hostnames in postscreen_access_list


hostnames in postscreen_access_list

John Fawcett
Hi

I was recently trying to whitelist a client hostname that frequently
changes IP.

From the documentation, the check_client_access restriction for use with
smtpd allows specifying access table lookups which contain hostnames.

postscreen_access_list does not seem to allow hostnames in lookup tables.

Is my understanding correct? Is there a reason why hostnames should not
be supported in postscreen_access_list lookup tables?

thanks

John


Re: hostnames in postscreen_access_list

Noel Jones-2
On 11/26/2018 1:53 PM, John Fawcett wrote:

> Hi
>
> I was recently trying to whitelist a client hostname that frequently
> changes IP.
>
> From the documentation, the check_client_access restriction for use with
> smtpd allows specifying access table lookups which contain hostnames.
>
> postscreen_access_list does not seem to allow hostnames in lookup tables.
>
> Is my understanding correct? Is there a reason why hostnames should not
> be supported in postscreen_access_list lookup tables?
>
> thanks
>
> John
>


Yes, postscreen by design deals only with IP addresses.  This is
because of the intended use as a lightweight and high speed
front-end for postfix.

You didn't mention why this client changes IP frequently, or what
problem you're trying to solve.  You might get better suggestions if
you explain the problem you're having in detail.



  -- Noel Jones

Re: hostnames in postscreen_access_list

Wietse Venema
John Fawcett:

> Hi
>
> I was recently trying to whitelist a client hostname that frequently
> changes IP.
>
> From the documentation, the check_client_access restriction for use with
> smtpd allows specifying access table lookups which contain hostnames.
>
> postscreen_access_list does not seem to allow hostnames in lookup tables.
>
> Is my understanding correct? Is there a reason why hostnames should not
> be supported in postscreen_access_list lookup tables?

Yes, it is working as documented and it is working as intended.

If you have clients in blacklisted networks, they should connect
to a different address or port, and be required to authenticate.

postscreen only makes requests to well-managed DNSXL servers that
the local system admin specifies in main.cf, and it makes the request
only if the client did not pass the postscreen DNSBL check recently.
If a DNSXL server specifies a very small or very large TTL, then
postscreen clamps the TTL to a more reasonable value.

The basic idea of postscreen is that 'good' clients must have only
millisecond delays as postscreen looks up their status from postscreen
cache. That is a lot less delay than when postscreen has to do
FQRDNS on EVERY DAMNED CLIENT CONNECTION, with reverse and forward DNS
requests to DNS servers that are often not competently managed.

        Wietse

hostnames in postscreen_access_list

John Fawcett
On 26/11/2018 23:18, Noel Jones wrote:

> On 11/26/2018 1:53 PM, John Fawcett wrote:
>> Hi
>>
>> I was recently trying to whitelist a client hostname that frequently
>> changes IP.
>>
>> From the documentation, the check_client_access restriction for use with
>> smtpd allows specifying access table lookups which contain hostnames.
>>
>> postscreen_access_list does not seem to allow hostnames in lookup tables.
>>
>> Is my understanding correct? Is there a reason why hostnames should not
>> be supported in postscreen_access_list lookup tables?
>>
>> thanks
>>
>> John
>>
>
> Yes, postscreen by design deals only with IP addresses.  This is
> because of the intended use as a lightweight and high speed
> front-end for postfix.
>
> You didn't mention why this client changes IP frequently, or what
> problem you're trying to solve.  You might get better suggestions if
> you explain the problem you're having in detail.
>
>
>
>   -- Noel Jones

Thanks Noel for the confirmation.

The reason the IP changes frequently is because it's an xDSL line with a
dynamic IP. Some devices on the network need to send emails to my mail
server which can go out over this connection. My ISP correctly lists the
dynamic IPs in PBL. I use the zen.spamhaus.org list on my mail server, which
includes PBL, so I am blacklisting email arriving from the xDSL line. I
wanted to make an exception by whitelisting my own IPs. For my fixed IPs
there is no problem; I just list them in an access file. For my dynamic
IP I could not do that easily. I could just use the email relay of my
ISP on these devices, but the thing is they don't use the xDSL
exclusively. Therefore the only solution I see is to use an
authenticated connection to the mail server.

John



Re: hostnames in postscreen_access_list

John Fawcett
On 27/11/2018 00:09, Wietse Venema wrote:

> John Fawcett:
>> Hi
>>
>> I was recently trying to whitelist a client hostname that frequently
>> changes IP.
>>
>> From the documentation, the check_client_access restriction for use with
>> smtpd allows specifying access table lookups which contain hostnames.
>>
>> postscreen_access_list does not seem to allow hostnames in lookup tables.
>>
>> Is my understanding correct? Is there a reason why hostnames should not
>> be supported in postscreen_access_list lookup tables?
> Yes, it is working as documented and it is working as intended.
>
> If you have clients in blacklisted networks, they should connect
> to a different address or port, and be required to authenticate.
>
> postscreen only makes requests to well-managed DNSXL servers that
> the local system admin specifies in main.cf, and it makes the request
> only if the client did not pass the postscreen DNSBL check recently.
> If a DNSXL server specifies a very small or very large TTL, then
> postscreen clamps the TTL to a more reasonable value.
>
> The basic idea of postscreen is that 'good' clients must have only
> millisecond delays as postscreen looks up their status from postscreen
> cache. That is a lot less delay than when postscreen has to do
> FQRDNS on EVERY DAMNED CLIENT CONNECTION, with reverse and forward DNS
> requests to DNS servers that are often not competently managed.
>
> Wietse

Thanks Wietse for explaining the logic behind it and I'll go the route
of authentication.

John


Re: hostnames in postscreen_access_list

Matus UHLAR - fantomas
On 27.11.18 21:48, John Fawcett wrote:

>The reason the IP changes frequently is because it's an xDSL line with a
>dynamic IP. Some devices on the network need to send emails to my mail
>server which can go out over this connection. My ISP correctly lists the
>dynamic IPs in PBL. I use the zen.spamhaus.org list on my mail server, which
>includes PBL, so I am blacklisting email arriving from the xDSL line. I
>wanted to make an exception by whitelisting my own IPs. For my fixed IPs
>there is no problem; I just list them in an access file. For my dynamic
>IP I could not do that easily. I could just use the email relay of my
>ISP on these devices, but the thing is they don't use the xDSL
>exclusively. Therefore the only solution I see is to use an
>authenticated connection to the mail server.

Connection to alternative ports where authentication is required and
postscreen and blacklists are not used is exactly what is needed in these
cases. Those ports were even designed for this purpose...

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
   One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
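As an added example (not configuration posted in this thread), here is a Postfix setup that implements the advice from Wietse and Matus above: postscreen on port 25 whitelists only fixed addresses, keyed by client IP, while the devices on the dynamic xDSL line use the submission port, which never passes through postscreen or the DNSBL and requires TLS plus SASL authentication. File paths and the 192.0.2.x / 198.51.100.x addresses are assumptions.

```ini
# main.cf (assumed example values)
# postscreen consults tables keyed by the client IP only, so a fixed
# address can be listed here but a dynamic xDSL address cannot.
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_sites = zen.spamhaus.org
postscreen_dnsbl_action = enforce

# /etc/postfix/postscreen_access.cidr (cidr_table(5): pattern, then result)
# No postmap step is needed for cidr: tables.
# fixed address of a trusted client
192.0.2.10      permit
# fixed network of trusted clients
198.51.100.0/24 permit

# master.cf: port 25 goes through postscreen, then to a pass-through smtpd.
smtp       inet  n  -  -  -  1  postscreen
smtpd      pass  -  -  -  -  -  smtpd
dnsblog    unix  -  -  -  -  0  dnsblog
tlsproxy   unix  -  -  -  -  0  tlsproxy
# Port 587 bypasses postscreen and the DNSBL entirely: clients must use TLS
# and authenticate, so the changing xDSL address never needs whitelisting.
submission inet  n  -  -  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

With this layout a PBL-listed client connecting on port 25 is still rejected by postscreen, while the same client authenticating on port 587 is accepted, which is the behaviour the thread settles on.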