nice reject


nice reject

A. Schulze
Hi,

An smtpd_recipient_restrictions for a submission service usually ends
with an explicit "reject". That results in an SMTP response string
   554 5.7.1 <recipient>: Recipient address rejected: Access denied

Sometimes it's helpful to have a more detailed error,
"please authenticate", "go away", "goto http://here.you.get/help", or  
any other descriptive text.

Currently I do this with a separate file.

  ...
  smtpd_recipient_restrictions =
    check_foo_to_allow_something,
    check_recipient_access pcre:$config_directory/nice_reject.pcre
    # never reached
    reject

  nice_reject.pcre:
    /.*/ REJECT you did this or that wrong, call +49 ... for assistance

It would be nice if I could specify this directly as an argument to reject
in main.cf.

<wish>
  smtpd_recipient_restrictions =
    check_foo_to_allow_something,
    reject "you did this or that wrong, call +49 ... for assistance"
</wish>

Is that possible?
At least the configuration would be much [easier|more precise].


Andreas



Re: nice reject

Noel Jones-2
On 11/21/2014 2:25 PM, A. Schulze wrote:

> Hi,
>
> An smtpd_recipient_restrictions for a submission service usually ends
> with an explicit "reject". That results in an SMTP response string
>   554 5.7.1 <recipient>: Recipient address rejected: Access denied
>
> Sometimes it's helpful to have a more detailed error,
> "please authenticate", "go away", "goto http://here.you.get/help",
> or any other descriptive text.
>
> Currently I do this with a separate file.
>
>  ...
>  smtpd_recipient_restrictions =
>    check_foo_to_allow_something,
>    check_recipient_access pcre:$config_directory/nice_reject.pcre
>    # never reached
>    reject
>
>  nice_reject.pcre:
>    /.*/ REJECT you did this or that wrong, call +49 ... for assistance
>
> It would be nice if I could specify this directly as an argument to
> reject in main.cf.
>
> <wish>
>  smtpd_recipient_restrictions =
>    check_foo_to_allow_something,
>    reject "you did this or that wrong, call +49 ... for assistance"
> </wish>
>
> Is that possible?
> At least the configuration would be much [easier|more precise].
>
>
> Andreas
>
>


We use the built-in feature for this:
http://www.postfix.org/postconf.5.html#smtpd_reject_footer

It's a really nice idea, but in practice few people ever use the
contact or correction info provided in a reject message -- some
end-user mail programs seem to go to great effort to hide
potentially helpful info from the user, so a lot of people never see it.

A couple times a year someone actually uses our online contact form,
seldom enough that I'm always surprised.  But it makes me feel
better to know it's always there, waiting to help some poor soul.




  -- Noel Jones

Re: nice reject

A. Schulze

Noel Jones:

> We use the built-in feature for this:
> http://www.postfix.org/postconf.5.html#smtpd_reject_footer
Aha, good point

>
> It's a really nice idea, but in practice few people ever use the
> contact or correction info provided in a reject message -- some
> end-user mail programs seem to go to great effort to hide
> potentially helpful info from the user, so a lot of people never see it.
>
> A couple times a year someone actually uses our online contact form,
> seldom enough that I'm always surprised.  But it makes me feel
> better to know it's always there, waiting to help some poor soul.

Mostly I don't look at MX but at dedicated submission points...

Andreas


Re: nice reject

Wietse Venema
In reply to this post by A. Schulze
A. Schulze:
> <wish>
>   smtpd_recipient_restrictions =
>     check_foo_to_allow_something,
>     reject "you did this or that wrong, call +49 ... for assistance"
> </wish>
>
> Is that possible?

smtpd_recipient_restrictions does not support free text and the
main.cf parser does not support quotes.

Fortunately, neither is needed.

An improved "static" table would do the job:

    check_recipient_access static:{reject you did this or that ...}

I'll post a patch in a little while. This takes four lines of code.

        Wietse

Re: nice reject

A. Schulze

wietse:

> An improved "static" table would do the job:
>
>     check_recipient_access static:{reject you did this or that ...}
>
> I'll post a patch in a little while. This takes four lines of code.

Don't hurry, the system I'm currently working on isn't up to date anyway.
The perspective is enough for now. Thanks!

Andreas


PATCH: static:{reject text ...} (was: nice reject)

Wietse Venema
In reply to this post by Wietse Venema
Wietse Venema:

> A. Schulze:
> > <wish>
> >   smtpd_recipient_restrictions =
> >     check_foo_to_allow_something,
> >     reject "you did this or that wrong, call +49 ... for assistance"
> > </wish>
> >
> > Is that possible?
>
> smtpd_recipient_restrictions does not support free text and the
> main.cf parser does not support quotes.
>
> Fortunately, neither is needed.
>
> An improved "static" table would do the job:
>
>     check_recipient_access static:{reject you did this or that ...}
>
> I'll post a patch in a little while. This takes four lines of code.

Four lines would be cheating. It takes more lines when done right.
Below is a patch for Postfix 2.12 versions after 20141005.

        Wietse

*** /var/tmp/postfix-2.12-20141119/src/util/dict_static.c 2012-01-07 10:37:11.000000000 -0500
--- src/util/dict_static.c 2014-11-21 17:17:40.000000000 -0500
***************
*** 37,42 ****
--- 37,43 ----
 
  #include "mymalloc.h"
  #include "msg.h"
+ #include "stringops.h"
  #include "dict.h"
  #include "dict_static.h"
 
***************
*** 56,69 ****
 
  /* dict_static_open - make association with static variable */
 
! DICT   *dict_static_open(const char *name, int unused_flags, int dict_flags)
  {
      DICT   *dict;
 
      dict = dict_alloc(DICT_TYPE_STATIC, name, sizeof(*dict));
      dict->lookup = dict_static_lookup;
      dict->close = dict_static_close;
      dict->flags = dict_flags | DICT_FLAG_FIXED;
      dict->owner.status = DICT_OWNER_TRUSTED;
!     return (DICT_DEBUG (dict));
  }
--- 57,98 ----
 
  /* dict_static_open - make association with static variable */
 
! DICT   *dict_static_open(const char *name, int open_flags, int dict_flags)
  {
      DICT   *dict;
+     const char *err;
+     char   *cp, *saved_name = 0;
 
+     /*
+      * Let the optimizer worry about eliminating redundant code.
+      */
+ #define DICT_STATIC_OPEN_RETURN(d) do { \
+         DICT *__d = (d); \
+         if (saved_name != 0) \
+             myfree(saved_name); \
+         return (__d); \
+     } while (0)
+
+     /*
+      * Optionally strip surrounding braces and whitespace.
+      */
+     if (name[0] == CHARS_BRACE[0]) {
+ saved_name = cp = mystrdup(name);
+ if ((err = extpar(&cp, CHARS_BRACE, EXTPAR_FLAG_STRIP)) != 0)
+    DICT_STATIC_OPEN_RETURN(dict_surrogate(DICT_TYPE_STATIC, name,
+   open_flags, dict_flags,
+   "bad %s:name syntax: %s",
+   DICT_TYPE_STATIC, err));
+ name = cp;
+     }
+
+     /*
+      * Bundle up the request.
+      */
      dict = dict_alloc(DICT_TYPE_STATIC, name, sizeof(*dict));
      dict->lookup = dict_static_lookup;
      dict->close = dict_static_close;
      dict->flags = dict_flags | DICT_FLAG_FIXED;
      dict->owner.status = DICT_OWNER_TRUSTED;
!     DICT_STATIC_OPEN_RETURN(DICT_DEBUG (dict));
  }
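
Review bot: In the brace branch, "name = cp;" leaves name pointing into saved_name, and DICT_STATIC_OPEN_RETURN then frees saved_name on the success path right after dict_alloc(DICT_TYPE_STATIC, name, ...) has been called with it. That is only safe if dict_alloc() keeps its own copy of name rather than the pointer, which these lines do not show; a short comment at "name = cp;" stating that assumption would keep a later refactor from turning this into a use-after-free. The macro does evaluate its argument before calling myfree(), so the dict_surrogate() error path is ordered correctly. As a style point, the macro's local "__d" uses a double-underscore prefix that C reserves for the implementation, and the macro is never #undef'd after the function.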

Re: nice reject

Christian Rößner
In reply to this post by Wietse Venema

> On 21.11.2014 at 22:06, Wietse Venema <[hidden email]> wrote:
>
> check_recipient_access static:{reject you did this or that ...}
>
> I'll post a patch in a little while. This takes four lines of code.

I would love to see this. I use current snapshots here, so I can use it, if it has been implemented.

Thanks

Christian
--
Bachelor of Science Informatik
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com



Re: PATCH: static:{reject text ...} (was: nice reject)

Christian Rößner
In reply to this post by Wietse Venema

> On 21.11.2014 at 23:23, Wietse Venema <[hidden email]> wrote:
>
> Wietse Venema:
>> A. Schulze:
>>> <wish>
>>>  smtpd_recipient_restrictions =
>>>    check_foo_to_allow_something,
>>>    reject "you did this or that wrong, call +49 ... for assistance"
>>> </wish>
>>>
>>> Is that possible?
>>
>> smtpd_recipient_restrictions does not support free text and the
>> main.cf parser does not support quotes.
>>
>> Fortunately, neither is needed.
>>
>> An improved "static" table would do the job:
>>
>>    check_recipient_access static:{reject you did this or that ...}
>>
>> I'll post a patch in a little while. This takes four lines of code.
>
> Four lines would be cheating. It takes more lines when done right.
> Below is a patch for Postfix 2.12 versions after 20141005.
I’ll give it a try.

Thanks

>
> Wietse
>
> *** /var/tmp/postfix-2.12-20141119/src/util/dict_static.c 2012-01-07 10:37:11.000000000 -0500
> --- src/util/dict_static.c 2014-11-21 17:17:40.000000000 -0500
> ***************
> *** 37,42 ****
> --- 37,43 ----
>
>  #include "mymalloc.h"
>  #include "msg.h"
> + #include "stringops.h"
>  #include "dict.h"
>  #include "dict_static.h"
>
> ***************
> *** 56,69 ****
>
>  /* dict_static_open - make association with static variable */
>
> ! DICT   *dict_static_open(const char *name, int unused_flags, int dict_flags)
>  {
>      DICT   *dict;
>
>      dict = dict_alloc(DICT_TYPE_STATIC, name, sizeof(*dict));
>      dict->lookup = dict_static_lookup;
>      dict->close = dict_static_close;
>      dict->flags = dict_flags | DICT_FLAG_FIXED;
>      dict->owner.status = DICT_OWNER_TRUSTED;
> !     return (DICT_DEBUG (dict));
>  }
> --- 57,98 ----
>
>  /* dict_static_open - make association with static variable */
>
> ! DICT   *dict_static_open(const char *name, int open_flags, int dict_flags)
>  {
>      DICT   *dict;
> +     const char *err;
> +     char   *cp, *saved_name = 0;
>
> +     /*
> +      * Let the optimizer worry about eliminating redundant code.
> +      */
> + #define DICT_STATIC_OPEN_RETURN(d) do { \
> +         DICT *__d = (d); \
> +         if (saved_name != 0) \
> +             myfree(saved_name); \
> +         return (__d); \
> +     } while (0)
> +
> +     /*
> +      * Optionally strip surrounding braces and whitespace.
> +      */
> +     if (name[0] == CHARS_BRACE[0]) {
> + saved_name = cp = mystrdup(name);
> + if ((err = extpar(&cp, CHARS_BRACE, EXTPAR_FLAG_STRIP)) != 0)
> +    DICT_STATIC_OPEN_RETURN(dict_surrogate(DICT_TYPE_STATIC, name,
> +   open_flags, dict_flags,
> +   "bad %s:name syntax: %s",
> +   DICT_TYPE_STATIC, err));
> + name = cp;
> +     }
> +
> +     /*
> +      * Bundle up the request.
> +      */
>      dict = dict_alloc(DICT_TYPE_STATIC, name, sizeof(*dict));
>      dict->lookup = dict_static_lookup;
>      dict->close = dict_static_close;
>      dict->flags = dict_flags | DICT_FLAG_FIXED;
>      dict->owner.status = DICT_OWNER_TRUSTED;
> !     DICT_STATIC_OPEN_RETURN(DICT_DEBUG (dict));
>  }
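
Review bot: The test "name[0] == CHARS_BRACE[0]" changes the meaning of any existing static: table whose value already begins with "{", and nothing in the patch documents that. Before this change name was handed to dict_alloc() unchanged; now such a value goes through extpar() with EXTPAR_FLAG_STRIP and either loses its surrounding braces and whitespace or is turned into a dict_surrogate() "bad static:name syntax" error. The patch has no documentation hunk, so the file's header comment and the static: table documentation should describe the new static:{text with spaces} form and say how a value with a literal leading brace is to be written.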

Re: PATCH: static:{reject text ...} (was: nice reject)

Christian Rößner

> On 22.11.2014 at 10:11, Christian Rößner <[hidden email]> wrote:
>
> I’ll give it a try.


 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1:DHE-RSA-AES256-SHA:256
=== TLS no local certificate set
=== TLS peer DN="/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.roessner-net.de"
 ~> EHLO MacBook-Pro.local
<~  250-mail.roessner-net.de
<~  250-PIPELINING
<~  250-SIZE 31457280
<~  250-VRFY
<~  250-ETRN
<~  250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
<~  250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
<~  250-ENHANCEDSTATUSCODES
<~  250-8BITMIME
<~  250-DSN
<~  250 SMTPUTF8
 ~> MAIL FROM:<[hidden email]>
<~  250 2.1.0 Ok
 ~> RCPT TO:<[hidden email]>
<~* 554-5.7.1 <[hidden email]>: Recipient address rejected: Sie haben sich nicht erfolgreich authentifiziert
<~* 554 5.7.1 For assistance, please provide the following information in your problem report: time (Nov 22 11:23:35), client (193.239.106.201:32794) and server (mail.roessner-net.de).
 ~> QUIT
<~  221 2.0.0 Bye
=== Connection closed with remote host.

One question: I also have set smtpd_reject_footer. So I get two reject texts. The first comes from the patch, the second from smtpd_reject_footer. Is that the normal wanted behavior?

smtpd_reject_footer =
 For assistance, please provide the following information in your problem report:
 time (${localtime}), client (${client_address}:${client_port}) and server (${server_name}).

smtpd_relay_restrictions =
    check_sender_access pcre:${map}/sender_access.pcre,
    check_recipient_access ${mapidx}/reject_srvint_net,
    reject_non_fqdn_recipient,
    permit_tls_clientcerts,
    permit_sasl_authenticated,
    reject_unauthenticated_sender_login_mismatch,
    check_recipient_access static:{ reject Sie haben sich nicht erfolgreich authentifiziert },
    reject

Christian

Re: PATCH: static:{reject text ...}

lists@rhsoft.net

On 22.11.2014 at 11:30, Christian Rößner wrote:
> One question: I also have set smtpd_reject_footer. So I get two reject texts. The first comes from the patch, the second from smtpd_reject_footer. Is that the normal wanted behavior?

surely - a footer is a footer and because it comes *everywhere* at the
end it contains the neutral part of the message like contact and so on

if you don't want "smtpd_reject_footer" don't configure it

BTW: it should start with \c because there are devices like barracuda
networks showing *only* the last line of the reject text if there is more
than one meaning *only* the footer without any useful text

smtpd_reject_footer = \c, your text

> smtpd_reject_footer =
>   For assistance, please provide the following information in your problem report:
>   time (${localtime}), client (${client_address}:${client_port}) and server (${server_name}).
>
> smtpd_relay_restrictions =
>      check_sender_access pcre:${map}/sender_access.pcre,
>      check_recipient_access ${mapidx}/reject_srvint_net,
>      reject_non_fqdn_recipient,
>      permit_tls_clientcerts,
>      permit_sasl_authenticated,
>      reject_unauthenticated_sender_login_mismatch,
>      check_recipient_access static:{ reject Sie haben sich nicht erfolgreich authentifiziert },
>      reject
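
The last-line-only display problem raised in the post above, as an added example that is not part of the original thread: a small Python parser for multi-line SMTP replies, run on a constructed, shortened copy of the 554 reply from the transcript. The address user@example.com is a placeholder, and render_reject is a hypothetical helper that models footer placement in simplified form; it is not Postfix code.

```python
import re

# Constructed sample: the two-line 554 reply from the transcript in this
# thread, shortened, with a placeholder address.
REPLY_TWO_LINES = (
    "554-5.7.1 <user@example.com>: Recipient address rejected: "
    "Sie haben sich nicht erfolgreich authentifiziert\r\n"
    "554 5.7.1 For assistance, please provide the following information "
    "in your problem report: time (Nov 22 11:23:35)\r\n"
)

# code, continuation marker ("-" = more lines follow), optional enhanced code
LINE_RE = re.compile(r"^(\d{3})([ -])(?:([245]\.\d{1,3}\.\d{1,3}) )?(.*)$")


def parse_reply(raw):
    """Parse one SMTP reply into (code, enhanced_code, list_of_text_lines)."""
    lines = raw.splitlines()
    if not lines:
        raise ValueError("empty reply")
    code = enhanced = None
    texts = []
    for i, line in enumerate(lines):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        c, sep, enh, text = m.groups()
        if code is None:
            code, enhanced = c, enh
        elif c != code:
            raise ValueError("reply code changes within one reply")
        # Only the final line may use a space after the code.
        if (sep == " ") != (i == len(lines) - 1):
            raise ValueError("continuation marker in the wrong place")
        texts.append(text)
    return code, enhanced, texts


def last_line_only(raw):
    """Text shown by a client or appliance that displays only the final line."""
    return parse_reply(raw)[2][-1]


def render_reject(code, enhanced, reason, footer):
    """Simplified model (assumption, not Postfix code) of footer placement:
    a leading backslash-c appends the footer to the reason line."""
    if footer.startswith("\\c"):
        return f"{code} {enhanced} {reason}{footer[2:]}\r\n"
    return f"{code}-{enhanced} {reason}\r\n{code} {enhanced} {footer}\r\n"
```

With the two-line reply, last_line_only() returns only the footer and the actual reject reason is lost; with a footer that starts with \c the reason and footer share the single final line.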

Re: PATCH: static:{reject text ...}

Christian Rößner

> On 22.11.2014 at 11:38, [hidden email] wrote:
>
> surely - a footer is a footer and because it comes *everywhere* at the end it contains the neutral part of the message like contact and so on
>
> if you don't want "smtpd_reject_footer" don't configure it

Yes, you are right. Sorry

postscreen_reject_footer (default: $smtpd_reject_footer)
       Optional information that is __appended__ after a 4XX or 5XX postscreen(8) server response. See smtpd_reject_footer for further details.

Thanks

Christian