sender_access question

sender_access question

mbridgett
Hi,

This is the first time I have configured sender_access blacklisting -
although it works fine - i.e. the specific email address I have chosen to
blacklist gets their email blocked with /var/log/messages noting it as
"Sender address rejected:access denied".  I notice that after an hour has
gone by - the email is attempted to be delivered again.   Maybe I have missed
a subtlety here but I thought a REJECT would immediately return the message
to the sender but that doesn't appear to be the case.  

I guess my question is - how many times will the message be attempted to be
re-delivered, with my mail server rejecting it - until it will eventually be
returned as undeliverable?

So far it's been 48 hours and I am still getting delivery attempts.

Just wondering if this is another way of rejecting the email without this
continually attempted delivery?

Thanks
Mark



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Re: sender_access question

Dominic Raferd


On 30 August 2017 at 10:30, mbridgett <[hidden email]> wrote:
> Hi,
>
> This is the first time I have configured sender_access blacklisting -
> although it works fine - i.e. the specific email address I have chosen to
> blacklist gets their email blocked with /var/log/messages noting it as
> "Sender address rejected:access denied".  I notice that after an hour has
> gone by - the email is attempted to be delivered again.   Maybe I have missed
> a subtlety here but I thought a REJECT would immediately return the message
> to the sender but that doesn't appear to be the case.
>
> I guess my question is - how many times will the message be attempted to be
> re-delivered, with my mail server rejecting it - until it will eventually be
> returned as undeliverable?

With 'REJECT' action Postfix will have sent code $access_map_reject_code (default 554) back to the sending server and so that server should not attempt to send the same email again - see http://www.postfix.org/access.5.html. Of course if the sending server is badly-configured or malicious it may well ignore the code and try to resend the email or (more likely) send similar (but technically different) emails. There is nothing further that Postfix can do to stop this happening.

If the offending emails are all coming from the same ip you could ban this ip with iptables / ufw. A less drastic strategy is to use fail2ban jobs to block offenders on a temporary basis. But since Postfix is already blocking the emails from this sender there is no need to do either.
Re: sender_access question

mbridgett
Thanks for the comprehensive explanation.  What's strange is it's happening
for example to my gmail account (which I was using to test sender_access) as
well and I would have expected their mail servers to "behave".  Theirs seems
to retry at random periods between 90 minutes and two hours.  I sent a test
email over 12 hours ago and gmail keeps trying to re-deliver.

Also I note that my Postfix doesn't appear to be rejecting with the code
mentioned.  Maillog shows (just the last two entries):

Aug 30 07:17:16 localhost postfix/smtpd[1095]: NOQUEUE: reject: RCPT from
mail-qt0-f171.google.com[209.85.216.171]: 454 4.7.1 <[hidden email]>:
Sender address rejected: Access denied; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<mail-qt0-f171.google.com>
Aug 30 09:43:22 localhost postfix/smtpd[5125]: NOQUEUE: reject: RCPT from
mail-qt0-f174.google.com[209.85.216.174]: 454 4.7.1 <[hidden email]>:
Sender address rejected: Access denied; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<mail-qt0-f174.google.com>


So isn't this using 454?  I can't see anything outwardly in my config that
looks wrong:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
$daemon_directory/$process_name $process_id & sleep 5
default_privs = nobody
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps =
luser_relay = mbridget
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a
"$RECIPIENT"
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 50000000
milter_connect_macros = j {daemon_name} v {if_name} _
milter_default_action = accept
mydestination = byteplayer.byteplayer.com, mail.byteplayer.com, $myhostname,
$mydomain,
localhost,byteplayer.com,byteplayer.co.uk,byteplayer.dyndns.org,byteplayer.uk
mydomain = byteplayer.com
myhostname = mail.byteplayer.com
mynetworks = 192.168.200.0/24, 127.0.0.0/8
myorigin = byteplayer.com
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org,
b.barracudacentral.org,bl.spamcop.net
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
relayhost = [smtp.tools.sky.com]:465
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
smtpd_delay_reject = yes
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
smtpd_milters = unix:/var/run/clamav-milter/clamav-milter.socket
smtpd_recipient_restrictions = reject_unknown_recipient_domain,
permit_sasl_authenticated, reject_unauth_pipelining, permit_mynetworks,
reject_unauth_destination, reject_invalid_hostname, check_sender_access
hash:/etc/postfix/sender_access, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/byteplayer.com/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = RC4-MD5
smtpd_tls_key_file = /etc/letsencrypt/live/byteplayer.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
soft_bounce = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_transport = dovecot

thanks for any support.
Mark



Re: sender_access question

Christian Kivalo


On 2017-08-30 12:45, mbridgett wrote:

> Thanks for the comprehensive explanation.  What's strange is it's
> happening
> for example to my gmail account (which I was using to test
> sender_access) as
> well and I would have expected their mail servers to "behave".  Theirs
> seems
> to retry at random periods between 90 minutes and two hours.  I sent a
> test
> email over 12 hours ago and gmail keeps trying to re-deliver.
>
> Also I note that my Postfix doesn't appear to be rejecting with the
> code
> mentioned.  Maillog shows (just the last two entries):
>
> Aug 30 07:17:16 localhost postfix/smtpd[1095]: NOQUEUE: reject: RCPT
> from
> mail-qt0-f171.google.com[209.85.216.171]: 454 4.7.1
> <[hidden email]>:
> Sender address rejected: Access denied; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<mail-qt0-f171.google.com>
> Aug 30 09:43:22 localhost postfix/smtpd[5125]: NOQUEUE: reject: RCPT
> from
> mail-qt0-f174.google.com[209.85.216.174]: 454 4.7.1
> <[hidden email]>:
> Sender address rejected: Access denied; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<mail-qt0-f174.google.com>
>
>
> So isn't this using 454?  I can't see anything outwardly in my config
> that
> looks wrong:
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> compatibility_level = 2
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
> xxgdb
> $daemon_directory/$process_name $process_id & sleep 5
> default_privs = nobody
> disable_vrfy_command = yes
> header_checks = regexp:/etc/postfix/header_checks
> html_directory = no
> inet_interfaces = all
> inet_protocols = ipv4
> local_recipient_maps =
> luser_relay = mbridget
> mail_owner = postfix
> mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a
> "$RECIPIENT"
> mailbox_size_limit = 0
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 50000000
> milter_connect_macros = j {daemon_name} v {if_name} _
> milter_default_action = accept
> mydestination = byteplayer.byteplayer.com, mail.byteplayer.com,
> $myhostname,
> $mydomain,
> localhost,byteplayer.com,byteplayer.co.uk,byteplayer.dyndns.org,byteplayer.uk
> mydomain = byteplayer.com
> myhostname = mail.byteplayer.com
> mynetworks = 192.168.200.0/24, 127.0.0.0/8
> myorigin = byteplayer.com
> newaliases_path = /usr/bin/newaliases.postfix
> non_smtpd_milters = $smtpd_milters
> postscreen_access_list = permit_mynetworks,
> cidr:/etc/postfix/postscreen_access.cidr
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = zen.spamhaus.org,
> b.barracudacentral.org,bl.spamcop.net
> postscreen_greet_action = enforce
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix/README_FILES
> relayhost = [smtp.tools.sky.com]:465
> sample_directory = /usr/share/doc/postfix/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_tls_security_level = encrypt
> smtp_tls_wrappermode = yes
> smtpd_delay_reject = yes
> smtpd_discard_ehlo_keywords = silent-discard, dsn
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
> smtpd_milters = unix:/var/run/clamav-milter/clamav-milter.socket
> smtpd_recipient_restrictions = reject_unknown_recipient_domain,
> permit_sasl_authenticated, reject_unauth_pipelining, permit_mynetworks,
> reject_unauth_destination, reject_invalid_hostname, check_sender_access
> hash:/etc/postfix/sender_access, reject_unauth_destination
> smtpd_relay_restrictions = permit_mynetworks,
> permit_sasl_authenticated,
> defer_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = /var/spool/postfix/private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = permit_sasl_authenticated,
> permit_mynetworks,
> smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
> smtpd_tls_ask_ccert = yes
> smtpd_tls_cert_file =
> /etc/letsencrypt/live/byteplayer.com/fullchain.pem
> smtpd_tls_ciphers = high
> smtpd_tls_exclude_ciphers = RC4-MD5
> smtpd_tls_key_file = /etc/letsencrypt/live/byteplayer.com/privkey.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_timeout = 3600s
> soft_bounce = yes
^^ you have the soft_bounce safety net enabled. This changes all 5xx to
4xx replies, telling the sending server that it should try again later.
See http://www.postfix.org/postconf.5.html#soft_bounce

> strict_rfc821_envelopes = yes
> tls_random_source = dev:/dev/urandom
> unknown_address_reject_code = 550
> unknown_client_reject_code = 550
> unknown_hostname_reject_code = 550
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/virtual
> virtual_transport = dovecot
>
> thanks for any support.
> Mark
>
>
>

--
  Christian Kivalo
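
The symptom discussed above shows up directly in the log: an access-map "Access denied" reject that goes out with a 4xx code instead of 5xx, so the sending server queues and retries. The following is an added example, not part of the original thread, that flags such rejects; the log lines are constructed on the pattern of the ones posted, with placeholder hosts and addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the maillog entries in the thread.
# Host names and addresses are placeholders (the archive hides the real ones).
SAMPLE_LOG = (
    "Aug 30 07:17:16 localhost postfix/smtpd[1095]: NOQUEUE: reject: RCPT from "
    "mx1.example.com[192.0.2.11]: 454 4.7.1 <blocked@example.com>: Sender address "
    "rejected: Access denied; from=<blocked@example.com> to=<user@example.org> "
    "proto=ESMTP helo=<mx1.example.com>\n"
    "Aug 30 09:43:22 localhost postfix/smtpd[5125]: NOQUEUE: reject: RCPT from "
    "mx2.example.com[192.0.2.12]: 454 4.7.1 <blocked@example.com>: Sender address "
    "rejected: Access denied; from=<blocked@example.com> to=<user@example.org> "
    "proto=ESMTP helo=<mx2.example.com>\n"
    "Aug 30 10:05:01 localhost postfix/smtpd[6001]: NOQUEUE: reject: RCPT from "
    "mx.example.net[192.0.2.20]: 554 5.7.1 <other@example.net>: Sender address "
    "rejected: Access denied; from=<other@example.net> to=<user@example.org> "
    "proto=ESMTP helo=<mx.example.net>\n"
)

# One smtpd "Sender address rejected: Access denied" entry: reply code, sender, recipient.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from (?P<client>\S+): "
    r"(?P<code>\d{3}) \d\.\d+\.\d+ .*?Sender address rejected: Access denied; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def reject_codes(log_text):
    """Map (sender, recipient) to the list of SMTP reply codes logged for it."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            groups[(m["sender"], m["rcpt"])].append(int(m["code"]))
    return dict(groups)

def soft_rejects(log_text):
    """Return pairs whose access-map reject was sent as 4xx (temporary), with a count.
    A 4xx reply tells the sending server to retry, so the count grows over time."""
    report = {}
    for pair, codes in reject_codes(log_text).items():
        temporary = sum(1 for c in codes if 400 <= c <= 499)
        if temporary:
            report[pair] = temporary
    return report

if __name__ == "__main__":
    for (sender, rcpt), n in soft_rejects(SAMPLE_LOG).items():
        print(f"{sender} -> {rcpt}: {n} reject(s) sent as 4xx; check soft_bounce")
```

Running `postconf soft_bounce` on the server shows whether the setting is enabled.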
Re: sender_access question

mbridgett


> soft_bounce = yes
> ^^ you have the soft_bounce safety net enabled. This changes all 5xx to
> 4xx replies, telling the sending server that it should try again later.
> See http://www.postfix.org/postconf.5.html#soft_bounce

Doh, thanks.  I put that in years ago for some reason that's long since gone
out of my mind.  I have disabled this and am sure this will be the solution.
Thanks.


