problems follow with certain rules


problems follow with certain rules

Francesc Peñalvez-2
Following the instructions given to me, I placed the access in front of the
rule that does not support unresolved IPs, and as I still have the same
problems I added a debug for the IP that interests me. Among other
things in this debug I find this:
16:43:05 ns postfix/smtpd[28258]: generic_checks: name = check_client_access
Apr 2 16:43:05 ns postfix/smtpd[28258]: check_namadr_access: name unknown addr 213.4.61.170
Apr 2 16:43:05 ns postfix/smtpd[28258]: check_domain_access: unknown
Apr 2 16:43:05 ns postfix/smtpd[28258]: maps_find: hash:/etc/postfix/access: unknown: not found
Apr 2 16:43:05 ns postfix/smtpd[28258]: check_addr_access: 213.4.61.170
My access file contains:
213.4.61.170 OK

Where do I have the error?

--




Re: problems follow with certain rules

Noel Jones-2
On 4/2/2019 10:17 AM, Francesc Peñalvez wrote:

> Following the instructions given to me, I placed the access in front of
> the rule that does not support unresolved IPs, and as I still have
> the same problems I added a debug for the IP that interests me. Among
> other things in this debug I find this:
> 16:43:05 ns postfix/smtpd[28258]: generic_checks: name = check_client_access
> Apr 2 16:43:05 ns postfix/smtpd[28258]: check_namadr_access: name unknown addr 213.4.61.170
> Apr 2 16:43:05 ns postfix/smtpd[28258]: check_domain_access: unknown
> Apr 2 16:43:05 ns postfix/smtpd[28258]: maps_find: hash:/etc/postfix/access: unknown: not found
> Apr 2 16:43:05 ns postfix/smtpd[28258]: check_addr_access: 213.4.61.170
> My access file contains:
> 213.4.61.170 OK
>
> Where do I have the error?
>


There's not enough context here for anyone to say what the problem is.

If you need more help:
http://www.postfix.org/DEBUG_README.html#mail

Don't post debug logs unless specifically requested.  Normal postfix
logging is sufficient to solve the vast majority of problems.



   -- Noel Jones

Re: problems follow with certain rules

Bill Cole-3
In reply to this post by Francesc Peñalvez-2
On 2 Apr 2019, at 11:17, Francesc Peñalvez wrote:

> Following the instructions given to me, I placed the access in front of
> the rule that does not support unresolved IPs, and as I still have the
> same problems I added a debug for the IP that interests me. Among
> other things in this debug I find this:
> 16:43:05 ns postfix/smtpd[28258]: generic_checks: name = check_client_access
> Apr 2 16:43:05 ns postfix/smtpd[28258]: check_namadr_access: name unknown addr 213.4.61.170
> Apr 2 16:43:05 ns postfix/smtpd[28258]: check_domain_access: unknown
> Apr 2 16:43:05 ns postfix/smtpd[28258]: maps_find: hash:/etc/postfix/access: unknown: not found
> Apr 2 16:43:05 ns postfix/smtpd[28258]: check_addr_access: 213.4.61.170
> My access file contains:
> 213.4.61.170 OK
>
> Where do I have the error?

It is impossible for us to tell, because you have not provided enough
information.
The solution may be as simple as using 'postmap' to rebuild the
operational form of the access map (e.g. /etc/postfix/access.db) or it
may be something more complex.

See http://www.postfix.org/DEBUG_README.html#mail for how to effectively
report problems here.

Most importantly:

1. Turn off debug logging.
2. Provide the output of 'postconf -nf' and 'postconf -Mf'
3. Provide log lines relevant to a single SMTP session with the problem.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
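Bill Cole's first guess above, a compiled map that was never rebuilt, can be checked mechanically. The following is an added example (my code, neither from the thread nor from Postfix): it compares the mtime of the text access file with its .db, parses the text file's entries, and runs `postmap` only when the map is stale and the binary is installed. The directory, file names and the single entry are constructed for the demonstration.

```python
"""Check whether a Postfix hash: map's compiled .db is stale.

Added example, not code from the thread or from Postfix. smtpd reads only
the compiled .db, so an entry such as '213.4.61.170 OK' added to the text
file is invisible to check_client_access until `postmap` is re-run.
"""
import os
import shutil
import subprocess
import tempfile


def db_path(source):
    """Postfix compiles hash:/path/access into /path/access.db."""
    return source + ".db"


def map_is_stale(source):
    """True when the compiled map is missing or older than its text source."""
    db = db_path(source)
    if not os.path.exists(db):
        return True
    return os.path.getmtime(source) > os.path.getmtime(db)


def rebuild_if_stale(source, run_postmap=True):
    """Run `postmap hash:<source>` when the map is stale.

    Returns 'fresh' (nothing to do), 'rebuilt' (postmap ran) or 'skipped'
    (stale, but postmap is not installed or was not requested).
    """
    if not map_is_stale(source):
        return "fresh"
    if run_postmap and shutil.which("postmap"):
        subprocess.run(["postmap", "hash:" + source], check=True)
        return "rebuilt"
    return "skipped"


def parse_access_entries(source):
    """Parse the text access file into {key: action}; '#' lines and blank
    lines are skipped, as in the access(5) file format."""
    entries = {}
    with open(source) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            entries[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return entries


def make_sample(stale):
    """Constructed scenario in a temp dir: a text access file with one entry
    and a .db whose mtime is either behind (stale) or ahead of the source."""
    source = os.path.join(tempfile.mkdtemp(), "access")
    with open(source, "w") as fh:
        fh.write("# constructed sample access file\n213.4.61.170 OK\n")
    with open(db_path(source), "wb"):
        pass  # empty placeholder standing in for the real Berkeley DB file
    src_mtime = os.path.getmtime(source)
    db_mtime = src_mtime - 3600 if stale else src_mtime + 1
    os.utime(db_path(source), (db_mtime, db_mtime))
    return source


if __name__ == "__main__":
    for stale in (True, False):
        path = make_sample(stale)
        print(path, "stale" if map_is_stale(path) else "fresh",
              rebuild_if_stale(path, run_postmap=False),
              parse_access_entries(path))
```

On a real host, `postmap -q 213.4.61.170 hash:/etc/postfix/access` answers the same question directly: it queries the compiled map the way smtpd does, so if the text file has the line but the query prints nothing, the .db was never rebuilt.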

Re: problems follow with certain rules

Francesc Peñalvez-2
The problem is with the directive reject_unknown_reverse_client_hostname:
when there is a failure in the resolution of the IP, it blocks the
connection from this IP. To avoid that I added the IP to the access file as
indicated in the first mail, but it is still blocking that IP for not
resolving. I activated the debug on that IP in case I could see the reason,
and this is what I get, among a lot of data, when that IP connects:

  Out: 250-ETRN
  Out: 250-AUTH PLAIN LOGIN
  Out: 250-AUTH=PLAIN LOGIN
  Out: 250-ENHANCEDSTATUSCODES
  Out: 250-8BITMIME
  Out: 250 DSN
  In:  MAIL From:<[hidden email]>  SIZE=118853
  Out: 250 2.1.0 Ok
  In:  RCPT To:<[hidden email]>
  Out: 450 4.7.25 Client host rejected: cannot find your hostname,
      [217.124.241.125]
  In:  DATA
  Out: 554 5.5.1 Error: no valid recipients
  In:  RSET
  Out: 250 2.0.0 Ok
  In:  QUIT
  Out: 221 2.0.0 Bye

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
allow_untrusted_routing = yes
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_list = 213.4.61.170 195.77.249.6 212.0.124.176
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
masquerade_domains = almogavers.net
message_size_limit = 102400000
meta_directory = /etc/postfix
milter_default_action = accept
milter_protocol = 6
mydestination = ns.almogavers.net, localhost.almogavers.net, localhost,
     canalonanismo.org, canalonanismo.es, almogavers.net, web.almogavers.net,
     active.almogavers.net, 5.39.93.184, 37.187.18.41
myhostname = almogavers.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.2
     almogavers.net 192.168.1.0/24
mynetworks_style = class
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:localhost:3277
notify_classes = bounce, 2bounce, delay, policy, protocol, resource, software
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/trusted_ips.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3
     b.barracudacentral.org=127.0.0.[2..11]*2 bl.spamcop.net swl.spamhaus.org*-4
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_ttl = 10m
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /etc/postfix
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_dns_support_level = enabled
smtp_host_lookup = dns
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_ciphers = medium
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
     permit_tls_all_clientcerts permit_sasl_authenticated permit_auth_destination
     check_client_access hash:/etc/postfix/access
smtpd_hard_error_limit = 20
smtpd_helo_restrictions = permit_mynetworks, check_client_access
     hash:/etc/postfix/access, check_client_access
     cidr:/etc/postfix/trusted_ips.cidr, reject_invalid_hostname, permit
smtpd_milters = inet:localhost:3277
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
     check_client_access hash:/etc/postfix/access permit_auth_destination
     reject_unauth_destination reject_invalid_hostname
     reject_unknown_recipient_domain reject_unknown_client_hostname
     reject_unknown_reverse_client_hostname reject_unverified_recipient
     check_policy_service inet:127.0.0.1:10023
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
     defer_unauth_destination permit_inet_interfaces check_client_access
     hash:/etc/postfix/access reject_unknown_reverse_client_hostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous noplaintext
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sender_restrictions = permit_mynetworks check_client_access
     hash:/etc/postfix/access permit_auth_destination permit_sasl_authenticated
     check_sender_access inline:{ { almogavers.net = REJECT local sender from
     unauthorized client } }
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_ciphers = medium
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual

smtp       inet  n       -       y       -       -       smtpd
     -o content_filter=spamassassin
     -o smtpd_sasl_auth_enable=yes
     receive_override_options=no_header_body_checks
smtp       inet  n       -       y       -       1       postscreen
dnsblog    unix  -       -       y       -       0       dnsblog
tlsproxy   unix  -       -       y       -       0       tlsproxy
smtpd      pass  -       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
     -o syslog_name=postfix/submission
     -o smtpd_tls_security_level=encrypt
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
     -o milter_macro_daemon_name=ORIGINATING
     -o content_filter=spamassassin
smtps      inet  n       -       y       -       -       smtpd
     -o syslog_name=postfix/smtps
     -o smtpd_tls_wrappermode=yes
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
     -o milter_macro_daemon_name=ORIGINATING
pickup     fifo  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
     -o smtp_helo_timeout=5
     -o smtp_connect_timeout=5
relay      unix  -       -       y       -       -       smtp
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
     user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu
     user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn
     argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq.
     user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R
     user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
     ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe flags=FR
     user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
     ${user}
policyd-spf unix -       n       n       -       0       spawn user=policyd-spf
     argv=/usr/bin/policyd-spf
smtp-amavis unix -       -       n       -       2       smtp
     -o smtp_data_done_timeout=1200
     -o disable_dns_lookups=yes
127.0.0.1:10025 inet n   -       n       -       -       smtpd
     -o content_filter=
     -o disable_dns_lookups=yes
     -o local_recipient_maps=
     -o relay_recipient_maps=
     -o smtpd_restriction_classes=
     -o smtpd_client_restrictions=
     -o smtpd_helo_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o mynetworks=127.0.0.0/8
     -o strict_rfc821_envelopes=yes
     -o smtpd_error_sleep_time=0
     -o smtpd_soft_error_limit=1001
     -o smtpd_hard_error_limit=1000
     -o smtp_data_done_timeout=1200
     -o disable_dns_lookups=yes
spamassassin unix -      n       n       -       -       pipe user=debian-spamd
     argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
dane       unix  -       -       n       -       -       smtp
     -o smtp_dns_support_level=dnssec
     -o smtp_tls_security_level=dane
postlog    unix-dgram n  -       n       -       1       postlogd

On 02/04/2019 at 18:38, Bill Cole wrote:

> On 2 Apr 2019, at 11:17, Francesc Peñalvez wrote:
>
>> Following the instructions given to me, I placed the access in front of
>> the rule that does not support unresolved IPs, and as I still have
>> the same problems I added a debug for the IP that interests me. Among
>> other things in this debug I find this:
>> 16:43:05 ns postfix/smtpd[28258]: generic_checks: name = check_client_access
>> Apr 2 16:43:05 ns postfix/smtpd[28258]: check_namadr_access: name unknown addr 213.4.61.170
>> Apr 2 16:43:05 ns postfix/smtpd[28258]: check_domain_access: unknown
>> Apr 2 16:43:05 ns postfix/smtpd[28258]: maps_find: hash:/etc/postfix/access: unknown: not found
>> Apr 2 16:43:05 ns postfix/smtpd[28258]: check_addr_access: 213.4.61.170
>> My access file contains:
>> 213.4.61.170 OK
>>
>> Where do I have the error?
>
> It is impossible for us to tell, because you have not provided enough
> information.
> The solution may be as simple as using 'postmap' to rebuild the
> operational form of the access map (e.g. /etc/postfix/access.db) or it
> may be something more complex.
>
> See http://www.postfix.org/DEBUG_README.html#mail for how to
> effectively report problems here.
>
> Most importantly:
>
> 1. Turn off debug logging.
> 2. Provide the output of 'postconf -nf' and 'postconf -Mf'
> 3. Provide log lines relevant to a single SMTP session with the problem.
>
>



Re: problems follow with certain rules

Francesc Peñalvez-2

The IP in my last mail does not match the first one, but it is from the same company, which uses several IPs, and all of them are added to the access file.

On 02/04/2019 at 19:15, Francesc Peñalvez wrote:

> The problem is with the directive
> reject_unknown_reverse_client_hostname: when there is a failure in the
> resolution of the IP, it blocks the connection from this IP. To avoid
> that I added the IP to the access file as indicated in the first mail,
> but it is still blocking that IP for not resolving. I activated the
> debug on that IP in case I could see the reason, and this is what I
> get, among a lot of data, when that IP connects:
>
>  Out: 250-ETRN
>  Out: 250-AUTH PLAIN LOGIN
>  Out: 250-AUTH=PLAIN LOGIN
>  Out: 250-ENHANCEDSTATUSCODES
>  Out: 250-8BITMIME
>  Out: 250 DSN
>  In:  MAIL From:<[hidden email]>  SIZE=118853
>  Out: 250 2.1.0 Ok
>  In:  RCPT To:<[hidden email]>
>  Out: 450 4.7.25 Client host rejected: cannot find your hostname,
>      [217.124.241.125]
>  In:  DATA
>  Out: 554 5.5.1 Error: no valid recipients
>  In:  RSET
>  Out: 250 2.0.0 Ok
>  In:  QUIT
>  Out: 221 2.0.0 Bye
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> allow_percent_hack = no
> allow_untrusted_routing = yes
> append_dot_mydomain = no
> biff = no
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> content_filter = smtp-amavis:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_list = 213.4.61.170 195.77.249.6 212.0.124.176
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> inet_protocols = ipv4
> mail_owner = postfix
> mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
> mailbox_size_limit = 0
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/local/man
> masquerade_domains = almogavers.net
> message_size_limit = 102400000
> meta_directory = /etc/postfix
> milter_default_action = accept
> milter_protocol = 6
> mydestination = ns.almogavers.net, localhost.almogavers.net, localhost,
>     canalonanismo.org, canalonanismo.es, almogavers.net,
> web.almogavers.net,
>     active.almogavers.net, 5.39.93.184, 37.187.18.41
> myhostname = almogavers.net
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.2
>     almogavers.net 192.168.1.0/24
> mynetworks_style = class
> newaliases_path = /usr/bin/newaliases
> non_smtpd_milters = inet:localhost:3277
> notify_classes = bounce, 2bounce, delay, policy, protocol, resource,
> software
> postscreen_access_list = permit_mynetworks
> cidr:/etc/postfix/trusted_ips.cidr
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3
>     b.barracudacentral.org=127.0.0.[2..11]*2 bl.spamcop.net
> swl.spamhaus.org*-4
> postscreen_dnsbl_threshold = 1
> postscreen_dnsbl_ttl = 10m
> postscreen_greet_action = enforce
> queue_directory = /var/spool/postfix
> readme_directory = no
> recipient_delimiter = +
> sample_directory = /etc/postfix
> sender_bcc_maps = hash:/etc/postfix/bcc
> sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> shlib_directory = /usr/lib/postfix
> smtp_dns_support_level = enabled
> smtp_host_lookup = dns
> smtp_tls_CApath = /etc/ssl/certs
> smtp_tls_ciphers = medium
> smtp_tls_loglevel = 1
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_security_level = dane
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_use_tls = yes
> smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
>     permit_tls_all_clientcerts permit_sasl_authenticated
> permit_auth_destination
>     check_client_access hash:/etc/postfix/access
> smtpd_hard_error_limit = 20
> smtpd_helo_restrictions = permit_mynetworks, check_client_access
>     hash:/etc/postfix/access, check_client_access
>     cidr:/etc/postfix/trusted_ips.cidr, reject_invalid_hostname, permit
> smtpd_milters = inet:localhost:3277
> smtpd_recipient_restrictions = permit_mynetworks
> permit_sasl_authenticated
>     check_client_access hash:/etc/postfix/access permit_auth_destination
>     reject_unauth_destination reject_invalid_hostname
>     reject_unknown_recipient_domain reject_unknown_client_hostname
>     reject_unknown_reverse_client_hostname reject_unverified_recipient
>     check_policy_service inet:127.0.0.1:10023
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>     defer_unauth_destination permit_inet_interfaces check_client_access
>     hash:/etc/postfix/access reject_unknown_reverse_client_hostname
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous noplaintext
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> smtpd_sender_restrictions = permit_mynetworks check_client_access
>     hash:/etc/postfix/access permit_auth_destination
> permit_sasl_authenticated
>     check_sender_access inline:{ { almogavers.net = REJECT local
> sender from
>     unauthorized client } }
> smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
> smtpd_tls_CApath = /etc/ssl/certs
> smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
> smtpd_tls_ciphers = medium
> smtpd_tls_key_file = /etc/postfix/postfix.key.pem
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_protocols = !SSLv2, !SSLv3
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> virtual_alias_maps = hash:/etc/postfix/virtual
>
> smtp       inet  n       -       y       -       -       smtpd
>     -o content_filter=spamassassin
>     -o smtpd_sasl_auth_enable=yes
>     receive_override_options=no_header_body_checks
> smtp       inet  n       -       y       -       1 postscreen
> dnsblog    unix  -       -       y       -       0       dnsblog
> tlsproxy   unix  -       -       y       -       0       tlsproxy
> smtpd      pass  -       -       y       -       -       smtpd
> submission inet  n       -       y       -       -       smtpd
>     -o syslog_name=postfix/submission
>     -o smtpd_tls_security_level=encrypt
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>     -o milter_macro_daemon_name=ORIGINATING
>     -o content_filter=spamassassin
> smtps      inet  n       -       y       -       -       smtpd
>     -o syslog_name=postfix/smtps
>     -o smtpd_tls_wrappermode=yes
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>     -o milter_macro_daemon_name=ORIGINATING
> pickup     fifo  n       -       y       60      1       pickup
> cleanup    unix  n       -       y       -       0       cleanup
> qmgr       fifo  n       -       n       300     1       qmgr
> tlsmgr     unix  -       -       y       1000?   1       tlsmgr
> rewrite    unix  -       -       y       -       - trivial-rewrite
> bounce     unix  -       -       y       -       0       bounce
> defer      unix  -       -       y       -       0       bounce
> trace      unix  -       -       y       -       0       bounce
> verify     unix  -       -       y       -       1       verify
> flush      unix  n       -       y       1000?   0       flush
> proxymap   unix  -       -       n       -       -       proxymap
> proxywrite unix  -       -       n       -       1       proxymap
> smtp       unix  -       -       y       -       -       smtp
>     -o smtp_helo_timeout=5
>     -o smtp_connect_timeout=5
> relay      unix  -       -       y       -       -       smtp
> showq      unix  n       -       y       -       -       showq
> error      unix  -       -       y       -       -       error
> retry      unix  -       -       y       -       -       error
> discard    unix  -       -       y       -       -       discard
> local      unix  -       n       n       -       -       local
> virtual    unix  -       n       n       -       -       virtual
> lmtp       unix  -       -       y       -       -       lmtp
> anvil      unix  -       -       y       -       1       anvil
> scache     unix  -       -       y       -       1       scache
> maildrop   unix  -       n       n       -       -       pipe flags=DRhu
>     user=vmail argv=/usr/bin/maildrop -d ${recipient}
> uucp       unix  -       n       n       -       -       pipe flags=Fqhu
>     user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> ifmail     unix  -       n       n       -       -       pipe flags=F
> user=ftn
>     argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp      unix  -       n       n       -       -       pipe flags=Fq.
>     user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
> scalemail-backend unix - n       n       -       2       pipe flags=R
>     user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
>     ${user} ${extension}
> mailman    unix  -       n       n       -       -       pipe flags=FR
>     user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
>     ${user}
> policyd-spf unix -       n       n       -       0       spawn
> user=policyd-spf
>     argv=/usr/bin/policyd-spf
> smtp-amavis unix -       -       n       -       2       smtp
>     -o smtp_data_done_timeout=1200
>     -o disable_dns_lookups=yes
> 127.0.0.1:10025 inet n   -       n       -       -       smtpd
>     -o content_filter=
>     -o disable_dns_lookups=yes
>     -o local_recipient_maps=
>     -o relay_recipient_maps=
>     -o smtpd_restriction_classes=
>     -o smtpd_client_restrictions=
>     -o smtpd_helo_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_recipient_restrictions=permit_mynetworks,reject
>     -o mynetworks=127.0.0.0/8
>     -o strict_rfc821_envelopes=yes
>     -o smtpd_error_sleep_time=0
>     -o smtpd_soft_error_limit=1001
>     -o smtpd_hard_error_limit=1000
>     -o smtp_data_done_timeout=1200
>     -o disable_dns_lookups=yes
> spamassassin unix -      n       n       -       -       pipe
> user=debian-spamd
>     argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender}
> ${recipient}
> dane       unix  -       -       n       -       -       smtp
>     -o smtp_dns_support_level=dnssec
>     -o smtp_tls_security_level=dane
> postlog    unix-dgram n  -       n       -       1       postlogd
>
> On 02/04/2019 at 18:38, Bill Cole wrote:
>> On 2 Apr 2019, at 11:17, Francesc Peñalvez wrote:
>>
>>> Following the instructions given to me, I placed the access in front of
>>> the rule that does not support unresolved IPs, and as I still have
>>> the same problems I added a debug for the IP that interests me. Among
>>> other things in this debug I find this:
>>> 16:43:05 ns postfix/smtpd[28258]: generic_checks: name = check_client_access
>>> Apr 2 16:43:05 ns postfix/smtpd[28258]: check_namadr_access: name unknown addr 213.4.61.170
>>> Apr 2 16:43:05 ns postfix/smtpd[28258]: check_domain_access: unknown
>>> Apr 2 16:43:05 ns postfix/smtpd[28258]: maps_find: hash:/etc/postfix/access: unknown: not found
>>> Apr 2 16:43:05 ns postfix/smtpd[28258]: check_addr_access: 213.4.61.170
>>> My access file contains:
>>> 213.4.61.170 OK
>>>
>>> Where do I have the error?
>>
>> It is impossible for us to tell, because you have not provided enough
>> information.
>> The solution may be as simple as using 'postmap' to rebuild the
>> operational form of the access map (e.g. /etc/postfix/access.db) or
>> it may be something more complex.
>>
>> See http://www.postfix.org/DEBUG_README.html#mail for how to
>> effectively report problems here.
>>
>> Most importantly:
>>
>> 1. Turn off debug logging.
>> 2. Provide the output of 'postconf -nf' and 'postconf -Mf'
>> 3. Provide log lines relevant to a single SMTP session with the problem.
>>
>>
>
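To make the restriction-list ordering in the posted main.cf concrete, here is an added example (my code, not Postfix's and not from the thread) that models how smtpd walks each smtpd_*_restrictions list: left to right, the first PERMIT, REJECT or DEFER ends the list, DUNNO moves on, an exhausted list permits, and every list must permit before RCPT TO succeeds. The restriction names are copied from the posted configuration; how each one behaves is a deliberately simplified stand-in (an assumption) driven by a few Session fields, and the client address is a constructed documentation address, not one from the thread.

```python
"""Toy model of Postfix smtpd restriction-list evaluation.

Added example, not Postfix code and not code from the thread. Each list is
walked in order; the first non-DUNNO verdict decides that list; a list that
runs out permits; the lists themselves are consulted in smtpd's order
(client, helo, sender, relay, recipient) and all of them must permit.
"""
from dataclasses import dataclass, field

PERMIT, REJECT, DEFER, DUNNO = "PERMIT", "REJECT", "DEFER", "DUNNO"


@dataclass
class Session:
    client_ip: str
    has_reverse_name: bool        # a PTR record exists for client_ip
    reverse_name_confirmed: bool  # the PTR name resolves back to client_ip
    in_mynetworks: bool = False
    sasl_authenticated: bool = False
    recipient_is_local: bool = True
    access_map: dict = field(default_factory=dict)  # hash:/etc/postfix/access


def evaluate_restriction(name, s):
    """Simplified verdict for one restriction; unmodelled ones return DUNNO."""
    if name == "permit":
        return PERMIT
    if name == "permit_mynetworks":
        return PERMIT if s.in_mynetworks else DUNNO
    if name == "permit_sasl_authenticated":
        return PERMIT if s.sasl_authenticated else DUNNO
    if name == "permit_auth_destination":
        return PERMIT if s.recipient_is_local else DUNNO
    if name == "reject_unauth_destination":
        return DUNNO if s.recipient_is_local else REJECT
    if name == "defer_unauth_destination":
        return DUNNO if s.recipient_is_local else DEFER
    if name.startswith("check_client_access hash:"):
        action = s.access_map.get(s.client_ip)
        return {"OK": PERMIT, "REJECT": REJECT}.get(action, DUNNO)
    if name == "reject_unknown_reverse_client_hostname":
        return DUNNO if s.has_reverse_name else REJECT
    if name == "reject_unknown_client_hostname":
        # Stricter: also needs the forward lookup to confirm the PTR name.
        return DUNNO if (s.has_reverse_name and s.reverse_name_confirmed) else REJECT
    return DUNNO  # cidr maps, helo checks, policy service, verification: not modelled


def evaluate_list(restrictions, s):
    """Return (verdict, deciding restriction); an exhausted list permits."""
    for name in restrictions:
        verdict = evaluate_restriction(name, s)
        if verdict != DUNNO:
            return verdict, name
    return PERMIT, None


# The relevant lists from the posted main.cf, in smtpd's evaluation order.
POSTED_CONFIG = {
    "smtpd_client_restrictions": [
        "permit_mynetworks", "permit_inet_interfaces", "permit_tls_all_clientcerts",
        "permit_sasl_authenticated", "permit_auth_destination",
        "check_client_access hash:/etc/postfix/access"],
    "smtpd_helo_restrictions": [
        "permit_mynetworks", "check_client_access hash:/etc/postfix/access",
        "check_client_access cidr:/etc/postfix/trusted_ips.cidr",
        "reject_invalid_hostname", "permit"],
    "smtpd_sender_restrictions": [
        "permit_mynetworks", "check_client_access hash:/etc/postfix/access",
        "permit_auth_destination", "permit_sasl_authenticated",
        "check_sender_access inline:{ { almogavers.net = REJECT local sender from unauthorized client } }"],
    "smtpd_relay_restrictions": [
        "permit_mynetworks", "permit_sasl_authenticated", "defer_unauth_destination",
        "permit_inet_interfaces", "check_client_access hash:/etc/postfix/access",
        "reject_unknown_reverse_client_hostname"],
    "smtpd_recipient_restrictions": [
        "permit_mynetworks", "permit_sasl_authenticated",
        "check_client_access hash:/etc/postfix/access", "permit_auth_destination",
        "reject_unauth_destination", "reject_invalid_hostname",
        "reject_unknown_recipient_domain", "reject_unknown_client_hostname",
        "reject_unknown_reverse_client_hostname", "reject_unverified_recipient",
        "check_policy_service inet:127.0.0.1:10023"],
}


def decide(s, config=POSTED_CONFIG):
    """Walk every list; the first non-PERMIT verdict decides the RCPT command."""
    for section, restrictions in config.items():
        verdict, name = evaluate_list(restrictions, s)
        if verdict != PERMIT:
            return verdict, section, name
    return PERMIT, None, None


# Constructed scenarios; 198.51.100.7 is a documentation address, not a real client.
def scenario_no_ptr_not_listed():
    return decide(Session("198.51.100.7", False, False))


def scenario_no_ptr_listed_ok():
    return decide(Session("198.51.100.7", False, False,
                          access_map={"198.51.100.7": "OK"}))


def scenario_ptr_unconfirmed():
    return decide(Session("198.51.100.7", True, False))


def scenario_relay_attempt():
    return decide(Session("198.51.100.7", True, True, recipient_is_local=False))


if __name__ == "__main__":
    for fn in (scenario_no_ptr_not_listed, scenario_no_ptr_listed_ok,
               scenario_ptr_unconfirmed, scenario_relay_attempt):
        print(fn.__name__, fn())
```

The four scenarios make two properties of this configuration visible: a client with no PTR that is absent from the access map is refused by the reject_unknown_reverse_client_hostname at the end of smtpd_relay_restrictions, while the same client listed OK is permitted by check_client_access earlier in that list; and for a local recipient, permit_auth_destination in smtpd_recipient_restrictions ends that list before any of the reject_unknown_*_hostname entries after it are reached, so those entries only ever apply to mail that is not for a local destination.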


Re: problems follow with certain rules

Noel Jones-2
In reply to this post by Francesc Peñalvez-2
On 4/2/2019 12:15 PM, Francesc Peñalvez wrote:
> The problem is with the directive
> reject_unknown_reverse_client_hostname: when there is a failure in
> the resolution of the IP, it blocks the connection from this IP. To
> avoid that I added the IP to the access file as indicated in the first
> mail, but it is still blocking that IP for not resolving. I activated
> the debug on that IP in case I could see the reason, and this is what
> I get, among a lot of data, when that IP connects:

I don't quite understand what you're trying to say above, you don't
show logs indicating the problem you're trying to solve, and your
example SMTP session doesn't seem to match your posted config, so
I'll give some general pointers.

In your posted config, no locally delivered mail gets past the
"permit_auth_destination" statements, bypassing most of your
restrictions.

Mail must be permitted (or not rejected) in every
smtpd_*_restrictions section to be accepted.

It doesn't make much sense to use both
reject_unknown_client_hostname and
reject_unknown_reverse_client_hostname, especially with
reject_unknown_reverse_client_hostname listed second.

Looks like you have a lot of duplicated statements.

In master.cf for your submission and smtps listeners, you should
disable all those extra restrictions, e.g.
   -o smtpd_helo_restrictions=
   -o smtpd_client_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o smtpd_recipient_restrictions=



   -- Noel Jones



>
>   Out: 250-ETRN
>   Out: 250-AUTH PLAIN LOGIN
>   Out: 250-AUTH=PLAIN LOGIN
>   Out: 250-ENHANCEDSTATUSCODES
>   Out: 250-8BITMIME
>   Out: 250 DSN
>   In:  MAIL From:<[hidden email]>  SIZE=118853
>   Out: 250 2.1.0 Ok
>   In:  RCPT To:<[hidden email]>
>   Out: 450 4.7.25 Client host rejected: cannot find your hostname,
>       [217.124.241.125]
>   In:  DATA
>   Out: 554 5.5.1 Error: no valid recipients
>   In:  RSET
>   Out: 250 2.0.0 Ok
>   In:  QUIT
>   Out: 221 2.0.0 Bye
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> allow_percent_hack = no
> allow_untrusted_routing = yes
> append_dot_mydomain = no
> biff = no
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> content_filter = smtp-amavis:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_list = 213.4.61.170 195.77.249.6 212.0.124.176
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> inet_protocols = ipv4
> mail_owner = postfix
> mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
> mailbox_size_limit = 0
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/local/man
> masquerade_domains = almogavers.net
> message_size_limit = 102400000
> meta_directory = /etc/postfix
> milter_default_action = accept
> milter_protocol = 6
> mydestination = ns.almogavers.net, localhost.almogavers.net, localhost,
>      canalonanismo.org, canalonanismo.es, almogavers.net,
> web.almogavers.net,
>      active.almogavers.net, 5.39.93.184, 37.187.18.41
> myhostname = almogavers.net
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.2
>      almogavers.net 192.168.1.0/24
> mynetworks_style = class
> newaliases_path = /usr/bin/newaliases
> non_smtpd_milters = inet:localhost:3277
> notify_classes = bounce, 2bounce, delay, policy, protocol, resource,
> software
> postscreen_access_list = permit_mynetworks
> cidr:/etc/postfix/trusted_ips.cidr
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_reply_map =
> texthash:/etc/postfix/postscreen_dnsbl_reply
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3
>      b.barracudacentral.org=127.0.0.[2..11]*2 bl.spamcop.net
> swl.spamhaus.org*-4
> postscreen_dnsbl_threshold = 1
> postscreen_dnsbl_ttl = 10m
> postscreen_greet_action = enforce
> queue_directory = /var/spool/postfix
> readme_directory = no
> recipient_delimiter = +
> sample_directory = /etc/postfix
> sender_bcc_maps = hash:/etc/postfix/bcc
> sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> shlib_directory = /usr/lib/postfix
> smtp_dns_support_level = enabled
> smtp_host_lookup = dns
> smtp_tls_CApath = /etc/ssl/certs
> smtp_tls_ciphers = medium
> smtp_tls_loglevel = 1
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_security_level = dane
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_use_tls = yes
> smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
>      permit_tls_all_clientcerts permit_sasl_authenticated
> permit_auth_destination
>      check_client_access hash:/etc/postfix/access
> smtpd_hard_error_limit = 20
> smtpd_helo_restrictions = permit_mynetworks, check_client_access
>      hash:/etc/postfix/access, check_client_access
>      cidr:/etc/postfix/trusted_ips.cidr, reject_invalid_hostname,
> permit
> smtpd_milters = inet:localhost:3277
> smtpd_recipient_restrictions = permit_mynetworks
> permit_sasl_authenticated
>      check_client_access hash:/etc/postfix/access
> permit_auth_destination
>      reject_unauth_destination reject_invalid_hostname
>      reject_unknown_recipient_domain reject_unknown_client_hostname
>      reject_unknown_reverse_client_hostname reject_unverified_recipient
>      check_policy_service inet:127.0.0.1:10023
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>      defer_unauth_destination permit_inet_interfaces
> check_client_access
>      hash:/etc/postfix/access reject_unknown_reverse_client_hostname
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous noplaintext
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> smtpd_sender_restrictions = permit_mynetworks check_client_access
>      hash:/etc/postfix/access permit_auth_destination
> permit_sasl_authenticated
>      check_sender_access inline:{ { almogavers.net = REJECT local
> sender from
>      unauthorized client } }
> smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
> smtpd_tls_CApath = /etc/ssl/certs
> smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
> smtpd_tls_ciphers = medium
> smtpd_tls_key_file = /etc/postfix/postfix.key.pem
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_protocols = !SSLv2, !SSLv3
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> virtual_alias_maps = hash:/etc/postfix/virtual
>
> smtp       inet  n       -       y       -       -       smtpd
>      -o content_filter=spamassassin
>      -o smtpd_sasl_auth_enable=yes
>      receive_override_options=no_header_body_checks
> smtp       inet  n       -       y       -       1       postscreen
> dnsblog    unix  -       -       y       -       0       dnsblog
> tlsproxy   unix  -       -       y       -       0       tlsproxy
> smtpd      pass  -       -       y       -       -       smtpd
> submission inet  n       -       y       -       -       smtpd
>      -o syslog_name=postfix/submission
>      -o smtpd_tls_security_level=encrypt
>      -o smtpd_sasl_auth_enable=yes
>      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>      -o milter_macro_daemon_name=ORIGINATING
>      -o content_filter=spamassassin
> smtps      inet  n       -       y       -       -       smtpd
>      -o syslog_name=postfix/smtps
>      -o smtpd_tls_wrappermode=yes
>      -o smtpd_sasl_auth_enable=yes
>      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>      -o milter_macro_daemon_name=ORIGINATING
> pickup     fifo  n       -       y       60      1       pickup
> cleanup    unix  n       -       y       -       0       cleanup
> qmgr       fifo  n       -       n       300     1       qmgr
> tlsmgr     unix  -       -       y       1000?   1       tlsmgr
> rewrite    unix  -       -       y       -       -      
> trivial-rewrite
> bounce     unix  -       -       y       -       0       bounce
> defer      unix  -       -       y       -       0       bounce
> trace      unix  -       -       y       -       0       bounce
> verify     unix  -       -       y       -       1       verify
> flush      unix  n       -       y       1000?   0       flush
> proxymap   unix  -       -       n       -       -       proxymap
> proxywrite unix  -       -       n       -       1       proxymap
> smtp       unix  -       -       y       -       -       smtp
>      -o smtp_helo_timeout=5
>      -o smtp_connect_timeout=5
> relay      unix  -       -       y       -       -       smtp
> showq      unix  n       -       y       -       -       showq
> error      unix  -       -       y       -       -       error
> retry      unix  -       -       y       -       -       error
> discard    unix  -       -       y       -       -       discard
> local      unix  -       n       n       -       -       local
> virtual    unix  -       n       n       -       -       virtual
> lmtp       unix  -       -       y       -       -       lmtp
> anvil      unix  -       -       y       -       1       anvil
> scache     unix  -       -       y       -       1       scache
> maildrop   unix  -       n       n       -       -       pipe
> flags=DRhu
>      user=vmail argv=/usr/bin/maildrop -d ${recipient}
> uucp       unix  -       n       n       -       -       pipe
> flags=Fqhu
>      user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
> ($recipient)
> ifmail     unix  -       n       n       -       -       pipe
> flags=F user=ftn
>      argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp      unix  -       n       n       -       -       pipe flags=Fq.
>      user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
> $recipient
> scalemail-backend unix - n       n       -       2       pipe flags=R
>      user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
> ${nexthop}
>      ${user} ${extension}
> mailman    unix  -       n       n       -       -       pipe flags=FR
>      user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
> ${nexthop}
>      ${user}
> policyd-spf unix -       n       n       -       0       spawn
> user=policyd-spf
>      argv=/usr/bin/policyd-spf
> smtp-amavis unix -       -       n       -       2       smtp
>      -o smtp_data_done_timeout=1200
>      -o disable_dns_lookups=yes
> 127.0.0.1:10025 inet n   -       n       -       -       smtpd
>      -o content_filter=
>      -o disable_dns_lookups=yes
>      -o local_recipient_maps=
>      -o relay_recipient_maps=
>      -o smtpd_restriction_classes=
>      -o smtpd_client_restrictions=
>      -o smtpd_helo_restrictions=
>      -o smtpd_sender_restrictions=
>      -o smtpd_recipient_restrictions=permit_mynetworks,reject
>      -o mynetworks=127.0.0.0/8
>      -o strict_rfc821_envelopes=yes
>      -o smtpd_error_sleep_time=0
>      -o smtpd_soft_error_limit=1001
>      -o smtpd_hard_error_limit=1000
>      -o smtp_data_done_timeout=1200
>      -o disable_dns_lookups=yes
> spamassassin unix -      n       n       -       -       pipe
> user=debian-spamd
>      argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender}
> ${recipient}
> dane       unix  -       -       n       -       -       smtp
>      -o smtp_dns_support_level=dnssec
>      -o smtp_tls_security_level=dane
> postlog    unix-dgram n  -       n       -       1       postlogd
>
> On 02/04/2019 at 18:38, Bill Cole wrote:
>> On 2 Apr 2019, at 11:17, Francesc Peñalvez wrote:
>>
>>> following the instructions given to me place the access in front
>>> of the rule that is not supported ips unresolved, and as I still
>>> have the same problems I added a debug to that ip that interests
>>> me and among other things in this debug I find this:
>>> 16:43:05 ns postfix / smtpd [28258]: generic_checks: name =
>>> check_client_access
>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: check_namadr_access:
>>> name unknown addr 213.4.61.170
>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: check_domain_access:
>>> unknown
>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: maps_find: hash: / etc
>>> / postfix / access: unknown: not found
>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: check_addr_access:
>>> 213.4.61.170
>>> my access file contains:
>>> 213.4.61.170 OK
>>>
>>> Where do I have the error?
>>
>> It is impossible for us to tell, because you have not provided
>> enough information.
>> The solution may be as simple as using 'postmap' to rebuild the
>> operational form of the access map (e.g. /etc/postfix/access.db)
>> or it may be something more complex.
>>
>> See http://www.postfix.org/DEBUG_README.html#mail for how to
>> effectively report problems here.
>>
>> Most importantly:
>>
>> 1. Turn off debug logging.
>> 2. Provide the output of 'postconf -nf' and 'postconf -Mf'
>> 3. Provide log lines relevant to a single SMTP session with the
>> problem.
>>
>>
>


Re: problems follow with certain rules

Francesc Peñalvez-2
The problem is the one I have already described.
I have several rules against spammers and one of them is to reject the
IPs that are not resolved.
So when the DNS resolution fails those IPs are rejected for not having a
reverse. In the access file I have the IPs that I want to pass these
blocks, but even so, as you can see in the connection log, they are
rejected because the IP does not resolve.
Those IPs really do have a reverse but for some fault it does not
resolve at the moment of connecting to my Postfix.
The two postconf outputs are from the server with which I have this problem.
In other emails I was told that the reverse-resolution rule
reject_unknown_reverse_client_hostname was earlier in the line than the
access, so I changed the position, but I still have this failure.
The SMTP example that I posted, although it does not match the IP, as I
said in another email, is an IP of the same company, in this case a
digital newspaper that uses several IPs to send emails.

The problem is not in sending but in receiving mail.
I am sorry for not explaining myself well; I hope what I want to express
is understood.

On 02/04/2019 at 20:08, Noel Jones wrote:

> On 4/2/2019 12:15 PM, Francesc Peñalvez wrote:
>> the problem is with the directive
>> reject_unknown_reverse_client_hostname when there is a failure in the
>> resolution of the ip blocks the connection with this ip, to avoid
>> adding the access file the ip as indicated in the first mail, but
>> still blocking that ip by not resolving. activate the debug on that
>> ip in case I saw the reason and that's what I get between many data
>> when that ip connects
>
> I don't quite understand what you're trying to say above, you don't
> show logs indicating the problem you're trying to solve, and your
> example SMTP session doesn't seem to match your posted config, so I'll
> give some general pointers.
>
> In your posted config, no locally delivered mail gets past the
> "permit_auth_destination" statements, bypassing most of your
> restrictions.
>
> Mail must be permitted (or not rejected) in every smtpd_*_restrictions
> section to be accepted.
>
> It doesn't make much sense to use both reject_unknown_client_hostname
> and reject_unknown_reverse_client_hostname, especially with
> reject_unknown_reverse_client_hostname listed second.
>
> Looks like you have a lot of duplicated statements.
>
> In master.cf for your submission and smtps listeners, you should
> disable all those extra restrictions, eg.
>   -o smtpd_helo_restrictions=
>   -o smtpd_client_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_recipient_restrictions=
>
>
>
>   -- Noel Jones
>
>
>
>>
>>   Out: 250-ETRN
>>   Out: 250-AUTH PLAIN LOGIN
>>   Out: 250-AUTH=PLAIN LOGIN
>>   Out: 250-ENHANCEDSTATUSCODES
>>   Out: 250-8BITMIME
>>   Out: 250 DSN
>>   In:  MAIL From:<[hidden email]>  SIZE=118853
>>   Out: 250 2.1.0 Ok
>>   In:  RCPT To:<[hidden email]>
>>   Out: 450 4.7.25 Client host rejected: cannot find your hostname,
>>       [217.124.241.125]
>>   In:  DATA
>>   Out: 554 5.5.1 Error: no valid recipients
>>   In:  RSET
>>   Out: 250 2.0.0 Ok
>>   In:  QUIT
>>   Out: 221 2.0.0 Bye
>>
>> alias_database = hash:/etc/aliases
>> alias_maps = hash:/etc/aliases
>> allow_percent_hack = no
>> allow_untrusted_routing = yes
>> append_dot_mydomain = no
>> biff = no
>> broken_sasl_auth_clients = yes
>> command_directory = /usr/sbin
>> content_filter = smtp-amavis:[127.0.0.1]:10024
>> daemon_directory = /usr/libexec/postfix
>> data_directory = /var/lib/postfix
>> debug_peer_list = 213.4.61.170 195.77.249.6 212.0.124.176
>> home_mailbox = Maildir/
>> html_directory = no
>> inet_interfaces = all
>> inet_protocols = ipv4
>> mail_owner = postfix
>> mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
>> mailbox_size_limit = 0
>> mailq_path = /usr/bin/mailq
>> manpage_directory = /usr/local/man
>> masquerade_domains = almogavers.net
>> message_size_limit = 102400000
>> meta_directory = /etc/postfix
>> milter_default_action = accept
>> milter_protocol = 6
>> mydestination = ns.almogavers.net, localhost.almogavers.net, localhost,
>>      canalonanismo.org, canalonanismo.es, almogavers.net,
>> web.almogavers.net,
>>      active.almogavers.net, 5.39.93.184, 37.187.18.41
>> myhostname = almogavers.net
>> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.2
>>      almogavers.net 192.168.1.0/24
>> mynetworks_style = class
>> newaliases_path = /usr/bin/newaliases
>> non_smtpd_milters = inet:localhost:3277
>> notify_classes = bounce, 2bounce, delay, policy, protocol, resource,
>> software
>> postscreen_access_list = permit_mynetworks
>> cidr:/etc/postfix/trusted_ips.cidr
>> postscreen_blacklist_action = drop
>> postscreen_dnsbl_action = enforce
>> postscreen_dnsbl_reply_map =
>> texthash:/etc/postfix/postscreen_dnsbl_reply
>> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3
>>      b.barracudacentral.org=127.0.0.[2..11]*2 bl.spamcop.net
>> swl.spamhaus.org*-4
>> postscreen_dnsbl_threshold = 1
>> postscreen_dnsbl_ttl = 10m
>> postscreen_greet_action = enforce
>> queue_directory = /var/spool/postfix
>> readme_directory = no
>> recipient_delimiter = +
>> sample_directory = /etc/postfix
>> sender_bcc_maps = hash:/etc/postfix/bcc
>> sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
>> sendmail_path = /usr/sbin/sendmail
>> setgid_group = postdrop
>> shlib_directory = /usr/lib/postfix
>> smtp_dns_support_level = enabled
>> smtp_host_lookup = dns
>> smtp_tls_CApath = /etc/ssl/certs
>> smtp_tls_ciphers = medium
>> smtp_tls_loglevel = 1
>> smtp_tls_protocols = !SSLv2, !SSLv3
>> smtp_tls_security_level = dane
>> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>> smtp_use_tls = yes
>> smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
>>      permit_tls_all_clientcerts permit_sasl_authenticated
>> permit_auth_destination
>>      check_client_access hash:/etc/postfix/access
>> smtpd_hard_error_limit = 20
>> smtpd_helo_restrictions = permit_mynetworks, check_client_access
>>      hash:/etc/postfix/access, check_client_access
>>      cidr:/etc/postfix/trusted_ips.cidr, reject_invalid_hostname, permit
>> smtpd_milters = inet:localhost:3277
>> smtpd_recipient_restrictions = permit_mynetworks
>> permit_sasl_authenticated
>>      check_client_access hash:/etc/postfix/access
>> permit_auth_destination
>>      reject_unauth_destination reject_invalid_hostname
>>      reject_unknown_recipient_domain reject_unknown_client_hostname
>>      reject_unknown_reverse_client_hostname reject_unverified_recipient
>>      check_policy_service inet:127.0.0.1:10023
>> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>>      defer_unauth_destination permit_inet_interfaces check_client_access
>>      hash:/etc/postfix/access reject_unknown_reverse_client_hostname
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_authenticated_header = yes
>> smtpd_sasl_path = private/auth
>> smtpd_sasl_security_options = noanonymous noplaintext
>> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
>> smtpd_sender_restrictions = permit_mynetworks check_client_access
>>      hash:/etc/postfix/access permit_auth_destination
>> permit_sasl_authenticated
>>      check_sender_access inline:{ { almogavers.net = REJECT local
>> sender from
>>      unauthorized client } }
>> smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
>> smtpd_tls_CApath = /etc/ssl/certs
>> smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
>> smtpd_tls_ciphers = medium
>> smtpd_tls_key_file = /etc/postfix/postfix.key.pem
>> smtpd_tls_mandatory_ciphers = high
>> smtpd_tls_protocols = !SSLv2, !SSLv3
>> smtpd_tls_received_header = yes
>> smtpd_tls_security_level = may
>> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>> smtpd_use_tls = yes
>> virtual_alias_maps = hash:/etc/postfix/virtual
>>
>> smtp       inet  n       -       y       -       -       smtpd
>>      -o content_filter=spamassassin
>>      -o smtpd_sasl_auth_enable=yes
>>      receive_override_options=no_header_body_checks
>> smtp       inet  n       -       y       -       1 postscreen
>> dnsblog    unix  -       -       y       -       0       dnsblog
>> tlsproxy   unix  -       -       y       -       0 tlsproxy
>> smtpd      pass  -       -       y       -       -       smtpd
>> submission inet  n       -       y       -       -       smtpd
>>      -o syslog_name=postfix/submission
>>      -o smtpd_tls_security_level=encrypt
>>      -o smtpd_sasl_auth_enable=yes
>>      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>      -o milter_macro_daemon_name=ORIGINATING
>>      -o content_filter=spamassassin
>> smtps      inet  n       -       y       -       -       smtpd
>>      -o syslog_name=postfix/smtps
>>      -o smtpd_tls_wrappermode=yes
>>      -o smtpd_sasl_auth_enable=yes
>>      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>      -o milter_macro_daemon_name=ORIGINATING
>> pickup     fifo  n       -       y       60      1       pickup
>> cleanup    unix  n       -       y       -       0       cleanup
>> qmgr       fifo  n       -       n       300     1       qmgr
>> tlsmgr     unix  -       -       y       1000?   1       tlsmgr
>> rewrite    unix  -       -       y       -       - trivial-rewrite
>> bounce     unix  -       -       y       -       0       bounce
>> defer      unix  -       -       y       -       0       bounce
>> trace      unix  -       -       y       -       0       bounce
>> verify     unix  -       -       y       -       1       verify
>> flush      unix  n       -       y       1000?   0       flush
>> proxymap   unix  -       -       n       -       - proxymap
>> proxywrite unix  -       -       n       -       1 proxymap
>> smtp       unix  -       -       y       -       -       smtp
>>      -o smtp_helo_timeout=5
>>      -o smtp_connect_timeout=5
>> relay      unix  -       -       y       -       -       smtp
>> showq      unix  n       -       y       -       -       showq
>> error      unix  -       -       y       -       -       error
>> retry      unix  -       -       y       -       -       error
>> discard    unix  -       -       y       -       -       discard
>> local      unix  -       n       n       -       -       local
>> virtual    unix  -       n       n       -       -       virtual
>> lmtp       unix  -       -       y       -       -       lmtp
>> anvil      unix  -       -       y       -       1       anvil
>> scache     unix  -       -       y       -       1       scache
>> maildrop   unix  -       n       n       -       -       pipe flags=DRhu
>>      user=vmail argv=/usr/bin/maildrop -d ${recipient}
>> uucp       unix  -       n       n       -       -       pipe flags=Fqhu
>>      user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
>> ifmail     unix  -       n       n       -       -       pipe flags=F
>> user=ftn
>>      argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
>> bsmtp      unix  -       n       n       -       -       pipe flags=Fq.
>>      user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
>> $recipient
>> scalemail-backend unix - n       n       -       2       pipe flags=R
>>      user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
>> ${nexthop}
>>      ${user} ${extension}
>> mailman    unix  -       n       n       -       -       pipe flags=FR
>>      user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
>> ${nexthop}
>>      ${user}
>> policyd-spf unix -       n       n       -       0       spawn
>> user=policyd-spf
>>      argv=/usr/bin/policyd-spf
>> smtp-amavis unix -       -       n       -       2       smtp
>>      -o smtp_data_done_timeout=1200
>>      -o disable_dns_lookups=yes
>> 127.0.0.1:10025 inet n   -       n       -       -       smtpd
>>      -o content_filter=
>>      -o disable_dns_lookups=yes
>>      -o local_recipient_maps=
>>      -o relay_recipient_maps=
>>      -o smtpd_restriction_classes=
>>      -o smtpd_client_restrictions=
>>      -o smtpd_helo_restrictions=
>>      -o smtpd_sender_restrictions=
>>      -o smtpd_recipient_restrictions=permit_mynetworks,reject
>>      -o mynetworks=127.0.0.0/8
>>      -o strict_rfc821_envelopes=yes
>>      -o smtpd_error_sleep_time=0
>>      -o smtpd_soft_error_limit=1001
>>      -o smtpd_hard_error_limit=1000
>>      -o smtp_data_done_timeout=1200
>>      -o disable_dns_lookups=yes
>> spamassassin unix -      n       n       -       -       pipe
>> user=debian-spamd
>>      argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender}
>> ${recipient}
>> dane       unix  -       -       n       -       -       smtp
>>      -o smtp_dns_support_level=dnssec
>>      -o smtp_tls_security_level=dane
>> postlog    unix-dgram n  -       n       -       1 postlogd
>>
>> On 02/04/2019 at 18:38, Bill Cole wrote:
>>> On 2 Apr 2019, at 11:17, Francesc Peñalvez wrote:
>>>
>>>> following the instructions given to me place the access in front of
>>>> the rule that is not supported ips unresolved, and as I still have
>>>> the same problems I added a debug to that ip that interests me and
>>>> among other things in this debug I find this:
>>>> 16:43:05 ns postfix / smtpd [28258]: generic_checks: name =
>>>> check_client_access
>>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: check_namadr_access:
>>>> name unknown addr 213.4.61.170
>>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: check_domain_access:
>>>> unknown
>>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: maps_find: hash: / etc /
>>>> postfix / access: unknown: not found
>>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: check_addr_access:
>>>> 213.4.61.170
>>>> my access file contains:
>>>> 213.4.61.170 OK
>>>>
>>>> Where do I have the error?
>>>
>>> It is impossible for us to tell, because you have not provided
>>> enough information.
>>> The solution may be as simple as using 'postmap' to rebuild the
>>> operational form of the access map (e.g. /etc/postfix/access.db) or
>>> it may be something more complex.
>>>
>>> See http://www.postfix.org/DEBUG_README.html#mail for how to
>>> effectively report problems here.
>>>
>>> Most importantly:
>>>
>>> 1. Turn off debug logging.
>>> 2. Provide the output of 'postconf -nf' and 'postconf -Mf'
>>> 3. Provide log lines relevant to a single SMTP session with the
>>> problem.
>>>
>>>
>>
>

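The two points raised in this thread, Noel's that a connection has to get through every smtpd_*_restrictions list (a permit in one list does not save it from a reject in another) and Bill Cole's that check_client_access reads the compiled map that postmap builds rather than the text file, are easier to see in a small model of how smtpd walks a restriction list. The following is an added example, not Postfix source and not code from anyone in the thread. It knows only the restrictions that occur in the posted configuration and treats the rest (permit_inet_interfaces, check_policy_service and so on) as DUNNO; the lookup order for check_client_access follows access(5). The restriction lists, the domain almogavers.net and the address 213.4.61.170 are taken from the thread; the access file text is constructed.

```python
"""Model of Postfix smtpd restriction-list evaluation and access-map lookup.

Added example for this thread, not Postfix code. Only the restrictions used
in the posted configuration are modelled; anything else counts as DUNNO.
"""
from dataclasses import dataclass, field

# Postfix names a client "unknown" when its address has no usable PTR record.
UNKNOWN = "unknown"


@dataclass
class Client:
    addr: str
    hostname: str = UNKNOWN
    in_mynetworks: bool = False
    sasl_authenticated: bool = False
    recipient_domain: str = ""


@dataclass
class Server:
    mydestination: frozenset
    # smtpd consults the compiled table (access.db built by postmap),
    # not the text file the administrator edits.
    access_db: dict = field(default_factory=dict)


def postmap(access_text):
    """Compile access(5) text ("key action ...") into the table smtpd reads."""
    table = {}
    for line in access_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table[parts[0]] = parts[1].split()[0].upper()
    return table


def access_lookup_keys(client):
    """Keys tried by check_client_access, in access(5) order: the hostname
    (the literal "unknown" is looked up too, as the thread's debug log shows),
    its parent domains, then the address and shorter address prefixes."""
    keys = [client.hostname]
    if client.hostname != UNKNOWN:
        labels = client.hostname.split(".")
        keys += [".".join(labels[i:]) for i in range(1, len(labels))]
    octets = client.addr.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys


MAP_RESULT = {"OK": "PERMIT", "REJECT": "REJECT", "DUNNO": "DUNNO"}


def evaluate(restrictions, server, client):
    """Walk one list left to right; the first PERMIT, REJECT or DEFER ends it.
    Running off the end is DUNNO, which does not block the client."""
    local = client.recipient_domain in server.mydestination
    for r in restrictions:
        if r == "permit_mynetworks" and client.in_mynetworks:
            return "PERMIT", r
        if r == "permit_sasl_authenticated" and client.sasl_authenticated:
            return "PERMIT", r
        if r == "permit_auth_destination" and local:
            return "PERMIT", r
        if r == "reject_unauth_destination" and not local:
            return "REJECT", "554 5.7.1 Relay access denied"
        if r == "defer_unauth_destination" and not local:
            return "DEFER", "450 4.7.1 Relay access denied"
        if r.startswith("check_client_access"):
            hit = next((k for k in access_lookup_keys(client) if k in server.access_db), None)
            if hit is not None and MAP_RESULT.get(server.access_db[hit], "DUNNO") != "DUNNO":
                return MAP_RESULT[server.access_db[hit]], f"{r}: {hit} {server.access_db[hit]}"
        if r == "reject_unknown_reverse_client_hostname" and client.hostname == UNKNOWN:
            return "REJECT", f"450 4.7.25 Client host rejected: cannot find your reverse hostname, [{client.addr}]"
        if r == "reject_unknown_client_hostname" and client.hostname == UNKNOWN:
            return "REJECT", f"450 4.7.25 Client host rejected: cannot find your hostname, [{client.addr}]"
        if r in ("permit", "reject"):
            return r.upper(), r
    return "DUNNO", "end of list"


def decide(server, client, lists):
    """Every list must permit or stay undecided; the first REJECT/DEFER wins."""
    for name, restrictions in lists.items():
        result, reason = evaluate(restrictions, server, client)
        if result in ("REJECT", "DEFER"):
            return result, f"{name}: {reason}"
    return "ACCEPT", "no list rejected"


# Lists as posted in the thread, reduced to what this model understands.
POSTED_RELAY = ["permit_mynetworks", "permit_sasl_authenticated",
                "defer_unauth_destination", "permit_inet_interfaces",
                "check_client_access hash:/etc/postfix/access",
                "reject_unknown_reverse_client_hostname"]
POSTED_RECIPIENT = ["permit_mynetworks", "permit_sasl_authenticated",
                    "check_client_access hash:/etc/postfix/access",
                    "permit_auth_destination", "reject_unauth_destination",
                    "reject_unknown_client_hostname",
                    "reject_unknown_reverse_client_hostname"]
SUGGESTED_RELAY = ["permit_mynetworks", "permit_sasl_authenticated",
                   "reject_unauth_destination"]            # Noel's replacement
MYDEST = frozenset({"almogavers.net", "localhost"})       # subset of posted mydestination
ACCESS_TEXT = "# constructed access file, same entry as in the thread\n213.4.61.170 OK\n"


def scenario(access_db, relay, recipient_domain="almogavers.net"):
    """Unresolvable client 213.4.61.170 (from the thread) against the lists."""
    client = Client("213.4.61.170", UNKNOWN, recipient_domain=recipient_domain)
    return decide(Server(MYDEST, access_db), client,
                  {"smtpd_relay_restrictions": relay,
                   "smtpd_recipient_restrictions": POSTED_RECIPIENT})


if __name__ == "__main__":
    print("map rebuilt, posted relay list:      ", scenario(postmap(ACCESS_TEXT), POSTED_RELAY))
    print("map never rebuilt, posted relay list:", scenario({}, POSTED_RELAY))
    print("map never rebuilt, suggested relay:  ", scenario({}, SUGGESTED_RELAY))
```

The second scenario is the one to compare with an /etc/postfix/access that was edited but never run through postmap: smtpd never sees the new entry, check_client_access falls through, and the reject_unknown_reverse_client_hostname that follows it in the relay list ends the session with a 450. The third scenario runs the suggested relay list together with the posted recipient list: the client is accepted, but only because permit_auth_destination sits ahead of the hostname checks for a local recipient, which is Noel's other point about that list.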

Re: problems follow with certain rules

Noel Jones-2
Great.

Change this:
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>      defer_unauth_destination permit_inet_interfaces check_client_access
>      hash:/etc/postfix/access reject_unknown_reverse_client_hostname

to this:
smtpd_relay_restrictions =
   permit_mynetworks
   permit_sasl_authenticated
   reject_unauth_destination


Did you remember to postmap your access map?
postmap hash:/etc/postfix/access





On 4/2/2019 1:49 PM, Francesc Peñalvez wrote:

> the problem that I have already described
> I have several rules against spammers and one of them is to reject
> the ips that are not resolved.
> So when the resolution of the dns fails those ips are rejected for
> not having an inverse. In the access I have the ips that interest me
> that these locks pass, but even so, as you can see in the connection
> log are rejected by not solve the ip.
> Those ips really do have an inverse but for some fault it does not
> resolve at the moment of connecting with my postfix.
> The two postconf are from the server with which I have this problem.
> In other emails I was told that the rule of the inverse resolution
> reject_unknown_reverse_client_hostname was earlier in the line than
> the access, so I changed the position but still I still have this
> failure.
> The example of SMTP that I have set, although it does not match the
> ip, as I have put in another email is an ip of the same company, in
> this case a digital newspaper that uses several ips to send emails.
>
> the problem I do not have it in the shipment if not in the reception
> of mails.
> I am sorry not to explain myself, I hope that I understand what I
> want to express
>
> On 02/04/2019 at 20:08, Noel Jones wrote:
>> On 4/2/2019 12:15 PM, Francesc Peñalvez wrote:
>>> the problem is with the directive
>>> reject_unknown_reverse_client_hostname when there is a failure in
>>> the resolution of the ip blocks the connection with this ip, to
>>> avoid adding the access file the ip as indicated in the first
>>> mail, but still blocking that ip by not resolving. activate the
>>> debug on that ip in case I saw the reason and that's what I get
>>> between many data when that ip connects
>>
>> I don't quite understand what you're trying to say above, you
>> don't show logs indicating the problem you're trying to solve, and
>> your example SMTP session doesn't seem to match your posted
>> config, so I'll give some general pointers.
>>
>> In your posted config, no locally delivered mail gets past the
>> "permit_auth_destination" statements, bypassing most of your
>> restrictions.
>>
>> Mail must be permitted (or not rejected) in every
>> smtpd_*_restrictions section to be accepted.
>>
>> It doesn't make much sense to use both
>> reject_unknown_client_hostname and
>> reject_unknown_reverse_client_hostname, especially with
>> reject_unknown_reverse_client_hostname listed second.
>>
>> Looks like you have a lot of duplicated statements.
>>
>> In master.cf for your submission and smtps listeners, you should
>> disable all those extra restrictions, eg.
>>   -o smtpd_helo_restrictions=
>>   -o smtpd_client_restrictions=
>>   -o smtpd_sender_restrictions=
>>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>>   -o smtpd_recipient_restrictions=
>>
>>
>>
>>   -- Noel Jones
>>
>>
>>
>>>
>>>   Out: 250-ETRN
>>>   Out: 250-AUTH PLAIN LOGIN
>>>   Out: 250-AUTH=PLAIN LOGIN
>>>   Out: 250-ENHANCEDSTATUSCODES
>>>   Out: 250-8BITMIME
>>>   Out: 250 DSN
>>>   In:  MAIL From:<[hidden email]>  SIZE=118853
>>>   Out: 250 2.1.0 Ok
>>>   In:  RCPT To:<[hidden email]>
>>>   Out: 450 4.7.25 Client host rejected: cannot find your hostname,
>>>       [217.124.241.125]
>>>   In:  DATA
>>>   Out: 554 5.5.1 Error: no valid recipients
>>>   In:  RSET
>>>   Out: 250 2.0.0 Ok
>>>   In:  QUIT
>>>   Out: 221 2.0.0 Bye
>>>
>>> alias_database = hash:/etc/aliases
>>> alias_maps = hash:/etc/aliases
>>> allow_percent_hack = no
>>> allow_untrusted_routing = yes
>>> append_dot_mydomain = no
>>> biff = no
>>> broken_sasl_auth_clients = yes
>>> command_directory = /usr/sbin
>>> content_filter = smtp-amavis:[127.0.0.1]:10024
>>> daemon_directory = /usr/libexec/postfix
>>> data_directory = /var/lib/postfix
>>> debug_peer_list = 213.4.61.170 195.77.249.6 212.0.124.176
>>> home_mailbox = Maildir/
>>> html_directory = no
>>> inet_interfaces = all
>>> inet_protocols = ipv4
>>> mail_owner = postfix
>>> mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d
>>> $LOGNAME
>>> mailbox_size_limit = 0
>>> mailq_path = /usr/bin/mailq
>>> manpage_directory = /usr/local/man
>>> masquerade_domains = almogavers.net
>>> message_size_limit = 102400000
>>> meta_directory = /etc/postfix
>>> milter_default_action = accept
>>> milter_protocol = 6
>>> mydestination = ns.almogavers.net, localhost.almogavers.net,
>>> localhost,
>>>      canalonanismo.org, canalonanismo.es, almogavers.net,
>>> web.almogavers.net,
>>>      active.almogavers.net, 5.39.93.184, 37.187.18.41
>>> myhostname = almogavers.net
>>> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
>>> 192.168.1.2
>>>      almogavers.net 192.168.1.0/24
>>> mynetworks_style = class
>>> newaliases_path = /usr/bin/newaliases
>>> non_smtpd_milters = inet:localhost:3277
>>> notify_classes = bounce, 2bounce, delay, policy, protocol,
>>> resource, software
>>> postscreen_access_list = permit_mynetworks
>>> cidr:/etc/postfix/trusted_ips.cidr
>>> postscreen_blacklist_action = drop
>>> postscreen_dnsbl_action = enforce
>>> postscreen_dnsbl_reply_map =
>>> texthash:/etc/postfix/postscreen_dnsbl_reply
>>> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3
>>>      b.barracudacentral.org=127.0.0.[2..11]*2 bl.spamcop.net
>>> swl.spamhaus.org*-4
>>> postscreen_dnsbl_threshold = 1
>>> postscreen_dnsbl_ttl = 10m
>>> postscreen_greet_action = enforce
>>> queue_directory = /var/spool/postfix
>>> readme_directory = no
>>> recipient_delimiter = +
>>> sample_directory = /etc/postfix
>>> sender_bcc_maps = hash:/etc/postfix/bcc
>>> sender_dependent_default_transport_maps =
>>> hash:/etc/postfix/dependent
>>> sendmail_path = /usr/sbin/sendmail
>>> setgid_group = postdrop
>>> shlib_directory = /usr/lib/postfix
>>> smtp_dns_support_level = enabled
>>> smtp_host_lookup = dns
>>> smtp_tls_CApath = /etc/ssl/certs
>>> smtp_tls_ciphers = medium
>>> smtp_tls_loglevel = 1
>>> smtp_tls_protocols = !SSLv2, !SSLv3
>>> smtp_tls_security_level = dane
>>> smtp_tls_session_cache_database =
>>> btree:${data_directory}/smtp_scache
>>> smtp_use_tls = yes
>>> smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
>>>      permit_tls_all_clientcerts permit_sasl_authenticated
>>> permit_auth_destination
>>>      check_client_access hash:/etc/postfix/access
>>> smtpd_hard_error_limit = 20
>>> smtpd_helo_restrictions = permit_mynetworks, check_client_access
>>>      hash:/etc/postfix/access, check_client_access
>>>      cidr:/etc/postfix/trusted_ips.cidr, reject_invalid_hostname,
>>> permit
>>> smtpd_milters = inet:localhost:3277
>>> smtpd_recipient_restrictions = permit_mynetworks
>>> permit_sasl_authenticated
>>>      check_client_access hash:/etc/postfix/access
>>> permit_auth_destination
>>>      reject_unauth_destination reject_invalid_hostname
>>>      reject_unknown_recipient_domain reject_unknown_client_hostname
>>>      reject_unknown_reverse_client_hostname
>>> reject_unverified_recipient
>>>      check_policy_service inet:127.0.0.1:10023
>>> smtpd_relay_restrictions = permit_mynetworks
>>> permit_sasl_authenticated
>>>      defer_unauth_destination permit_inet_interfaces
>>> check_client_access
>>>      hash:/etc/postfix/access reject_unknown_reverse_client_hostname
>>> smtpd_sasl_auth_enable = yes
>>> smtpd_sasl_authenticated_header = yes
>>> smtpd_sasl_path = private/auth
>>> smtpd_sasl_security_options = noanonymous noplaintext
>>> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
>>> smtpd_sender_restrictions = permit_mynetworks check_client_access
>>>      hash:/etc/postfix/access permit_auth_destination
>>> permit_sasl_authenticated
>>>      check_sender_access inline:{ { almogavers.net = REJECT local
>>> sender from
>>>      unauthorized client } }
>>> smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
>>> smtpd_tls_CApath = /etc/ssl/certs
>>> smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
>>> smtpd_tls_ciphers = medium
>>> smtpd_tls_key_file = /etc/postfix/postfix.key.pem
>>> smtpd_tls_mandatory_ciphers = high
>>> smtpd_tls_protocols = !SSLv2, !SSLv3
>>> smtpd_tls_received_header = yes
>>> smtpd_tls_security_level = may
>>> smtpd_tls_session_cache_database =
>>> btree:${data_directory}/smtpd_scache
>>> smtpd_use_tls = yes
>>> virtual_alias_maps = hash:/etc/postfix/virtual
>>>
>>> smtp       inet  n       -       y       -       -       smtpd
>>>      -o content_filter=spamassassin
>>>      -o smtpd_sasl_auth_enable=yes
>>>      receive_override_options=no_header_body_checks
>>> smtp       inet  n       -       y       -       1 postscreen
>>> dnsblog    unix  -       -       y       -       0       dnsblog
>>> tlsproxy   unix  -       -       y       -       0 tlsproxy
>>> smtpd      pass  -       -       y       -       -       smtpd
>>> submission inet  n       -       y       -       -       smtpd
>>>      -o syslog_name=postfix/submission
>>>      -o smtpd_tls_security_level=encrypt
>>>      -o smtpd_sasl_auth_enable=yes
>>>      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>      -o milter_macro_daemon_name=ORIGINATING
>>>      -o content_filter=spamassassin
>>> smtps      inet  n       -       y       -       -       smtpd
>>>      -o syslog_name=postfix/smtps
>>>      -o smtpd_tls_wrappermode=yes
>>>      -o smtpd_sasl_auth_enable=yes
>>>      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>      -o milter_macro_daemon_name=ORIGINATING
>>> pickup     fifo  n       -       y       60      1       pickup
>>> cleanup    unix  n       -       y       -       0       cleanup
>>> qmgr       fifo  n       -       n       300     1       qmgr
>>> tlsmgr     unix  -       -       y       1000?   1       tlsmgr
>>> rewrite    unix  -       -       y       -       - trivial-rewrite
>>> bounce     unix  -       -       y       -       0       bounce
>>> defer      unix  -       -       y       -       0       bounce
>>> trace      unix  -       -       y       -       0       bounce
>>> verify     unix  -       -       y       -       1       verify
>>> flush      unix  n       -       y       1000?   0       flush
>>> proxymap   unix  -       -       n       -       - proxymap
>>> proxywrite unix  -       -       n       -       1 proxymap
>>> smtp       unix  -       -       y       -       -       smtp
>>>      -o smtp_helo_timeout=5
>>>      -o smtp_connect_timeout=5
>>> relay      unix  -       -       y       -       -       smtp
>>> showq      unix  n       -       y       -       -       showq
>>> error      unix  -       -       y       -       -       error
>>> retry      unix  -       -       y       -       -       error
>>> discard    unix  -       -       y       -       -       discard
>>> local      unix  -       n       n       -       -       local
>>> virtual    unix  -       n       n       -       -       virtual
>>> lmtp       unix  -       -       y       -       -       lmtp
>>> anvil      unix  -       -       y       -       1       anvil
>>> scache     unix  -       -       y       -       1       scache
>>> maildrop   unix  -       n       n       -       -       pipe
>>> flags=DRhu
>>>      user=vmail argv=/usr/bin/maildrop -d ${recipient}
>>> uucp       unix  -       n       n       -       -       pipe
>>> flags=Fqhu
>>>      user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
>>> ($recipient)
>>> ifmail     unix  -       n       n       -       -       pipe
>>> flags=F user=ftn
>>>      argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
>>> bsmtp      unix  -       n       n       -       -       pipe
>>> flags=Fq.
>>>      user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
>>> $recipient
>>> scalemail-backend unix - n       n       -       2       pipe
>>> flags=R
>>>      user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
>>> ${nexthop}
>>>      ${user} ${extension}
>>> mailman    unix  -       n       n       -       -       pipe
>>> flags=FR
>>>      user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
>>> ${nexthop}
>>>      ${user}
>>> policyd-spf unix -       n       n       -       0       spawn
>>> user=policyd-spf
>>>      argv=/usr/bin/policyd-spf
>>> smtp-amavis unix -       -       n       -       2       smtp
>>>      -o smtp_data_done_timeout=1200
>>>      -o disable_dns_lookups=yes
>>> 127.0.0.1:10025 inet n   -       n       -       -       smtpd
>>>      -o content_filter=
>>>      -o disable_dns_lookups=yes
>>>      -o local_recipient_maps=
>>>      -o relay_recipient_maps=
>>>      -o smtpd_restriction_classes=
>>>      -o smtpd_client_restrictions=
>>>      -o smtpd_helo_restrictions=
>>>      -o smtpd_sender_restrictions=
>>>      -o smtpd_recipient_restrictions=permit_mynetworks,reject
>>>      -o mynetworks=127.0.0.0/8
>>>      -o strict_rfc821_envelopes=yes
>>>      -o smtpd_error_sleep_time=0
>>>      -o smtpd_soft_error_limit=1001
>>>      -o smtpd_hard_error_limit=1000
>>>      -o smtp_data_done_timeout=1200
>>>      -o disable_dns_lookups=yes
>>> spamassassin unix -      n       n       -       -       pipe
>>> user=debian-spamd
>>>      argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f
>>> ${sender} ${recipient}
>>> dane       unix  -       -       n       -       -       smtp
>>>      -o smtp_dns_support_level=dnssec
>>>      -o smtp_tls_security_level=dane
>>> postlog    unix-dgram n  -       n       -       1 postlogd
>>>
>>> El 02/04/2019 a las 18:38, Bill Cole escribió:
>>>> On 2 Apr 2019, at 11:17, Francesc Peñalvez wrote:
>>>>
>>>>> following the instructions given to me place the access in
>>>>> front of the rule that is not supported ips unresolved, and as
>>>>> I still have the same problems I added a debug to that ip that
>>>>> interests me and among other things in this debug I find this:
>>>>> 16:43:05 ns postfix / smtpd [28258]: generic_checks: name =
>>>>> check_client_access
>>>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: check_namadr_access:
>>>>> name unknown addr 213.4.61.170
>>>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: check_domain_access:
>>>>> unknown
>>>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: maps_find: hash: /
>>>>> etc / postfix / access: unknown: not found
>>>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: check_addr_access:
>>>>> 213.4.61.170
>>>>> my access file contains:
>>>>> 213.4.61.170 OK
>>>>>
>>>>> Where do I have the error?
>>>>
>>>> It is impossible for us to tell, because you have not provided
>>>> enough information.
>>>> The solution may be as simple as using 'postmap' to rebuild the
>>>> operational form of the access map (e.g. /etc/postfix/access.db)
>>>> or it may be something more complex.
>>>>
>>>> See http://www.postfix.org/DEBUG_README.html#mail for how to
>>>> effectively report problems here.
>>>>
>>>> Most importantly:
>>>>
>>>> 1. Turn off debug logging.
>>>> 2. Provide the output of 'postconf -nf' and 'postconf -Mf'
>>>> 3. Provide log lines relevant to a single SMTP session with the
>>>> problem.
>>>>
>>>>
>>>
>>


Re: problems follow with certain rules

Francesc Peñalvez-2
Yes, every change in access I use postmap access

I will try the changes that you suggest and I will comment something

Thanks for the help

El 02/04/2019 a las 21:11, Noel Jones escribió:

> Great.
>
> Change this:
>> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>>      defer_unauth_destination permit_inet_interfaces check_client_access
>>      hash:/etc/postfix/access reject_unknown_reverse_client_hostname
>
> to this:
> smtpd_relay_restrictions =
>   permit_mynetworks
>   permit_sasl_authenticated
>   reject_unauth_destination
>
>
> Did you remember to postmap your access map?
> postmap hash:/etc/postfix/access
>
>
>
>
>
> On 4/2/2019 1:49 PM, Francesc Peñalvez wrote:
>> the problem that I have already described
>> I have several rules against spammers and one of them is to reject the
>> ips that are not resolved.
>> So when the resolution of the dns fails those ips are rejected for
>> not having an inverse. In the access I have the ips that interest me
>> that these locks pass, but even so, as you can see in the connection
>> log are rejected by not solve the ip.
>> Those ips really do have an inverse but for some fault it does not
>> resolve at the moment of connecting with my postfix.
>> The two postconf are from the server with which I have this problem.
>> In other emails I was told that the rule of the inverse resolution
>> reject_unknown_reverse_client_hostname was earlier in the line than
>> the access, so I changed the position but still I still have this
>> failure.
>> The example of SMTP that I have set, although it does not match the
>> ip, as I have put in another email is an ip of the same company, in
>> this case a digital newspaper that uses several ips to send emails.
>>
>> the problem I do not have it in the shipment if not in the reception
>> of mails.
>> I am sorry not to explain myself, I hope that I understand what I
>> want to express
>>
>> El 02/04/2019 a las 20:08, Noel Jones escribió:
>>> On 4/2/2019 12:15 PM, Francesc Peñalvez wrote:
>>>> the problem is with the directive
>>>> reject_unknown_reverse_client_hostname when there is a failure in
>>>> the resolution of the ip blocks the connection with this ip, to
>>>> avoid adding the access file the ip as indicated in the first mail,
>>>> but still blocking that ip by not resolving. activate the debug on
>>>> that ip in case I saw the reason and that's what I get between many
>>>> data when that ip connects
>>>
>>> I don't quite understand what you're trying to say above, you don't
>>> show logs indicating the problem you're trying to solve, and your
>>> example SMTP session doesn't seem to match your posted config, so
>>> I'll give some general pointers.
>>>
>>> In your posted config, no locally delivered mail gets past the
>>> "permit_auth_destination" statements, bypassing most of your
>>> restrictions.
>>>
>>> Mail must be permitted (or not rejected) in every
>>> smtpd_*_restrictions section to be accepted.
>>>
>>> It doesn't make much sense to use both
>>> reject_unknown_client_hostname and
>>> reject_unknown_reverse_client_hostname, especially with
>>> reject_unknown_reverse_client_hostname listed second.
>>>
>>> Looks like you have a lot of duplicated statements.
>>>
>>> In master.cf for your submission and smtps listeners, you should
>>> disable all those extra restrictions, eg.
>>>   -o smtpd_helo_restrictions=
>>>   -o smtpd_client_restrictions=
>>>   -o smtpd_sender_restrictions=
>>>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>>>   -o smtpd_recipient_restrictions=
>>>
>>>
>>>
>>>   -- Noel Jones
>>>
>>>
>>>
>>>>
>>>>   Out: 250-ETRN
>>>>   Out: 250-AUTH PLAIN LOGIN
>>>>   Out: 250-AUTH=PLAIN LOGIN
>>>>   Out: 250-ENHANCEDSTATUSCODES
>>>>   Out: 250-8BITMIME
>>>>   Out: 250 DSN
>>>>   In:  MAIL From:<[hidden email]> SIZE=118853
>>>>   Out: 250 2.1.0 Ok
>>>>   In:  RCPT To:<[hidden email]>
>>>>   Out: 450 4.7.25 Client host rejected: cannot find your hostname,
>>>>       [217.124.241.125]
>>>>   In:  DATA
>>>>   Out: 554 5.5.1 Error: no valid recipients
>>>>   In:  RSET
>>>>   Out: 250 2.0.0 Ok
>>>>   In:  QUIT
>>>>   Out: 221 2.0.0 Bye
>>>>
>>>> alias_database = hash:/etc/aliases
>>>> alias_maps = hash:/etc/aliases
>>>> allow_percent_hack = no
>>>> allow_untrusted_routing = yes
>>>> append_dot_mydomain = no
>>>> biff = no
>>>> broken_sasl_auth_clients = yes
>>>> command_directory = /usr/sbin
>>>> content_filter = smtp-amavis:[127.0.0.1]:10024
>>>> daemon_directory = /usr/libexec/postfix
>>>> data_directory = /var/lib/postfix
>>>> debug_peer_list = 213.4.61.170 195.77.249.6 212.0.124.176
>>>> home_mailbox = Maildir/
>>>> html_directory = no
>>>> inet_interfaces = all
>>>> inet_protocols = ipv4
>>>> mail_owner = postfix
>>>> mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
>>>> mailbox_size_limit = 0
>>>> mailq_path = /usr/bin/mailq
>>>> manpage_directory = /usr/local/man
>>>> masquerade_domains = almogavers.net
>>>> message_size_limit = 102400000
>>>> meta_directory = /etc/postfix
>>>> milter_default_action = accept
>>>> milter_protocol = 6
>>>> mydestination = ns.almogavers.net, localhost.almogavers.net,
>>>> localhost,
>>>>      canalonanismo.org, canalonanismo.es, almogavers.net,
>>>> web.almogavers.net,
>>>>      active.almogavers.net, 5.39.93.184, 37.187.18.41
>>>> myhostname = almogavers.net
>>>> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.2
>>>>      almogavers.net 192.168.1.0/24
>>>> mynetworks_style = class
>>>> newaliases_path = /usr/bin/newaliases
>>>> non_smtpd_milters = inet:localhost:3277
>>>> notify_classes = bounce, 2bounce, delay, policy, protocol,
>>>> resource, software
>>>> postscreen_access_list = permit_mynetworks
>>>> cidr:/etc/postfix/trusted_ips.cidr
>>>> postscreen_blacklist_action = drop
>>>> postscreen_dnsbl_action = enforce
>>>> postscreen_dnsbl_reply_map =
>>>> texthash:/etc/postfix/postscreen_dnsbl_reply
>>>> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3
>>>>      b.barracudacentral.org=127.0.0.[2..11]*2 bl.spamcop.net
>>>> swl.spamhaus.org*-4
>>>> postscreen_dnsbl_threshold = 1
>>>> postscreen_dnsbl_ttl = 10m
>>>> postscreen_greet_action = enforce
>>>> queue_directory = /var/spool/postfix
>>>> readme_directory = no
>>>> recipient_delimiter = +
>>>> sample_directory = /etc/postfix
>>>> sender_bcc_maps = hash:/etc/postfix/bcc
>>>> sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
>>>> sendmail_path = /usr/sbin/sendmail
>>>> setgid_group = postdrop
>>>> shlib_directory = /usr/lib/postfix
>>>> smtp_dns_support_level = enabled
>>>> smtp_host_lookup = dns
>>>> smtp_tls_CApath = /etc/ssl/certs
>>>> smtp_tls_ciphers = medium
>>>> smtp_tls_loglevel = 1
>>>> smtp_tls_protocols = !SSLv2, !SSLv3
>>>> smtp_tls_security_level = dane
>>>> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>>>> smtp_use_tls = yes
>>>> smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
>>>>      permit_tls_all_clientcerts permit_sasl_authenticated
>>>> permit_auth_destination
>>>>      check_client_access hash:/etc/postfix/access
>>>> smtpd_hard_error_limit = 20
>>>> smtpd_helo_restrictions = permit_mynetworks, check_client_access
>>>>      hash:/etc/postfix/access, check_client_access
>>>>      cidr:/etc/postfix/trusted_ips.cidr, reject_invalid_hostname,
>>>> permit
>>>> smtpd_milters = inet:localhost:3277
>>>> smtpd_recipient_restrictions = permit_mynetworks
>>>> permit_sasl_authenticated
>>>>      check_client_access hash:/etc/postfix/access
>>>> permit_auth_destination
>>>>      reject_unauth_destination reject_invalid_hostname
>>>>      reject_unknown_recipient_domain reject_unknown_client_hostname
>>>>      reject_unknown_reverse_client_hostname
>>>> reject_unverified_recipient
>>>>      check_policy_service inet:127.0.0.1:10023
>>>> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>>>>      defer_unauth_destination permit_inet_interfaces
>>>> check_client_access
>>>>      hash:/etc/postfix/access reject_unknown_reverse_client_hostname
>>>> smtpd_sasl_auth_enable = yes
>>>> smtpd_sasl_authenticated_header = yes
>>>> smtpd_sasl_path = private/auth
>>>> smtpd_sasl_security_options = noanonymous noplaintext
>>>> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
>>>> smtpd_sender_restrictions = permit_mynetworks check_client_access
>>>>      hash:/etc/postfix/access permit_auth_destination
>>>> permit_sasl_authenticated
>>>>      check_sender_access inline:{ { almogavers.net = REJECT local
>>>> sender from
>>>>      unauthorized client } }
>>>> smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
>>>> smtpd_tls_CApath = /etc/ssl/certs
>>>> smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
>>>> smtpd_tls_ciphers = medium
>>>> smtpd_tls_key_file = /etc/postfix/postfix.key.pem
>>>> smtpd_tls_mandatory_ciphers = high
>>>> smtpd_tls_protocols = !SSLv2, !SSLv3
>>>> smtpd_tls_received_header = yes
>>>> smtpd_tls_security_level = may
>>>> smtpd_tls_session_cache_database =
>>>> btree:${data_directory}/smtpd_scache
>>>> smtpd_use_tls = yes
>>>> virtual_alias_maps = hash:/etc/postfix/virtual
>>>>
>>>> smtp       inet  n       -       y       -       - smtpd
>>>>      -o content_filter=spamassassin
>>>>      -o smtpd_sasl_auth_enable=yes
>>>>      receive_override_options=no_header_body_checks
>>>> smtp       inet  n       -       y       -       1 postscreen
>>>> dnsblog    unix  -       -       y       -       0 dnsblog
>>>> tlsproxy   unix  -       -       y       -       0 tlsproxy
>>>> smtpd      pass  -       -       y       -       - smtpd
>>>> submission inet  n       -       y       -       - smtpd
>>>>      -o syslog_name=postfix/submission
>>>>      -o smtpd_tls_security_level=encrypt
>>>>      -o smtpd_sasl_auth_enable=yes
>>>>      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>>      -o milter_macro_daemon_name=ORIGINATING
>>>>      -o content_filter=spamassassin
>>>> smtps      inet  n       -       y       -       - smtpd
>>>>      -o syslog_name=postfix/smtps
>>>>      -o smtpd_tls_wrappermode=yes
>>>>      -o smtpd_sasl_auth_enable=yes
>>>>      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>>      -o milter_macro_daemon_name=ORIGINATING
>>>> pickup     fifo  n       -       y       60      1 pickup
>>>> cleanup    unix  n       -       y       -       0 cleanup
>>>> qmgr       fifo  n       -       n       300     1 qmgr
>>>> tlsmgr     unix  -       -       y       1000?   1 tlsmgr
>>>> rewrite    unix  -       -       y       -       - trivial-rewrite
>>>> bounce     unix  -       -       y       -       0 bounce
>>>> defer      unix  -       -       y       -       0 bounce
>>>> trace      unix  -       -       y       -       0 bounce
>>>> verify     unix  -       -       y       -       1 verify
>>>> flush      unix  n       -       y       1000?   0 flush
>>>> proxymap   unix  -       -       n       -       - proxymap
>>>> proxywrite unix  -       -       n       -       1 proxymap
>>>> smtp       unix  -       -       y       -       - smtp
>>>>      -o smtp_helo_timeout=5
>>>>      -o smtp_connect_timeout=5
>>>> relay      unix  -       -       y       -       - smtp
>>>> showq      unix  n       -       y       -       - showq
>>>> error      unix  -       -       y       -       - error
>>>> retry      unix  -       -       y       -       - error
>>>> discard    unix  -       -       y       -       - discard
>>>> local      unix  -       n       n       -       - local
>>>> virtual    unix  -       n       n       -       - virtual
>>>> lmtp       unix  -       -       y       -       - lmtp
>>>> anvil      unix  -       -       y       -       1 anvil
>>>> scache     unix  -       -       y       -       1 scache
>>>> maildrop   unix  -       n       n       -       - pipe flags=DRhu
>>>>      user=vmail argv=/usr/bin/maildrop -d ${recipient}
>>>> uucp       unix  -       n       n       -       - pipe flags=Fqhu
>>>>      user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
>>>> ($recipient)
>>>> ifmail     unix  -       n       n       -       - pipe flags=F
>>>> user=ftn
>>>>      argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
>>>> bsmtp      unix  -       n       n       -       - pipe flags=Fq.
>>>>      user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
>>>> $recipient
>>>> scalemail-backend unix - n       n       -       2 pipe flags=R
>>>>      user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
>>>> ${nexthop}
>>>>      ${user} ${extension}
>>>> mailman    unix  -       n       n       -       - pipe flags=FR
>>>>      user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
>>>> ${nexthop}
>>>>      ${user}
>>>> policyd-spf unix -       n       n       -       0 spawn
>>>> user=policyd-spf
>>>>      argv=/usr/bin/policyd-spf
>>>> smtp-amavis unix -       -       n       -       2 smtp
>>>>      -o smtp_data_done_timeout=1200
>>>>      -o disable_dns_lookups=yes
>>>> 127.0.0.1:10025 inet n   -       n       -       - smtpd
>>>>      -o content_filter=
>>>>      -o disable_dns_lookups=yes
>>>>      -o local_recipient_maps=
>>>>      -o relay_recipient_maps=
>>>>      -o smtpd_restriction_classes=
>>>>      -o smtpd_client_restrictions=
>>>>      -o smtpd_helo_restrictions=
>>>>      -o smtpd_sender_restrictions=
>>>>      -o smtpd_recipient_restrictions=permit_mynetworks,reject
>>>>      -o mynetworks=127.0.0.0/8
>>>>      -o strict_rfc821_envelopes=yes
>>>>      -o smtpd_error_sleep_time=0
>>>>      -o smtpd_soft_error_limit=1001
>>>>      -o smtpd_hard_error_limit=1000
>>>>      -o smtp_data_done_timeout=1200
>>>>      -o disable_dns_lookups=yes
>>>> spamassassin unix -      n       n       -       - pipe
>>>> user=debian-spamd
>>>>      argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender}
>>>> ${recipient}
>>>> dane       unix  -       -       n       -       - smtp
>>>>      -o smtp_dns_support_level=dnssec
>>>>      -o smtp_tls_security_level=dane
>>>> postlog    unix-dgram n  -       n       -       1 postlogd
>>>>
>>>> El 02/04/2019 a las 18:38, Bill Cole escribió:
>>>>> On 2 Apr 2019, at 11:17, Francesc Peñalvez wrote:
>>>>>
>>>>>> following the instructions given to me place the access in front
>>>>>> of the rule that is not supported ips unresolved, and as I still
>>>>>> have the same problems I added a debug to that ip that interests
>>>>>> me and among other things in this debug I find this:
>>>>>> 16:43:05 ns postfix / smtpd [28258]: generic_checks: name =
>>>>>> check_client_access
>>>>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: check_namadr_access:
>>>>>> name unknown addr 213.4.61.170
>>>>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: check_domain_access:
>>>>>> unknown
>>>>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: maps_find: hash: / etc
>>>>>> / postfix / access: unknown: not found
>>>>>> Apr 2 16:43:05 ns postfix / smtpd [28258]: check_addr_access:
>>>>>> 213.4.61.170
>>>>>> my access file contains:
>>>>>> 213.4.61.170 OK
>>>>>>
>>>>>> Where do I have the error?
>>>>>
>>>>> It is impossible for us to tell, because you have not provided
>>>>> enough information.
>>>>> The solution may be as simple as using 'postmap' to rebuild the
>>>>> operational form of the access map (e.g. /etc/postfix/access.db)
>>>>> or it may be something more complex.
>>>>>
>>>>> See http://www.postfix.org/DEBUG_README.html#mail for how to
>>>>> effectively report problems here.
>>>>>
>>>>> Most importantly:
>>>>>
>>>>> 1. Turn off debug logging.
>>>>> 2. Provide the output of 'postconf -nf' and 'postconf -Mf'
>>>>> 3. Provide log lines relevant to a single SMTP session with the
>>>>> problem.
>>>>>
>>>>>
>>>>
>>>
>

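Noel's two points above (every smtpd_*_restrictions stage must permit, and a permit_auth_destination placed early short-circuits whatever follows it) as an added Python model; this is not code from the thread or from Postfix, and it simplifies the real restriction semantics to the keywords that appear in the posted main.cf. The access_lookup function also shows the parent-network fallback documented for hash: access tables, which goes beyond what the thread discusses; the client addresses, reverse-DNS state and the outsider host are constructed for the example.

```python
"""Model of how Postfix evaluates its smtpd_*_restrictions lists.

Added example; not code from the thread and not Postfix's own logic. Only the
restrictions named in the posted main.cf are modelled: the first restriction
that permits or rejects wins, anything else is DUNNO and evaluation continues,
and running off the end of a list is an implicit permit.
"""
from typing import Optional
from dataclasses import dataclass


@dataclass
class Client:
    ip: str
    reverse_name: Optional[str]      # None models "cannot find your hostname"
    in_mynetworks: bool = False
    sasl_authenticated: bool = False
    recipient_is_local: bool = True  # recipient domain is in mydestination


def access_lookup(table: dict, ip: str) -> Optional[str]:
    """hash: access-table lookup as documented in access(5): the full address
    first, then parent networks (213.4.61.170, 213.4.61, 213.4, 213)."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return table[key]
    return None


def evaluate(restrictions, client, access_table):
    """Evaluate one list; return (verdict, restriction that decided it)."""
    for r in restrictions:
        if r == "permit_mynetworks" and client.in_mynetworks:
            return "permit", r
        if r == "permit_sasl_authenticated" and client.sasl_authenticated:
            return "permit", r
        if r == "permit_auth_destination" and client.recipient_is_local:
            return "permit", r
        # defer_unauth_destination is counted as a reject: mail is not accepted either way
        if r in ("reject_unauth_destination", "defer_unauth_destination") \
                and not client.recipient_is_local:
            return "reject", r
        if r == "check_client_access":   # stands for check_client_access hash:/etc/postfix/access
            action = access_lookup(access_table, client.ip)
            if action == "OK":
                return "permit", r
            if action == "REJECT":
                return "reject", r
        if r in ("reject_unknown_client_hostname",
                 "reject_unknown_reverse_client_hostname") \
                and client.reverse_name is None:
            return "reject", r
        if r == "permit":
            return "permit", r
        # anything else (permit_inet_interfaces, reject_invalid_hostname, ...) is DUNNO here
    return "permit", "end-of-list"


def accepted(stages, client, access_table):
    """Mail is accepted only if every stage permits; name the first stage that rejects."""
    for name, restrictions in stages.items():
        verdict, why = evaluate(restrictions, client, access_table)
        if verdict == "reject":
            return False, name, why
    return True, None, None


# Lists copied from the posted main.cf, map arguments dropped for the model.
POSTED_RECIPIENT = [
    "permit_mynetworks", "permit_sasl_authenticated", "check_client_access",
    "permit_auth_destination", "reject_unauth_destination", "reject_invalid_hostname",
    "reject_unknown_recipient_domain", "reject_unknown_client_hostname",
    "reject_unknown_reverse_client_hostname",
]
POSTED_RELAY = [
    "permit_mynetworks", "permit_sasl_authenticated", "defer_unauth_destination",
    "permit_inet_interfaces", "check_client_access", "reject_unknown_reverse_client_hostname",
]
# Noel Jones's suggested smtpd_relay_restrictions from the thread.
SUGGESTED_RELAY = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
ACCESS = {"213.4.61.170": "OK"}   # the posted /etc/postfix/access, after postmap
```

Running the posted recipient list against a client whose reverse lookup fails shows the mail permitted by permit_auth_destination before any hostname check runs, while the posted relay list rejects the same client, so the whole session fails; a client IP not covered by an exact or parent-network access entry gets no benefit from the OK line.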

Re: problems follow with certain rules

Viktor Dukhovni
In reply to this post by Francesc Peñalvez-2
On Tue, Apr 02, 2019 at 07:15:58PM +0200, Francesc Peñalvez wrote:

> smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
>      permit_tls_all_clientcerts permit_sasl_authenticated permit_auth_destination
>      check_client_access hash:/etc/postfix/access

The "permit_tls_all_clientcerts" here is currently a NOOP, given
the rest of your configuration, but is a bad idea, and should be
removed.

> smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
> smtpd_tls_CApath = /etc/ssl/certs

Your authorized CAs likely include the usual panoply of public CAs,
and you should not be trusting clients with some random certificate
from any of these.

As luck would have it, you're not configured to request client
certs, hence the "NOOP", but this could change later.

--
        Viktor.