the authenticated connection on the sender address, which is what we want. Also, for the incoming email server, everything is pretty much reject so I put the hold at the end, before the default implicit permit. What I really need is a reject_unauthenticated_sender so I can just do reject_unauthenticated_sender,hash:/etc/postfix/maps/hold/,permit (or something like that) for the smtpd_client_restrictions.  Also, if you could eyeball any obvious problems with the incoming server smtpd_recipient_restrictions, I'll take any feedback.
>

HOLD always takes place last, and only accepted mail is put on
HOLD.  Since this server is for user submission and all mail
is either authenticated or rejected, it doesn't matter too
much where you put the hold.

> Does smtpd_recipient_restrictions make sense here for authenticated connections?
>
> Outgoing server:
> smtpd_sender_restrictions=hash:/etc/postfix/maps/hold,permit
> smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

Caution: if someone ever sets the non-standard
'smtpd_delay_reject=no' the above line will reject connections
before the user has a chance to authenticate.  In this case I
suggest removing smtpd_client_restrictions.

> smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject

This line is sufficient to limit access to mynetworks and
authenticated users.

>
>
> Incoming server:
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     reject_unknown_sender_domain,
>     reject_unauth_destination,
>     hash:/etc/postfix/custom/access,<-- this has some specific internal blocks (reject some senders that spam our clients)
>     hash:/etc/postfix/custom/postmaster,<-- postmaster@ accept, abuse@ accept, etc

The above two hash tables use deprecated syntax where
check_recipient_access is assumed.  Far better to explicitly
state what the table is checking.

    check_recipient_access hash:/etc/postfix/custom/access
    check_recipient_access hash:/etc/postfix/custom/postmaster

Even better, combine the files into a single table to save
some memory.


>     reject_non_fqdn_recipient,
>     reject_unlisted_recipient,
>     reject_unknown_sender_domain,

no need to repeat this restriction.

>     reject_invalid_hostname,
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client rhsbl.ahbl.org,
>     check_policy_service inet:10.0.40.4:21111,<-- sqlgrey
>     reject_unauth_pipelining,
>     hash:/etc/postfix/maps/hold
>



   -- Noel Jones
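The three review points above (a bare table lookup that relies on the deprecated implicit check_recipient_access, a restriction listed twice, and a reject in smtpd_client_restrictions that only works while smtpd_delay_reject is left at its default) can be checked mechanically before the config is carried forward through another upgrade. The script below is an added example written for this page; it is not a Postfix tool and not part of the thread. It parses `postconf -n` style output and flags those three patterns. The SAMPLE text is a constructed excerpt modelled on the incoming-server list posted above, and the set of restrictions treated as taking an argument is a simplification that covers the common ones.

```python
"""Constructed lint (not a Postfix tool) for the three review points from
the thread: bare table lookups in a restriction list (the deprecated form
that relies on an implicit check_*_access), a restriction listed twice,
and a 'reject' in smtpd_client_restrictions that only behaves while
smtpd_delay_reject is left at its default of 'yes'."""
import re
from collections import Counter

# Restrictions that consume the following token as an argument (a table,
# a DNSBL domain or a policy server). Simplification: covers the common ones.
TAKES_ARG = re.compile(r"^(check_\w+_access|check_policy_service|reject_rbl_client|reject_rhsbl_\w+)$")

# What a bare table lookup is taken to mean in each list.
IMPLICIT = {
    "smtpd_client_restrictions": "check_client_access",
    "smtpd_helo_restrictions": "check_helo_access",
    "smtpd_sender_restrictions": "check_sender_access",
    "smtpd_recipient_restrictions": "check_recipient_access",
}

# Constructed excerpt in 'postconf -n' form, modelled on the incoming server
# list posted above (continuation lines are indented, as in main.cf).
SAMPLE = """\
smtpd_delay_reject = yes
smtpd_sasl_auth_enable = yes
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_sender_domain,
    reject_unauth_destination, hash:/etc/postfix/custom/access,
    hash:/etc/postfix/custom/postmaster, reject_non_fqdn_recipient,
    reject_unlisted_recipient, reject_unknown_sender_domain,
    reject_rbl_client zen.spamhaus.org, check_policy_service inet:10.0.40.4:21111,
    reject_unauth_pipelining, hash:/etc/postfix/maps/hold
"""


def parse_postconf(text):
    """Parse main.cf / 'postconf -n' text into {parameter: value}."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current is not None:
            params[current] += " " + line.strip()       # continuation line
        elif "=" in line:
            current, _, value = line.partition("=")
            current = current.strip()
            params[current] = value.strip()
    return params


def split_restrictions(value):
    """Turn a restriction-list value into [(restriction, argument or None)]."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, i = [], 0
    while i < len(tokens):
        if TAKES_ARG.match(tokens[i]) and i + 1 < len(tokens):
            items.append((tokens[i], tokens[i + 1]))
            i += 2
        else:
            items.append((tokens[i], None))
            i += 1
    return items


def lint(params):
    """Return [(parameter, finding)] for the three patterns."""
    findings = []
    for name, implicit in IMPLICIT.items():
        if name not in params:
            continue
        items = split_restrictions(params[name])
        for restriction, arg in items:
            if arg is None and ":" in restriction:       # e.g. hash:/etc/postfix/...
                findings.append((name, f"bare table {restriction} relies on implicit "
                                       f"{implicit}; write '{implicit} {restriction}'"))
        for restriction, count in Counter(r for r, _ in items).items():
            if count > 1:
                findings.append((name, f"{restriction} listed {count} times; once is sufficient"))
    client = split_restrictions(params.get("smtpd_client_restrictions", ""))
    if params.get("smtpd_sasl_auth_enable") == "yes" and any(r.startswith("reject") for r, _ in client):
        findings.append(("smtpd_client_restrictions",
                         "contains a reject; works only while smtpd_delay_reject=yes (the default). "
                         "With smtpd_delay_reject=no it fires at connect, before AUTH; "
                         "keep the policy in smtpd_recipient_restrictions instead"))
    return findings


if __name__ == "__main__":
    for parameter, finding in lint(parse_postconf(SAMPLE)):
        print(f"{parameter}: {finding}")
```

Run against the constructed sample it reports the three bare tables (access, postmaster and hold), the doubled reject_unknown_sender_domain, and the client-restrictions caveat. Feeding it the real `postconf -n` output of the two servers is a one-line change.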

RE: hold after permit question

Gary Smith-20
> HOLD always takes place last, and only accepted mail is put on
> HOLD.  Since this server is for user submission and all mail
> is either authenticated or rejected, it doesn't matter too
> much where you put the hold.

Good to know. I probably asked the same question years ago, but this helps.

> > smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>
> Caution: if someone ever sets the non-standard
> 'smtpd_delay_reject=no' the above line will reject connections
> before the user has a chance to authenticate.  In this case I
> suggest removing smtpd_client_restrictions.

I'll fix that. So I really only need permit_sasl_authenticated for smtpd_sender_restrictions then?

>
> > smtpd_recipient_restrictions =
> permit_mynetworks,permit_sasl_authenticated,reject
>
> This line is sufficient to limit access to mynetworks and
> authenticated users.
>

Do I even need this at all if I'm using smtpd_sender_restrictions since this is an outgoing only server?

> >
> >
> > Incoming server:
> > smtpd_recipient_restrictions =
> >     permit_mynetworks,
> >     reject_unknown_sender_domain,
> >     reject_unauth_destination,
> >     hash:/etc/postfix/custom/access,<-- this has some specific internal
> blocks (reject some senders that spam our clients)
> >     hash:/etc/postfix/custom/postmaster,<-- postmaster@ accept, abuse@
> accept, etc
>
> The above two hash tables use deprecated syntax where
> check_recipient_access is assumed.  Far better to explicitly
> state what the table is checking.
>

Good to know. This set of rules seems to get carried forward with upgrades over time. I'll tweak accordingly.

>     check_recipient_access hash:/etc/postfix/custom/access
>     check_recipient_access hash:/etc/postfix/custom/postmaster
 
Postmaster is a static file, access gets updates dynamically based on rules from a central server, otherwise I would

> Even better, combine the files into a single table to save
> some memory.
>
>
> >     reject_non_fqdn_recipient,
> >     reject_unlisted_recipient,
> >     reject_unknown_sender_domain,
>
> no need to repeat this restriction.

which restriction?

>
> >     reject_invalid_hostname,
> >     reject_rbl_client zen.spamhaus.org,
> >     reject_rbl_client bl.spamcop.net,
> >     reject_rbl_client rhsbl.ahbl.org,
> >     check_policy_service inet:10.0.40.4:21111,<-- sqlgrey
> >     reject_unauth_pipelining,
> >     hash:/etc/postfix/maps/hold
> >


Re: hold after permit question

Noel Jones-2
On 2/11/2011 10:55 AM, Gary Smith wrote:

>>> smtpd_recipient_restrictions =
>> permit_mynetworks,permit_sasl_authenticated,reject
>>
>> This line is sufficient to limit access to mynetworks and
>> authenticated users.
>>
>
> Do I even need this at all if I'm using smtpd_sender_restrictions since this is an outgoing only server?


You must have permit_sasl_authenticated in
smtpd_recipient_restrictions to allow users to relay.
Typically on the outgoing only server, only
smtpd_recipient_restrictions is used and the other
smtpd_*_restrictions sections are empty.


>>>      reject_non_fqdn_recipient,
>>>      reject_unlisted_recipient,
>>>      reject_unknown_sender_domain,
>>
>> no need to repeat this restriction.
>
> which restriction?

The one that's repeated  ;)
reject_unknown_sender_domain is listed twice.


   -- Noel Jones
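Noel's statements in this and his first reply (HOLD takes place last and only on accepted mail; a reject in smtpd_client_restrictions fires before AUTH once smtpd_delay_reject=no; relaying needs permit_sasl_authenticated in smtpd_recipient_restrictions) can be seen in a small model of the restriction-list evaluation. The code below is an added example, not Postfix source: it reproduces only the list walking order, the first-PERMIT-or-REJECT-wins rule with the implicit permit at the end of a list, and an access-map HOLD that sets a flag and lets evaluation continue. The addresses, networks and hold table contents are constructed, and the access(5) lookup order is simplified. In main.cf the equivalent of the hold entry used here is `check_sender_access hash:/etc/postfix/maps/hold`.

```python
"""Constructed model (not Postfix source) of how smtpd(8) walks its
smtpd_*_restrictions lists. It shows the points made in the thread:
an access-map HOLD is only applied to mail that is finally accepted,
a 'reject' in smtpd_client_restrictions fires before AUTH once
smtpd_delay_reject=no, and relaying needs permit_sasl_authenticated in
smtpd_recipient_restrictions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"   # results of one restriction

MYNETWORKS = ["127.0.0.0/8", "10.0.40.0/24"]          # constructed $mynetworks
HOLD_TABLE = {"badclient.example": "HOLD"}            # constructed maps/hold contents


@dataclass
class Session:
    client_ip: str
    sender: str
    recipient: str
    authenticated: bool = False   # set once AUTH has succeeded
    hold: bool = False            # flag a HOLD action hands to cleanup(8) on acceptance


def access_lookup(table, address):
    """access(5) lookup order for an address, simplified: user@domain,
    domain, each parent domain, then user@."""
    user, _, domain = address.partition("@")
    labels = domain.split(".")
    keys = [address, domain] + [".".join(labels[i:]) for i in range(1, len(labels))] + [user + "@"]
    return next((table[k] for k in keys if k in table), None)


def permit_mynetworks(s):
    return PERMIT if any(ip_address(s.client_ip) in ip_network(n) for n in MYNETWORKS) else DUNNO


def permit_sasl_authenticated(s):
    return PERMIT if s.authenticated else DUNNO


def reject(s):
    return REJECT


def check_sender_access(table):
    """HOLD is remembered and evaluation continues (DUNNO); OK/REJECT end the list."""
    def restriction(s):
        action = access_lookup(table, s.sender)
        if action == "HOLD":
            s.hold = True
            return DUNNO
        return {"OK": PERMIT, "REJECT": REJECT}.get(action, DUNNO)
    return restriction


def evaluate_list(restrictions, s):
    """First PERMIT or REJECT wins; running off the end is an implicit permit."""
    for r in restrictions:
        result = r(s)
        if result != DUNNO:
            return result
    return PERMIT


def simulate(cfg, s, delay_reject=True, will_auth=False):
    """Return (verdict, stage). cfg maps 'client', 'helo', 'sender', 'recipient'
    to restriction lists. With smtpd_delay_reject=yes (the default) every list
    is evaluated at RCPT TO; with 'no' each list runs at its own SMTP stage, so
    client and helo run before the client has had a chance to AUTH."""
    for stage in ("client", "helo", "sender", "recipient"):
        if delay_reject or stage == "sender":
            s.authenticated = will_auth           # AUTH comes after HELO, before MAIL FROM
        if evaluate_list(cfg.get(stage, []), s) == REJECT:
            return (REJECT, "rcpt" if delay_reject else stage)
    return ("HOLD" if s.hold else "ACCEPT", "rcpt")   # HOLD only now, for accepted mail


# The outgoing server as posted in the thread.
AS_POSTED = {
    "client": [permit_mynetworks, permit_sasl_authenticated, reject],
    "sender": [check_sender_access(HOLD_TABLE)],
    "recipient": [permit_mynetworks, permit_sasl_authenticated, reject],
}
# As advised: only smtpd_recipient_restrictions, with the hold table in front.
AS_ADVISED = {
    "recipient": [check_sender_access(HOLD_TABLE), permit_mynetworks,
                  permit_sasl_authenticated, reject],
}


def roaming(sender="user@badclient.example"):
    """A client outside mynetworks (constructed addresses)."""
    return Session("203.0.113.5", sender, "someone@example.net")


if __name__ == "__main__":
    print(simulate(AS_POSTED, roaming(), will_auth=True))                       # ('HOLD', 'rcpt')
    print(simulate(AS_POSTED, roaming(), will_auth=False))                      # ('REJECT', 'rcpt')
    print(simulate(AS_POSTED, roaming(), delay_reject=False, will_auth=True))   # ('REJECT', 'client')
    print(simulate(AS_ADVISED, roaming(), delay_reject=False, will_auth=True))  # ('HOLD', 'rcpt')
```

The second case is the one worth noticing: an unauthenticated sender in the hold table is rejected, not held, because the HOLD flag is only handed to the queue for mail the lists accept. The third case is the smtpd_delay_reject=no trap, which disappears in the fourth once the policy lives only in smtpd_recipient_restrictions.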

RE: hold after permit question

Gary Smith-20
 
> You must have permit_sasl_authenticated in
> smtpd_recipient_restrictions to allow users to relay.
> Typically on the outgoing only server, only
> smtpd_recipient_restrictions is used and the other
> smtpd_*_restrictions sections are empty.
>

Gotcha

>
> The one that's repeated  ;)
> reject_unknown_sender_domain is listed twice.

Um, if you put the restriction twice doesn't it give it a greater effect? ;)


>
>
>    -- Noel Jones

Re: hold after permit question

Noel Jones-2
On 2/11/2011 11:36 AM, Gary Smith wrote:

>
>> You must have permit_sasl_authenticated in
>> smtpd_recipient_restrictions to allow users to relay.
>> Typically on the outgoing only server, only
>> smtpd_recipient_restrictions is used and the other
>> smtpd_*_restrictions sections are empty.
>>
>
> Gotcha
>
>>
>> The one that's repeated  ;)
>> reject_unknown_sender_domain is listed twice.
>
> Um, if you put the restriction twice doesn't it give it a greater effect? ;)

To increase the effect, google for the
reject_unknown_sender_domain_dammit feature patch.

Other than that, once is sufficient.

    -- Noel Jones

Re: hold after permit question

/dev/rob0
On Fri, Feb 11, 2011 at 11:58:10AM -0600, Noel Jones wrote:
> On 2/11/2011 11:36 AM, Gary Smith wrote:
> >Um, if you put the restriction twice doesn't it give it a
> >greater effect? ;)
>
> To increase the effect, google for the
> reject_unknown_sender_domain_dammit feature patch.

This opens up a whole new realm of possible *_dammit feature
requests. Maybe we can get that FORCEFUL_README draft ready by
the end of March?

Hmmm, some of the reject_* features could become eject_* ...
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: hold after permit question

Noel Jones-2
On 2/11/2011 1:22 PM, /dev/rob0 wrote:

> On Fri, Feb 11, 2011 at 11:58:10AM -0600, Noel Jones wrote:
>> On 2/11/2011 11:36 AM, Gary Smith wrote:
>>> Um, if you put the restriction twice doesn't it give it a
>>> greater effect? ;)
>>
>> To increase the effect, google for the
>> reject_unknown_sender_domain_dammit feature patch.
>
> This opens up a whole new realm of possible *_dammit feature
> requests. Maybe we can get that FORCEFUL_README draft ready by
> the end of March?
>
> Hmmm, some of the reject_* features could become eject_* ...


damn feature creep...